exploiting-insecure-deserialization

Warn

Audited by Gen Agent Trust Hub on Mar 15, 2026

Risk Level: MEDIUM
Categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill provides comprehensive instructions and code examples for generating malicious serialized payloads (Java, PHP, .NET, Python) intended to achieve remote code execution on target systems during security testing.
  • [COMMAND_EXECUTION]: The scripts/agent.py script implements a test_python_pickle function that dynamically constructs a Python object whose __reduce__ method returns os.system and a command tuple, so that unpickling the object executes the command on the loading host.
  • [DATA_EXFILTRATION]: Instructions in SKILL.md include command examples that send the output of system commands (such as whoami) to external callback domains (e.g., abc123.oast.fun) to confirm a vulnerability out of band.
  • [EXTERNAL_DOWNLOADS]: The skill's workflow depends on downloading and cloning several external tool repositories from GitHub (e.g., ysoserial, ysoserial.net, phpggc) that are not hosted by trusted vendors or official organizations.
  • [PROMPT_INJECTION]: The scripts/agent.py script parses serialized data taken directly from HTTP cookies and response bodies returned by potentially untrusted remote servers, without sanitization, creating a surface for indirect instruction injection (Category 8).
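To make the COMMAND_EXECUTION finding concrete, the following is an added example written for this page; it is not code from the audited skill, from scripts/agent.py, or from Gen Agent Trust Hub. It builds the same gadget shape the audit describes (a __reduce__ that hands os.system to the unpickler), then shows the two checks a reviewer would want to run on bytes of unknown origin before ever calling pickle.loads: a pickletools opcode walk that lists every global the loader would import, and an allow-list Unpickler that refuses to resolve anything else. The class and function names (PickleGadget, referenced_globals, safe_loads, ALLOWED_GLOBALS) and the sample payloads are constructed for the example. Nothing here executes the embedded command.

```python
import io
import os
import pickle
import pickletools


class PickleGadget:
    """Constructed stand-in for the object the audit describes: when this
    pickle is loaded, __reduce__ makes the loader call os.system(cmd).
    Never pass such bytes to pickle.loads(); the functions below only
    inspect or refuse them."""

    def __init__(self, cmd):
        self.cmd = cmd

    def __reduce__(self):
        return (os.system, (self.cmd,))


def build_payload(cmd="id"):
    """Serialize the gadget with the default protocol (4+, which references
    the callable via STACK_GLOBAL rather than the older GLOBAL opcode)."""
    return pickle.dumps(PickleGadget(cmd))


def benign_payload():
    """A harmless pickle of plain containers, for comparison (constructed)."""
    return pickle.dumps({"user": "alice", "roles": ["reader"]})


_STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
               "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def referenced_globals(data):
    """Walk the opcode stream without executing it and return every
    'module.name' the loader would import. Handles GLOBAL (protocol <= 3)
    and STACK_GLOBAL (protocol >= 4), which takes module and name from the
    two most recently pushed strings. This is triage, not enforcement: a
    crafted stream can push those strings via memo lookups instead."""
    found = set()
    recent_strings = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in _STRING_OPS:
            recent_strings.append(arg)
        elif op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.add(f"{module}.{name}")
        elif op.name == "STACK_GLOBAL" and len(recent_strings) >= 2:
            found.add(f"{recent_strings[-2]}.{recent_strings[-1]}")
    return found


# Globals a consumer of this data legitimately needs; everything else is refused.
ALLOWED_GLOBALS = {("builtins", "set"), ("builtins", "frozenset"),
                   ("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    """find_class is the exact point where os.system (on Linux pickled as
    'posix.system') would be resolved; refusing here is the real control."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def safe_loads(data):
    """Return (True, obj) when the pickle uses only plain containers and
    allow-listed globals, else (False, reason); the blocked callable is
    never invoked because find_class raises before REDUCE runs."""
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


if __name__ == "__main__":
    evil = build_payload("id")
    print("globals referenced:", referenced_globals(evil))
    print("restricted load of gadget:", safe_loads(evil))
    print("restricted load of benign:", safe_loads(benign_payload()))
```

The opcode walk is useful for logging and detection (it shows what a cookie or response body would import without running it), but only the allow-list Unpickler actually prevents execution, since a pickle stream can reach REDUCE through paths the heuristic does not track. Where the data does not need to be a pickle at all, replacing it with JSON removes the class entirely.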
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 15, 2026, 09:38 PM