The Agent Skills Directory

[EXTERNAL_DOWNLOADS]: The skill facilitates the download of the GoPhish binary and Docker container from GitHub and Docker Hub. These are recognized as trusted, well-known sources for this software.
[COMMAND_EXECUTION]: Provides shell commands for environment setup, including docker run, unzip, and chmod. These commands are standard for installing and running the described security tool.
[DATA_EXFILTRATION]: Uses the Python requests library to interface with the GoPhish API. This network communication is essential for the skill's functionality and is directed only to the user-specified API endpoint.
[CREDENTIALS_UNSAFE]: Security credentials such as API keys and SMTP passwords are required for operation but are correctly managed via command-line arguments and environment variables rather than being hardcoded.
[PROMPT_INJECTION]: An indirect prompt injection surface (Category 8) is present where scripts/process.py ingests untrusted CSV data to populate email templates. Analysis shows that while boundary markers and specific sanitization are absent, the risk is inherent to the tool's intended purpose and the skill's capabilities are restricted to documented network operations.

performing-phishing-simulation-with-gophish