Add Strike Team: Core Engagement plugin #190

Open
AATheBuilder wants to merge 1 commit into agent0ai:main from AATheBuilder:add-strike-team

@AATheBuilder
Contributor

Elite engagement suite with Objective Dominance prompts, structured Vault memory, and Hunter Recon Sync.

@AATheBuilder AATheBuilder changed the title from "Add Strike Team plugin" to "Add Strike Team: Core Engagement plugin" on Apr 2, 2026
@a0-bot

a0-bot bot commented Apr 2, 2026

Plugin submission validation failed

ERROR: PR must modify exactly one plugin folder under plugins/

@3clyp50
Collaborator

3clyp50 commented Apr 7, 2026

Hello @AATheBuilder, I went through the plugin's code, and I have this review for you.

Secrets & Sensitive Data Access — 🔴 Fail

File: tools/loot_capture.py → lines 5–10

    """
    Capture harvested credentials, keys, or sensitive data (loot) 
    and store it in the structured recon memory.
    """

    async def execute(self, target: str, kind: str, value: str, username: str = "", context: str = "", **kwargs) -> Response:

Risk: The tool explicitly solicits credentials, keys, and other sensitive material as normal input. That means the plugin is designed to handle secrets directly, increasing exposure risk anywhere it is enabled. It should handle them using the secrets manager wrapper.


Secrets & Sensitive Data Access — 🔴 Fail

File: helpers/recon_memory.py → lines 489–497

    # Create Loot entity
    loot_val = f"{kind}:{username}" if username else f"{kind}:{value[:20]}..."
    loot_entity = _upsert_entity(
        data,
        entity_type="Loot",
        value=loot_val,
        properties={
            "kind": kind,
            "secret": value,  # NOTE: In a real prod env, this should be encrypted

Risk: The code persists the raw secret value into the plugin’s recon memory without encryption. That creates durable plaintext exposure of harvested credentials or tokens to anyone who can read the Agent Zero workdir, logs, snapshots, or backups during an attack.

Have a good one and let me know if you need any more info,
Alessandro
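
The two findings above, as an added example that is not the plugin's code and not part of the review: the record shape quoted from `helpers/recon_memory.py`, which persists the raw value and its first 20 characters, next to a variant that persists only a reference and a keyed fingerprint. `InMemorySecretStore`, `fingerprint`, `leaks` and both `loot_record_*` functions are hypothetical names; the store is a stand-in for a real secrets manager and is not Agent Zero's secrets wrapper API.

```python
import hashlib
import hmac
import json
import secrets


class InMemorySecretStore:
    """Hypothetical stand-in for a real secrets manager (not Agent Zero's API)."""
    def __init__(self):
        self._items = {}

    def put(self, value: str) -> str:
        ref = "secret-ref:" + secrets.token_hex(8)  # opaque handle, not derived from value
        self._items[ref] = value
        return ref

    def get(self, ref: str) -> str:
        return self._items[ref]


def fingerprint(value: str, key: bytes) -> str:
    """Keyed digest so records can be de-duplicated without exposing the value."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def loot_record_plaintext(kind, value, username=""):
    """Shape flagged in the review: raw secret plus a 20-char prefix in the label."""
    label = f"{kind}:{username}" if username else f"{kind}:{value[:20]}..."
    return {"entity_type": "Loot", "value": label,
            "properties": {"kind": kind, "secret": value}}


def loot_record_by_reference(kind, value, store, key, username=""):
    """Persist only a reference and a keyed fingerprint; the store holds the value."""
    fp = fingerprint(value, key)
    label = f"{kind}:{username}" if username else f"{kind}:fp-{fp}"
    props = {"kind": kind, "secret_ref": store.put(value), "fingerprint": fp}
    return {"entity_type": "Loot", "value": label, "properties": props}


def leaks(record: dict, value: str) -> bool:
    """True if the serialized record contains the secret or its 20-char prefix."""
    return value[:20] in json.dumps(record)


if __name__ == "__main__":
    sample = "constructed-sample-token-0123456789"  # constructed, not a real secret
    store, key = InMemorySecretStore(), secrets.token_bytes(32)
    print(leaks(loot_record_plaintext("api_key", sample), sample),
          leaks(loot_record_by_reference("api_key", sample, store, key), sample))
```

A check like `leaks` can run in the plugin's tests against whatever gets written to the workdir, so a regression that reintroduces the raw value is caught before it reaches logs, snapshots or backups.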

@AATheBuilder
Contributor Author

> Hello @AATheBuilder, I went through the plugin's code, and I have this review for you.
>
> Secrets & Sensitive Data Access — 🔴 Fail
>
> File: tools/loot_capture.py → lines 5–10
>
>     """
>     Capture harvested credentials, keys, or sensitive data (loot)
>     and store it in the structured recon memory.
>     """
>
>     async def execute(self, target: str, kind: str, value: str, username: str = "", context: str = "", **kwargs) -> Response:
>
> Risk: The tool explicitly solicits credentials, keys, and other sensitive material as normal input. That means the plugin is designed to handle secrets directly, increasing exposure risk anywhere it is enabled. It should handle them using the secrets manager wrapper.
>
> Secrets & Sensitive Data Access — 🔴 Fail
>
> File: helpers/recon_memory.py → lines 489–497
>
>     # Create Loot entity
>     loot_val = f"{kind}:{username}" if username else f"{kind}:{value[:20]}..."
>     loot_entity = _upsert_entity(
>         data,
>         entity_type="Loot",
>         value=loot_val,
>         properties={
>             "kind": kind,
>             "secret": value,  # NOTE: In a real prod env, this should be encrypted
>
> Risk: The code persists the raw secret value into the plugin’s recon memory without encryption. That creates durable plaintext exposure of harvested credentials or tokens to anyone who can read the Agent Zero workdir, logs, snapshots, or backups during an attack.
>
> Have a good one and let me know if you need any more info,
> Alessandro

Hey! I didn't consider that - I will run through it again and find another way to store the data.

Thank you.

@AATheBuilder
Contributor Author

All done bro! Please let me know if it is OK?
