containing-active-security-breach

Warn

Audited by Socket on Mar 15, 2026

2 alerts found:

Security x2

Security: MEDIUM
SKILL.md

SUSPICIOUS: The skill is internally consistent with incident-response containment and routes data to official vendor/admin endpoints, so it is not a credential-harvesting or supply-chain lure. However, it grants an AI agent powerful security operations with immediate real-world impact; this makes it high risk even though purpose alignment is strong.

Confidence: 92%, Severity: 74%

Security: MEDIUM
scripts/process.py

This module is an incident response containment tool that performs high-impact operations (firewall rule changes, hosts file sinkholing, AD account changes, EDR isolation). I found no clear malicious backdoor or exfiltration logic. However, the code contains serious syntax/format errors and insecure practices (verify=False for Splunk, no input validation, potential logging of secrets). If fixed and run with elevated privileges it can perform destructive actions — treat as powerful administrative tooling, not a casual dependency. Recommend not running this code in production until syntactic issues are fixed, inputs are validated, TLS verification is enforced, and sensitive logging is sanitized. Review and restrict who can execute it and where credentials are stored.

Confidence: 80%, Severity: 70%

Audit Metadata

Analyzed At: Mar 15, 2026, 01:54 PM
Package URL: pkg:socket/skills-sh/mukul975%2FAnthropic-Cybersecurity-Skills%2Fcontaining-active-security-breach%2F@891e10743170492959fedc4ca1f6782d4fcc1f0e