flowdriver-covert-transport

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.85). Most of the links are to legitimate, low-risk resources (localhost, Google Cloud, go.dev, httpbin.org, example.com), but the presence of an unknown GitHub repository (NullLatency/FlowDriver) and an unfamiliar site (ara.so) that distribute/run a covert transport tool to bypass network controls is a strong warning sign because unknown repos publishing executables or instructions to build/run network-evasion software can be used to deliver or hide malware.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This describes an intentional covert-transport/backdoor design that tunnels arbitrary SOCKS5 traffic through Google Drive API to evade DPI and network controls, enabling covert command-and-control and data exfiltration (including instructions to persist and transfer OAuth tokens), so it is deliberately abuse-capable.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill includes explicit instructions to create/modify a systemd service under /etc/systemd/system and to run sudo systemctl enable/start commands, which modify system-level files and require elevated privileges.