The Agent Skills Directory

[EXTERNAL_DOWNLOADS]: The skill provides instructions to download and build Zeek from its official GitHub repository (https://github.com/zeek/zeek). This is a well-known and trusted source for network security software.
[COMMAND_EXECUTION]: The script scripts/agent.py utilizes subprocess.run to interact with the system's Zeek installation. It executes commands such as zeek --version, zeekctl status, and zeek -r to process PCAP files. These operations use list-based arguments to prevent shell injection and are consistent with the skill's operational requirements.
[COMMAND_EXECUTION]: SKILL.md contains instructions for the user to perform system-level configurations using sudo, including package installation, network interface tuning with ethtool, and service deployment with zeekctl. These elevated privileges are standard for tools requiring raw network packet access.
[COMMAND_EXECUTION]: A persistence mechanism is established via a cron job (/etc/cron.d/zeek-logrotate) to handle periodic log maintenance. This is a routine administrative task for the Zeek monitoring service.
[PROMPT_INJECTION]: The skill presents a surface for indirect prompt injection because it ingests and processes untrusted network metadata from Zeek logs (e.g., DNS queries, HTTP user agents). While agent.py parses these logs safely into structured data, a downstream LLM processing the resulting reports could be influenced by malicious content embedded within the network traffic.
[SAFE]: The skill uses placeholders for sensitive information, such as ${ES_PASSWORD} in the Filebeat configuration, avoiding the use of hardcoded credentials.

detecting-network-anomalies-with-zeek