performing-endpoint-forensics-investigation

Pass

Audited by Gen Agent Trust Hub on Mar 15, 2026

Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/agent.py uses the subprocess module to execute local Windows commands for forensic collection, including wmic, netstat, reg, and schtasks. These commands are executed using list-based arguments, which prevents shell injection, and are strictly limited to information gathering for forensic triage.
  • [DATA_EXFILTRATION]: The triage script scripts/agent.py collects sensitive system metadata, including process lists (with command lines), active network connections, and registry persistence keys. This data is written to standard output in JSON format for the investigator. No unauthorized network transmission or exfiltration to external domains was detected in the code.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface in scripts/process.py, which parses external forensic artifacts (CSV files) generated by third-party tools like KAPE or PECmd.
      • Ingestion points: Reads CSV files from a user-specified directory via os.walk and csv.DictReader in scripts/process.py.
      • Boundary markers: None observed in the processing script; data is parsed and aggregated into a JSON report.
      • Capability inventory: The skill includes file writing (scripts/process.py writing to forensic_analysis.json) and system command execution (scripts/agent.py).
      • Sanitization: The script performs basic parsing and field extraction but does not sanitize content against potential malicious strings embedded in forensic artifacts that could influence an LLM interpreting the final report.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 15, 2026, 10:50 PM