0X6C7879/linuxgun
skills/linuxgun/SKILL.md
Linux 应急响应专用技能。Use when users provide SSH connection fields (hostname, port, username, password) and need guided intrusion triage, evidence-oriented command execution, per-command analysis, threat grading, and actionable containment/remediation recommendations.
$ install --global
skillsauthnpx skillsauth add 0X6C7879/aegissec linuxgunInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 22, 2026, 5:53 AM110.3s5 files scanned
SKILL.md
- name:
- linuxgun
- description:
- Linux 应急响应专用技能。Use when users provide SSH connection fields (hostname, port, username, password) and need guided intrusion triage, evidence-oriented command execution, per-command analysis, threat grading, and actionable containment/remediation recommendations.
- compatibility:
- Requires filesystem-based agent with terminal execution capability (expect/ssh) and read access to skill reference files.
- user-invocable:
- false
- id:
- linux-emergency-response
- trigger_regex:
- (?=.*hostname\s*=\s*\S+)(?=.*port\s*=\s*\d+)(?=.*username\s*=\s*\S+)(?=.*password\s*=\s*\S+).+
Linux Gun AI Skills
快速开始
当用户消息同时包含 hostname、port、username、password 四段时:
- 验证参数完整性(见下方验证规则)
- 保存连接信息用于后续 SSH 命令执行
- 询问用户选择排查流程方向(见排查流程选择)
- 使用 expect 通过 SSH 执行应急响应命令
- 每次执行命令后必须分析输出结果,给出专业结论
验证规则
- port 必须是 1-65535 整数,否则立即返回 "参数不完整:port 范围错误"
- 四段任一缺失,返回 "参数不完整,请提供 hostname port username password"
输出分析要求(重要)
每次执行命令后,必须对输出进行分析并给出结论,格式如下:
标准分析报告格式
📋 命令: [执行的命令]
📊 分析结果:
- [发现的关键信息点1]
- [发现的关键信息点2]
...
⚠️ 可疑项:
- [可疑项1及原因]
- [可疑项2及原因]
...
✅ 正常项:
- [正常项说明]
💡 建议:
- [下一步排查建议]
- [处置建议(如有必要)]
威胁等级标注
- 🔴 高危: 确认存在入侵痕迹或后门
- 🟡 中危: 存在可疑项需进一步确认
- 🟢 低危/正常: 未发现明显异常
核心排查重点
根据输出内容重点关注以下8个方面:
- 用户排查: UID=0 的非 root 用户、新建用户、异常 shell
- 进程排查: 高 CPU/内存占用、异常进程名、隐藏进程、挖矿特征
- 网络排查: 外连 IP、异常端口、反弹 shell 特征
- 文件排查: 近期修改文件、SUID/SGID 文件、隐藏文件、webshell
- 计划任务: 异常定时任务、base64 编码命令、外连下载
- 启动项: 异常服务、rc.local 修改、bashrc 后门
- 日志分析: 暴力破解、异常登录 IP、sudo 提权
- 后门检测: LD_PRELOAD、SSH 公钥、rootkit 特征
💡 详细解读要点见 references/analysis-guide.md
排查流程选择
连接成功后,询问用户选择使用哪个排查流程:
0. 快速全面排查(自动执行关键检查项并汇总分析)
1. 系统信息排查
2. 网络连接排查
3. 进程排查
4. 文件排查
5. 后门排查
6. 隧道检测
7. webshell排查
8. 病毒排查
9. 内存排查
10. 黑客工具排查
11. 内核排查
12. 其他排查
13. Kubernetes排查
14. 系统性能分析
15. 基线检查
📖 各流程详细检查项见 references/workflows.md 🔧 具体命令和操作见 references/commands-mapping.md
执行流程
选择"快速全面排查"时
- 自动执行所有检查项中的关键命令
- 汇总分析所有输出结果
- 给出综合报告和处置建议
选择单个排查流程时
- 执行该流程下的所有检查项命令
- 分析每个命令的输出结果
- 给出该领域的专业排查报告
- 建议下一步排查方向
交互式排查
- 如果用户未指定流程,建议从 系统信息排查 开始
- 根据发现的可疑项,引导用户深入相关领域
- 可以随时切换到其他排查流程
参考文档
- workflows.md - 16个排查流程的详细检查项清单
- commands-mapping.md - 检查项到具体命令的完整映射表
- analysis-guide.md - 各类检查项的详细解读要点和风险判断标准
最佳实践
- 按需加载 references 文件 - 只在用户选择特定排查流程时加载对应的检查项和命令
- 保持分析连贯性 - 每次执行命令后立即分析,不要等所有命令执行完再分析
- 明确风险等级 - 根据证据强度明确标注高危/中危/低危
- 提供可执行建议 - 不仅是发现问题,还要给出具体的下一步行动建议
Related Skills
0X6C7879/wooyun-legacy
development
VerifiedTrustedCommunity
WooYun-derived business-logic testing methodology for web apps and APIs. Use when the request involves 支付、退款、订单、越权、认证、授权、价格篡改或业务流程绕过 review, especially black-box probing for price tampering, account takeover, and process bypass flaws.
2SKILL.mdUpdated Apr 28, 2026
0X6C7879/windows-privilege-escalation
tools
VerifiedTrustedCommunity
Escalate privileges on Windows systems using service misconfigurations, DLL hijacking, token manipulation, UAC bypasses, registry exploits, and credential dumping. Use when performing Windows post-exploitation or privilege escalation.
2SKILL.mdUpdated Apr 28, 2026
0X6C7879/tunnel
development
VerifiedTrustedCommunity
Use when performing AD pentest tunneling and pivoting, especially with Ligolo-ng, Chisel, frp, proxychains, SSH forwarding, SOCKS relays, reverse tunnels, or when internal reachability is the main blocker.
2SKILL.mdUpdated Apr 28, 2026
0X6C7879/threat-modeling
development
VerifiedTrustedCommunity
Threat model, security audit, find vulnerabilities, check security of my app, risk assessment, penetration test prep, analyze attack surface, what could an attacker exploit. Use this skill whenever a user wants holistic security analysis of a codebase, application, or project. MUST be invoked instead of analyzing security yourself — it runs a specialized 8-phase STRIDE workflow producing professional deliverables you cannot generate alone: risk assessment reports, DFD diagrams, threat inventories, attack path validation, mitigation plans, and pentest plans. Trigger on: 威胁建模, 安全评估, 渗透测试, 安全分析, 安全审计, 安全检查, 风险评估. NOT for: fixing one specific bug, adding one security feature (rate limiting, CORS), writing tests, CI/CD setup, or debugging errors.
2SKILL.mdUpdated Apr 22, 2026