The Agent Skills Directory

[COMMAND_EXECUTION]: The skill provides numerous commands for forensic analysis using established tools like Volatility 3, Tshark/Wireshark, Binwalk, and Sleuth Kit. These are used for legitimate diagnostic and recovery purposes within the stated scope of CTF forensics.
[EXTERNAL_DOWNLOADS]: The documentation references and provides instructions for installing various specialized tools and libraries (e.g., heatshrink2, femtozip, keepass2john). These sources are well-known in the security community or are official package registries.
[DATA_EXPOSURE]: The skill frequently references sensitive file paths such as SAM/SYSTEM hives, SSH keys, and environment variables. However, these references are contextually appropriate as they describe evidence extraction from forensic images provided in a challenge, rather than attempting to access the host system's credentials.
[INDIRECT_PROMPT_INJECTION]: The skill is designed to ingest and process untrusted external data (forensic evidence like PCAPs and disk images). While this constitutes an attack surface, the skill serves as a reference guide for analytical workflows and does not inherently facilitate the execution of instructions embedded in that data. Evidence of this surface includes:
Ingestion points: Processes external files like .dd, .pcap, and .vmem (SKILL.md, references/disk-and-memory.md).
Boundary markers: Absent (Standard for a reference guide).
Capability inventory: Extensive use of shell commands and Python execution (SKILL.md, references/*.md).
Sanitization: Not applicable for a documentation-based skill.

ctf-forensics