triaging-security-alerts-in-splunk

Pass

Audited by Gen Agent Trust Hub on Mar 15, 2026

Risk Level: SAFE
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The agent.py script requires the user to pass a Splunk password as a command-line argument (--password). Credentials passed in this manner are visible to other users on the system via process monitoring utilities and are typically recorded in shell history files.
  • [COMMAND_EXECUTION]: The script builds Splunk Search Processing Language (SPL) queries by interpolating data retrieved from the environment directly into query strings without sanitization, creating a surface for indirect SPL injection.
  • Ingestion points: The script fetches notable event data (IPs, usernames) from Splunk ES using the get_notable_events function in scripts/agent.py.
  • Boundary markers: No delimiters or safety instructions are used to separate untrusted data from the SPL query structure.
  • Capability inventory: The script uses service.jobs.create in scripts/agent.py to execute these dynamically generated queries against the Splunk server.
  • Sanitization: There is no evidence of escaping or validation of variables such as src_ip, user, or indicator before they are embedded in search queries via Python f-strings.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 15, 2026, 12:26 AM