jmagly/forensics-profile
plugins/forensics/skills/forensics-profile/SKILL.md
Build target system profile via SSH or cloud API enumeration
$ install --global
skillsauthnpx skillsauth add jmagly/aiwg forensics-profileInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 9, 2026, 9:08 AM1.6s1 file scanned
SKILL.md
- namespace:
- aiwg
- name:
- forensics-profile
- platforms:
- [all]
- description:
- Build target system profile via SSH or cloud API enumeration
- argumentHint:
- <target> [--output path] [--deep] [--cloud aws|azure|gcp]
- category:
- forensics-reconnaissance
/forensics-profile
Build a comprehensive system profile of the target by enumerating OS details, running services, user accounts, installed packages, network configuration, and security controls. The profile establishes a baseline for subsequent investigation stages.
Usage
/forensics-profile <target> [options]
Arguments
| Argument | Required | Description |
|----------|----------|-------------|
| target | Yes | SSH connection string (ssh://user@host:port) or cloud target (aws://account-id/region) |
| --output | No | Custom output directory (default: .aiwg/forensics/profiles/<hostname>-<date>/) |
| --deep | No | Perform deep enumeration including package inventory and kernel config |
| --cloud | No | Cloud provider context: aws, azure, or gcp |
| --no-network | No | Skip network enumeration (faster, less intrusive) |
| --format | No | Output format: markdown (default) or json |
Behavior
When invoked, this command:
-
Parse Target
- Resolve hostname or IP from connection string
- Verify SSH connectivity or cloud API access
- Detect operating system family (Linux distro, version, kernel)
- Record target identifier for artifact naming
-
System Enumeration
- Collect OS version, kernel version, architecture
- Enumerate running processes and services
- List installed packages and versions
- Check uptime and last reboot time
- Identify virtualization or container environment
-
User and Account Inventory
- Enumerate local user accounts from
/etc/passwd - Identify privileged users (UID 0, sudo group members)
- Check for recently created or modified accounts
- Review
/etc/sudoersand sudoers.d entries - List active login sessions and recent auth history
- Enumerate local user accounts from
-
Network Baseline
- Capture listening ports and bound services
- Document active network connections
- Record network interfaces and IP assignments
- Identify firewall rules (iptables, nftables, ufw)
- Note DNS resolver configuration
-
Security Control Assessment
- Check for security tools (auditd, fail2ban, SELinux, AppArmor)
- Review SSH daemon configuration
- Identify logging configuration and log rotation
- Note enabled/disabled security features
-
Save Profile Artifact
- Write
system-profile.mdwith structured findings - Write
system-profile.jsonfor machine processing - Generate SHA-256 hash of profile files
- Log acquisition metadata and timestamps
- Write
Examples
Example 1: Basic SSH profile
/forensics-profile ssh://[email protected]:22
Example 2: Deep profile with custom output
/forensics-profile ssh://[email protected] --deep --output .aiwg/forensics/profiles/web-server/
Example 3: Cloud target
/forensics-profile aws://123456789012/us-east-1 --cloud aws
Example 4: JSON output for pipeline use
/forensics-profile ssh://analyst@host --format json
Output
Artifacts are saved to .aiwg/forensics/profiles/<hostname>-<date>/:
.aiwg/forensics/profiles/web01-2026-02-27/
├── system-profile.md # Human-readable profile
├── system-profile.json # Machine-readable profile
├── acquisition-log.yaml # Timing and metadata
└── checksums.sha256 # Integrity hashes
Sample Output
Profiling Target: 192.168.1.50
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Step 1: Connecting to target
Connected via SSH ([email protected]:22)
OS detected: Ubuntu 22.04.3 LTS (kernel 5.15.0-91)
Step 2: System enumeration
Hostname: web01.internal
Uptime: 47 days, 3 hours
Architecture: x86_64
Running services: 23 active units
Installed packages: 412
Step 3: User inventory
Total accounts: 28 (4 with shell access)
Privileged users: root, deploy
Sudo group members: admin, deploy
Active sessions: 2
Step 4: Network baseline
Interfaces: eth0 (10.0.1.50/24), lo
Listening ports: 22 (sshd), 80 (nginx), 443 (nginx), 3306 (mysqld)
Active connections: 14 established
Firewall: ufw active (12 rules)
Step 5: Security controls
auditd: active
fail2ban: active (3 jails)
AppArmor: enforcing (18 profiles)
SSH: password auth disabled, key-only
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Profile complete.
Output: .aiwg/forensics/profiles/web01-2026-02-27/
Next Steps:
/forensics-triage ssh://[email protected] - Capture volatile data
/forensics-investigate ssh://[email protected] --scope full
References
- @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/agents/recon-agent.md - Recon Agent
- @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/templates/system-profile.md - Profile template
- @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/commands/forensics-triage.md - Next stage
Related Skills
jmagly/radar-status
data-ai
VerifiedTrustedCommunity
Report which research-corpus radar sidecars are overdue for refresh. Computes staleness (days since last refresh vs the cadence window) for every radar, sorted most-overdue-first. Runs via `aiwg corpus radar-status`.
140SKILL.mdUpdated May 28, 2026
jmagly/radar-report
data-ai
VerifiedTrustedCommunity
Aggregate research-corpus radar sidecars into a corpus or per-cluster freshness report — totals, overdue count, per-cluster / per-GRADE / per-trajectory breakdowns, an overdue table, and per-radar rationale snippets. Runs via `aiwg corpus radar-report`.
140SKILL.mdUpdated May 28, 2026
jmagly/radar-init
testing
VerifiedTrustedCommunity
Scaffold radar/freshness sidecars for research-corpus REFs. Pulls title/authors from the citation sidecar and GRADE from the analysis doc, defaults the refresh cadence from GRADE and the cluster from a corpus-local map, and stamps documentation/radar/REF-XXX-radar.md. Runs via `aiwg corpus radar-init`.
140SKILL.mdUpdated May 28, 2026
jmagly/profile-temporal
data-ai
VerifiedTrustedCommunity
Compute an entity's publication trajectory — per-year paper counts, topic drift, hot-streak detection (≥3 consecutive A-grade years), and career phase. Runs via `aiwg corpus profile-temporal`.
140SKILL.mdUpdated May 28, 2026