detecting-t1055-process-injection-with-sysmon

Pass

Audited by Gen Agent Trust Hub on Apr 18, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill's script scripts/agent.py uses subprocess.check_output to run PowerShell (Get-WinEvent) queries against the local Sysmon event log. Execution is limited to local diagnostics, and every parameter it passes is either hardcoded or type-validated, so there is no path for arbitrary command injection.
  • [DATA_EXPOSURE]: The skill accesses local Sysmon event logs to identify potential security incidents. This is the intended and documented behavior of the tool. There is no evidence of harvesting sensitive files (e.g., credentials, SSH keys) or performing network exfiltration.
  • [SAFE]: The Python scripts (scripts/agent.py and scripts/process.py) are well-structured for security analysis purposes. They perform local data processing and reporting without external dependencies or hidden behaviors.
  • [SAFE]: Documentation and reference files provide legitimate security hunting workflows, Splunk queries, and Sigma rules consistent with industry standards for threat hunting.
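As an added example (not code from the audited skill or from Gen Agent Trust Hub), the following Python shows the two behaviours the findings above describe: running Get-WinEvent through subprocess as an argument vector whose only variable parts are validated integers, so no caller-controlled string can reach a shell or the PowerShell parser, and T1055-style hunting logic over the returned Sysmon records, using Event ID 8 (CreateRemoteThread) and Event ID 10 (ProcessAccess) with injection-capable access rights. The function names, the PowerShell pipeline shape, the source-image allowlist and the sample records are assumptions made for illustration; the Sysmon event IDs, the EventData field names and the Windows access-right bit values are standard.

```python
"""
Added example (not the audited skill's code): the two behaviours the audit
summary describes, as runnable Python.

  1. build_get_winevent_argv() assembles the PowerShell/Get-WinEvent call as an
     argument vector whose only variable parts are validated integers, so a
     caller-controlled string can never reach a shell or the PowerShell parser.
  2. triage_t1055() applies T1055-style hunting logic to Sysmon records:
     Event ID 8 (CreateRemoteThread) and Event ID 10 (ProcessAccess) with
     thread-create / memory-write rights from a non-allowlisted source image.

Only run_query() touches the host (Windows with Sysmon installed); everything
else runs offline on the constructed SAMPLE_RECORDS below.
"""
import json
import subprocess
from typing import Dict, Iterable, List

SYSMON_LOG = "Microsoft-Windows-Sysmon/Operational"
CREATE_REMOTE_THREAD, PROCESS_ACCESS = 8, 10

# Hypothetical allowlist for a test host; a real hunt tunes this per environment.
# lsass.exe is a frequent injection *target*, so it is deliberately not exempted.
BENIGN_SOURCE_IMAGES = {
    r"C:\Windows\System32\csrss.exe",
    r"C:\Windows\System32\svchost.exe",
}

# Process access rights that enable injection (winnt.h values):
# PROCESS_CREATE_THREAD 0x0002, PROCESS_VM_OPERATION 0x0008, PROCESS_VM_WRITE 0x0020.
INJECTION_ACCESS_MASK = 0x0002 | 0x0008 | 0x0020


def build_get_winevent_argv(event_ids: Iterable[int], max_events: int = 200) -> List[str]:
    """Return argv for subprocess (never a shell string, never shell=True).

    int() rejects anything that is not a whole number, so an input such as
    "8; Remove-Item" raises ValueError instead of being interpolated.
    """
    ids = sorted({int(i) for i in event_ids})
    if not ids or any(i < 1 or i > 65535 for i in ids):
        raise ValueError("event IDs must be integers in 1..65535")
    max_events = int(max_events)
    if not 1 <= max_events <= 10000:
        raise ValueError("max_events must be in 1..10000")
    # Assumed pipeline shape: flatten each event's EventData into a hashtable keyed
    # by Data Name so Python receives {"Id": ..., "SourceImage": ..., ...} per event.
    script = (
        "Get-WinEvent -FilterHashtable @{LogName='%s'; Id=@(%s)} -MaxEvents %d | "
        "ForEach-Object { $x = [xml]$_.ToXml(); $h = @{Id = $_.Id}; "
        "foreach ($d in $x.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }; $h } | "
        "ConvertTo-Json -Compress"
    ) % (SYSMON_LOG, ",".join(str(i) for i in ids), max_events)
    return ["powershell.exe", "-NoProfile", "-NonInteractive", "-Command", script]


def run_query(event_ids: Iterable[int] = (CREATE_REMOTE_THREAD, PROCESS_ACCESS),
              max_events: int = 200) -> List[Dict[str, str]]:
    """Execute the query on a Windows host with Sysmon and return the records."""
    out = subprocess.check_output(build_get_winevent_argv(event_ids, max_events), text=True)
    data = json.loads(out) if out.strip() else []
    return data if isinstance(data, list) else [data]  # ConvertTo-Json unwraps a single item


def triage_t1055(records: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag records consistent with T1055 process injection."""
    findings = []
    for r in records:
        eid = int(r.get("Id", 0))
        src, tgt = r.get("SourceImage", ""), r.get("TargetImage", "")
        if src in BENIGN_SOURCE_IMAGES or src == tgt:
            continue
        if eid == CREATE_REMOTE_THREAD:
            reason = "CreateRemoteThread into %s at %s" % (tgt, r.get("StartAddress", "?"))
        elif eid == PROCESS_ACCESS:
            granted = int(r.get("GrantedAccess", "0x0"), 16)  # Sysmon logs this as hex text
            if not granted & INJECTION_ACCESS_MASK:
                continue  # read-only / query rights (e.g. 0x1410) are not injection-capable
            reason = "ProcessAccess to %s with 0x%X (injection-capable rights)" % (tgt, granted)
        else:
            continue
        findings.append({"technique": "T1055", "event_id": str(eid), "source": src,
                         "target": tgt, "reason": reason})
    return findings


# Constructed sample records in the shape run_query() returns (not real telemetry).
SAMPLE_RECORDS = [
    {"Id": "8", "SourceImage": r"C:\Users\alice\Downloads\update.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "StartAddress": "0x00007FF8A1B20000"},
    {"Id": "10", "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"Id": "10", "SourceImage": r"C:\Users\alice\AppData\Local\Temp\loader.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1FFFFF"},
    {"Id": "10", "SourceImage": r"C:\Program Files\App\app.exe",
     "TargetImage": r"C:\Program Files\App\helper.exe", "GrantedAccess": "0x1410"},
]

if __name__ == "__main__":
    print(" ".join(build_get_winevent_argv([CREATE_REMOTE_THREAD, PROCESS_ACCESS])))
    for f in triage_t1055(SAMPLE_RECORDS):
        print(f["event_id"], f["source"], "->", f["reason"])
```

Run offline, the triage flags two of the four constructed records: the CreateRemoteThread from a Downloads-folder binary and the ProcessAccess with full rights (0x1FFFFF) from a Temp-folder loader; the allowlisted svchost access and the query-only 0x1410 access are dropped. The argument-vector builder is the pattern the audit's command-execution finding relies on: with subprocess receiving a list and every interpolated value already coerced to int, a hostile event-ID string fails validation rather than becoming PowerShell.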
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 18, 2026, 04:43 PM