skills/mukul975/anthropic-cybersecurity-skills/conducting-spearphishing-simulation-campaign/Gen Agent Trust Hub
conducting-spearphishing-simulation-campaign
Pass
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: SAFE
Full Analysis
- [PROMPT_INJECTION]: No evidence of prompt injection or instructions to bypass safety guidelines was found. The skill maintains a consistent focus on educational and simulation objectives.
- [DATA_EXFILTRATION]: The scripts use the 'requests' library to communicate with a GoPhish API server. This behavior is expected and requires user-provided credentials (API keys) via command-line arguments. No unauthorized access to sensitive local files (e.g., SSH keys, environment variables) or hardcoded secrets was detected.
- [REMOTE_CODE_EXECUTION]: The skill mentions external dependencies like 'requests', 'dnspython', and 'rich', which are standard Python packages. It also provides instructions for downloading 'GoPhish' from its official GitHub repository, a well-known and trusted source in this domain.
- [OBFUSCATION]: A workflow document contains an example of 'HTML Smuggling' that includes a Base64-encoded string representing a PE file header. This is explicitly presented as a pedagogical example of a payload used in simulations and does not represent an attempt to hide malicious code within the skill itself.
- [INDIRECT_PROMPT_INJECTION]: The 'process.py' script ingests external data from 'targets.csv' to generate personalized email templates using string formatting. While this presents a theoretical injection surface (Category 8), the capabilities of the script are limited to local file writing and DNS lookups, and no automated feedback loop to the LLM is established, minimizing risk.
Audit Metadata