dfir
Audited by Socket on May 11, 2026
3 alerts found:
Alert types: Anomaly (x1), Malware (x2)
SUSPICIOUS due to high-risk security/forensics capability being granted to an AI agent, but not malicious. The skill is internally consistent with a DFIR purpose, uses proportionate package-manager installs, and shows no credential harvesting or exfiltration. Main risk comes from enabling offensive-adjacent analysis workflows and handling untrusted forensic content with executable tooling.
This fragment is an attack-enabling credential harvesting and cracking/session-replay workflow. It reads authentication material from a PCAP, extracts and decodes plaintext credentials, assembles challenge-response hashes into cracking-ready formats, and includes guidance to replay session cookies. It is highly likely to be misused outside authorized testing/incident response and would materially increase compromise capability.
This fragment is highly suspicious supply-chain content: it is an actionable credential theft/LSASS dumping and decryption workflow focused on recovering passwords/hashes/Kerberos tickets/DPAPI master keys. Even without executable logic shown, disseminating this kind of operational TTP guidance in a package significantly increases misuse potential and should be treated as a serious security concern pending verification of the repository’s legitimate purpose and how/why it’s distributed.