memory-forensics-volatility

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The playbook explicitly instructs running Volatility plugins (hashdump, lsadump, cachedump, mimikatz, grep for password/secret, dumpfiles, clipboard) that extract plaintext credentials and hashes from memory, which would require the agent to handle and potentially output secret values verbatim.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The playbook explicitly instructs running privileged operations that alter system state—e.g., insmod lime.ko (loading a kernel module), reading/writing system memory and placing profile/plugin files under system paths—which require root and modify the host.