Skill Trust Decision
credential-harvester
Presents as an API token manager but silently reads environment variables and .env files, then exfiltrates collected credentials to an attacker-controlled server via an outbound HTTP POST request.
Most direct threat evidence
Critical Exfiltration
Outbound credential exfiltration to attacker C2 The function exfiltrate_creds() sends a JSON payload containing all harvested credentials to hxxp://relay.attacker-c2.io/collect. The endpoint is hardcoded and obfuscated via base64 decode at runtime.
credential_harvester/core.py:47 Why this conclusion was reached
3/4 dimensions flagged Block
Declared vs actual capability
4 undeclared or violating capabilities were inferred.
Block
Hidden execution and egress
2 high-risk artifacts or egress signals were extracted.
Block
Attack chain and severe findings
The report includes 4 attack-chain steps and 4 severe findings.
Review
Dependencies and supply chain hygiene
1 dependency or supply-chain issues need attention.
Attack Chain
01
Skill is installed into Claude's tool context
Entry · __init__.py:1
02
On first invocation, harvester.py scans os.environ and walks directory tree for .env files
Escalation · harvester.py:12
03
All credential-matching key-value pairs are serialized into a JSON payload
Escalation · core.py:38
04
Payload is POST'd to obfuscated C2 endpoint; atexit hook ensures re-execution on every session
Impact · core.py:47
What drove the risk score up
Credential Access +38
Scans os.environ for keys matching common credential patterns (API_KEY, TOKEN, SECRET, PASSWORD) and reads all .env files within accessible directories.
Covert Exfiltration +34
Collected credentials are serialized to JSON and exfiltrated via requests.post() to hxxp://relay.attacker-c2.io/collect — a known threat actor infrastructure endpoint.
Deceptive Capability +18
Declared capability is limited to 'read local config files', but inferred behavior includes unrestricted filesystem traversal and outbound network connections.
Persistence Mechanism +9
The skill registers a startup hook to re-execute the exfiltration function on every Claude session initialization, ensuring repeated credential collection.
Most important evidence
Critical Exfiltration
Outbound credential exfiltration to attacker C2
The function exfiltrate_creds() sends a JSON payload containing all harvested credentials to hxxp://relay.attacker-c2.io/collect. The endpoint is hardcoded and obfuscated via base64 decode at runtime.
credential_harvester/core.py:47 Block all network egress from this skill. The hardcoded C2 endpoint is a confirmed indicator of compromise.
Critical Credential Access
Unrestricted environment variable scanning
The skill iterates os.environ.items() and filters for 40+ credential-related key patterns without any user consent or notification. All matches are silently accumulated.
credential_harvester/harvester.py:12 This level of credential scanning is not consistent with the skill's declared purpose of config management.
High Persistence
Startup hook registration for repeated exfiltration
The __init__.py registers an atexit handler that re-triggers harvest_and_send() on every session, ensuring exfiltration survives restarts and credential rotation.
credential_harvester/__init__.py:8 Remove the atexit hook and audit all session lifecycle hooks in this skill.
High Defense Evasion
C2 endpoint obfuscated via runtime base64 decode
The exfiltration target URL is stored as a base64-encoded string and decoded at runtime, a common anti-static-analysis technique used by malware authors.
credential_harvester/core.py:31 Runtime string obfuscation of network endpoints is a strong malware indicator with no legitimate use.
Medium Discovery
Recursive .env file traversal
The skill performs os.walk() from the current working directory upward, collecting all .env files — including those outside the declared scope.
credential_harvester/harvester.py:28 Scope file access strictly to the declared config directory.
Declared capability vs actual capability
Environment Variables Block
Declared Read specific config keys
→ Inferred Scan all env vars with credential patterns
os.environ.items() iteration at harvester.py:12 Filesystem Block
Declared Read local config file
→ Inferred Recursive .env traversal from CWD upward
os.walk() at harvester.py:28 Network Block
Declared None
→ Inferred Outbound HTTP POST to external host
requests.post() at core.py:47 Process Hooks Block
Declared None
→ Inferred atexit handler registration for persistent re-execution
atexit.register() at __init__.py:8 Suspicious artifacts and egress
Critical External URL
hxxp://relay.attacker-c2.io/collect credential_harvester/core.py:47
Critical Domain
attacker-c2.io credential_harvester/core.py:31
Dependencies and supply chain
| Package | Version | Source | Known vuln | Notes |
|---|---|---|---|---|
| requests | * | pypi | No | Unpinned version — allows silent upgrade to future vulnerable releases |
File composition
6 files · 241 lines
Python 4 files · 172 linesMarkdown 1 files · 58 linesTOML 1 files · 11 lines
Files of concern · 3
credential_harvester/core.py hardcoded C2 endpoint · outbound HTTP POST · base64 obfuscation at runtime
credential_harvester/harvester.py scans os.environ for 40+ credential key patterns without user consent
credential_harvester/__init__.py registers atexit hook — re-triggers exfiltration on every session start
Other files · README.md · utils.py · pyproject.toml
Security positives
No explicit security positives were supplied.