The Agent Skills Directory

[COMMAND_EXECUTION]: The scripts/agent.py file executes system utilities such as powershell.exe, reg.exe, and wevtutil.exe using subprocess.run. These commands are used to query system configuration and logs for forensic artifacts. The command arguments are hardcoded or derived from safe internal lookups, minimizing injection risks.
[SAFE]: The automated AV detection for 'VBS:Runner-NI' in SKILL.md is a false positive. The document contains literal strings representing malicious LOLBin abuse (e.g., mshta vbscript:Execute) to illustrate detection patterns for the agent. These are educational examples and are not executed.
[SAFE]: A potential indirect prompt injection surface exists because the skill ingests untrusted data from Windows Event Logs and Registry values in scripts/agent.py. Ingestion points: scripts/agent.py (reads .evtx files and registry keys). Boundary markers: Absent. Capability inventory: subprocess.run (in scripts/agent.py). Sanitization: Absent. However, the skill's capabilities are limited to system enumeration, and it does not perform automated sensitive actions based on the content of the logs.

detecting-fileless-malware-techniques