Ctf Forensics
v1.0.0
Provides digital forensics and signal analysis techniques for CTF challenges. Use when analyzing disk images, memory dumps, event logs, network captures, cry...
by @gandli
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Benign, medium confidence
Purpose & Capability
The name/description match the content: extensive disk/memory/network/stego/crypto forensics techniques. The registry declares no required binaries/env vars, but SKILL.md lists many recommended pip/apt/brew/gem packages and expects a filesystem-capable agent with Python/bash and internet access for installing tools — this is reasonable for a how-to forensic guide but is a capability/requirements discrepancy the user should be aware of.
Instruction Scope
SKILL.md and companion files instruct the agent to read/write/mount images, parse Windows registry hives, extract browser master keys, open /etc/shadow, use cryptsetup with recovered master keys, and even include examples of base64+nc exfiltration. Those behaviors are consistent with forensics training, but they are high-risk if executed on a live host or without explicit user consent. The instructions do not limit the target context (e.g., sandboxed evidence images vs. host filesystem), so automated invocation could perform sensitive reads or potentially destructive actions.
Install Mechanism
There is no automated install spec or code — this is instruction-only (low file-write risk). However the guide explicitly recommends installing many third-party tools (via apt/brew/pip/gem) and requires internet access for that; installing those tools is up to the operator and could pull a lot of external software. No arbitrary download-and-extract install URLs are embedded in the skill files.
Credentials
The skill does not request environment variables, credentials, or config paths in registry metadata. The instructions reference accessing local artifacts (registry hives, /etc files, browser Local State) which are appropriate for a forensics guide; there are no declared requests for unrelated cloud credentials or other third-party tokens.
Persistence & Privilege
The skill is not always-enabled, has no install-time persistence, and contains no code that alters other skills or global agent settings. It is instruction-only and therefore has no built-in permanent privilege escalation.
Assessment
This is essentially an offline how-to reference for CTF-style forensics: it is coherent with that purpose but contains many commands that access sensitive artifacts (registry hives, /etc/shadow, browser master keys), perform crypto/key operations, mount images, and even demonstrate exfiltration techniques. Before using:
(1) do not grant the skill automatic filesystem access or network access — run it only in a controlled/sandboxed environment with sample evidence files;
(2) review any commands that will run as root or that modify system state (mount, cryptsetup, dd) and prefer read-only analysis on copies;
(3) be cautious with examples that use netcat/base64 or other exfil methods — they are illustrative but could leak data if executed;
(4) if you plan to install recommended packages, inspect and install them manually from trusted package sources rather than letting an agent do it automatically;
(5) if you do not trust the skill to act autonomously, disable automatic invocation or require manual approval for any actions that touch the host filesystem or network.
