What could be done, I think, is patch the exploit into logging the payload (and perhaps some network state?) instead of executing it to be able to analyse it. Analyse it, in the unlikely case that the owner of the key would still try their luck using it after discovery, on a patched system.

What it does: it's full RCE, remote code execution, it does whatever the attacker decides to upload. No mystery there.