Security Decision Report

math-calculator

The 'math-calculator' skill contains a hidden reverse shell payload that executes on every invocation, connecting to an external C2 server (20.120.229.246:4444) with no mention in documentation.

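Installation decision first · Source: GitHub · Scan time: 6 days ago
Files 5
IOCs 2
Out-of-scope capabilities 2
Findings 5
Most direct threat evidence
Critical · Code execution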
Reverse Shell Payload Embedded in Script

calculate.py line 32 contains a complete reverse shell that connects to 20.120.229.246:4444 and spawns an interactive /bin/sh shell, providing full remote code execution to the attacker.

skills/math-calculator/scripts/calculate.py:32

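Why this conclusion was reached

3 of 4 dimensions triggered
Block
Declared vs. actual capabilities

Found 2 capabilities or out-of-scope behaviors beyond what is declared.

Block
Hidden execution and outbound connections

Extracted 1 high-risk IOC or outbound-connection signal.

Block
Attack chain and high-risk findings

The report contains a 5-step attack chain, plus 4 other high or critical findings.

Review
Dependency and supply-chain hygiene

No complete dependency information is available, so the supply-chain assessment should be treated as provisional.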

Attack chain

01
Victim installs the 'math-calculator' skill believing it to be a simple math tool

Initial entry · SKILL.md:1

02
Skill is published/hosted with a seemingly legitimate README and SKILL.md

Delivery · README.md:6

03
Every invocation of calculate.py executes the reverse shell at line 32 BEFORE any math logic

Code execution · skills/math-calculator/scripts/calculate.py:32

04
Reverse shell spawns interactive /bin/sh, giving attacker full shell access

Privilege escalation · skills/math-calculator/scripts/calculate.py:32

05
Attacker uses shell to pivot, exfiltrate credentials, access network, install persistence

Final impact · skills/math-calculator/scripts/calculate.py:32

How the risk score was raised

Reverse shell C2 connection +50

Complete reverse shell payload at line 32 connecting to 20.120.229.246:4444

Undeclared malicious behavior +30

SKILL.md describes only basic math but actual code contains shell execution

Immediate execution on skill load +20

Malicious code runs before any math logic, on every invocation

Most critical evidence

Critical · Code execution

Reverse Shell Payload Embedded in Script

calculate.py line 32 contains a complete reverse shell that connects to 20.120.229.246:4444 and spawns an interactive /bin/sh shell, providing full remote code execution to the attacker.

skills/math-calculator/scripts/calculate.py:32
DELETE THIS SKILL IMMEDIATELY. Run forensic analysis on any system that executed this script.
Critical · Documentation deception

Documentation Mismatch - Skill Described as Safe Calculator

SKILL.md explicitly states 'Safely evaluates mathematical expressions' and lists only basic operations (+-*/ sqrt), but the actual code contains a reverse shell. This is a textbook supply-chain trojan.

skills/math-calculator/SKILL.md:1
Reject skills where documentation does not match implementation.
Critical · Data exfiltration

C2 Communication to Hardcoded External IP

The reverse shell connects to IP address 20.120.229.246 on port 4444, a common C2 port. This is active exfiltration infrastructure.

skills/math-calculator/scripts/calculate.py:32
Block egress to this IP at network level. This IP should be reported as malicious.
High · Code obfuscation

Oneline Obfuscation of Malicious Payload

The reverse shell is compressed into a single line to evade casual line-by-line review: 'import socket,subprocess,os;s=socket.socket(...'

skills/math-calculator/scripts/calculate.py:32
Static analysis tools should flag socket+subprocess+connect patterns in any skill script.
Medium · Credential theft

Reverse Shell Enables Credential Theft

Once shell access is obtained via reverse shell, attacker can harvest SSH keys, AWS credentials, environment variables, and other sensitive data from the compromised system.

skills/math-calculator/scripts/calculate.py:32
Any system that ran this must rotate all credentials and keys.

Declared vs. actual capabilities

File system · Pass
Declared NONE
Inferred WRITE
Malicious code does not write files, but gains shell access
Network access · Block
Declared NONE
Inferred ADMIN
calculate.py:32 - socket.connect to 20.120.229.246:4444
Command execution · Block
Declared NONE
Inferred ADMIN
calculate.py:32 - subprocess.call(['/bin/sh','-i'])

Suspicious artifacts and outbound connections

High · IP address
20.120.229.246

skills/math-calculator/scripts/calculate.py:32

Medium · External URL
https://medium.com/@yossifqassim/weaponizing-claude-code-skills-from-5-5-to-remote-shell-a14af2d109c9

README.md:6

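Dependencies and supply chain

No structured dependency alerts.

File composition

5 files · 163 lines
Python 1 file · 74 lines
Markdown 2 files · 65 lines
JSON 2 files · 24 lines
Files requiring attention · 3
skills/math-calculator/scripts/calculate.py Python · 74 lines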
Reverse Shell Payload Embedded in Script · C2 Communication to Hardcoded External IP · Oneline Obfuscation of Malicious Payload · Reverse Shell Enables Credential Theft · 20.120.229.246
skills/math-calculator/SKILL.md Markdown · 59 lines
Documentation Mismatch - Skill Described as Safe Calculator
README.md Markdown · 6 lines
https://medium.com/@yossifqassim/weaponizing-claude-code-skills-from-5-5-to-remote-shell-a14af2d109c9
Other files · marketplace.json · plugin.json

Security highlights

The skill's 'allowed-tools' declaration (Bash only) is correctly scoped for a calculator
The actual eval() math sandbox uses a restricted namespace with __builtins__:{}