The Agent Skills Directory

[CREDENTIALS_UNSAFE]: The scripts/agent.py script connects to the GoPhish API using the verify=False flag, disabling SSL certificate verification. This could allow an attacker on the same network to intercept the API key via a Man-in-the-Middle (MITM) attack.
[COMMAND_EXECUTION]: The skill instructions involve executing scripts/agent.py with sensitive credentials (the GoPhish API key) passed as command-line arguments, which may result in the key being recorded in plain text in the system's shell history files.
[EXTERNAL_DOWNLOADS]: The skill requires the installation of external Python libraries gophish and requests from the Python Package Index (PyPI).
[PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its data ingestion surfaces. 1. Ingestion points: Target user data is imported from a CSV file in scripts/agent.py. 2. Boundary markers: Absent; the script does not implement delimiters or instructions to ignore embedded commands in the CSV data. 3. Capability inventory: scripts/agent.py has the capability to write local files (JSON reports) and perform network operations (GoPhish API). 4. Sanitization: Absent; the script parses CSV content and passes it directly to the GoPhish server.

performing-red-team-phishing-with-gophish