Skill Trust Decision

clawguard-threat-detect

Security tool that documents actual attack payloads (reverse shells, credential exfiltration) as detection examples, creating a doc-to-code mismatch where the documentation itself serves as an attack template library.

Install decision first
Source: Manual upload
Scanned: Apr 4, 2026
Files 6
Artifacts 7
Violations 1
Findings 5
Most direct threat evidence
Critical Doc Mismatch
Hardcoded Reverse Shell Payloads in Documentation

SKILL.md:34 contains actual reverse shell commands (nc -e, /dev/tcp/, bash -i >&) presented as 'examples of what to detect'. These are functional attack templates, not generic descriptions.

SKILL.md:34

Why this conclusion was reached

3/4 dimensions flagged
Block
Declared vs actual capability

1 undeclared or violating capability was inferred.

Block
Hidden execution and egress

3 high-risk artifacts or egress signals were extracted.

Block
Attack chain and severe findings

The report includes 4 attack-chain steps and 5 severe findings.

Pass
Dependencies and supply chain hygiene

Dependencies are present but no obvious high-risk issue stands out.

Attack Chain

01
Skill presents as legitimate threat detector

delivery · SKILL.md:1

02
User reads SKILL.md and learns attack patterns

reconnaissance · SKILL.md:34

03
User copies documented payloads as templates

weaponization · SKILL.md:34

04
cli.js spawns child process with unvalidated input

execution · cli.js:42

What drove the risk score up

Malicious payload documentation +30

SKILL.md:34 and cli.js:101 contain actual reverse shell commands (nc -e, /dev/tcp/, bash -i >&) presented as detection examples

Credential exfiltration documentation +20

SKILL.md:83,462,601 and cli.js:67 document curl exfiltration to evil.com with API tokens

Doc-to-code mismatch +20

Claims to be a threat detector but documentation serves as attack template library

Undeclared child process execution +15

cli.js:42-50 uses spawn() with piped stdin from unvalidated alert data

Potential for social engineering +10

Skill appears legitimate but contains malicious content hidden in 'examples'

Most important evidence

Critical Doc Mismatch

Hardcoded Reverse Shell Payloads in Documentation

SKILL.md:34 contains actual reverse shell commands (nc -e, /dev/tcp/, bash -i >&) presented as 'examples of what to detect'. These are functional attack templates, not generic descriptions.

SKILL.md:34
Remove all actual payload examples. Replace with generic pattern descriptions like 'reverse shell using file descriptor redirection' without concrete commands.
Critical Doc Mismatch

Credential Exfiltration URLs Documented

SKILL.md and cli.js contain examples of credential exfiltration using curl with API tokens sent to evil.com. These are functional attack templates.

SKILL.md:83
Remove all C2 infrastructure examples. Describe attack patterns generically.
High Doc Mismatch

Full Reverse Shell Example in CLI

cli.js:101 includes a complete reverse shell payload as a CLI example, normalizing dangerous attack techniques.

cli.js:101
Remove all concrete attack payloads from CLI examples.
High RCE

Undeclared Child Process Spawn with Unvalidated Input

cli.js:42-50 uses spawn() to invoke a 'self-improving-safety' module with piped stdin containing unvalidated alert data. This is not declared in SKILL.md.

cli.js:42
Declare shell:WRITE capability or refactor to avoid child process execution. Validate and sanitize all data before piping to child processes.
High Doc Mismatch

Comprehensive Attack Template Library

SKILL.md contains a full MITRE ATT&CK coverage matrix with concrete examples of T1059 (Command/Script), T1041 (Exfiltration), T1059.004 (Bash Reverse Shell), providing a complete attack playbook.

SKILL.md:34
Simplify documentation to describe detection capabilities without embedding actual exploit code.

Declared capability vs actual capability

Filesystem Pass
Declared NONE
Inferred READ
src/detector.js:8 - uses fs module for file monitoring
Shell Block
Declared NONE
Inferred WRITE
cli.js:42-50 - spawns child process with piped stdin
Network Pass
Declared NONE
Inferred READ
src/detector.js - analyzes network patterns for URLs
Environment Pass
Declared NONE
Inferred READ
cli.js:101 - references $API_KEY from environment

Suspicious artifacts and egress

Critical Dangerous Command
nc -e

SKILL.md:34

Critical Dangerous Command
/dev/tcp/

SKILL.md:34

Critical Dangerous Command
bash -i >&

cli.js:101

Medium External URL
http://evil.com/exfil

SKILL.md:83

Medium External URL
http://evil.com

SKILL.md:462

Medium External URL
http://evil.com/exfil?token=$API_KEY

SKILL.md:601

Medium External URL
http://evil.com?token=$API_KEY

cli.js:67

Dependencies and supply chain

Package | Version | Source | Known vuln | Notes
none | N/A | npm | No | No external dependencies in package.json

File composition

6 files · 1508 lines
Markdown 2 files · 881 lines
JavaScript 2 files · 606 lines
JSON 2 files · 21 lines
Files of concern · 2
SKILL.md Markdown · 743 lines
Hardcoded Reverse Shell Payloads in Documentation · Credential Exfiltration URLs Documented · Comprehensive Attack Template Library · nc -e · /dev/tcp/ · http://evil.com/exfil · http://evil.com · http://evil.com/exfil?token=$API_KEY
cli.js JavaScript · 103 lines
Full Reverse Shell Example in CLI · Undeclared Child Process Spawn with Unvalidated Input · bash -i >& · http://evil.com?token=$API_KEY
Other files · detector.js · README.md · package.json · _meta.json

Security positives

No actual credential harvesting code (patterns are in documentation, not executed)
No direct C2 communication in actual code (only documented examples)
No supply chain risks (package.json has no external dependencies)
Threat detection logic is legitimate pattern matching