The Agent Skills Directory

[EXTERNAL_DOWNLOADS]: The SKILL.md file contains instructions to download and build the EvilGinx3 framework from a third-party GitHub repository (https://github.com/kgretzky/evilginx2.git). While well-known in the security community, this repository is not managed by a trusted organization or well-known service provider.
[COMMAND_EXECUTION]: The workflow instructions in SKILL.md require the user to execute the compiled binary using sudo ./bin/evilginx, granting the third-party code root privileges on the system. Additionally, the script scripts/agent.py uses subprocess.run to execute the evilginx command to check its version.
[PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8) because it processes untrusted data from phishlet configuration files and session logs which could contain malicious instructions.
Ingestion points: scripts/agent.py reads external YAML phishlets and session log files in parse_phishlet, analyze_session_log, and generate_detection_rules. scripts/process.py reads session capture files.
Boundary markers: None. The scripts read and process file content directly without using delimiters or instructions to ignore embedded agent commands.
Capability inventory: scripts/agent.py has the ability to execute shell commands via subprocess.run. scripts/process.py performs file system write operations when exporting cookies.
Sanitization: While scripts/agent.py uses yaml.safe_load, the log parsing logic in both scripts uses simple string searching and regular expressions without validating the integrity or source of the input data.

performing-initial-access-with-evilginx3