The Agent Skills Directory

[COMMAND_EXECUTION]: The script scripts/agent.py executes PowerShell commands to gather telemetry from the host system.\n
Evidence: subprocess.check_output is used to run powershell -Command in the query_ad_service_accounts and check_interactive_logons functions.\n
Context: These operations are necessary for the skill's primary purpose of threat hunting in Active Directory environments.\n- [PROMPT_INJECTION]: The script scripts/process.py creates a surface for indirect prompt injection by processing untrusted log data without proper isolation.\n
Ingestion points: Log files (JSON/CSV) are parsed by the parse_logs function from user-provided input paths.\n
Boundary markers: The generated hunt report (hunt_report.md) interpolates command lines and task content directly into markdown without delimiters or warnings.\n
Capability inventory: The skill environment allows for shell command execution via PowerShell as seen in agent.py.\n
Sanitization: No sanitization, escaping, or validation is performed on the CommandLine or Task_Content fields extracted from the logs before they are written to findings reports.

detecting-service-account-abuse