Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills

Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
This commit is contained in:
mukul975
2026-03-10 21:02:12 +01:00
parent c74d52fa30
commit 27c6414ca5
1390 changed files with 106806 additions and 0 deletions
@@ -0,0 +1,21 @@
MIT License
Copyright (c) 2025 Anthropic Agent Skills Contributors
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
@@ -0,0 +1,71 @@
# API Reference: Detecting Mobile Malware Behavior
## Android Dangerous Permissions
| Permission | Risk | Abuse Scenario |
|------------|------|---------------|
| SEND_SMS | HIGH | Premium rate SMS fraud |
| READ_SMS | HIGH | OTP/2FA theft |
| BIND_ACCESSIBILITY_SERVICE | CRITICAL | Screen scraping, keylogging |
| BIND_DEVICE_ADMIN | CRITICAL | Device lockout, ransomware |
| INSTALL_PACKAGES | CRITICAL | Dropper functionality |
| SYSTEM_ALERT_WINDOW | HIGH | Overlay phishing attacks |
## Android Analysis Tools
```bash
# Extract permissions from APK
aapt dump permissions app.apk
# Decompile APK
apktool d app.apk -o output_dir/
# Decompile to Java source
jadx app.apk -d java_output/
# Run MobSF scan
docker run -p 8000:8000 opensecurity/mobile-security-framework-mobsf
```
## Suspicious API Patterns
```python
# Dynamic code loading
r"DexClassLoader|PathClassLoader"
# Shell execution
r"Runtime\.exec|ProcessBuilder"
# Device fingerprinting
r"TelephonyManager\.getDeviceId"
```
## MobSF REST API
```python
import requests
# Upload APK
resp = requests.post("http://localhost:8000/api/v1/upload",
files={"file": open("app.apk", "rb")},
headers={"Authorization": API_KEY})
# Get scan results
resp = requests.post("http://localhost:8000/api/v1/scan",
data={"hash": file_hash},
headers={"Authorization": API_KEY})
```
## Android Broadcast Receivers (Persistence)
| Action | Malware Use |
|--------|-------------|
| BOOT_COMPLETED | Auto-start on reboot |
| SMS_RECEIVED | SMS interception |
| PHONE_STATE | Call monitoring |
| CONNECTIVITY_CHANGE | Network-triggered C2 |
## CLI Usage
```bash
python agent.py --apk suspicious.apk
python agent.py --source-dir jadx_output/
python agent.py --apk app.apk --source-dir decompiled/
```
@@ -0,0 +1,151 @@
#!/usr/bin/env python3
"""Mobile malware behavior detection agent.
Analyzes Android APK manifests and iOS app metadata for suspicious permissions,
dangerous API usage, and known malware behavioral patterns.
"""
import argparse
import json
import re
import subprocess
import sys
import zipfile
from pathlib import Path
from datetime import datetime
DANGEROUS_ANDROID_PERMISSIONS = {
"android.permission.SEND_SMS": ("HIGH", "Can send SMS (premium rate fraud)"),
"android.permission.READ_SMS": ("HIGH", "Reads SMS (OTP theft)"),
"android.permission.RECEIVE_SMS": ("HIGH", "Intercepts SMS"),
"android.permission.READ_CONTACTS": ("MEDIUM", "Reads contacts"),
"android.permission.RECORD_AUDIO": ("HIGH", "Records audio"),
"android.permission.CAMERA": ("MEDIUM", "Camera access"),
"android.permission.READ_CALL_LOG": ("HIGH", "Reads call logs"),
"android.permission.ACCESS_FINE_LOCATION": ("MEDIUM", "Fine GPS location"),
"android.permission.WRITE_EXTERNAL_STORAGE": ("LOW", "Write to external storage"),
"android.permission.INSTALL_PACKAGES": ("CRITICAL", "Can install other apps"),
"android.permission.REQUEST_INSTALL_PACKAGES": ("HIGH", "Request app install"),
"android.permission.SYSTEM_ALERT_WINDOW": ("HIGH", "Overlay attacks"),
"android.permission.BIND_ACCESSIBILITY_SERVICE": ("CRITICAL", "Accessibility abuse"),
"android.permission.BIND_DEVICE_ADMIN": ("CRITICAL", "Device admin control"),
"android.permission.READ_PHONE_STATE": ("MEDIUM", "Reads device identifiers"),
"android.permission.PROCESS_OUTGOING_CALLS": ("HIGH", "Intercepts outgoing calls"),
}
SUSPICIOUS_RECEIVERS = [
"BOOT_COMPLETED", "SMS_RECEIVED", "PHONE_STATE",
"NEW_OUTGOING_CALL", "PACKAGE_ADDED", "CONNECTIVITY_CHANGE",
]
MALWARE_API_PATTERNS = [
(r"DexClassLoader|PathClassLoader", "HIGH", "Dynamic code loading"),
(r"Runtime\.exec|ProcessBuilder", "HIGH", "Command execution"),
(r"TelephonyManager\.getDeviceId", "MEDIUM", "Device fingerprinting"),
(r"Base64\.decode.*exec", "CRITICAL", "Encoded payload execution"),
(r"loadLibrary|System\.load", "MEDIUM", "Native library loading"),
(r"Cipher.*AES.*encrypt", "LOW", "Encryption (possible ransomware)"),
(r"javax\.crypto", "LOW", "Cryptographic operations"),
(r"HttpURLConnection|OkHttp", "LOW", "Network communication"),
(r"getRuntime\(\)\.exec", "HIGH", "Shell command execution"),
]
def analyze_apk_manifest(apk_path):
findings = []
permissions = []
try:
result = subprocess.run(
["aapt", "dump", "permissions", apk_path],
capture_output=True, text=True, timeout=30)
if result.returncode == 0:
for line in result.stdout.split("\n"):
perm_match = re.search(r"uses-permission.*'([^']+)'", line)
if perm_match:
perm = perm_match.group(1)
permissions.append(perm)
if perm in DANGEROUS_ANDROID_PERMISSIONS:
sev, desc = DANGEROUS_ANDROID_PERMISSIONS[perm]
findings.append({
"type": "dangerous_permission",
"permission": perm,
"severity": sev,
"description": desc,
})
except (FileNotFoundError, subprocess.TimeoutExpired):
try:
with zipfile.ZipFile(apk_path, 'r') as z:
if "AndroidManifest.xml" in z.namelist():
findings.append({"note": "Binary manifest found, use aapt or apktool to decode"})
except zipfile.BadZipFile:
findings.append({"error": "Invalid APK file"})
return {"permissions": permissions, "findings": findings}
def scan_decompiled_source(source_dir):
findings = []
source_path = Path(source_dir)
for java_file in source_path.rglob("*.java"):
try:
content = java_file.read_text(encoding="utf-8", errors="replace")
for pattern, severity, desc in MALWARE_API_PATTERNS:
matches = re.findall(pattern, content)
if matches:
findings.append({
"type": "suspicious_api",
"file": str(java_file),
"pattern": desc,
"match_count": len(matches),
"severity": severity,
})
except OSError:
continue
for smali_file in source_path.rglob("*.smali"):
try:
content = smali_file.read_text(encoding="utf-8", errors="replace")
if "Landroid/app/admin/DeviceAdminReceiver" in content:
findings.append({
"type": "device_admin",
"file": str(smali_file),
"severity": "CRITICAL",
"description": "App registers as device administrator",
})
except OSError:
continue
return findings
def calculate_risk(findings):
score = 0
for f in findings:
sev = f.get("severity", "LOW")
score += {"CRITICAL": 30, "HIGH": 15, "MEDIUM": 5, "LOW": 2}.get(sev, 0)
risk = "CRITICAL" if score >= 80 else "HIGH" if score >= 40 else \
"MEDIUM" if score >= 15 else "LOW"
return {"score": min(score, 100), "risk_level": risk}
def main():
parser = argparse.ArgumentParser(description="Mobile Malware Behavior Detector")
parser.add_argument("--apk", help="Path to APK file")
parser.add_argument("--source-dir", help="Path to decompiled source directory")
args = parser.parse_args()
results = {"timestamp": datetime.utcnow().isoformat() + "Z", "findings": []}
if args.apk:
apk_results = analyze_apk_manifest(args.apk)
results["permissions"] = apk_results["permissions"]
results["findings"].extend(apk_results["findings"])
if args.source_dir:
results["findings"].extend(scan_decompiled_source(args.source_dir))
results["risk"] = calculate_risk(results["findings"])
results["total_findings"] = len(results["findings"])
print(json.dumps(results, indent=2))
if __name__ == "__main__":
main()