deploying-osquery-for-endpoint-monitoring

Pass

Audited by Gen Agent Trust Hub on Mar 16, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The scripts/agent.py script utilizes the subprocess module to execute the osqueryi binary. This is the standard method for interacting with osquery to retrieve system telemetry and is consistent with the skill's purpose.
  • [EXTERNAL_DOWNLOADS]: The SKILL.md file directs users to download osquery from official sources, including osquery.io and pkg.osquery.io. It also references fleetdm.com for centralized fleet management. These are trusted, well-known services within the cybersecurity community.
  • [DATA_EXFILTRATION]: The scripts/agent.py file collects sensitive system data such as listening ports, SUID binaries, and SSH authorized keys. The script is capable of sending this data to a user-provided Fleet server URL. This behavior is documented and represents the primary intended function of the monitoring agent.
  • [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection via system telemetry ingestion. This is considered a low-risk architectural characteristic for this type of tool.
      • Ingestion points: scripts/process.py reads osquery result logs from the file system.
      • Boundary markers: None; logs are processed as raw JSON lines.
      • Capability inventory: scripts/agent.py can execute local commands (osqueryi) and perform network operations.
      • Sanitization: The processing script decodes JSON but does not sanitize data fields for potential instruction-carrying content.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 16, 2026, 07:59 AM