hunting-for-living-off-the-land-binaries

Pass

Audited by Gen Agent Trust Hub on Apr 7, 2026

Risk Level: SAFE, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill processes external, untrusted log data, which constitutes an indirect prompt injection surface.
      • Ingestion points: Untrusted data enters the agent context through Elasticsearch query results in scripts/agent.py and via Sysmon XML, CSV, and JSON log files in scripts/process.py.
      • Boundary markers: None. Log entries are processed without delimiters or instructions to the agent to ignore embedded commands.
      • Capability inventory: The skill's scripts can read and write files (for reports and findings) and perform network queries to configured Elasticsearch instances. It does not possess arbitrary command execution or system modification capabilities.
      • Sanitization: Log content is evaluated using regular expressions but is not escaped or sanitized before being included in generated reports or processed by the agent.
  • [DATA_EXFILTRATION]: The scripts/process.py script uses the standard xml.etree.ElementTree library to parse exported Sysmon XML logs. This library is known to be vulnerable to XML External Entity (XXE) attacks. If an adversary can influence the content of the logs being analyzed, they could potentially exploit this vulnerability to read local files from the host system where the script is executed.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 7, 2026, 06:47 PM