Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills

Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders

skills/detecting-mobile-malware-behavior/scripts/agent.py

@@ -0,0 +1,151 @@
+#!/usr/bin/env python3
+"""Mobile malware behavior detection agent.
+
+Analyzes Android APK manifests and iOS app metadata for suspicious permissions,
+dangerous API usage, and known malware behavioral patterns.
+"""
+
+import argparse
+import json
+import re
+import subprocess
+import sys
+import zipfile
+from pathlib import Path
+from datetime import datetime
+
+DANGEROUS_ANDROID_PERMISSIONS = {
+    "android.permission.SEND_SMS": ("HIGH", "Can send SMS (premium rate fraud)"),
+    "android.permission.READ_SMS": ("HIGH", "Reads SMS (OTP theft)"),
+    "android.permission.RECEIVE_SMS": ("HIGH", "Intercepts SMS"),
+    "android.permission.READ_CONTACTS": ("MEDIUM", "Reads contacts"),
+    "android.permission.RECORD_AUDIO": ("HIGH", "Records audio"),
+    "android.permission.CAMERA": ("MEDIUM", "Camera access"),
+    "android.permission.READ_CALL_LOG": ("HIGH", "Reads call logs"),
+    "android.permission.ACCESS_FINE_LOCATION": ("MEDIUM", "Fine GPS location"),
+    "android.permission.WRITE_EXTERNAL_STORAGE": ("LOW", "Write to external storage"),
+    "android.permission.INSTALL_PACKAGES": ("CRITICAL", "Can install other apps"),
+    "android.permission.REQUEST_INSTALL_PACKAGES": ("HIGH", "Request app install"),
+    "android.permission.SYSTEM_ALERT_WINDOW": ("HIGH", "Overlay attacks"),
+    "android.permission.BIND_ACCESSIBILITY_SERVICE": ("CRITICAL", "Accessibility abuse"),
+    "android.permission.BIND_DEVICE_ADMIN": ("CRITICAL", "Device admin control"),
+    "android.permission.READ_PHONE_STATE": ("MEDIUM", "Reads device identifiers"),
+    "android.permission.PROCESS_OUTGOING_CALLS": ("HIGH", "Intercepts outgoing calls"),
+}
+
+SUSPICIOUS_RECEIVERS = [
+    "BOOT_COMPLETED", "SMS_RECEIVED", "PHONE_STATE",
+    "NEW_OUTGOING_CALL", "PACKAGE_ADDED", "CONNECTIVITY_CHANGE",
+]
+
+MALWARE_API_PATTERNS = [
+    (r"DexClassLoader|PathClassLoader", "HIGH", "Dynamic code loading"),
+    (r"Runtime\.exec|ProcessBuilder", "HIGH", "Command execution"),
+    (r"TelephonyManager\.getDeviceId", "MEDIUM", "Device fingerprinting"),
+    (r"Base64\.decode.*exec", "CRITICAL", "Encoded payload execution"),
+    (r"loadLibrary|System\.load", "MEDIUM", "Native library loading"),
+    (r"Cipher.*AES.*encrypt", "LOW", "Encryption (possible ransomware)"),
+    (r"javax\.crypto", "LOW", "Cryptographic operations"),
+    (r"HttpURLConnection|OkHttp", "LOW", "Network communication"),
+    (r"getRuntime\(\)\.exec", "HIGH", "Shell command execution"),
+]
+
+
+def analyze_apk_manifest(apk_path):
+    findings = []
+    permissions = []
+    try:
+        result = subprocess.run(
+            ["aapt", "dump", "permissions", apk_path],
+            capture_output=True, text=True, timeout=30)
+        if result.returncode == 0:
+            for line in result.stdout.split("\n"):
+                perm_match = re.search(r"uses-permission.*'([^']+)'", line)
+                if perm_match:
+                    perm = perm_match.group(1)
+                    permissions.append(perm)
+                    if perm in DANGEROUS_ANDROID_PERMISSIONS:
+                        sev, desc = DANGEROUS_ANDROID_PERMISSIONS[perm]
+                        findings.append({
+                            "type": "dangerous_permission",
+                            "permission": perm,
+                            "severity": sev,
+                            "description": desc,
+                        })
+    except (FileNotFoundError, subprocess.TimeoutExpired):
+        try:
+            with zipfile.ZipFile(apk_path, 'r') as z:
+                if "AndroidManifest.xml" in z.namelist():
+                    findings.append({"note": "Binary manifest found, use aapt or apktool to decode"})
+        except zipfile.BadZipFile:
+            findings.append({"error": "Invalid APK file"})
+
+    return {"permissions": permissions, "findings": findings}
+
+
+def scan_decompiled_source(source_dir):
+    findings = []
+    source_path = Path(source_dir)
+    for java_file in source_path.rglob("*.java"):
+        try:
+            content = java_file.read_text(encoding="utf-8", errors="replace")
+            for pattern, severity, desc in MALWARE_API_PATTERNS:
+                matches = re.findall(pattern, content)
+                if matches:
+                    findings.append({
+                        "type": "suspicious_api",
+                        "file": str(java_file),
+                        "pattern": desc,
+                        "match_count": len(matches),
+                        "severity": severity,
+                    })
+        except OSError:
+            continue
+    for smali_file in source_path.rglob("*.smali"):
+        try:
+            content = smali_file.read_text(encoding="utf-8", errors="replace")
+            if "Landroid/app/admin/DeviceAdminReceiver" in content:
+                findings.append({
+                    "type": "device_admin",
+                    "file": str(smali_file),
+                    "severity": "CRITICAL",
+                    "description": "App registers as device administrator",
+                })
+        except OSError:
+            continue
+    return findings
+
+
+def calculate_risk(findings):
+    score = 0
+    for f in findings:
+        sev = f.get("severity", "LOW")
+        score += {"CRITICAL": 30, "HIGH": 15, "MEDIUM": 5, "LOW": 2}.get(sev, 0)
+    risk = "CRITICAL" if score >= 80 else "HIGH" if score >= 40 else \
+           "MEDIUM" if score >= 15 else "LOW"
+    return {"score": min(score, 100), "risk_level": risk}
+
+
+def main():
+    parser = argparse.ArgumentParser(description="Mobile Malware Behavior Detector")
+    parser.add_argument("--apk", help="Path to APK file")
+    parser.add_argument("--source-dir", help="Path to decompiled source directory")
+    args = parser.parse_args()
+
+    results = {"timestamp": datetime.utcnow().isoformat() + "Z", "findings": []}
+
+    if args.apk:
+        apk_results = analyze_apk_manifest(args.apk)
+        results["permissions"] = apk_results["permissions"]
+        results["findings"].extend(apk_results["findings"])
+
+    if args.source_dir:
+        results["findings"].extend(scan_decompiled_source(args.source_dir))
+
+    results["risk"] = calculate_risk(results["findings"])
+    results["total_findings"] = len(results["findings"])
+    print(json.dumps(results, indent=2))
+
+
+if __name__ == "__main__":
+    main()