building-threat-intelligence-feed-integration

Pass

Audited by Gen Agent Trust Hub on Apr 10, 2026

Risk Level: SAFE [EXTERNAL_DOWNLOADS]
Full Analysis
  • [SAFE]: The skill performs its primary function of threat intelligence orchestration without using dangerous execution patterns such as eval(), exec(), or subprocess spawning. It focuses on structured data processing using standard libraries.
  • [EXTERNAL_DOWNLOADS]: Fetches indicators of compromise (IOCs) from established threat intelligence sources, including CISA's TAXII server and Abuse.ch's URLhaus and Feodo Tracker repositories. These downloads are limited to telemetry data and do not involve executing remote scripts or code.
  • [DATA_EXFILTRATION]: The skill transfers ingested threat data to configured security platforms like Splunk Enterprise Security and MISP. This transmission is the core intended functionality and does not involve the unauthorized collection or exfiltration of sensitive local files or system configurations.
  • [CREDENTIALS_UNSAFE]: No hardcoded credentials (API keys, passwords, or tokens) were identified. Authentication to external APIs and internal SIEM systems is handled through script arguments, environment variables, and placeholders, supporting secure configuration management.
  • [SAFE]: Ingestion points for external data include the ingest_taxii_feed, ingest_urlhaus_feed, and ingest_feodotracker functions in scripts/agent.py. While explicit prompt boundary markers are absent in the instructional text, the agent-side script normalizes all external data into structured STIX 2.1 objects using the stix2 library, which provides inherent sanitization and schema validation before the data is pushed to downstream systems.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 10, 2026, 02:44 AM