log-evasion

Fail

Audited by Gen Agent Trust Hub on Apr 22, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides instructions for executing high-risk system commands designed to blind security monitoring. Examples include patching the ntdll!EtwEventWrite function in memory to disable ETW, creating the MiniNT registry key to suppress Windows Event Log generation, and using Invoke-Phant0m techniques to terminate the threads of the EventLog service without stopping the service itself. It also details how to disable Linux kernel auditing using auditctl -e 0 and how to terminate the auditd process.
  • [DATA_EXFILTRATION]: The skill identifies and targets sensitive system file paths for monitoring or modification, which could lead to the exposure of credentials or system history. These include /etc/shadow, /var/log/auth.log, and .bash_history on Linux, as well as Security event logs (.evtx) and LSASS process memory on Windows.
  • [PROMPT_INJECTION]: The skill establishes an indirect prompt injection surface by requiring the agent to ingest and analyze untrusted system logs which could contain malicious instructions.
      • Ingestion points: Analysis of auth.log, syslog, audit.log, and Windows Security/System event logs.
      • Boundary markers: Absent. The skill does not provide delimiters or instructions to separate log data from agent commands.
      • Capability inventory: The skill includes high-privilege operations such as file system modification (sed, utmpdump), registry manipulation (reg add), and process control (kill, TerminateThread).
      • Sanitization: Absent. There are no mechanisms described for validating or escaping content retrieved from external logs before it is processed by the agent.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Apr 22, 2026, 10:08 AM