dfir
Pass
Audited by Gen Agent Trust Hub on May 2, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill provides Python scripts and CLI tool instructions (e.g., `tshark`, `analyzeMFT`, `7z`, `hashcat`) to process forensic evidence files. These operations are standard for forensic automation and are executed locally on provided artifacts.
- [EXTERNAL_DOWNLOADS]: Instructions include installing reputable forensic libraries and tools via standard package managers (`pip install python-evtx windowsprefetch analyzeMFT`, `brew install wireshark`). All identified dependencies are well-known in the security community.
- [DATA_EXFILTRATION]: The skill is designed to identify and extract sensitive system artifacts such as the Active Directory database (`ntds.dit`), registry hives (`SAM`, `SYSTEM`), and firewall logs. This capability is the primary intended function of a forensic tool and no unauthorized remote exfiltration was detected.
- [PROMPT_INJECTION]: Indirect injection surface analysis.
  - Ingestion points: The skill processes untrusted forensic artifacts including `.evtx` logs, `.pcap` captures, and NTFS `$MFT` files.
  - Boundary markers: No specific delimiters or "ignore instructions" markers are used when processing the contents of these artifacts.
  - Capability inventory: The skill utilizes subprocess calls to forensic utilities and executes Python scripts for binary data parsing and timestamp correlation across multiple files.
  - Sanitization: The skill uses structured parsing (e.g., XML namespace handling for EVTX and CSV column extraction for MFT) rather than free-text interpretation, which significantly reduces the risk of malicious payload execution from analyzed data.