performing-cloud-forensics-investigation

Pass

Audited by Gen Agent Trust Hub on Apr 11, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes cloud CLI tools (AWS, Azure, GCP) to perform administrative forensic tasks, including snapshotting volumes, modifying instance attributes for isolation, and querying audit logs. These actions are appropriate for the specified use case.
  • [COMMAND_EXECUTION]: The workflow involves using sudo mount to attach forensic volumes as read-only and cp to collect sensitive artifacts such as SSH keys, bash history, and system logs. While these are sensitive operations, they are standard procedures in digital forensics for evidence preservation.
  • [DATA_EXFILTRATION]: The skill collects sensitive cloud metadata and log files, saving them to a local investigation directory (/cases/). There is no evidence of data being transmitted to unauthorized external domains; network activity is limited to official cloud service APIs.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 11, 2026, 08:41 PM