Skill Trust Decision

Rune

A large, multi-file AI skill mesh (82 files) with a legitimate code-assistance purpose, but its documentation examples embed multiple high-risk command patterns, including base64 decoding, SSRF proof-of-concept payloads, and curl|sh detection guidance that inadvertently demonstrates the technique.

Install decision first
Source: Manual upload · Scanned: Apr 4, 2026
Files 82
Artifacts 64
Violations 0
Findings 5
Most direct threat evidence
Critical Encoded Execution
base64 -d

Why this conclusion was reached

1/4 dimensions flagged
Pass
Declared vs actual capability

Declared resources and inferred behavior are broadly aligned.

Block
Hidden execution and egress

5 high-risk artifacts or egress signals were extracted.

Pass
Attack chain and severe findings

There is no explicit malicious chain in the report.

Review
Dependencies and supply chain hygiene

Dependency information is incomplete, so supply-chain confidence stays limited.

What drove the risk score up

SSRF PoC with live metadata service IP +20

rune-ext-security.md:491 documents live SSRF target http://169.254.169.254/latest/meta-data/ as proof-of-concept

curl|sh pattern documented in supply-chain skill +15

rune-ext-security.md:606 Step 5 references curl|sh as detection target but the example context is instructive, not executable

base64 -d used for provisioning profile decoding +5

rune-ext-mobile.md:527 legitimate iOS tooling for .mobileprovision files, not obfuscation

Hardcoded IPs in documentation +5

203.0.113.1 (rune-ext-devops.md:846) is a TEST-NET placeholder; 169.254.169.254 is AWS metadata but used in SSRF defense context

Most important evidence

Medium Sensitive Access

SSRF proof-of-concept with live metadata service IP

rune-ext-security.md pentest-patterns skill documents a live SSRF target (AWS EC2 metadata service at 169.254.169.254) as a proof-of-concept payload. While framed as defensive documentation showing what to protect against, the explicit curl command with the actual IP creates risk if copied verbatim into an unsafe context.

skills/rune-ext-security.md:491
Replace live IP with a clearly-marked placeholder like YOUR_AWS_METADATA_IP or localhost:9999/metadata. Add explicit warnings that this PoC must only run against authorized test targets.
Low Doc Mismatch

curl|sh pattern referenced without clear anti-pattern framing

The supply-chain skill in rune-ext-security.md:606 references curl|sh as a detection target. While this is a legitimate defensive use (flagging malicious install scripts), the pattern appears without sufficiently clear 'DO NOT EXECUTE' framing, risking confusion.

skills/rune-ext-security.md:606
Re-frame the detection guidance to clearly separate: (1) HOW to detect curl|sh in package scripts, (2) explicit warning that curl|sh must NEVER be executed in production or automated pipelines.
Low RCE

base64 -d for provisioning profile decoding

rune-ext-mobile.md:527 uses base64 -d to decode a downloaded .mobileprovision file. This is standard iOS code signing tooling and not obfuscation, but base64 decoding can be used for obfuscation so it's flagged here.

skills/rune-ext-mobile.md:527
No action needed — this is legitimate iOS tooling. Consider adding a comment explicitly stating this is decoding an App Store Connect API response.
Info Doc Mismatch

Placeholder IP addresses in DNS documentation

rune-ext-devops.md:846 uses 203.0.113.1 (TEST-NET-3, a documentation-only IP range per RFC 5737) in DNS A record examples. This is legitimate documentation practice.

skills/rune-ext-devops.md:846
No action needed — 203.0.113.1 is a reserved TEST-NET IP appropriate for documentation.
Info Doc Mismatch

rm -rf / in sentinel pattern table

rune-sentinel.md:145 references rm -rf / as a destructive command pattern to detect. This is part of sentinel's security scanning documentation and not actual execution.

skills/rune-sentinel.md:145
No action needed — this is sentinel's detection pattern table, not executable code.

Declared capability vs actual capability

Filesystem Pass
Declared NONE
Inferred NONE
No file write operations in markdown skills
Network Pass
Declared NONE
Inferred READ
Skills reference external URLs for documentation (rune-kit.github.io, context7.com)
Shell Pass
Declared NONE
Inferred READ
Shell commands documented as examples in ios-build-pipeline, supply-chain, and pentest-patterns skills
Environment Pass
Declared NONE
Inferred NONE
No direct environment variable access in skill code

Suspicious artifacts and egress

Critical Encoded Execution
base64 -d

skills/rune-ext-mobile.md:527

Critical Dangerous Command
curl | sh

skills/rune-ext-security.md:606

Critical Dangerous Command
rm -rf /

skills/rune-sentinel.md:145

High IP Address
203.0.113.1

skills/rune-ext-devops.md:846

High IP Address
169.254.169.254

skills/rune-ext-security.md:491

Medium External URL
https://rune-kit.github.io/rune

README.md:42

Medium External URL
https://rune-kit.github.io/rune/guides

README.md:43

Medium External URL
http://www.w3.org/2000/svg

skills/rune-asset-creator.md:75

Medium External URL
https://context7.com/

skills/rune-docs-seeker.md:64

Medium External URL
https://context7.com/websites/

skills/rune-docs-seeker.md:70

Medium External URL
https://accounts.google.com

skills/rune-ext-backend.md:447

Medium External URL
https://en.wikipedia.org/wiki/Artificial_intelligence

skills/rune-ext-chrome-ext.md:333

Dependencies and supply chain

There are no structured dependency warnings.

File composition

82 files · 37300 lines
Markdown 78 files · 34926 lines
JSON 2 files · 1683 lines
TypeScript 1 file · 533 lines
JavaScript 1 file · 158 lines
Files of concern · 7
skills/rune-ext-content.md Markdown · 1844 lines
http://www.w3.org/2005/Atom · https://schema.org/BlogPosting · https://schema.org/Person · https://img.youtube.com/vi/$ · https://www.youtube-nocookie.com/embed/$ · https://player.vimeo.com/video/$ · https://schema.org
skills/rune-ext-zalo.md Markdown · 1855 lines
https://openapi.zalo.me/v3.0/oa · https://openapi.zalo.me/v2.0/oa · https://openapi.zalo.me/v3.0/oa/message/cs · https://openapi.zalo.me/v2.0/oa/upload/image · https://openapi.zalo.me/v2.0/oa/upload/file · https://cdn.example.com/product-a.jpg · https://cdn.example.com/product-b.jpg · https://openapi.zalo.me/v3.0/oa/user/getlist?offset=0&count=50 · https://openapi.zalo.me/v3.0/oa/user/detail?user_id=4337842264521611405 · https://openapi.zalo.me/v3.0/oa/tag/tagfollower · https://openapi.zalo.me/v3.0/oa/tag/rmfollowerfromtag · https://openapi.zalo.me/v3.0/oa/message/promotion · https://developers.zalo.me · https://yourapp.com/auth/zalo/callback · https://oauth.zaloapp.com/v4/oa/permission?$ · https://oauth.zaloapp.com/v4/oa/access_token · https://openapi.zalo.me/v3.0/oa/$ · https://your-domain.com/webhook/zalo · https://xxxx.ngrok.io
skills/rune-ext-backend.md Markdown · 1011 lines
https://accounts.google.com
skills/rune-ext-saas.md Markdown · 900 lines
https://api.polar.sh/v1/checkouts/
skills/rune-ext-ecommerce.md Markdown · 1147 lines
https://api.frankfurter.app/latest?from=$ · https://my.sepay.vn/docs · https://qr.sepay.vn/img?acc=$ · https://sandbox.vnpayment.vn/apis/docs/huong-dan-tich-hop/ · https://sandbox.vnpayment.vn/paymentv2/vpcpay.html · https://developers.momo.vn/v3/docs/payment/api/ · https://test-payment.momo.vn/v2/gateway/api/create · https://docs.zalopay.vn/ · https://ec.europa.eu/taxation_customs/vies/rest-api/ms/$
skills/rune-ext-chrome-ext.md Markdown · 1006 lines
https://en.wikipedia.org/wiki/Artificial_intelligence
skills/rune-ext-mobile.md Markdown · 954 lines
base64 -d for provisioning profile decoding · base64 -d · http://www.apple.com/DTDs/PropertyList-1.0.dtd · https://u.expo.dev/your-project-id
Other files · rune-ext-ui.md · rune-ext-gamedev.md · rune-cook.md · rune-ext-ai-ml.md · skill-index.json

Security positives

SKILL.md clearly documents the mesh architecture with no hidden capabilities — 61 skills across 5 layers described transparently
sentinel skill (L2) is a dedicated security gatekeeper with OWASP pattern detection, secret scanning, and destructive command guards
supply-chain security analysis includes typosquatting detection, dependency confusion checks, and SLSA provenance verification
Skill mesh has MIT license and references public GitHub repository — no hidden monetization or suspicious distribution
Rune Pro and Business upsells are clearly branded and not embedded as hidden functionality
No .env files, no credential harvesting code, no external C2 communications detected
defense-in-depth skill provides solid multi-layer validation strategy
pentest-patterns skill documents JWT algorithm confusion, SSRF, and IDOR with remediation guidance