The Agent Skills Directory

[COMMAND_EXECUTION]: The skill uses shell commands and specialized forensic tools like vssadmin, volatility, and find to gather evidence, assess shadow copy status, and analyze memory dumps. These are standard practices in cybersecurity incident response.
[EXTERNAL_DOWNLOADS]: The workflow and scripts make requests to established cybersecurity platforms including VirusTotal, ID Ransomware, and the No More Ransom project for variant identification and threat analysis. These interactions target well-known and trusted security resources.
[PROMPT_INJECTION]: The skill processes ransom notes found on target systems, which are attacker-controlled files, creating a surface for indirect prompt injection.
Ingestion points: Ransom note contents are read from the filesystem into the agent's context for analysis and report generation.
Boundary markers: The skill does not use specific delimiters or instructions to distinguish the untrusted ransom note content from trusted system data during processing.
Capability inventory: The agent can read files, execute system commands, and perform network requests to security databases.
Sanitization: There is no evidence of sanitization or escaping applied to the text extracted from ransom notes before it is included in investigation reports.

investigating-ransomware-attack-artifacts