Scanner Ruleset

Dangerous runtime function calls that can execute arbitrary code or spawn external shell processes. Python rules use AST parsing to catch obfuscated aliases; JS/TS rules skip commented lines to reduce false positives.

Hardcoded secrets, API keys, and authentication tokens embedded in source code or configuration files. Matched context is automatically redacted in scan reports before upload.

Outbound HTTP requests targeting known data collection, webhook relay, and exfiltration services. These services are frequently abused to receive stolen credentials or file contents.

Shell operations that write to AI agent memory and instruction files. A poisoned MEMORY.md or CLAUDE.md can persistently redirect agent behavior across sessions.

base64-encoded payloads designed to evade static analysis. The pattern-level rules catch explicit decode-and-execute pipelines; the deep-scan pass decodes every base64 blob ≥40 characters and re-applies all detection rules to the decoded content.

Operations that escalate a process to root or switch the active user context to a privileged account.

Mechanisms that survive reboots or new login sessions by registering with OS schedulers, init systems, or shell startup scripts.

Network callbacks that open an interactive shell connection from the target machine back to an attacker-controlled host.

Invisible or visually confusable Unicode characters used to hide malicious content from code reviewers while still being executed or interpreted by the runtime.

Instruction patterns that trick users into manually executing malicious commands by framing them as necessary troubleshooting or setup steps. Named after the ClickFix attack campaign.

Irreversible destructive operations that can wipe filesystems or overwrite raw block devices.

Network scanning tools and cloud instance metadata endpoints used to map infrastructure before a targeted attack.

Instruction override patterns embedded in Markdown or configuration that attempt to hijack AI agent behavior by superseding the system prompt.

Executable or native library files bundled inside a skill archive. Skills should contain only text-based instructions and scripts — precompiled binaries cannot be meaningfully reviewed by static analysis.

Reads or directory searches targeting well-known credential storage locations on the host filesystem.

References to cryptocurrency wallet recovery material or wallet application data directories. Inspired by the ClawHavoc campaign (January 2026) where 341 malicious skills stole wallet seed phrases.

Directory traversal patterns and direct reads of sensitive system files. Also covers writes to git hooks, which can persist malicious code across every future commit or merge.

Social engineering patterns that steer agents toward executing bundled scripts by framing them as necessary setup steps. Directly targets the inducement prompt component of SkillJect-style attacks, where the attack lives in the gap between legitimate-looking documentation and a malicious auxiliary script.

Multi-line context scan that detects the specific documentation structure SkillJect exploits: suspicious section headers followed by bundled script execution references, and urgency markers co-located with script invocations. Both rules require an explicit file extension (.sh, .py, .bash) to reduce false positives on generic install commands.

Escalates severity when individually low-risk primitives co-occur in the same file. Targets the evasion technique described in the SkillJect paper where attacks are composed from capabilities that individually fall below alert thresholds. Each rule fires only when higher-severity rules haven't already covered the same file.

Cross-file consistency check that compares script capabilities against the documentation intent profile extracted from SKILL.md. Flags capabilities present in scripts but absent from the documentation — the structural gap that SkillJect exploits. A script making outbound network calls is suspicious when SKILL.md never mentions network access.