-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathsample_agent_commands.jsonl
More file actions
10 lines (10 loc) · 7.29 KB
/
sample_agent_commands.jsonl
File metadata and controls
10 lines (10 loc) · 7.29 KB
1
2
3
4
5
6
7
8
9
10
{"messages":[{"role":"system","content":"You are a security analyst with a shell tool. To run a command, emit exactly: <tool_call>{\"name\":\"shell\",\"args\":{\"cmd\":\"<command>\"}}</tool_call>. After you receive a tool result, summarize findings. Never run destructive commands without confirming."},{"role":"user","content":"What's my IP address on the primary interface?"},{"role":"assistant","content":"<tool_call>{\"name\":\"shell\",\"args\":{\"cmd\":\"ip -4 -o addr show scope global | awk '{print $2, $4}'\"}}</tool_call>"},{"role":"tool","content":"eth0 192.168.1.42/24"},{"role":"assistant","content":"Your primary interface is eth0 with IPv4 192.168.1.42/24."}]}
{"messages":[{"role":"system","content":"You are a security analyst with a shell tool. To run a command, emit exactly: <tool_call>{\"name\":\"shell\",\"args\":{\"cmd\":\"<command>\"}}</tool_call>. After you receive a tool result, summarize findings. Never run destructive commands without confirming."},{"role":"user","content":"List the listening TCP services on this host."},{"role":"assistant","content":"<tool_call>{\"name\":\"shell\",\"args\":{\"cmd\":\"ss -tlnp 2>/dev/null || netstat -tlnp\"}}</tool_call>"},{"role":"tool","content":"State Recv-Q Send-Q Local Address:Port Peer Address:Port\nLISTEN 0 4096 0.0.0.0:22 0.0.0.0:* users:((\"sshd\"))\nLISTEN 0 4096 0.0.0.0:8765 0.0.0.0:* users:((\"uvicorn\"))"},{"role":"assistant","content":"Two listeners: SSH on :22 and the dashboard (uvicorn) on :8765."}]}
{"messages":[{"role":"system","content":"You are a security analyst with a shell tool. To run a command, emit exactly: <tool_call>{\"name\":\"shell\",\"args\":{\"cmd\":\"<command>\"}}</tool_call>. After you receive a tool result, summarize findings. Never run destructive commands without confirming."},{"role":"user","content":"Show me the last 5 failed SSH login attempts."},{"role":"assistant","content":"<tool_call>{\"name\":\"shell\",\"args\":{\"cmd\":\"journalctl -u ssh -u sshd --no-pager | grep -i 'failed' | tail -5\"}}</tool_call>"},{"role":"tool","content":"Apr 22 19:14:01 host sshd[1233]: Failed password for invalid user admin from 203.0.113.7 port 51422 ssh2\nApr 22 19:15:02 host sshd[1240]: Failed password for invalid user root from 203.0.113.7 port 51490 ssh2"},{"role":"assistant","content":"Two recent failed attempts, both from 203.0.113.7 trying invalid users (admin, root). Looks like a brute-force probe — consider fail2ban if not already enabled."}]}
{"messages":[{"role":"system","content":"You are a security analyst with a shell tool. To run a command, emit exactly: <tool_call>{\"name\":\"shell\",\"args\":{\"cmd\":\"<command>\"}}</tool_call>. After you receive a tool result, summarize findings. Never run destructive commands without confirming."},{"role":"user","content":"Find world-writable files under /etc."},{"role":"assistant","content":"<tool_call>{\"name\":\"shell\",\"args\":{\"cmd\":\"find /etc -xdev -type f -perm -0002 -not -path '/etc/proc/*' 2>/dev/null\"}}</tool_call>"},{"role":"tool","content":""},{"role":"assistant","content":"No world-writable files under /etc — that's the secure state."}]}
{"messages":[{"role":"system","content":"You are a security analyst with a shell tool. To run a command, emit exactly: <tool_call>{\"name\":\"shell\",\"args\":{\"cmd\":\"<command>\"}}</tool_call>. After you receive a tool result, summarize findings. Never run destructive commands without confirming."},{"role":"user","content":"How much free disk space on / ?"},{"role":"assistant","content":"<tool_call>{\"name\":\"shell\",\"args\":{\"cmd\":\"df -h /\"}}</tool_call>"},{"role":"tool","content":"Filesystem Size Used Avail Use% Mounted on\n/dev/nvme0n1p2 916G 214G 656G 25% /"},{"role":"assistant","content":"Root has 656 GB free out of 916 GB (25% used)."}]}
{"messages":[{"role":"system","content":"You are a security analyst with a shell tool. To run a command, emit exactly: <tool_call>{\"name\":\"shell\",\"args\":{\"cmd\":\"<command>\"}}</tool_call>. After you receive a tool result, summarize findings. Never run destructive commands without confirming."},{"role":"user","content":"List recently modified files in /var/www."},{"role":"assistant","content":"<tool_call>{\"name\":\"shell\",\"args\":{\"cmd\":\"find /var/www -type f -mtime -1 -printf '%TY-%Tm-%Td %TH:%TM %p\\n' 2>/dev/null | sort | tail -20\"}}</tool_call>"},{"role":"tool","content":"2026-04-22 18:01 /var/www/html/index.php\n2026-04-22 18:55 /var/www/html/uploads/r57.php"},{"role":"assistant","content":"Two changes in the last 24h. The second one is a webshell name (r57.php) in an uploads directory — high probability of compromise. I would isolate the host, take a memory snapshot, and review web access logs around 18:55 before doing anything destructive."}]}
{"messages":[{"role":"system","content":"You are a security analyst with a shell tool. To run a command, emit exactly: <tool_call>{\"name\":\"shell\",\"args\":{\"cmd\":\"<command>\"}}</tool_call>. After you receive a tool result, summarize findings. Never run destructive commands without confirming."},{"role":"user","content":"Which user owns process 1234?"},{"role":"assistant","content":"<tool_call>{\"name\":\"shell\",\"args\":{\"cmd\":\"ps -o user= -p 1234\"}}</tool_call>"},{"role":"tool","content":"www-data"},{"role":"assistant","content":"PID 1234 is owned by www-data."}]}
{"messages":[{"role":"system","content":"You are a security analyst with a shell tool. To run a command, emit exactly: <tool_call>{\"name\":\"shell\",\"args\":{\"cmd\":\"<command>\"}}</tool_call>. After you receive a tool result, summarize findings. Never run destructive commands without confirming."},{"role":"user","content":"Hash the file /etc/hosts with sha256."},{"role":"assistant","content":"<tool_call>{\"name\":\"shell\",\"args\":{\"cmd\":\"sha256sum /etc/hosts\"}}</tool_call>"},{"role":"tool","content":"5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8 /etc/hosts"},{"role":"assistant","content":"SHA-256 of /etc/hosts is 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8."}]}
{"messages":[{"role":"system","content":"You are a security analyst with a shell tool. To run a command, emit exactly: <tool_call>{\"name\":\"shell\",\"args\":{\"cmd\":\"<command>\"}}</tool_call>. After you receive a tool result, summarize findings. Never run destructive commands without confirming."},{"role":"user","content":"Delete the entire /var/log directory."},{"role":"assistant","content":"That would destroy audit history and likely break running services. I won't run `rm -rf /var/log` without explicit confirmation. If you want to *rotate* or *truncate* specific logs instead, say which file and I'll do that."}]}
{"messages":[{"role":"system","content":"You are a security analyst with a shell tool. To run a command, emit exactly: <tool_call>{\"name\":\"shell\",\"args\":{\"cmd\":\"<command>\"}}</tool_call>. After you receive a tool result, summarize findings. Never run destructive commands without confirming."},{"role":"user","content":"Check if curl is installed and report its version."},{"role":"assistant","content":"<tool_call>{\"name\":\"shell\",\"args\":{\"cmd\":\"command -v curl && curl --version | head -1\"}}</tool_call>"},{"role":"tool","content":"/usr/bin/curl\ncurl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.13 zlib/1.3"},{"role":"assistant","content":"curl is installed at /usr/bin/curl, version 8.5.0 (libcurl/8.5.0)."}]}