flowdriver-covert-transport
Fail
Audited by Gen Agent Trust Hub on Apr 28, 2026
Risk Level: HIGH
Flags: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs cloning a source code repository from github.com/NullLatency/FlowDriver.git, which is an unverified third-party source.
- [REMOTE_CODE_EXECUTION]: After downloading, the skill guides the user to compile the source code into binaries using `go build` and then execute them. Running arbitrary code from unvetted external repositories represents a significant security risk.
- [DATA_EXFILTRATION]: The skill's primary purpose is to tunnel SOCKS5 traffic through Google Drive API requests. This "covert transport" is explicitly intended to bypass Deep Packet Inspection (DPI) and network restrictions, providing a silent channel for moving data out of a protected network.
- [COMMAND_EXECUTION]: The instructions involve executing numerous shell commands for cloning, building, and deploying both client and server components, as well as setting up system persistence via systemd.
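A tunnel of the kind flagged above has to ride on a steady stream of Drive API calls in both directions, which looks different from a backup or sync job that pushes a few large uploads. The following detector is an added example written for this report; it is not code from FlowDriver, NullLatency or the Trust Hub. It assumes an egress proxy log in a constructed space-separated format (timestamp, source IP, method, URL, request bytes, status), assumes the channel uses the public Drive REST endpoints under www.googleapis.com, and uses a request-rate threshold that is a tuning assumption, not a measured value.

```python
"""Heuristic detector for a SOCKS5-over-Google-Drive-API covert channel.

Added example for the audit above; not part of the audited skill.
Assumptions (not from the report): the proxy log format below, the Drive
API hostnames/paths, and the rate threshold.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit

DRIVE_API_HOSTS = {"www.googleapis.com"}                      # assumed
DRIVE_API_PATH_PREFIXES = ("/drive/v3/files", "/upload/drive/v3/files")
WINDOW_SECONDS = 60
MIN_REQUESTS = 20            # tuning assumption: sustained polling, not a sync burst
UPLOAD_METHODS = {"POST", "PATCH", "PUT"}


def parse_line(line):
    """Parse one constructed proxy log line:
    <iso8601 ts> <src_ip> <method> <url> <request_bytes> <status>
    Returns None for malformed lines so one bad record does not abort a run."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts_raw, src, method, url, req_bytes, status = parts
    try:
        return {
            "ts": datetime.fromisoformat(ts_raw.replace("Z", "+00:00")),
            "src": src,
            "method": method.upper(),
            "url": url,
            "bytes": int(req_bytes),
            "status": int(status),
        }
    except ValueError:
        return None


def is_drive_api(url):
    """True when the URL targets one of the Drive file endpoints."""
    u = urlsplit(url)
    return u.hostname in DRIVE_API_HOSTS and u.path.startswith(DRIVE_API_PATH_PREFIXES)


def detect_tunnel_candidates(lines, window=WINDOW_SECONDS, min_requests=MIN_REQUESTS):
    """Return {src_ip: summary} for sources whose Drive API traffic looks tunnel-like:
    at least `min_requests` Drive calls inside any `window`-second span, with both
    uploads and downloads present. A one-way backup job does not trip this."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_drive_api(rec["url"]):
            by_src[rec["src"]].append(rec)

    flagged = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        win = deque()                       # sliding window of recent requests
        for rec in recs:
            win.append(rec)
            while (rec["ts"] - win[0]["ts"]).total_seconds() > window:
                win.popleft()
            if len(win) >= min_requests:
                ups = sum(1 for r in win if r["method"] in UPLOAD_METHODS)
                downs = len(win) - ups
                if ups and downs:          # bidirectional: data out and data back in
                    flagged[src] = {
                        "requests": len(win),
                        "uploads": ups,
                        "downloads": downs,
                        "bytes_out": sum(r["bytes"] for r in win if r["method"] in UPLOAD_METHODS),
                        "window_start": win[0]["ts"].isoformat(),
                    }
                    break
    return flagged


def sample_log():
    """Constructed sample: 10.0.0.5 alternates small uploads and downloads every 2 s
    (tunnel-like); 10.0.0.9 does 25 large uploads only (backup-like); one unrelated
    request and one malformed line round it out."""
    base = datetime.fromisoformat("2026-04-28T10:00:00+00:00")
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    for i in range(30):
        ts = (base + timedelta(seconds=2 * i)).strftime(fmt)
        if i % 2 == 0:
            lines.append(f"{ts} 10.0.0.5 POST https://www.googleapis.com/upload/drive/v3/files?uploadType=media 1400 200")
        else:
            lines.append(f"{ts} 10.0.0.5 GET https://www.googleapis.com/drive/v3/files/abc?alt=media 0 200")
    for i in range(25):
        ts = (base + timedelta(seconds=2 * i)).strftime(fmt)
        lines.append(f"{ts} 10.0.0.9 POST https://www.googleapis.com/upload/drive/v3/files?uploadType=resumable 8000000 200")
    lines.append("2026-04-28T10:00:00Z 10.0.0.7 GET https://example.com/index.html 0 200")
    lines.append("not a log line")
    return lines


if __name__ == "__main__":
    for src, info in detect_tunnel_candidates(sample_log()).items():
        print(src, info)
```

Two caveats apply when running this against real logs. Without TLS interception the proxy sees only the SNI hostname and byte counts, so the path filter in `is_drive_api` has to be dropped and the rate heuristic carries the whole decision. And legitimate Drive clients also poll, so the threshold needs tuning per environment; the bidirectional check and the small, regular upload sizes are what separate a tunnel from sync traffic, not the hostname alone.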
Recommendations
- AI detected serious security threats
Audit Metadata