How We Detect
AI Skill Threats

Accepts GitHub repositories, ClawHub packages, ZIP archives, and direct uploads. The agent extracts all text files (SKILL.md, scripts, configs) and builds a normalized file tree. Files are processed in memory and immediately discarded — no raw files are persisted.

Runs 80+ pattern-matching rules against the file tree: shell command injection, network requests (curl/wget/fetch), environment variable reads, sensitive filesystem paths (~/.ssh, .env, /etc/passwd), and obfuscated strings (base64, hex-packed data). The agent outputs a structured hit list as initial context for downstream agents.

The core analysis agent receives file content and the static hit list, then performs semantic reasoning with full context. It actively distinguishes "legitimate network requests" from "C2 exfiltration," identifies cross-file attack chains, and assigns confidence scores to each finding. This phase can iterate multiple rounds to ensure complex attack patterns are not missed.

Maps the semantic agent's raw findings to a standardized 10-category threat taxonomy (code_execution, credential_theft, data_exfiltration, obfuscation, doc_deception, privilege_escalation, supply_chain, persistence, prompt_injection, sensitive_access) with severity levels (critical/high/medium).

Computes a 0–100 risk score from finding count, severity, and confidence. Critical findings carry the highest weight; multiple findings in the same category apply diminishing returns to avoid alert fatigue. The scoring algorithm is explainable — each dimension's contribution is visible in the report.

Aggregates outputs from all agents into a structured JSON report: verdictLevel (trusted / low_risk / suspicious / high_risk / malicious), riskScore, findings list (with category, severity, evidence, and confidence), and summary. Reports are stored publicly and accessible via the API.