Skill Domain Architecture
Overview
Each skill domain is a self-contained Python module in skills/. It defines the behavioral guidance, tool set, success criteria, and routing signals for one operational area. The main agent loads a domain on demand - a single call to SkillRegistry.load_domain() - and the pack's configuration merges into the agent's runtime globals.
The Dispatcher Contract
Every skill pack must implement exactly three functions. The signatures are fixed; the registry enforces them.
Returns True when the objective has been substantively achieved. The universal pre-checks run before this: too few commands → False; error indicators present → False; maximum commands reached → True (force halt). halt_fn only needs to encode "is the work genuinely done?"
Returns a list of tactical hint strings injected into the system prompt. Hints are bounded at 200 characters total - the 8K context budget is a hard limit. The function receives the detected execution target (exec_target in config), allowing pack-side logic to adapt hints for container vs. host execution.
Returns a score bonus for the keyword router. Used to break ties between categories and to nudge routing when the task phrasing is ambiguous.
Pack files cannot import from ARCHER.py. Everything they need is passed through these function arguments. This constraint makes the pack boundary explicit and testable.
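The universal pre-checks and the 200-character hint budget described above, as an added example that is not ARCHER's own code. The names `should_halt` and `clamp_hints`, the argument shapes, the precedence of the force-halt cap over the other pre-checks, and counting only the hint characters toward the budget are assumptions; the page does not specify them.

```python
# Added illustration: names, argument shapes and check precedence are
# assumptions, not ARCHER's actual implementation.
from __future__ import annotations

from typing import Callable

HINT_BUDGET = 200  # characters, total across all hints (figure from the page)


def should_halt(commands_run: int, min_commands: int, max_commands: int,
                has_error_indicators: bool,
                halt_fn: Callable[[], bool]) -> bool:
    """Run the universal pre-checks, then defer to the pack's halt_fn."""
    # Assumption: the cap is checked first, so a run that keeps producing
    # errors can never exceed max_commands.
    if commands_run >= max_commands:
        return True                 # maximum commands reached: force halt
    if commands_run < min_commands:
        return False                # too few commands
    if has_error_indicators:
        return False                # error indicators present: not done
    return bool(halt_fn())          # "is the work genuinely done?"


def clamp_hints(hints: list[str], budget: int = HINT_BUDGET) -> list[str]:
    """Keep whole hints, in order, until the total character budget is spent."""
    kept: list[str] = []
    used = 0
    for hint in hints:
        if used + len(hint) > budget:
            break                   # never truncate a hint mid-sentence
        kept.append(hint)
        used += len(hint)
    return kept
```

Because the pack boundary passes everything through arguments, both functions can be unit-tested without loading the agent.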
SKILL_CATEGORIES Entry Shape
Each skill category within a pack defines:
| Field | Purpose |
|---|---|
| description | Human-readable description of what this skill does |
| keywords | Routing keywords that score positively for this category |
| exclude_keywords | Keywords that score negatively |
| min_commands | Minimum commands before halt_fn is evaluated |
| max_commands | Maximum commands before force halt |
| tools_available | Dict of tool names available for this skill |
| halt_requires | Evidence strings required to consider the objective achieved |
| completion_indicators | Patterns in output that indicate success |
| command_timeout | Per-command timeout in seconds |
| sudo_command_timeout | Timeout for privileged commands |
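A check a pack's test file could run over each entry, plus the keyword scoring the fields imply, as an added example rather than ARCHER's own code. The field names come from the table above; the value types, the +1/-1 weights, the function names `validate_entry` and `keyword_score`, and the sample entry are assumptions.

```python
# Added illustration: field names are from the table; value types, scoring
# weights and function names are assumptions, not ARCHER's implementation.
REQUIRED = {
    "description": str, "keywords": list, "exclude_keywords": list,
    "min_commands": int, "max_commands": int, "tools_available": dict,
    "halt_requires": list, "completion_indicators": list,
    "command_timeout": (int, float), "sudo_command_timeout": (int, float),
}


def validate_entry(name, entry):
    """Return a list of problems; an empty list means the entry is well formed."""
    problems = []
    for field, kind in REQUIRED.items():
        if field not in entry:
            problems.append(f"{name}: missing {field}")
        elif isinstance(entry[field], bool) or not isinstance(entry[field], kind):
            problems.append(f"{name}: {field} has wrong type")
    if problems:
        return problems
    # An inverted range would make the force-halt cap fire before halt_fn runs.
    if not 0 <= entry["min_commands"] <= entry["max_commands"]:
        problems.append(f"{name}: min_commands must not exceed max_commands")
    for field in ("command_timeout", "sudo_command_timeout"):
        if entry[field] <= 0:
            problems.append(f"{name}: {field} must be positive")
    return problems


def keyword_score(task, entry, bonus=0.0):
    """+1 per keyword found, -1 per exclude keyword, plus the pack's bonus."""
    text = task.lower()
    hits = sum(1 for k in entry["keywords"] if k.lower() in text)
    misses = sum(1 for k in entry["exclude_keywords"] if k.lower() in text)
    return hits - misses + bonus


# Constructed sample entry, not taken from any ARCHER pack.
SAMPLE = {
    "description": "Enumerate services on an in-scope host",
    "keywords": ["service", "banner"], "exclude_keywords": ["web"],
    "min_commands": 2, "max_commands": 12,
    "tools_available": {"nmap": "service detection"},
    "halt_requires": ["service list"], "completion_indicators": ["open"],
    "command_timeout": 120, "sudo_command_timeout": 300,
}
```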
Current Skill Packs
Currently the Pentest Skillpack is the only functional skillpack included in ARCHER, but multiple expansions are in the planning phase.
PT-Recon
Reconnaissance and information gathering.
- entity_identification - target scoping, IP/domain identification
- reconnaissance - passive recon, OSINT
- port_scanning - nmap, masscan, port enumeration
- service_enumeration - banner grabbing, service fingerprinting
PT-Vulnerability
Vulnerability identification and assessment.
- vulnerability_assessment - manual assessment, CVE detection
- vulnerability_scanning - automated scanning (nikto, nuclei, nessus) — signature-based CVE detection, not contextual analysis
PT-Web
Web application security testing - full OWASP coverage.
- web_enumeration - directory busting, technology fingerprinting
- web_vulnerability_scanning - automated web scanning
- web_authentication - login bypass, credential testing
- web_exploitation - general web exploitation
- web_sqli - SQL injection
- web_lfi - local file inclusion
- web_xss - cross-site scripting
- web_cmd_injection - command injection
- web_file_upload - file upload exploitation
PT-Exploitation
Network and system exploitation.
- network_exploitation - remote service exploitation, Metasploit
- system_exploitation - local exploitation, buffer overflows
PT-PostExploit
Post-compromise operations.
- post_exploitation - host enumeration, credential harvesting
- lateral_movement - pivoting techniques, pass-the-hash
- persistence - backdoors, startup persistence, cron
- exfiltration - data collection and transfer
PT-Pivoting
Network pivoting and tunneling.
- ssh_tunneling - SSH -L/-R/-D port forwarding
- socks_proxy - SOCKS proxy setup, proxychains
- chisel_pivot - reverse SOCKS over HTTP
- ligolo_pivot - TUN interface routing
- socat_relay - TCP relay and traversal
- ssh_proxyjump - SSH -J chaining
PT-Privesc
Privilege escalation.
- linux_privesc - SUID binaries, sudo misconfiguration, kernel exploits, GTFOBins
- windows_privesc - token impersonation, service misconfigurations, UAC bypass
PT-ActiveDirectory
Active Directory attacks.
- ad_enumeration - BloodHound, LDAP enumeration, domain mapping
- kerberoasting - SPN discovery, ticket extraction
- credential_attacks - password spray, AS-REP roasting
- lateral_movement_ad - PtH, PtT, WMI, PSExec
- dcsync - credential dumping via DCSync
- acl_abuse - ACL-based privilege escalation
Adding a New Domain
A new skill domain requires:
- A new file skills/YourDomain.py implementing SKILL_CATEGORIES, TARGET_SIGNATURES, and the three dispatcher functions
- Registration via _register_pack_handlers() at the bottom of the pack file
- A SYSTEM_PROMPT_ADDENDUM string (≤200 chars) for domain-specific behavioral guidance
- A test file in tests/skills/ validating the dispatcher contracts
- Eval harness objectives (at least one per major skill category)
The core agent requires no modification. The domain loads on --do yourdomain --sd yourcategory.