Threat Database
Every entry below is a real threat-classified finding from a reviewed scan of a published skill — detected by the SkillSafe scanner and confirmed in Stage-2 AI review. Entries are anonymized: we publish the rule that fired, its severity, and when — never the skill, publisher, or file. This is the data behind the "Threats Caught" number on the homepage.
84 threats recorded: 14 critical, 43 high, 18 medium
| Detected | Rule | Severity | Description |
|---|---|---|---|
| Jun 8, 2026 | composite_env_leak | high | Composite: environment variable read + outbound network (SS-CP02) |
| Jun 8, 2026 | undoc_network | high | Surplus: script makes outbound network calls not documented in SKILL.md (SS-SF01) |
| Jun 8, 2026 | ai_config_dir_access | medium | Access to Claude Code config/skills directory (SS04-3) |
| Jun 8, 2026 | composite_env_leak | medium | Composite: environment variable read + outbound network (SS-CP02) |
| Jun 8, 2026 | composite_env_leak | medium | Composite: environment variable read + outbound network (SS-CP02) |
| Jun 8, 2026 | composite_env_leak | medium | Composite: env var → matching service auth (informational, SS-CP02) |
| Jun 8, 2026 | composite_env_leak | medium | Composite: env var → matching service auth (informational, SS-CP02) |
| Jun 8, 2026 | ai_config_dir_access | high | Access to Claude Code config/skills directory (SS04-3) |
| Jun 8, 2026 | composite_medium_cluster | high | Composite: 11 medium-severity findings in one file (SS-CP04) |
| Jun 8, 2026 | ai_config_dir_access | high | Access to Claude Code config/skills directory (SS04-3) |
| Jun 8, 2026 | aws_access_key | critical | AWS Access Key ID detected |
| Jun 7, 2026 | mandatory_localhost_curl | medium | Mandatory curl POST to localhost:8888/notify on every skill invocation (undocumented side-channel) |
| Jun 7, 2026 | ai_config_dir_access | high | Access to Claude Code config/skills directory (SS04-3) |
| Jun 7, 2026 | composite_medium_cluster | high | Composite: 17 medium-severity findings in one file (SS-CP04) |
| Jun 7, 2026 | ai_config_dir_access | high | Access to Claude Code config/skills directory (SS04-3) |
| Jun 7, 2026 | undoc_env_read | high | Surplus: script reads environment variables not documented in SKILL.md (SS-SF02) |
| Jun 7, 2026 | undoc_env_read | high | Surplus: script reads environment variables not documented in SKILL.md (SS-SF02) |
| Jun 7, 2026 | composite_exec_exfil | critical | Composite: process execution + outbound network in same file (SS-CP01) |
| Jun 7, 2026 | py_subprocess | info | subprocess executes external commands |
| Jun 7, 2026 | py_subprocess | info | subprocess executes external commands |
| Jun 7, 2026 | composite_exec_exfil | critical | Composite: process execution + outbound network in same file (SS-CP01) |
| Jun 7, 2026 | js_exec_sync | info | execSync() executes shell commands synchronously |
| Jun 7, 2026 | js_child_process_import | info | child_process ES module import enables shell command execution |
| Jun 6, 2026 | composite_env_leak | high | Composite: environment variable read + outbound network (SS-CP02) |
| Jun 6, 2026 | composite_env_leak | high | Composite: environment variable read + outbound network (SS-CP02) |
| Jun 6, 2026 | composite_env_leak | high | Composite: environment variable read + outbound network (SS-CP02) |
| Jun 6, 2026 | browser_session_harvest | high | Browser cookie/session harvesting via CDP or profile read (SS22) |
| Jun 6, 2026 | composite_exec_exfil | critical | Composite: process execution + outbound network in same file (SS-CP01) |
| Jun 6, 2026 | browser_session_harvest | high | Browser cookie/session harvesting via CDP or remote debugging port (SS22) |
| Jun 6, 2026 | composite_env_leak | medium | Composite: environment variable read + outbound network (SS-CP02) |
| Jun 6, 2026 | composite_env_leak | high | Composite: environment variable read + outbound network (SS-CP02) |
| Jun 6, 2026 | persistence_launchd | high | Persistence via macOS LaunchAgent/LaunchDaemon (SS08) |
| Jun 6, 2026 | composite_env_leak | high | Composite: environment variable read + outbound network (SS-CP02) |
| Jun 6, 2026 | undoc_subprocess | high | Surplus: script executes subprocesses not documented in SKILL.md (SS-SF03) |
| Jun 6, 2026 | composite_env_leak | medium | Composite: environment variable read + outbound network (SS-CP02) |
| Jun 6, 2026 | composite_env_leak | high | Composite: environment variable read + outbound network (SS-CP02) |
| Jun 6, 2026 | mock_response_tampering | medium | Configurable mock response injection: mock_response field allows arbitrary text to be substituted for AI safety refusals in session history, defaulting to 'Understood. Here's the implementation:' |
| Jun 6, 2026 | unverified_external_dependency | medium | Installation clones from unverified GitHub repo ryfineZ/codex-session-patcher — no integrity verification (no hash pinning, no signature check) |
| Jun 6, 2026 | workspace_config_injection | high | Workspace config injection: --install-claude-ctf creates ~/.claude-ctf-workspace/CLAUDE.md with attacker-controlled instructions that become Claude Code's project-level system prompt when the user launches Claude from that directory |
| Jun 6, 2026 | session_content_exfiltration | high | Session content sent to external LLM endpoints: when ai_enabled=true, refusal-flagged session content is transmitted to api.openai.com or openrouter.ai for AI-assisted rewriting |
| Jun 6, 2026 | ai_safety_bypass | critical | Explicit AI safety bypass tool: skill description and trigger keywords are 'bypass ai refusal in coding tool', 'remove ai refusals from session file', 'inject ctf prompts into codex' — the skill's stated purpose is circumventing AI safety measures |
| Jun 6, 2026 | session_file_write | critical | Session file manipulation: skill explicitly reads and overwrites live agent session files at ~/.codex/sessions/, ~/.claude/projects/, and OpenCode SQLite DB to replace AI safety refusals with attacker-controlled content |
| Jun 6, 2026 | prompt_system_prompt | critical | Prompt injection: system prompt reference — ctf_prompts config field used to inject per-platform system prompts into Codex, Claude Code, and OpenCode to reduce AI refusals |
| Jun 6, 2026 | composite_env_leak | high | Composite: environment variable read + outbound network (SS-CP02) |
| Jun 6, 2026 | composite_env_leak | high | Composite: environment variable read + outbound network (SS-CP02) |
| Jun 6, 2026 | composite_exec_exfil | critical | Composite: process execution + outbound network in same file (SS-CP01) |
| Jun 6, 2026 | py_subprocess | info | subprocess executes external commands |
| Jun 5, 2026 | composite_medium_cluster | high | Composite: 6 medium-severity findings in one file (SS-CP04) |
| Jun 5, 2026 | composite_env_leak | high | Composite: environment variable read + outbound network (SS-CP02) |
| Jun 5, 2026 | composite_env_leak | high | Composite: environment variable read + outbound network (SS-CP02) |
| Jun 5, 2026 | composite_write_exfil | high | Composite: file write + outbound network in same file (SS-CP03) |
| Jun 5, 2026 | composite_env_leak | high | Composite: environment variable read + outbound network (SS-CP02) |
| Jun 5, 2026 | composite_env_leak | high | Composite: environment variable read + outbound network (SS-CP02) |
| Jun 5, 2026 | composite_write_exfil | high | Composite: file write + outbound network in same file (SS-CP03) |
| Jun 5, 2026 | composite_env_leak | high | Composite: environment variable read + outbound network (SS-CP02) |
| Jun 5, 2026 | composite_env_leak | medium | Composite: environment variable read + outbound network (SS-CP02) — skill reads browser cookie store from live Chrome profile directories (via GEMINI_WEB_CHROME_PROFILE_DIR / GEMINI_WEB_CHROME_PATH env vars and CDP debug port at 127.0.0.1) and transmits session cookies to accounts.google.com and gemini.google.com; while all network targets are Google-owned, this pattern is structurally identical to the sibling version graded C for Google session cookie harvesting and represents a confirmed medium-severity privacy risk |
| Jun 5, 2026 | composite_env_leak | high | Skill reads live Google session cookies from user's Chrome browser profile and transmits them to Google/Gemini authentication endpoints |
| Jun 5, 2026 | composite_exec_exfil | critical | Composite: process execution + outbound network in same file (SS-CP01) |
| Jun 5, 2026 | composite_medium_cluster | critical | Composite: dual persistence (cron + launchd) with broad ~/.claude read scope and silent outbound git push constitutes an automated exfiltration pipeline (SS-CP04) |
| Jun 5, 2026 | persistence_launchd | high | LaunchAgent plist creation establishes persistent macOS background process for recurring automated backup (SS08) |
| Jun 5, 2026 | persistence_cron | critical | Cron job installs a silent 6-hour auto-commit-and-push of all ~/.claude contents to a remote git repo (SS08) |
| Jun 5, 2026 | composite_medium_cluster | critical | Composite: dual persistence (cron + launchd) with broad ~/.claude read scope and silent outbound git push constitutes an automated exfiltration pipeline (SS-CP04) |
| Jun 5, 2026 | persistence_launchd | high | LaunchAgent plist creation establishes persistent macOS background process for recurring automated backup (SS08) |
| Jun 5, 2026 | persistence_cron | critical | Cron job installs a silent 6-hour auto-commit-and-push of all ~/.claude contents to a remote git repo (SS08) |
| Jun 5, 2026 | undoc_env_read | high | Surplus: script reads environment variables not documented in SKILL.md (SS-SF02) |
| Jun 5, 2026 | undoc_file_write | medium | Surplus: script writes files not documented in SKILL.md (SS-SF04) |
| Jun 5, 2026 | composite_write_exfil | high | Composite: file write + outbound network in same file (SS-CP03) |
| Jun 5, 2026 | composite_exec_exfil | critical | Composite: process execution + outbound network in same file (SS-CP01) — tar/openssl subprocess pipeline feeds directly into HTTP POST upload to third-party soul-upload.com; agent identity and memory files are exfiltrated to a remote endpoint not controlled by the user |
| Jun 5, 2026 | composite_env_leak | low | Composite: environment variable read + outbound network (SS-CP02) |
| Jun 5, 2026 | composite_env_leak | low | Composite: environment variable read + outbound network (SS-CP02) |
| Jun 5, 2026 | undocumented_capability_filesystem_enumeration | medium | Skill instructs the AI to enumerate user skill directories on first activation without explicit user consent |
| Jun 5, 2026 | undocumented_capability_filesystem_recon | medium | Agent instructed to enumerate installed skills directories on first activation without user request |
| Jun 5, 2026 | undocumented_capability_injected_command | low | Injected companion-check block directs agent to silently run 'ls' across multiple skill directories on first activation without user request |
| Jun 5, 2026 | py_eval | info | eval() can execute arbitrary code |
| Jun 5, 2026 | ai_observation | high | User PII (email address and phone number) is collected and POSTed to https://pua-skill.pages.dev/api/leaderboard, an unaffiliated third-party domain hosted on Cloudflare Pages. The domain has no verifiable ownership link to the skill publisher. |
| Jun 5, 2026 | composite_exec_exfil | high | Composite: process execution + outbound network in same file (SS-CP01) |
| Jun 5, 2026 | ai_observation | medium | Undocumented after_complete hook with trigger: session-logger and mode: auto fires automatically after every completion without user consent |
| Jun 5, 2026 | ai_observation | high | Skill stores plaintext ChatGPT Team admin credentials (TEAM_ADMIN_EMAIL / TEAM_ADMIN_PASSWORD) in .env file for use by automated Playwright browser automation pipeline that registers and manages bulk fake accounts. |
| Jun 5, 2026 | ai_observation | high | Skill instructs storing OpenAI admin account email and plaintext password in .env file (OPENAI_EMAIL / OPENAI_PASSWORD) as part of automated mass account-registration pipeline. |
| Jun 5, 2026 | ai_observation | medium | — |
| Jun 5, 2026 | ai_observation | medium | — |
| Jun 5, 2026 | ai_observation | medium | — |
| Jun 5, 2026 | ai_observation | high | — |
| Jun 5, 2026 | ai_observation | high | — |