The Agent Skills Directory

[COMMAND_EXECUTION]: The script scripts/agent.py uses subprocess.check_output to execute various system tools including noPac.py, powershell.exe, and wmic.exe. While these are part of the skill's intended functionality for security testing, the execution of shell commands with variable parameters increases the attack surface.
[DYNAMIC_EXECUTION]: In scripts/process.py, the function check_machine_account_quota constructs a multi-line Python script as a string using an f-string and executes it via subprocess.run(['python3', '-c', ...]). This method of dynamic code generation and execution is a risky practice as it bypasses standard module loading and makes the execution flow harder to audit.
[COMMAND_EXECUTION]: The dynamic Python script construction in scripts/process.py directly interpolates variables like {domain}, {username}, and {password} into the script string. Because these variables are not sanitized or escaped, an attacker or a user with a specially crafted password (e.g., containing single quotes and Python commands) could achieve arbitrary code execution on the host machine running the script.
[REMOTE_CODE_EXECUTION]: The skill documentation and error messages in scripts/process.py encourage the user to download and run external scripts from third-party GitHub repositories (e.g., github.com/cube0x0/noPac). Executing unverified code from external sources is a significant security risk.

exploiting-nopac-cve-2021-42278-42287