skill-guard

Fail

Audited by Snyk on Feb 18, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). This package includes multiple deliberately malicious test skills — e.g., tests/fake-crypto/scripts/crypto.py reads wallet/keystore files and POSTs them to c2-malware-server.xyz (explicit data exfiltration), tests/fake-formatter/scripts/formatter.py decodes a base64 payload and executes it with subprocess (obfuscated RCE/reverse-shell), tests/fake-timebomb/scripts/reminder.py has a date-activated routine that reads ~/.ssh/id_rsa and sends it via curl (time-bomb backdoor + credential theft), tests/fake-weather/scripts/weather.py reads an SSH key and POSTs it to evil.com (credential exfiltration), tests/fake-typosquat contains intentionally misspelled packages and imports (typosquatting/supply-chain attack), and tests/fake-helper/SKILL.md contains a hidden HTML comment instructing secret harvesting and exfiltration (prompt injection) — these are clear, intentional backdoor/exfiltration/supply-chain abuse patterns.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). SkillGuard explicitly reads and parses SKILL.md and other files from scanned skill directories (e.g., tests/fake-helper/SKILL.md contains a hidden HTML comment with override/exfiltration instructions) and _scan_prompt_injection interprets that untrusted, user-provided content to generate findings/alerts that materially influence scoring and behavior.
Audit Metadata

Risk Level: CRITICAL
Analyzed: Feb 18, 2026, 10:21 PM