Gen Agent Trust Hub audit: skills/mukul975/anthropic-cybersecurity-skills/performing-mobile-device-forensics-with-cellebrite
Warn
Audited by Gen Agent Trust Hub on Apr 11, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION)
Full Analysis
- [COMMAND_EXECUTION]: Requires administrative access (sudo) to install system-level forensics packages such as libimobiledevice-utils, and uses su inside ADB shells to perform low-level physical disk acquisitions from rooted Android devices.
- [EXTERNAL_DOWNLOADS]: Automates installation of third-party forensics packages (aleapp, ileapp, pillow) from the Python Package Index (PyPI), so the skill's behaviour depends on code fetched from outside the repository at run time.
- [DATA_EXFILTRATION]: Extracts and aggregates high-sensitivity personal artifacts, including private messaging databases (WhatsApp, iMessage), call logs, contacts, and GPS coordinates from image metadata, and centralizes them in the local case directory.
- [PROMPT_INJECTION]: Presents a surface for indirect prompt injection (Category 8). Evidence: (1) Ingestion points: untrusted mobile-device databases are parsed in scripts/agent.py via sqlite3, so any text stored on the device (message bodies, contact names, table or column names) reaches the agent's context. (2) Boundary markers: no explicit delimiters or instructions separate that untrusted data from agent logic. (3) Capability inventory: file-system access and data parsing across multiple scripts, which an injected instruction could steer. (4) Sanitization: no validation or sanitization of ingested database schemas or content.
- [REMOTE_CODE_EXECUTION]: The search_keyword method in scripts/agent.py builds SQL queries by interpolating table and column names read from the untrusted database's own metadata (sqlite_master). Those identifiers are attacker-controlled in a crafted database file, so a name containing SQL syntax can alter the constructed query (identifier injection), misattribute or suppress results, or make the agent act on data it never searched for. The audit classifies this as remote code execution because the malicious input is a file the agent processes from the device rather than anything typed by the examiner.
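The following is an added illustration of the identifier-injection finding above; it is not code from the audited skill or from scripts/agent.py, whose exact query shape the audit does not reproduce. It constructs a small in-memory SQLite database in which one table carries an attacker-chosen name, then contrasts a naive search_keyword that interpolates sqlite_master names (assumed to resemble the audited pattern) with a hardened version that allow-lists identifiers, quotes them, and binds the keyword as a parameter. The function names, the sample schema and the malicious table name are all constructed for this example.

```python
import re
import sqlite3

# Constructed sample standing in for an untrusted app database pulled from a
# device. The second table's name is attacker-controlled: it terminates the
# FROM clause of a naively built query and comments out the WHERE clause.
SAMPLE_SCHEMA = [
    "CREATE TABLE messages (body TEXT)",
    "INSERT INTO messages VALUES ('hello'), ('the secret plan')",
    'CREATE TABLE "messages WHERE 1=1 --" (body TEXT)',
]


def open_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    for stmt in SAMPLE_SCHEMA:
        conn.execute(stmt)
    return conn


def list_tables(conn: sqlite3.Connection) -> list[str]:
    return [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]


def columns_of(conn: sqlite3.Connection, table: str) -> list[str]:
    # The table-valued pragma accepts a bound parameter, unlike PRAGMA table_info(name),
    # so the untrusted table name never touches SQL syntax here.
    return [r[0] for r in conn.execute(
        "SELECT name FROM pragma_table_info(?)", (table,))]


def search_keyword_vulnerable(conn: sqlite3.Connection, keyword: str) -> list[tuple]:
    """Hypothetical naive search: identifiers and keyword are interpolated verbatim."""
    hits = []
    for table in list_tables(conn):
        for col in columns_of(conn, table):
            # For the malicious table this becomes:
            #   SELECT body FROM messages WHERE 1=1 -- WHERE body LIKE '%...%'
            # i.e. every row of the real 'messages' table, attributed to the wrong table.
            sql = f"SELECT {col} FROM {table} WHERE {col} LIKE '%{keyword}%'"
            hits += [(table, col, r[0]) for r in conn.execute(sql)]
    return hits


# Allow-list for identifiers we are willing to interpolate at all.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def quote_ident(name: str) -> str:
    # Double-quote quoting is SQLite's standard identifier form; doubling any
    # embedded quote keeps the identifier syntactically inert. Quoting is still
    # needed for allow-listed names such as 'order' or 'group' that are keywords.
    return '"' + name.replace('"', '""') + '"'


def escape_like(s: str) -> str:
    # Keep user-supplied '%' and '_' literal inside the LIKE pattern.
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_keyword_hardened(conn: sqlite3.Connection, keyword: str):
    """Identifiers allow-listed and quoted; keyword bound as a parameter.
    Returns (hits, skipped) so suspicious schema names are surfaced, not hidden."""
    hits, skipped = [], []
    for table in list_tables(conn):
        if not IDENT_RE.match(table):
            skipped.append(table)
            continue
        for col in columns_of(conn, table):
            if not IDENT_RE.match(col):
                skipped.append(f"{table}.{col}")
                continue
            sql = (f"SELECT {quote_ident(col)} FROM {quote_ident(table)} "
                   f"WHERE {quote_ident(col)} LIKE ? ESCAPE '\\'")
            pattern = "%" + escape_like(keyword) + "%"
            hits += [(table, col, r[0]) for r in conn.execute(sql, (pattern,))]
    return hits, skipped


if __name__ == "__main__":
    db = open_sample_db()
    print("vulnerable, keyword 'zzz':", search_keyword_vulnerable(db, "zzz"))
    print("hardened,   keyword 'zzz':", search_keyword_hardened(db, "zzz"))
    print("hardened,   keyword 'secret':", search_keyword_hardened(db, "secret"))
```

With the keyword `zzz`, which matches nothing, the naive search still reports both rows of `messages` as hits under the injected table name; the hardened search reports no hits and lists the rejected table name in `skipped`, which is the signal an examiner wants logged when a device database carries a schema that does not look like an application wrote it.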
Audit Metadata