jmagly/target-profiling
agentic/code/frameworks/forensics-complete/skills/target-profiling/SKILL.md
Research and build a target system profile via SSH — discovers OS, services, users, network baseline, and security stack
$ install --global
skillsauthnpx skillsauth add jmagly/aiwg target-profilingInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 28, 2026, 12:21 PM144.6s1 file scanned
SKILL.md
- namespace:
- aiwg
- name:
- target-profiling
- description:
- Research and build a target system profile via SSH — discovers OS, services, users, network baseline, and security stack
- tools:
- Bash, Read, Write, Glob, Grep
- platforms:
- [all]
target-profiling
Connects to a target system over SSH and constructs a structured baseline profile covering operating system details, running services, user accounts, network configuration, and installed security tooling. The profile serves as the foundation for all subsequent forensic work.
Triggers
Alternate expressions and non-obvious activations (primary phrases are matched automatically from the skill description):
- "OSINT [target]" → open-source intelligence gathering
- "footprint [domain]" → attack surface mapping
- "recon [system]" → system reconnaissance
Purpose
Before any investigation can proceed, examiners need a documented understanding of what the system looks like in its current state. This skill produces a structured .aiwg/forensics/profiles/<hostname>.md file that records point-in-time system state, making deviations visible during analysis.
Behavior
When triggered, this skill:
-
Parse connection string:
- Accepts
user@host,user@host:port, or a named SSH config alias - Validates connectivity before starting collection
- Example:
ssh -o ConnectTimeout=10 [email protected] 'echo ok'
- Accepts
-
Collect OS identity:
- Read
/etc/os-releasefor distro and version - Capture kernel version with
uname -r - Record architecture with
uname -m - Capture system uptime and last reboot time
- Read
-
Enumerate running services:
- Use
systemctl list-units --type=service --state=running(systemd systems) - Fall back to
service --status-allorrc-statuson non-systemd systems - Record enabled-at-boot services separately from currently active
- Use
-
Enumerate local user accounts:
- Parse
/etc/passwdfor non-system accounts (UID >= 1000) - Check
/etc/sudoersand/etc/sudoers.d/for privilege grants - List accounts with active login shells
- Record last login times from
lastlogorlast
- Parse
-
Capture network baseline:
- Active interfaces and addresses:
ip addr show - Routing table:
ip route show - Listening ports and owning processes:
ss -tlnpornetstat -tlnp - Current established connections:
ss -tnp state established
- Active interfaces and addresses:
-
Identify security tooling:
- Check for presence of auditd, SELinux/AppArmor, fail2ban, crowdstrike, osquery, wazuh, filebeat
- Record firewall type (iptables, nftables, ufw, firewalld) and active ruleset summary
-
Write profile document:
- Save to
.aiwg/forensics/profiles/<hostname>.md - Include collection timestamp and SSH user used
- Save to
Usage Examples
Example 1 — Basic profile
profile target [email protected]
Connects as the specified user and writes .aiwg/forensics/profiles/webserver-01.md.
Example 2 — Non-standard port
profile target [email protected]:2222
Connects on port 2222, derives hostname from the target's hostname command.
Example 3 — Named alias
system reconnaissance prod-db-01
Resolves prod-db-01 via ~/.ssh/config.
Output Locations
- Profile:
.aiwg/forensics/profiles/<hostname>.md - Raw collection log:
.aiwg/forensics/profiles/<hostname>-raw.txt
Configuration
target_profiling:
ssh_timeout: 10
min_uid: 1000
include_security_tools:
- auditd
- apparmor
- selinux
- fail2ban
- crowdstrike
- osquery
- wazuh
- filebeat
output_format: markdown
References
- @$AIWG_ROOT/agentic/code/addons/aiwg-utils/rules/research-before-decision.md — Validate SSH connectivity before starting collection; document what is and is not accessible
- @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/rules/non-destructive.md — Profile using read-only commands only; do not alter target system state
- @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/rules/evidence-integrity.md — Record collection timestamp and SSH user with the profile for forensic traceability
- @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/skills/linux-forensics/SKILL.md — Target profile feeds as baseline context for subsequent Linux forensic investigation
- @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/skills/evidence-preservation/SKILL.md — Profile documents collected after target profiling feed the evidence preservation workflow
Related Skills
jmagly/radar-status
data-ai
VerifiedTrustedCommunity
Report which research-corpus radar sidecars are overdue for refresh. Computes staleness (days since last refresh vs the cadence window) for every radar, sorted most-overdue-first. Runs via `aiwg corpus radar-status`.
140SKILL.mdUpdated May 28, 2026
jmagly/radar-report
data-ai
VerifiedTrustedCommunity
Aggregate research-corpus radar sidecars into a corpus or per-cluster freshness report — totals, overdue count, per-cluster / per-GRADE / per-trajectory breakdowns, an overdue table, and per-radar rationale snippets. Runs via `aiwg corpus radar-report`.
140SKILL.mdUpdated May 28, 2026
jmagly/radar-init
testing
VerifiedTrustedCommunity
Scaffold radar/freshness sidecars for research-corpus REFs. Pulls title/authors from the citation sidecar and GRADE from the analysis doc, defaults the refresh cadence from GRADE and the cluster from a corpus-local map, and stamps documentation/radar/REF-XXX-radar.md. Runs via `aiwg corpus radar-init`.
140SKILL.mdUpdated May 28, 2026
jmagly/profile-temporal
data-ai
VerifiedTrustedCommunity
Compute an entity's publication trajectory — per-year paper counts, topic drift, hot-streak detection (≥3 consecutive A-grade years), and career phase. Runs via `aiwg corpus profile-temporal`.
140SKILL.mdUpdated May 28, 2026