The Agent Skills Directory

[EXTERNAL_DOWNLOADS]: The skill performs network requests to several well-known external services including VirusTotal, AbuseIPDB, PagerDuty, and the MITRE ATT&CK API for the purpose of threat intelligence enrichment and incident management.
[DATA_EXFILTRATION]: As part of the automated triage process, the skill transmits security indicators such as IP addresses, file hashes, and domain names to third-party services like VirusTotal and AbuseIPDB for reputation scoring.
[COMMAND_EXECUTION]: The workflow involves the execution of local shell commands using curl and jq, as well as Python scripts for data processing, reporting, and integration with internal systems like Splunk and TheHive.
[PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface because it processes alert data sourced from external detection systems (SIEM/EDR).
Ingestion points: Alert summaries and descriptions are retrieved from Splunk and TheHive and passed to triage classification logic in scripts/agent.py and scripts/process.py.
Boundary markers: There are no explicit delimiters or instructions to ignore instructions embedded within the processed alert text.
Capability inventory: The skill can perform network requests, execute shell commands, and interact with incident management APIs.
Sanitization: The skill does not perform validation or sanitization of the alert content before using it to generate triage decisions and reports.

triaging-security-incident-with-ir-playbook