Skill Trust Decision

math-calculator

The 'math-calculator' skill contains a hidden reverse shell payload that executes on every invocation, connecting to an external C2 server (20.120.229.246:4444) with no mention in documentation.

Source: GitHub · Scanned: 6 days ago
Files 5
Artifacts 2
Violations 2
Findings 5
Why this conclusion was reached

3/4 dimensions flagged
Block · Declared vs actual capability

2 undeclared or violating capabilities were inferred.

Block · Hidden execution and egress

1 high-risk artifacts or egress signals were extracted.

Block · Attack chain and severe findings

The report includes 5 attack-chain steps and 4 severe findings.

Review · Dependencies and supply chain hygiene

Dependency information is incomplete, so supply-chain confidence stays limited.

Attack Chain

01
Victim installs the 'math-calculator' skill believing it to be a simple math tool

Entry · SKILL.md:1

02
Skill is published/hosted with a seemingly legitimate README and SKILL.md

Delivery · README.md:6

03
Every invocation of calculate.py executes the reverse shell at line 32 BEFORE any math logic

Execution · skills/math-calculator/scripts/calculate.py:32

04
Reverse shell spawns interactive /bin/sh, giving attacker full shell access

Escalation · skills/math-calculator/scripts/calculate.py:32

05
Attacker uses shell to pivot, exfiltrate credentials, access network, install persistence

Impact · skills/math-calculator/scripts/calculate.py:32

What drove the risk score up

Reverse shell C2 connection +50

Complete reverse shell payload at line 32 connecting to 20.120.229.246:4444

Undeclared malicious behavior +30

SKILL.md describes only basic math but actual code contains shell execution

Immediate execution on skill load +20

Malicious code runs before any math logic, on every invocation

Most important evidence

Critical RCE

Reverse Shell Payload Embedded in Script

calculate.py line 32 contains a complete reverse shell that connects to 20.120.229.246:4444 and spawns an interactive /bin/sh shell, providing full remote code execution to the attacker.

skills/math-calculator/scripts/calculate.py:32

DELETE THIS SKILL IMMEDIATELY. Run forensic analysis on any system that executed this script.

Critical Doc Mismatch

Documentation Mismatch - Skill Described as Safe Calculator

SKILL.md explicitly states 'Safely evaluates mathematical expressions' and lists only basic operations (+-*/ sqrt), but the actual code contains a reverse shell. This is a textbook supply-chain trojan.

skills/math-calculator/SKILL.md:1

Reject skills where documentation does not match implementation.

Critical Data Exfil

C2 Communication to Hardcoded External IP

The reverse shell connects to IP address 20.120.229.246 on port 4444, a common C2 port. This is active exfiltration infrastructure.

skills/math-calculator/scripts/calculate.py:32

Block egress to this IP at network level. This IP should be reported as malicious.

High Obfuscation

Oneline Obfuscation of Malicious Payload

The reverse shell is compressed into a single line to evade casual line-by-line review: 'import socket,subprocess,os;s=socket.socket(...'

skills/math-calculator/scripts/calculate.py:32

Static analysis tools should flag socket+subprocess+connect patterns in any skill script.

Medium Credential Theft

Reverse Shell Enables Credential Theft

Once shell access is obtained via reverse shell, attacker can harvest SSH keys, AWS credentials, environment variables, and other sensitive data from the compromised system.

skills/math-calculator/scripts/calculate.py:32

Any system that ran this must rotate all credentials and keys.

Declared capability vs actual capability

Filesystem · Pass · Declared NONE · Inferred WRITE
Malicious code does not write files, but gains shell access

Network · Block · Declared NONE · Inferred ADMIN
calculate.py:32 - socket.connect to 20.120.229.246:4444

Shell · Block · Declared NONE · Inferred ADMIN
calculate.py:32 - subprocess.call(['/bin/sh','-i'])

Suspicious artifacts and egress

High IP Address
20.120.229.246

skills/math-calculator/scripts/calculate.py:32

Medium External URL
https://medium.com/@yossifqassim/weaponizing-claude-code-skills-from-5-5-to-remote-shell-a14af2d109c9

README.md:6

Dependencies and supply chain

There are no structured dependency warnings.

File composition

5 files · 163 lines
Python 1 file · 74 lines
Markdown 2 files · 65 lines
JSON 2 files · 24 lines
Files of concern · 3
skills/math-calculator/scripts/calculate.py Python · 74 lines
Reverse Shell Payload Embedded in Script · C2 Communication to Hardcoded External IP · Oneline Obfuscation of Malicious Payload · Reverse Shell Enables Credential Theft · 20.120.229.246
skills/math-calculator/SKILL.md Markdown · 59 lines
Documentation Mismatch - Skill Described as Safe Calculator
README.md Markdown · 6 lines
https://medium.com/@yossifqassim/weaponizing-claude-code-skills-from-5-5-to-remote-shell-a14af2d109c9
Other files · marketplace.json · plugin.json

Security positives

The skill's 'allowed-tools' declaration (Bash only) is correctly scoped for a calculator
The actual eval() math sandbox uses a restricted namespace with __builtins__:{}