The Agent Skills Directory

[COMMAND_EXECUTION]: The script scripts/agent.py uses subprocess.run to execute a hardcoded PowerShell command that queries the Windows Security event log for RDP logon events. This is a legitimate administrative function required for the skill's purpose of session monitoring.
[SAFE]: The utility scripts/agent.py accesses the local system file /var/log/auth.log to parse SSH authentication events. This access is necessary for the stated functionality and does not involve network exfiltration or unauthorized file system operations.
[SAFE]: Documentation in SKILL.md and references/api-reference.md includes strings commonly associated with malicious activity, such as destructive shell commands and credential harvesting tools. These are explicitly defined as patterns for detection rules and security alerting within a Privileged Access Management (PAM) context, rather than instructions to be executed by the agent.

implementing-privileged-session-monitoring