conducting-social-engineering-penetration-test

Fail

Audited by Socket on Mar 15, 2026

3 alerts found:

Obfuscated File, Security x2

Obfuscated File (HIGH)
references/workflows.md

This playbook is a detailed, actionable social-engineering/phishing campaign workflow that maps data sources to collection sinks and outlines attacker infrastructure and tactics. It is dual-use: appropriate under tightly scoped, authorized penetration tests with documented legal and data handling safeguards; dangerous if used without authorization. Key deficiencies are the lack of explicit, enforceable safeguards (consent, minimization, retention, destruction, and legal boundaries). No code-level obfuscation or embedded secrets detected in the document itself, but the guidance materially enables credential/session theft and privacy violations. Recommend restricting distribution, adding mandatory legal/consent procedures, and including safe-handling and minimization controls if retained for legitimate use.

Confidence: 98%

Security (MEDIUM)
scripts/agent.py

This file is a dual-use phishing administration/test utility: it does not contain obfuscated or hidden backdoors, nor does it contain clear remote-exfiltration to third-party domains built into the code. However, it explicitly facilitates phishing operations (credential harvesting) and has insecure defaults — notably disabling TLS verification and instructing the server to ignore cert errors for SMTP. These defaults materially increase security risk and could be abused or cause accidental compromise. Recommended mitigations: enable TLS verification, avoid suppressing warnings, avoid printing/storing plaintext credentials in logs, add timeouts/retries and input validation, and restrict use to authorized testing environments.

Confidence: 85%
Severity: 70%

Security (MEDIUM)
SKILL.md

SUSPICIOUS: the skill is a practical offensive social-engineering playbook for an AI agent, including credential capture, MFA bypass, deceptive calls, and physical intrusion tactics. Even if framed as authorized testing, these capabilities are high-risk and disproportionate for general agent use; install guidance is also weakly verified.

Confidence: 95%
Severity: 96%

Audit Metadata

Analyzed At: Mar 15, 2026, 09:05 AM
Package URL: pkg:socket/skills-sh/mukul975%2FAnthropic-Cybersecurity-Skills%2Fconducting-social-engineering-penetration-test%2F@de26bc82c68f7913a966390d38629f0f076526eb