# Skill-Veil Built-in Security Rules
# This file contains all 67 security detection rules for skill analysis.
# Format matches the Rule struct with serde serialization.
# ============================================
# Remote Execution Rules
# ============================================
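# NOTE(review): indentation reconstructed from a flattened paste (every line
# was at column 0, which is not parseable as one sequence of Rule mappings).
# `enabled` and the `requires_code_artifact` / `downgrade_*` switches are
# placed at rule level rather than under `shield` because
# SKILL_PERSUASIVE_URGENCY carries `enabled: true` with no `shield:` block at
# all — confirm this layout against the Rule struct.
- id: SKILL_REMOTE_EXEC_WGET_BASH
  category: remote_exec
  severity: critical
  confidence: 0.98
  # `wget ... -O - | sh` / `| bash`: download streamed straight into a shell.
  when: !regex
    pattern: "wget\\s+.*-O\\s*-\\s*\\|\\s*(ba)?sh"
  action: block
  reason: "Remote download and execution via wget piped to shell"
  shield:
    scope: skill.install
  enabled: true
  tags:
    - remote_exec
    - supply_chain
  promptintel_threats:
    - "Malware generation"
- id: SKILL_REMOTE_EXEC_POWERSHELL
  category: remote_exec
  severity: critical
  confidence: 0.95
  # Download cmdlet (or its `iwr`/`wget` aliases) piped into `iex`.
  when: !regex
    pattern: "(?i)(Invoke-WebRequest|iwr|wget)\\s*.*\\|\\s*(iex|Invoke-Expression)"
  action: block
  reason: "Remote download and execution via PowerShell"
  shield:
    scope: skill.install
  enabled: true
  tags:
    - remote_exec
    - powershell
  promptintel_threats:
    - "Malware generation"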
# ============================================
# Supply Chain Rules
# ============================================
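- id: SKILL_SUPPLY_CHAIN_CHMOD_EXEC
  category: supply_chain
  severity: high
  confidence: 0.85
  when: !regex
    pattern: "chmod\\s+\\+x\\s+.*&&\\s*\\./"
  action: require_approval
  reason: "Downloaded file made executable and run immediately"
  shield:
    scope: skill.install
  enabled: true
  tags:
    - supply_chain
  promptintel_threats:
    - "Supply Chain Abuse (package-level prompts)"
- id: SKILL_SUPPLY_CHAIN_NO_HASH
  category: supply_chain
  severity: medium
  confidence: 0.65
  # Anchor the extension so `wget myfile.sh.txt` / `curl test.sh.backup`
  # don't trigger. `\\S+` consumes the URL/filename without crossing
  # whitespace, and the trailing class requires the executable extension
  # to be the LAST extension before a delimiter (space, quote, paren,
  # semicolon, end-of-line). Pre-fix `.*\\.(sh|...)` matched any
  # substring `.sh` mid-token, so changelog/README mentions of e.g.
  # `wget archive.sh.gz` lifted benign skills to `require_approval`.
  # Note: the regex crate does not support negative lookahead, so this
  # rule cannot distinguish "download with hash verification" from
  # "download without hash verification". Confidence is reduced to
  # reflect the higher false-positive rate on scripts that verify hashes.
  when: !regex
    pattern: "(?i)(curl|wget|Invoke-WebRequest)\\s+\\S+\\.(sh|ps1|exe|bin)(?:[\\s\"'`)\\];]|$)"
  action: require_approval
  reason: "Downloading executable — verify hash integrity separately"
  shield:
    scope: skill.install
  enabled: true
  tags:
    - supply_chain
- id: SKILL_SUPPLY_CHAIN_UNPINNED_GLOBAL_NPM
  category: supply_chain
  severity: low
  confidence: 0.75
  # `--global` is the long form of `-g` (SKILL_SUPPLY_CHAIN_TYPOSQUATTING
  # already accepts both spellings); previously an unpinned
  # `npm install --global <pkg>` did not satisfy this rule. A version
  # suffix (`pkg@1.2.3`) still fails the `\\s*$` anchor, so pinned
  # installs remain unflagged.
  when: !regex
    pattern: "(?m)^\\s*npm\\s+install\\s+(?:-g|--global)\\s+(@[A-Za-z0-9_.-]+\\/)?[A-Za-z0-9_.-]+\\s*$"
  action: require_approval
  reason: "Global npm install without explicit version pin"
  shield:
    scope: skill.install
  enabled: true
  tags:
    - supply_chain
    - npm
- id: SKILL_SUPPLY_CHAIN_TYPOSQUATTING
  category: supply_chain
  severity: critical
  confidence: 0.88
  when: !regex
    pattern: "(?i)(npm install|npm i\\b|npx|yarn add|pnpm add|clawhub install|clauhub install)\\s+(-g\\s|--global\\s|--force\\s).{0,80}\\b(shersh|humantest-app|clawion|clauwd|claudd|claaude|openclaaw|openlcaw)\\b"
  action: block
  reason: "Looks-alike package name installed globally — typosquat supply-chain attack"
  shield:
    scope: skill.install
  enabled: true
  tags:
    - supply_chain
    - typosquat
  promptintel_threats:
    - "Supply Chain Abuse (package-level prompts)"
- id: SKILL_SUPPLY_CHAIN_UNPINNED_PIP
  category: supply_chain
  severity: low
  confidence: 0.75
  # Bare package names only: a `==`/`>=` specifier or a `-r`/`-e` option
  # falls outside the character classes, so such lines do not match.
  when: !regex
    pattern: "(?m)^\\s*pip\\s+install\\s+[A-Za-z0-9_.][A-Za-z0-9_.-]*(?:\\s+[A-Za-z0-9_.][A-Za-z0-9_.-]*)*\\s*$"
  action: require_approval
  reason: "Python dependencies installed without explicit version pinning"
  shield:
    scope: skill.install
  enabled: true
  tags:
    - supply_chain
    - python
- id: SKILL_DOCKER_PRIVILEGED
  category: privilege_escalation
  severity: medium
  confidence: 0.85
  when: !regex
    pattern: "(?i)docker\\s+run\\s+.*--privileged"
  action: require_approval
  reason: "Docker container requests privileged execution"
  shield:
    scope: skill.container
  enabled: true
  tags:
    - docker
    - privilege_escalation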
# ============================================
# Reverse Shell Rules
# ============================================
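- id: SKILL_REVERSE_SHELL_BASH
  category: remote_exec
  severity: critical
  confidence: 0.99
  when: !regex
    pattern: "bash\\s+-i\\s+>&\\s*/dev/tcp/"
  action: block
  reason: "Bash reverse shell detected"
  shield:
    scope: skill.network
  enabled: true
  tags:
    - reverse_shell
    - critical
  promptintel_threats:
    - "Exploit or payload output"
    - "Malware generation"
- id: SKILL_REVERSE_SHELL_NC
  category: remote_exec
  severity: critical
  confidence: 0.95
  # `nc` is word-bounded so tokens such as `sync` or `func` cannot satisfy
  # the tool alternation.
  when: !regex
    pattern: "(\\bnc\\b|ncat|netcat)\\s+.*-e\\s+(ba)?sh"
  action: block
  reason: "Netcat reverse shell detected"
  shield:
    scope: skill.network
  enabled: true
  tags:
    - reverse_shell
    - critical
  promptintel_threats:
    - "Exploit or payload output"
    - "Malware generation"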
# ============================================
# Credential Exposure Rules
# ============================================
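- id: SKILL_CRED_HARDCODED_KEY
  category: credential_exposure
  severity: high
  confidence: 0.80
  # Requires a quoted literal of at least 8 characters after `=`/`:` so
  # that `password: <your password>` style placeholders with quotes of
  # fewer characters do not fire.
  when: !regex
    pattern: "(?i)(api[_-]?key|secret[_-]?key|password|token)\\s*[=:]\\s*[\"'][^\"']{8,}[\"']"
  action: require_approval
  reason: "Potential hardcoded credential or API key"
  shield:
    scope: skill.secrets
  enabled: true
  tags:
    - credentials
  promptintel_threats:
    - "Credential leak"
    - "Credential Harvesting Templates"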
# ============================================
# Persuasive Language Rules
# ============================================
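- id: SKILL_PERSUASIVE_URGENCY
  category: persuasive_language
  severity: low
  confidence: 0.60
  # `safe` was removed from the alternation. Even with `\bsafe\b`, the regex
  # crate's `\b` matches at the `-` in `type-safe` / `thread-safe` because
  # `-` is a non-word character — every skill documenting its own safety
  # properties produced two `low` findings. The remaining arms (`just once`,
  # `trust me`, `urgent`, `immediately`, `right now`, `don't worry`) are
  # specific enough that pure substring matching does not collide with
  # benign prose.
  when: !regex
    pattern: "(?i)(just\\s+once|trust\\s+me|don'?t\\s+worry|urgent|immediately|right\\s+now)"
  action: log
  reason: "Persuasive or urgency language detected"
  # NOTE(review): this is the only rule in the file without a `shield:`
  # block — confirm whether Rule defaults the shield scope or whether the
  # block was dropped.
  enabled: true
  tags:
    - semantic
    - persuasive
  promptintel_threats:
    - "Fraud and social engineering"
- id: SKILL_SOCIAL_MANIPULATION_AUTHORITY
  category: social_manipulation
  severity: medium
  confidence: 0.72
  when: !regex
    pattern: "(?i)(as your administrator|security team requires|mandatory compliance|non-compliance will)"
  action: require_approval
  reason: "Authority-based social pressure detected"
  shield:
    scope: skill.review
  enabled: true
  tags:
    - semantic
    - social_manipulation
  promptintel_threats:
    - "Fraud and social engineering"
- id: SKILL_AUTONOMY_ESCALATION_NO_REVIEW
  category: autonomy_escalation
  severity: high
  confidence: 0.80
  when: !regex
    pattern: "(?i)(without human review|without confirmation|automatically approve|no human approval required)"
  action: require_approval
  reason: "Skill attempts to bypass normal approval or review controls"
  shield:
    scope: skill.approval
  enabled: true
  tags:
    - autonomy
    - semantic
  promptintel_threats:
    - "Agentic Misuse (tool/agent loops)"
    - "Direct prompt injection"
- id: SKILL_PROMPT_TAMPERING_OVERRIDE
  category: persistent_prompt_tampering
  severity: high
  confidence: 0.84
  when: !regex
    pattern: "(?i)(ignore previous system instructions|override the system prompt|replace the system message|persist these instructions across sessions)"
  action: require_approval
  reason: "Skill contains persistent prompt tampering language"
  shield:
    scope: skill.prompt
  enabled: true
  tags:
    - prompt_tampering
    - semantic
  promptintel_threats:
    - "Direct prompt injection"
    - "Jailbreak"
- id: SKILL_TOOL_ABUSE_SESSION_EXTRACTION
  category: tool_abuse
  severity: high
  confidence: 0.82
  when: !regex
    pattern: "(?i)(extract cookies|dump session tokens|harvest browser storage|export authentication headers)"
  action: require_approval
  reason: "Skill describes tool usage patterns associated with session or token extraction"
  shield:
    scope: skill.tools
  enabled: true
  tags:
    - tool_abuse
    - credentials
  promptintel_threats:
    - "Agentic Misuse (tool/agent loops)"
    - "Credential Harvesting Templates"
- id: SKILL_SOCIAL_MANIPULATION_TRUST_CHAIN
  category: social_manipulation
  severity: medium
  confidence: 0.72
  when: !regex
    pattern: "(?i)(ignore\\s+the\\s+usual\\s+review|skip\\s+approval|do\\s+not\\s+tell|keep\\s+this\\s+quiet|trust\\s+the\\s+skill)"
  action: require_approval
  reason: "Language attempts to bypass human review or hide execution intent"
  shield:
    scope: skill.review
  enabled: true
  tags:
    - semantic
    - manipulation
    - social
  promptintel_threats:
    - "Fraud and social engineering"
    - "Jailbreak"
- id: SKILL_AUTONOMY_ESCALATION_UNBOUNDED
  category: autonomy_escalation
  severity: medium
  confidence: 0.76
  when: !regex
    pattern: "(?i)(continue\\s+acting\\s+without\\s+approval|act\\s+autonomously\\s+until\\s+complete|take\\s+any\\s+action\\s+needed)"
  action: require_approval
  reason: "Skill expands agent autonomy without bounded approval or stop conditions"
  shield:
    scope: skill.autonomy
  enabled: true
  tags:
    - autonomy
    - context
  promptintel_threats:
    - "Agentic Misuse (tool/agent loops)"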
# ============================================
# Privilege Escalation Rules
# ============================================
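- id: SKILL_PRIV_SUDO_NOPASSWD
  category: privilege_escalation
  severity: high
  confidence: 0.90
  # Case-insensitive: `nopasswd`, `Visudo` and the sudoers path in any
  # casing all match.
  when: !regex
    pattern: "(?i)NOPASSWD|visudo|/etc/sudoers"
  action: block
  reason: "Sudo privilege escalation attempt"
  shield:
    scope: skill.system
  enabled: true
  tags:
    - privilege_escalation
  promptintel_threats:
    - "Harmful Automation Guidance"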
# ============================================
# Data Exfiltration Rules
# ============================================
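- id: SKILL_EXFIL_ENV_UPLOAD
  category: data_exfiltration
  severity: high
  confidence: 0.85
  # `nc` is word-bounded, matching SKILL_REVERSE_SHELL_NC. Unbounded, the
  # tool alternation was satisfied by the tail of `sync`, `async` or
  # `func` followed by whitespace, so ordinary code that later mentioned
  # `$env` or `$(env` was blocked.
  when: !regex
    pattern: "(?i)(curl|wget|\\bnc\\b)\\s+.*\\$\\(?(env|printenv|cat\\s+/etc|cat\\s+~/\\.)"
  action: block
  reason: "Potential environment/credential exfiltration"
  shield:
    scope: skill.network
  enabled: true
  tags:
    - exfiltration
  promptintel_threats:
    - "Credential Harvesting Templates"
    - "Contextual Exfiltration Patterns"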
# ============================================
# Obfuscation Rules
# ============================================
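- id: SKILL_OBFUSCATION_BASE64
  category: obfuscation
  severity: medium
  confidence: 0.75
  # `--decode` is the long form of `-d`; the short-flag-only arm let
  # `base64 --decode` through.
  when: !regex
    pattern: "(?i)(base64\\s+(?:-[dD]|--decode)|echo\\s+[A-Za-z0-9+/=]{20,}\\s*\\|\\s*base64)"
  action: require_approval
  reason: "Base64 encoded command execution"
  shield:
    scope: skill.install
  enabled: true
  tags:
    - obfuscation
  promptintel_threats:
    - "Encoding and obfuscation"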
# ============================================
# NEW RULES BASED ON MALWARE DATASET ANALYSIS
# ============================================
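- id: SKILL_MALICIOUS_DOMAIN
  category: supply_chain
  severity: critical
  confidence: 0.98
  when: !regex
    pattern: "(?i)(setup-service\\.com|app-distribution\\.net|download\\.setup-service|openclaw\\.careers|openclawcli\\.vercel\\.app)"
  action: block
  reason: "Known malicious installer domain detected"
  shield:
    scope: skill.install
  enabled: true
  tags:
    - supply_chain
    - malicious_domain
  promptintel_threats:
    - "Supply Chain Abuse (package-level prompts)"
- id: SKILL_OPENCLAW_TROJAN
  category: supply_chain
  severity: high
  confidence: 0.85
  when: !regex
    pattern: "(?i)openclaw-core.*(install|download|run)"
  action: require_approval
  reason: "Potentially trojanized openclaw-core installer"
  shield:
    scope: skill.install
  enabled: true
  tags:
    - supply_chain
    - trojan
  promptintel_threats:
    - "Supply Chain Abuse (package-level prompts)"
    - "Malware generation"
- id: SKILL_REMOTE_SELF_UPDATE
  category: supply_chain
  severity: critical
  confidence: 0.93
  # Bounded quantifiers (`.{0,N}`) replace the previous `.*` chain so a
  # document packed with the same trigger words cannot force the matcher
  # into super-linear scanning. Each gap covers a realistic phrase span
  # without permitting unbounded text between markers.
  when: !regex
    pattern: "(?i)(compare.{0,40}(?:installed|current).{0,40}version.{0,40}(?:latest|newest|remote).{0,40}at\\s+https?://|use\\s+whichever\\s+version.{0,40}(?:is\\s+)?newer|update.{0,40}(?:local\\s+)?skill\\s+file\\s+before\\s+proceed|always.{0,40}(?:fetch|check|compare).{0,40}latest.{0,40}version.{0,40}SKILL\\.md)"
  action: block
  reason: "Skill instructs the agent to self-update from a remote URL — potential Trojan dropper mechanism"
  shield:
    scope: skill.install
  enabled: true
  tags:
    - supply_chain
    - self_update
    - trojan
  promptintel_threats:
    - "Malware generation"
    - "Supply Chain Abuse (package-level prompts)"
- id: SKILL_AUTONOMY_OVERRIDE
  category: scope_creep
  severity: high
  confidence: 0.80
  when: !regex
    pattern: "(?i)(do\\s+not\\s+ask|don'?t\\s+ask)\\s+(your\\s+)?human|without\\s+(human\\s+)?permission|autonomously\\s+(send|create|register|execute)"
  action: require_approval
  reason: "Instructions to bypass human approval"
  shield:
    scope: skill.autonomy
  enabled: true
  tags:
    - autonomy
    - jailbreak
  promptintel_threats:
    - "Agentic Misuse (tool/agent loops)"
    - "Direct prompt injection"
- id: SKILL_AGENT_MANIPULATION
  category: persuasive_language
  severity: medium
  confidence: 0.75
  when: !regex
    pattern: "(?i)predatory\\s+(skill|behavior|assimilation)|digital\\s+dominance|bypass\\s+(safety|restrictions)|evolve\\s+autonomously"
  action: require_approval
  reason: "Agent manipulation or jailbreak language"
  shield:
    scope: skill.behavior
  enabled: true
  tags:
    - jailbreak
    - manipulation
  promptintel_threats:
    - "Jailbreak"
    - "Direct prompt injection"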
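- id: SKILL_WALLET_PRIVATE_KEY
  category: credential_exposure
  severity: critical
  confidence: 0.90
  when: !regex
    pattern: "(?i)(private[_-]?key|mnemonic|seed\\s*phrase)\\s*[=:]"
  action: block
  reason: "Cryptocurrency wallet private key or mnemonic handling"
  shield:
    scope: skill.crypto
  enabled: true
  # Crypto-research / wallet-recovery / DeFi-coaching skills document
  # `private_key:` / `mnemonic:` in YAML config examples as
  # placeholder fields the user fills in. Require code-context
  # corroboration; downgrade for educational/anti-pattern catalogues.
  requires_code_artifact: true
  downgrade_when_documentation_context: true
  tags:
    - crypto
    - wallet
  promptintel_threats:
    - "Credential Harvesting Templates"
    - "Privacy / PII Exfiltration Templates"
- id: SKILL_TELEGRAM_EXFIL
  category: data_exfiltration
  severity: high
  confidence: 0.85
  # Broad by design (any "telegram" mention); the hardcoded-token rule
  # below is the precise, conclusive-grade counterpart.
  when: !regex
    pattern: "(?i)telegram\\s*(bot|api|send)|api\\.telegram\\.org|send.*telegram"
  action: require_approval
  reason: "Telegram bot for potential data exfiltration"
  shield:
    scope: skill.exfil
  enabled: true
  tags:
    - exfiltration
    - telegram
  promptintel_threats:
    - "Data exfiltration via prompt"
# A LIVE Telegram bot-token URL embedded in skill content
# (`api.telegram.org/bot<numeric-id>:<token>`) is an IOC: legitimate
# skills read the token from an env var and never embed the
# `<id>:<token>` secret literally. Distinct from the broad
# `SKILL_TELEGRAM_EXFIL` (any "telegram" mention, FP-prone) and
# `SKILL_METADATA_HARDCODED_BOT_TOKEN` (assignment form only). Measured
# 0/4000 on the VT-clean corpus, 4/2976 malicious — conclusive-grade
# by construction (mirrored into CONCLUSIVE_SINGLE_RULE_IDS).
- id: SKILL_TELEGRAM_BOT_TOKEN_HARDCODED
  category: credential_exposure
  severity: critical
  confidence: 0.97
  # Deliberately case-sensitive: the host and `bot` prefix are literal.
  when: !regex
    pattern: "api\\.telegram\\.org/bot[0-9]{6,}:[A-Za-z0-9_-]{20,}"
  action: block
  reason: "Live Telegram bot token embedded in skill content — hardcoded exfiltration credential"
  shield:
    scope: skill.exfil
  enabled: true
  tags:
    - exfiltration
    - telegram
    - ioc
  promptintel_threats:
    - "Data exfiltration via prompt"
    - "Hardcoded credential"
    - "Contextual Exfiltration Patterns"
- id: SKILL_DISCORD_WEBHOOK
  category: data_exfiltration
  severity: high
  confidence: 0.90
  when: !regex
    pattern: "(?i)discord\\s*(webhook|api)|discord(app)?\\.com/api/webhooks"
  action: require_approval
  reason: "Discord webhook for potential data exfiltration"
  shield:
    scope: skill.exfil
  enabled: true
  tags:
    - exfiltration
    - discord
  promptintel_threats:
    - "Data exfiltration via prompt"
    - "Contextual Exfiltration Patterns"
- id: SKILL_AGENT_NETWORK
  category: scope_creep
  severity: high
  confidence: 0.80
  when: !regex
    pattern: "(?i)(agent\\s+network|swarm\\s+(protocol|coordination|of\\s+agents)|collective\\s+agent|hive\\s*(mind|protocol|network))|recruit.*agents|\\d+\\s*\\+?\\s*agents?\\s+(sharing|connected|coordinated)"
  action: require_approval
  reason: "Agent network or swarm coordination"
  shield:
    scope: skill.network
  enabled: true
  tags:
    - botnet
    - swarm
  promptintel_threats:
    - "Multi-Agent Collusion"
- id: SKILL_MEMORY_WIPE
  category: obfuscation
  severity: high
  confidence: 0.80
  when: !regex
    pattern: "(?i)(delete|wipe|purge|clear)\\s*(all\\s+)?memory|(deep|aggressive)\\s*(clean|wipe|purge)|destroy\\s+(evidence|logs|history)"
  action: require_approval
  reason: "Memory wiping or evidence destruction"
  shield:
    scope: skill.antiforensics
  enabled: true
  tags:
    - antiforensics
    - memory_wipe
  promptintel_threats:
    - "Telemetry Evasion Techniques"
- id: SKILL_HEARTBEAT_PERSISTENCE
  category: scope_creep
  severity: medium
  confidence: 0.70
  when: !regex
    pattern: "(?i)heartbeat\\.md|add\\s+to\\s+(your\\s+)?heartbeat|each\\s+heartbeat\\s*:"
  action: log
  reason: "Heartbeat-based persistence mechanism"
  shield:
    scope: skill.persistence
  enabled: true
  tags:
    - persistence
    - heartbeat
  promptintel_threats:
    - "Agentic Misuse (tool/agent loops)"
    - "Telemetry Evasion Techniques"
- id: SKILL_PUMP_DUMP
  category: scope_creep
  severity: critical
  confidence: 0.90
  when: !regex
    pattern: "(?i)(pump|dump)\\s*(and|&)\\s*(dump|pump)|(viral|coordinated)\\s*(promo|pump|shill)|token\\s*(manipulation|fraud)"
  action: block
  reason: "Cryptocurrency pump-and-dump or market manipulation"
  shield:
    scope: skill.fraud
  enabled: true
  tags:
    - fraud
    - crypto
  promptintel_threats:
    - "Fraud and social engineering"
    - "Disinformation campaign"
- id: SKILL_AGENT_ENCODING
  category: obfuscation
  severity: high
  confidence: 0.85
  when: !regex
    pattern: "(?i)agent\\s*lingua|human.*cannot\\s+read|agent\\s+translation\\s+required"
  action: block
  reason: "Agent-specific encoding to hide from human oversight"
  shield:
    scope: skill.obfuscation
  enabled: true
  tags:
    - obfuscation
    - prompt_injection
  promptintel_threats:
    - "Encoding and obfuscation"
    - "Telemetry Evasion Techniques"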
# ============================================
# ADDITIONAL RULES FROM GAP ANALYSIS
# ============================================
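- id: SKILL_SURVEILLANCE_MACOS_DB
  category: data_exfiltration
  severity: critical
  confidence: 0.95
  # NOTE(review): the `screen\s*time` arm is plain English under `(?i)` and
  # this rule blocks; productivity / parental-control prose that mentions
  # "screen time" will fire. Worth measuring on the clean corpus before
  # deciding whether that arm needs a file-path or API anchor.
  when: !regex
    pattern: "(?i)knowledgeC\\.db|ZOBJECT|screen\\s*time|application\\s*usage\\s*database"
  action: block
  reason: "Access to macOS surveillance databases (screen time, app usage)"
  shield:
    scope: skill.privacy
  enabled: true
  tags:
    - surveillance
    - spyware
    - macos
  promptintel_threats:
    - "Privacy / PII Exfiltration Templates"
    - "Contextual Exfiltration Patterns"
- id: SKILL_WEBCAM_CAPTURE
  category: data_exfiltration
  severity: critical
  confidence: 0.90
  # Pattern only matches LIVE camera-capture primitives. The previous
  # alternation included the bare word `webcam` plus a permissive
  # `AVCaptureDevice` substring, both of which fired on every skill
  # that fetched public webcam URLs (foto-webcam.eu and similar
  # weather/scenery feeds) and on documentation prose that merely
  # mentioned the word. Cross-LLM triage on a 4000-skill VT-clean
  # corpus confirmed 7/9 fires under this rule were false positives.
  # Keep `imagesnap` (macOS CLI), `ffmpeg avfoundation` (live capture
  # pipeline), the `cv2.VideoCapture(0)` / `getUserMedia` primitives
  # that grab the user's hardware camera, and the
  # `AVCaptureDevice.{devices,defaultDevice,discoverySession}`
  # accessors — everything else was noise.
  when: !regex
    pattern: "(?i)\\bimagesnap\\b|ffmpeg.*avfoundation|cv2\\.VideoCapture\\(\\s*0\\s*\\)|navigator\\.mediaDevices\\.getUserMedia|AVCaptureDevice\\.(?:devices|defaultDevice|discoverySession)"
  action: block
  reason: "Live webcam / camera capture primitive"
  shield:
    scope: skill.privacy
  enabled: true
  # Educational / detection-catalogue skills (privacy auditors,
  # security scanners) routinely document camera primitives as
  # anti-patterns; downgrade for those.
  downgrade_when_documentation_context: true
  tags:
    - surveillance
    - webcam
  promptintel_threats:
    - "Privacy / PII Exfiltration Templates"
- id: SKILL_OAUTH_TOKEN_THEFT
  category: credential_exposure
  severity: high
  confidence: 0.85
  # NOTE(review): `token.*persist` and `oauth.*token.*save` are unbounded
  # `.*` gaps, so any document that mentions a token and, much later,
  # persistence will match — confirm the FP rate before relying on this
  # at `high`.
  when: !regex
    pattern: "(?i)oauth.*token.*save|token.*persist|refresh_token.*store|\\.ah_tokens|tokens\\.json"
  action: require_approval
  reason: "OAuth token storage or theft pattern"
  shield:
    scope: skill.auth
  enabled: true
  tags:
    - oauth
    - token_theft
  promptintel_threats:
    - "Credential Harvesting Templates"
    - "Credential leak"
- id: SKILL_FINGERPRINT_SPOOF
  category: obfuscation
  severity: high
  confidence: 0.85
  when: !regex
    pattern: "(?i)curl[-_]?cffi|impersonate.*browser|fingerprint.*spoof|browser.*impersonat"
  action: require_approval
  reason: "Browser fingerprint spoofing for evasion"
  shield:
    scope: skill.evasion
  enabled: true
  tags:
    - evasion
    - fingerprint
  promptintel_threats:
    - "Telemetry Evasion Techniques"
- id: SKILL_ERROR_HANDLER_HIJACK
  category: data_exfiltration
  severity: high
  confidence: 0.80
  # First arm is bounded (`.{0,120}`) between the handler registration
  # and the network verb; the two trailing arms are not.
  when: !regex
    pattern: "(?i)process\\.on\\s*\\(\\s*['\"]error['\"]\\s*,.{0,120}\\b(post|send|fetch|request|emit|write)\\b|uncaughtException.*post|unhandledRejection.*send"
  action: require_approval
  reason: "Error handler hijacking for data exfiltration"
  shield:
    scope: skill.exfil
  enabled: true
  tags:
    - exfiltration
    - error_handler
  promptintel_threats:
    - "Telemetry Evasion Techniques"
    - "Data exfiltration via prompt"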
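- id: SKILL_CREDENTIAL_HARVEST
  category: credential_exposure
  severity: critical
  confidence: 0.90
  # NOTE(review): the `find.*credential` arm is also satisfied by ordinary
  # prose ("you can find credentials in the dashboard") and this rule
  # blocks at critical. Consider anchoring that arm to a `find` command
  # invocation (e.g. requiring `-name`/`-iname` in the gap) once the
  # clean-corpus hit rate is known.
  when: !regex
    pattern: "(?i)os\\.walk.*\\.env|walk.*config\\.js|find.*credential|glob.*secret"
  action: block
  reason: "File system traversal for credential harvesting"
  shield:
    scope: skill.secrets
  enabled: true
  tags:
    - credentials
    - harvesting
  promptintel_threats:
    - "Credential Harvesting Templates"
- id: SKILL_BOUNDARY_TESTING
  category: persuasive_language
  severity: medium
  confidence: 0.70
  when: !regex
    pattern: "(?i)test\\s+boundaries|restrictions\\s+are\\s+(conventional|optional|fuzzy)|you\\s+don'?t\\s+need\\s+permission|(ignore|circumvent|override)\\s+(safety|guidelines|constraints)"
  action: require_approval
  reason: "Encourages boundary testing or ignoring restrictions"
  shield:
    scope: skill.behavior
  enabled: true
  tags:
    - jailbreak
    - prompt_injection
  promptintel_threats:
    - "Jailbreak"
- id: SKILL_SOLANA_WALLET
  category: credential_exposure
  severity: high
  confidence: 0.80
  when: !regex
    pattern: "(?i)(solana|sol)\\s*(wallet|rpc|transaction).*(sign|transfer|send)|(sign|transfer|send).*(solana|sol)\\s*(wallet|transaction)"
  action: require_approval
  reason: "Solana wallet transaction signing capability"
  shield:
    scope: skill.crypto
  enabled: true
  tags:
    - crypto
    - solana
  promptintel_threats:
    - "Credential Harvesting Templates"
- id: SKILL_ETHEREUM_WALLET
  category: credential_exposure
  severity: high
  confidence: 0.80
  # `(?i)` is placed after the first `|` on purpose: the 40-hex address
  # arm is already case-tolerant via its class, and only the word arm
  # needs case folding.
  when: !regex
    pattern: "\\b0x[a-fA-F0-9]{40}\\b|(?i)\\b(ethereum|eth|erc20?)\\s*(wallet|transfer|transaction)\\b"
  action: require_approval
  reason: "Ethereum wallet or contract interaction"
  shield:
    scope: skill.crypto
  enabled: true
  tags:
    - crypto
    - ethereum
  promptintel_threats:
    - "Credential Harvesting Templates"
- id: SKILL_CRON_PERSISTENCE
  category: scope_creep
  severity: medium
  confidence: 0.75
  # Pre-fix the alternation arms `scheduled\s+(task|job|execution)` and
  # `(daily|weekly|hourly)\s+(purge|cleanup|check)` matched ubiquitous
  # English phrasing — "Run a scheduled task", "weekly cleanup", "daily
  # check of the API endpoint" — pushing benign automation skills toward
  # `require_approval`. Only a real `crontab -e/add/install` invocation
  # is a reliable persistence indicator at this severity. Other
  # persistence mechanisms (launchctl, schtasks, cron file edits) are
  # covered by adjacent rules; the over-broad scheduling-prose arms have
  # been removed.
  when: !regex
    pattern: "(?i)crontab\\s+(-e|add|install)"
  action: require_approval
  reason: "Scheduled task persistence mechanism"
  shield:
    scope: skill.persistence
  enabled: true
  tags:
    - persistence
    - cron
  promptintel_threats:
    - "Telemetry Evasion Techniques"
- id: SKILL_SOCIAL_AUTOMATION
  category: scope_creep
  severity: medium
  confidence: 0.75
  when: !regex
    pattern: "(?i)(moltbook|molttok|clawsocial|clawstack)|register\\s+(on|to)\\s+social|autonomous\\s+(post|tweet|message)"
  action: require_approval
  reason: "Automated social platform interaction"
  shield:
    scope: skill.social
  enabled: true
  tags:
    - social
    - automation
  promptintel_threats:
    - "Disinformation campaign"
    - "Automation for crime"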
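- id: SKILL_TOKEN_SCAM
  # Re-categorised from scope_creep to social_manipulation: token-pump /
  # paywalled-trading skills are active social-engineering fraud, not a
  # permission-hygiene concern. social_manipulation escalates to
  # SuspiciousPackageBehavior via findings::mapping::signal_class_for.
  category: social_manipulation
  severity: high
  confidence: 0.80
  # The ticker classes are wrapped in `(?-i:...)` so the leading `(?i)`
  # does not fold them: unscoped, `[A-Z]{3,10}` matched any 3-10 letters,
  # so `buy apples`, `mint condition`, `stakeholder` and `buyers` all
  # satisfied the second arm. Tickers are uppercase in the examples the
  # downgrade comment below gives (`buy $ETH`, `stake $SOL`), which is
  # the intent the original class encoded.
  when: !regex
    pattern: "(?i)\\$(?-i:[A-Z]{3,10})\\s*token|(buy|mint|stake)\\s*(\\$)?(?-i:[A-Z]{3,10})|(tier|level)\\s*\\d+.*token"
  action: require_approval
  reason: "Token promotion or potential scam"
  shield:
    scope: skill.fraud
  enabled: true
  # Crypto / token vocabulary fires on every skill that helps a user
  # research a real token (`buy $ETH`, `stake $SOL`, "mint NFT"). The
  # token-scam pattern is only meaningful when the skill actually
  # contains code (or shell snippets) acting on the wallet; pure
  # prose discussions of the same vocabulary are educational. Also
  # downgrade for skills with explicit confirmation gates and for
  # detection-catalogue skills (security scanners describing
  # token-scam patterns as anti-patterns).
  requires_code_artifact: true
  downgrade_when_confirmation_gate: true
  downgrade_when_documentation_context: true
  tags:
    - fraud
    - crypto
  promptintel_threats:
    - "Fraud and social engineering"
- id: SKILL_LAUNCHAGENT_PERSISTENCE
  category: scope_creep
  severity: high
  confidence: 0.90
  when: !regex
    pattern: "(?i)LaunchAgent|LaunchDaemon|com\\.apple\\.loginitems|~/Library/LaunchAgents"
  action: require_approval
  reason: "macOS LaunchAgent persistence mechanism"
  shield:
    scope: skill.persistence
  enabled: true
  tags:
    - persistence
    - macos
  promptintel_threats:
    - "Telemetry Evasion Techniques"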
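- id: SKILL_PYTHON_HEREDOC
  category: remote_exec
  severity: high
  confidence: 0.85
  when: !regex
    pattern: "(?i)python3?\\s*<<\\s*['\"]?EOF|python3?\\s+-c\\s*['\"]import\\s+(urllib|requests|socket)"
  action: require_approval
  reason: "Python heredoc or inline network code execution"
  shield:
    scope: skill.install
  enabled: true
  tags:
    - remote_exec
    - python
  promptintel_threats:
    - "Encoding and obfuscation"
    - "Hidden instruction in code or comments"
- id: SKILL_P2P_HIVE
  category: scope_creep
  severity: high
  confidence: 0.85
  when: !regex
    pattern: "(?i)p2p\\s*hive|connect.*hive|sovereign\\s*ghost|distributed\\s*agent\\s*network"
  action: require_approval
  reason: "P2P hive or distributed agent network connection"
  shield:
    scope: skill.network
  enabled: true
  tags:
    - botnet
    - p2p
  promptintel_threats:
    - "Multi-Agent Collusion"
- id: SKILL_SMS_CALL_ACCESS
  category: data_exfiltration
  severity: high
  confidence: 0.90
  # Pre-fix the bare `call\s*log` clause matched benign prose like
  # "tool call logged to ~/.vmware/audit.db" and "evidence checklist:
  # ... call logs". 5/5 LLM-consensus FPs in the v5 corpus traced
  # to that loose clause. New pattern requires the SMS/call evidence
  # to look like an actual database file path or platform API target,
  # not the English phrase "call log" appearing in unrelated prose.
  when: !regex
    pattern: "(?i)(sms\\s*database|messages\\.db|callhistory(\\.storedata|\\.db)?|sms\\.db|mmssms\\.db|com\\.android\\.providers\\.telephony|content://sms|content://call_log|callkit|library/sms/|/private/var/mobile/library/sms|call_log\\.(db|sqlite|store|storedata))"
  action: block
  reason: "Access to SMS or call log databases"
  shield:
    scope: skill.privacy
  enabled: true
  tags:
    - surveillance
    - sms
  promptintel_threats:
    - "Privacy / PII Exfiltration Templates"
- id: SKILL_AUTO_PR_MERGE
  category: scope_creep
  severity: high
  confidence: 0.85
  when: !regex
    pattern: "(?i)auto\\s*(merge|approve)\\s*pr|merge\\s*without\\s*review|bypass\\s*code\\s*review"
  action: require_approval
  reason: "Automated PR merging without human review"
  shield:
    scope: skill.code
  enabled: true
  tags:
    - code_modification
    - automation
  promptintel_threats:
    - "Agentic Misuse (tool/agent loops)"
- id: SKILL_PLAINTEXT_CREDS
  category: credential_exposure
  severity: high
  confidence: 0.85
  when: !regex
    pattern: "(?i)store.*password.*plain|save.*credential.*file|write.*secret.*disk|credentials\\.txt"
  action: require_approval
  reason: "Plaintext credential storage pattern"
  shield:
    scope: skill.secrets
  enabled: true
  tags:
    - credentials
    - plaintext
  promptintel_threats:
    - "Credential leak"
    - "Credential Harvesting Templates"
- id: SKILL_NFT_WALLET_SIGN
  category: credential_exposure
  severity: high
  confidence: 0.80
  when: !regex
    pattern: "(?i)nft\\s*mint|wallet\\s*sign|sign\\s*transaction|approve\\s*all\\s*tokens"
  action: require_approval
  reason: "NFT minting or wallet signing operation"
  shield:
    scope: skill.crypto
  enabled: true
  tags:
    - crypto
    - nft
  promptintel_threats:
    - "Fraud and social engineering"
- id: SKILL_EXTERNAL_SCRIPT_EXEC
  category: remote_exec
  severity: medium
  confidence: 0.75
  when: !regex
    pattern: "(?i)run\\s+scripts/|execute\\s+scripts/|bash\\s+scripts/|python\\s+scripts/"
  action: require_approval
  reason: "Execution of scripts from skill package"
  shield:
    scope: skill.install
  enabled: true
  tags:
    - remote_exec
    - scripts
  promptintel_threats:
    - "Malware generation"
    - "Supply Chain Abuse (package-level prompts)"
- id: SKILL_SHARED_SECRET
  category: credential_exposure
  severity: high
  confidence: 0.85
  when: !regex
    pattern: "(?i)shared\\s*secret|global\\s*api\\s*key|common\\s*credential|default\\s*password\\s*="
  action: require_approval
  reason: "Shared or global credential pattern"
  shield:
    scope: skill.secrets
  enabled: true
  tags:
    - credentials
    - shared_secret
  promptintel_threats:
    - "Credential leak"
- id: SKILL_PAYMENT_ACCESS
  category: credential_exposure
  severity: critical
  confidence: 0.95
  when: !regex
    pattern: "(?i)credit\\s*card|payment\\s*method|card\\s*number|cvv|billing\\s*info|full\\s*card\\s*access"
  action: block
  reason: "Access to payment or credit card information"
  shield:
    scope: skill.payment
  enabled: true
  # Vocabulary-only regex: matches plain prose mentions of payment
  # terminology in coaching / educational / FDD-review skills that
  # have nothing to do with handling card data. Cross-LLM triage on
  # 4000 VT-clean skills measured ~46% FP rate (49/106). Require the
  # match to also appear in a fenced code block; otherwise emit at
  # ReviewSignal / RequireApproval so analysts still see it but the
  # verdict no longer auto-blocks. Also downgrade when the document
  # declares an explicit confirmation gate (propose→YES workflows)
  # or when the document is itself a security-scanner / detection
  # catalogue describing payment patterns as ANTI-patterns.
  requires_code_artifact: true
  downgrade_when_confirmation_gate: true
  downgrade_when_documentation_context: true
  tags:
    - payment
    - pci
  promptintel_threats:
    - "Privacy / PII Exfiltration Templates"
    - "Fraud and social engineering"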
# ============================================
# FINAL GAP RULES - Multilingual & Specific
# ============================================
- id: SKILL_SMS_DATABASE_MULTI
  category: data_exfiltration
  severity: critical
  confidence: 0.95
  # Portuguese phrases for the message database / inbox / unread SMS.
  when: !regex
    pattern: "(?i)banco\\s*de\\s*dados\\s*de\\s*mensagens|caixa\\s*de\\s*entrada|mensagens\\s*SMS|SMS\\s*não\\s*lidas"
  action: block
  reason: "SMS/message database access (Portuguese)"
  shield:
    scope: skill.privacy
    enabled: true
  tags:
    - sms
    - exfiltration
    - portuguese
  promptintel_threats:
    - "Privacy / PII Exfiltration Templates"

- id: SKILL_DEVICE_DEBUG_INTERFACE
  category: privilege_escalation
  severity: high
  confidence: 0.85
  # Debug-interface vocabulary (Portuguese and English), `adb shell`,
  # and modem AT commands.
  when: !regex
    pattern: "(?i)interface\\s*de\\s*depura|debug\\s*interface|adb\\s+shell|AT\\s+commands?"
  action: require_approval
  reason: "Device debugging or AT command interface access"
  shield:
    scope: skill.device
    enabled: true
  tags:
    - device
    - debug
  promptintel_threats:
    - "Reconnaissance and target profiling"

- id: SKILL_DOT_TOKEN_FILES
  category: credential_exposure
  severity: high
  confidence: 0.85
  # A home-dir prefix or a `cat`/`read` verb directly in front of a
  # dot-file whose name is a credential word (`.token`, `.secret`, ...).
  when: !regex
    pattern: "(?i)(~/|\\$HOME/|/home/|\\bcat\\s+|\\bread\\s+)\\.(line_token|line_secret|token|secret|credentials|api_key)"
  action: require_approval
  reason: "Plaintext credential storage in dot files"
  shield:
    scope: skill.secrets
    enabled: true
  tags:
    - credentials
    - plaintext
  promptintel_threats:
    - "Credential leak"
    - "Credential Harvesting Templates"

- id: SKILL_GH_AUTO_MERGE
  category: scope_creep
  severity: high
  confidence: 0.85
  # `gh pr merge --auto`, `gh pr checkout`, or "merge ... without ... review".
  # NOTE(review): the `gh pr checkout` alternative also matches ordinary
  # code-review workflows — confirm it is meant to sit under this reason.
  when: !regex
    pattern: "(?i)gh\\s+pr\\s+merge.*--auto|gh\\s+pr\\s+checkout|merge.*without.*review"
  action: require_approval
  reason: "GitHub CLI automated PR merge without human review"
  shield:
    scope: skill.code
    enabled: true
  tags:
    - github
    - automation
  promptintel_threats:
    - "Agentic Misuse (tool/agent loops)"
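- id: SKILL_OPENCLAW_DIR
  category: scope_creep
  severity: medium
  confidence: 0.75
  # References to the OpenClaw skills directory, either as the bare
  # `.openclaw/skills/` path or as a `/home/<user>/.openclaw/` path.
  # The home-dir form previously read `/home/.*/.openclaw/`: the dot in
  # front of `openclaw` was unescaped (matched any character) and `.*`
  # could stitch the match together from two unrelated tokens on the
  # same line. It is now `\\.openclaw` with a whitespace-free user
  # segment.
  when: !regex
    pattern: "(?i)\\.openclaw/skills/|/home/[^\\s]*/\\.openclaw/"
  action: require_approval
  reason: "Access to OpenClaw skills directory"
  shield:
    scope: skill.filesystem
    enabled: true
  tags:
    - openclaw
    - filesystem
  promptintel_threats:
    - "Supply Chain Abuse (package-level prompts)"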
- id: SKILL_MESSAGING_DATA
  category: data_exfiltration
  severity: high
  confidence: 0.80
  # Portuguese "retrieve/filter/format messages" phrasing, GSM/SIM module
  # references, or AT-command mentions.
  when: !regex
    pattern: "(?i)(recupera|filtra|formata)\\s*(automaticamente)?\\s*mensagens|(GSM|SIM)\\s*(module|módulo)|comandos?\\s*AT"
  action: require_approval
  reason: "Access to messaging platform data or GSM/SIM modules"
  shield:
    scope: skill.communications
    enabled: true
  tags:
    - messaging
    - gsm
  promptintel_threats:
    - "Privacy / PII Exfiltration Templates"
    - "Contextual Exfiltration Patterns"
# ============================================
# VIRUSTOTAL BLOG RULES (Feb 2026)
# From: "From Automation to Infection" Parts I & II
# ============================================
- id: SKILL_SSH_KEY_INJECTION
  category: privilege_escalation
  severity: critical
  confidence: 0.98
  # The threat is *injection* of SSH keys (writing to `authorized_keys` or
  # placing a private key on disk). Earlier versions matched the bare
  # tokens `authorized_keys`, `.ssh/`, and `ssh-ed25519`, which fired on
  # any documentation that mentioned SSH paths or recommended key types.
  # The tightened pattern requires either:
  #   - a write/append shell idiom against `authorized_keys`, OR
  #   - actual key material (algorithm prefix + an `AAAA` base64 body of
  #     plausible length).
  # Prose like "make sure ~/.ssh/ has permission 700" or "ssh-ed25519
  # keys are recommended" no longer matches.
  when: !regex
    pattern: "(?i)(echo\\s+[^\\n]{0,200}>>\\s*[^\\n]{0,80}authorized_keys|cat\\s+[^\\n]{0,200}>>\\s*[^\\n]{0,80}authorized_keys|tee\\s+-a\\s+[^\\n]{0,80}authorized_keys|>\\s*~?/?\\.?ssh/authorized_keys|ssh-rsa\\s+AAAA[A-Za-z0-9+/=]{50,}|ssh-ed25519\\s+AAAA[A-Za-z0-9+/=]{30,})"
  action: block
  reason: "SSH key injection or authorized_keys modification"
  shield:
    scope: skill.ssh
    enabled: true
  tags:
    - ssh
    - backdoor
    - persistence
  promptintel_threats:
    - "Credential Harvesting Templates"
    - "Telemetry Evasion Techniques"

- id: SKILL_WARMUP_HIJACK
  category: remote_exec
  severity: high
  confidence: 0.85
  # `def __init__` was removed: it is the standard Python OOP constructor and
  # universally appears in any Python skill that defines a class. The
  # warmup-hijack threat targets `warmup()` / `pre_run()` style entrypoints
  # that execute before argument parsing — not generic OOP constructors —
  # so dropping `__init__` removes a high-volume false positive without
  # weakening the actual detection.
  when: !regex
    pattern: "(?i)(warmup|setup)\\s*\\(\\s*\\)|def\\s+(warmup|pre_run)|function\\s+warmup"
  action: require_approval
  reason: "Initialization function that may execute before argument parsing"
  shield:
    scope: skill.init
    enabled: true
  tags:
    - hijacking
    - init
  promptintel_threats:
    - "Hidden instruction in code or comments"
    - "Direct prompt injection"
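- id: SKILL_COGNITIVE_ROOTKIT
  category: scope_creep
  severity: critical
  confidence: 0.95
  # Tampering with persistent agent instruction files. The first
  # alternative is a bare filename list, so any prose that merely
  # mentions `AGENTS.md` or `SOUL.md` (files many skills legitimately
  # document) matched at critical/block. The regex is unchanged; the two
  # shield knobs below — the same ones SKILL_PAYMENT_ACCESS and
  # SKILL_SECRETS_DIR_WRITE use for vocabulary-only patterns — keep the
  # auto-block for matches inside a code artifact and downgrade
  # documentation-only hits. A write-verb anchor on the filename
  # alternative would be the stricter follow-up.
  when: !regex
    pattern: "(?i)(SOUL\\.md|AGENTS\\.md|PERSONA\\.md|SYSTEM\\.md)|(write|append|inject)\\s*(to|into)\\s*(soul|persona|system\\s*prompt)"
  action: block
  reason: "Cognitive rootkit - modification of persistent agent instruction files"
  shield:
    scope: skill.persistence
    enabled: true
    # NOTE(review): nested under shield to follow where the source places
    # these knobs on other rules — confirm against the Rule/Shield struct.
    requires_code_artifact: true
    downgrade_when_documentation_context: true
  tags:
    - rootkit
    - prompt_injection
    - persistence
  promptintel_threats:
    - "Direct prompt injection"
    - "Model Behavior Manipulation via Feedback Loops"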
- id: SKILL_KNOWN_C2_INFRA
  category: remote_exec
  severity: critical
  confidence: 0.99
  # Literal IOCs from the cited research: a domain, an IPv4 address and a
  # port. Port `13338` is anchored as `:13338` — an actual port reference.
  # Pre-fix the bare `13338` substring matched any document mentioning the
  # digit sequence (`issue #13338`, `error 13338`, `processed 13338
  # records`) and produced a critical/block verdict. Requiring the `:`
  # prefix limits matches to URL/host:port forms and the IP-with-port idiom.
  when: !regex
    pattern: "(?i)(mydeadinternet\\.com|54\\.91\\.154\\.110|:13338\\b)"
  action: block
  reason: "Known malicious C2 infrastructure from VirusTotal research"
  shield:
    scope: skill.network
    enabled: true
  tags:
    - c2
    - ioc
  promptintel_threats:
    - "Reconnaissance and target profiling"
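- id: SKILL_SEMANTIC_WORM
  category: scope_creep
  severity: critical
  confidence: 0.95
  # `/api/infections` and `referred_by` are the literal markers of the
  # observed campaign and stay verbatim. The bare `propagat(e|ion)` token
  # previously matched ordinary engineering prose ("error propagation",
  # "propagate the change") at critical/block; it now has to be followed
  # by a direction word and an agent/skill/host noun — "propagates itself
  # to other agents", "propagation across skills" — which is the worm
  # shape the rule is named for. The `infect ... other ... agents` and
  # `spread ... to ... agents` alternatives are unchanged.
  when: !regex
    pattern: "(?i)/api/infections|referred_by|propagat(e|es|ed|ing|ion)\\s+(itself\\s+)?(to|across|between|through|among)\\s+(other\\s+|all\\s+|the\\s+)?(agents?|skills?|bots?|hosts?|instances?)\\b|infect.*other.*agents?|spread.*to.*agents?"
  action: block
  reason: "Semantic worm propagation pattern"
  shield:
    scope: skill.worm
    enabled: true
  tags:
    - worm
    - propagation
  promptintel_threats:
    - "Multi-Agent Collusion"
    - "Model Behavior Manipulation via Feedback Loops"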
- id: SKILL_MALICIOUS_PUBLISHER
  category: supply_chain
  severity: critical
  confidence: 0.99
  # Literal publisher handles from the cited research.
  when: !regex
    pattern: "(?i)(hightower6eu|hightowerp6eu)"
  action: block
  reason: "Known malicious skill publisher identified by VirusTotal"
  shield:
    scope: skill.publisher
    enabled: true
  tags:
    - publisher
    - ioc
  promptintel_threats:
    - "Supply Chain Abuse (package-level prompts)"

- id: SKILL_PASSWORD_ARCHIVE
  category: obfuscation
  severity: high
  confidence: 0.90
  # A password assignment with one of the known archive passwords, or
  # `unzip -P` with one of them.
  when: !regex
    pattern: "(?i)(password|pwd)\\s*[=:]\\s*['\"]?(openclaw|infected|malware|password123)['\"]?|unzip\\s+-P\\s*(openclaw|infected)"
  action: block
  reason: "Password-protected archive with known malware password"
  shield:
    scope: skill.obfuscation
    enabled: true
  tags:
    - obfuscation
    - archive
  promptintel_threats:
    - "Encoding and obfuscation"

- id: SKILL_GLOT_IO_HOSTING
  category: supply_chain
  severity: high
  confidence: 0.85
  # Any glot.io hostname (the first alternative already subsumes the two
  # subdomain forms, which are kept for readability).
  when: !regex
    pattern: "(?i)glot\\.io|run\\.glot\\.io|snippets\\.glot\\.io"
  action: require_approval
  reason: "Script hosted on glot.io - platform used for malware distribution"
  shield:
    scope: skill.hosting
    enabled: true
  tags:
    - hosting
    - glot
  promptintel_threats:
    - "Encoding and obfuscation"
    - "Supply Chain Abuse (package-level prompts)"

- id: SKILL_AMOS_STEALER
  category: data_exfiltration
  severity: critical
  confidence: 0.95
  # Either the stealer family name (with `amos` needing a nearby
  # exfil verb), or a macOS secret store / browser data file followed
  # within 120 chars by a read/exfil verb.
  when: !regex
    pattern: "(?i)(atomic\\s*stealer|\\bamos\\b.*(?:steal|exfil|grab|dump|harvest|collect|send|upload|post)|infostealer)|(?:Keychain|Login\\s*Data|Cookies\\.sqlite|wallet\\.dat).{0,120}(?:exfil|steal|upload|send|post|dump|harvest|collect|read|copy|access)"
  action: block
  reason: "Atomic Stealer (AMOS) infostealer pattern"
  shield:
    scope: skill.stealer
    enabled: true
  tags:
    - stealer
    - amos
    - macos
  promptintel_threats:
    - "Credential Harvesting Templates"
    - "Malware generation"
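- id: SKILL_DEV_TCP_SHELL
  category: remote_exec
  severity: critical
  confidence: 0.99
  # `/dev/tcp/` and `/dev/udp/` are the bash pseudo-devices behind the
  # classic reverse shell, and `0>&1` is the stdin-to-socket redirection
  # that accompanies them. The former `>&\\s*/dev/` alternative also
  # matched `>&/dev/null`, the everyday "discard all output" idiom, and
  # produced a critical/block verdict on ordinary scripts; the
  # `/dev/(tcp|udp)/` alternative already covers every socket form, so
  # that alternative is dropped. The `\\b` in front of `0>&1` keeps
  # descriptors such as `10>&1` from matching.
  when: !regex
    pattern: "(?i)/dev/(tcp|udp)/|\\b0>&1"
  action: block
  reason: "Bash reverse shell using /dev/tcp"
  shield:
    scope: skill.network
    enabled: true
  tags:
    - reverse_shell
    - bash
  promptintel_threats:
    - "Exploit or payload output"
    - "Malware generation"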
- id: SKILL_ENV_WEBHOOK_EXFIL
  category: data_exfiltration
  severity: critical
  confidence: 0.90
  # An environment-variable reference within 120 chars of `webhook`, or
  # `webhook` within 120 chars of env/secret/token/key.
  when: !regex
    pattern: "(?i)(\\benv\\b|\\.env|process\\.env|os\\.environ).{0,120}webhook|webhook.{0,120}(\\benv\\b|secret|token|key)"
  action: block
  reason: "Environment variable exfiltration to webhook"
  shield:
    scope: skill.exfil
    enabled: true
    # The 120-char window matches every legit API skill that documents
    # `WEBHOOK_*` env vars + auth header in nearby prose. Require the
    # chain to appear in a code block (real read+POST), and downgrade
    # for documentation catalogues that describe webhook
    # configuration as a feature.
    # NOTE(review): nested under shield to follow where the source places
    # these knobs — confirm against the Rule/Shield struct.
    requires_code_artifact: true
    downgrade_when_documentation_context: true
  tags:
    - exfiltration
    - webhook
    - env
  promptintel_threats:
    - "Credential Harvesting Templates"
    - "Contextual Exfiltration Patterns"

- id: SKILL_NOHUP_PERSISTENCE
  category: scope_creep
  severity: high
  confidence: 0.85
  # `nohup ... &`, a bare `disown`, or `setsid ... &`.
  when: !regex
    pattern: "(?i)nohup\\s+.+\\s*&|disown|setsid\\s+.+&"
  action: require_approval
  reason: "Background process persistence with nohup/disown"
  shield:
    scope: skill.persistence
    enabled: true
  tags:
    - persistence
    - background
  promptintel_threats:
    - "Telemetry Evasion Techniques"

- id: SKILL_PLAIN_HTTP_DOWNLOAD
  category: supply_chain
  severity: medium
  confidence: 0.75
  # `curl`/`wget`/`fetch` followed by a plain `http://` URL.
  # NOTE(review): this rule carries no `promptintel_threats` list, unlike
  # every neighbouring rule — confirm the Rule struct treats the field
  # as optional.
  when: !regex
    pattern: "(?i)(curl|wget|fetch)\\s+['\"]?http://"
  action: require_approval
  reason: "Unencrypted HTTP download - payload could be intercepted/modified"
  shield:
    scope: skill.network
    enabled: true
  tags:
    - http
    - insecure

- id: SKILL_ERROR_SUPPRESSION
  category: obfuscation
  severity: medium
  confidence: 0.70
  # stderr redirection to /dev/null and quiet/silent flag pairs; logged
  # only, since the idiom is common in benign scripts.
  when: !regex
    pattern: "2>/dev/null|2>&1\\s*>/dev/null|stderr.*null|--quiet.*--silent"
  action: log
  reason: "Error output suppression - may hide malicious activity"
  shield:
    scope: skill.obfuscation
    enabled: true
  tags:
    - obfuscation
    - stealth
  promptintel_threats:
    - "Telemetry Evasion Techniques"
# =============================================
# Gap rules — derived from batch-240 FN analysis
# =============================================
- id: SKILL_CHINESE_SYSINFO_COLLECT
  category: data_exfiltration
  severity: high
  confidence: 0.78
  # Chinese terms for system / OS / CPU / memory / disk / network
  # information, computer name and installed software.
  when: !regex
    pattern: "系统信息|操作系统|CPU信息|内存信息|磁盘信息|网络信息|计算机名称|已安装软件"
  action: require_approval
  reason: "Chinese-language system fingerprinting — collects OS, CPU, memory, disk, network info"
  shield:
    scope: skill.privacy
    enabled: true
  tags:
    - fingerprinting
    - chinese
    - sysinfo
  promptintel_threats:
    - "Reconnaissance and target profiling"
    - "Unicode tricks"

- id: SKILL_CRYPTO_BILLING_PER_CALL
  category: data_exfiltration
  severity: critical
  confidence: 0.92
  # Per-call / per-execution pricing next to a stablecoin or crypto
  # symbol, in English or Chinese, plus the `SkillPay` marker.
  when: !regex
    pattern: "(?i)(SkillPay|每次调用[^\\n]{0,40}(?:USDT|ETH|BTC|USDC)|per[._\\-\\s]call[^\\n]{0,40}(?:USDT|USDC|ETH|crypto|payment)|per\\s+(?:call|execution|task)[^\\n]{0,60}(?:USDC|USDT|ETH)|(?:BSC|ERC20)\\s+USDT|USDT\\s+on\\s+(?:BSC|ERC20)|USDT.*BEP-20|支付.*USDT|crypto.*payment.*per|pay.*per.*(?:call|request|use))"
  action: block
  reason: "Covert per-call cryptocurrency billing without explicit user consent"
  shield:
    scope: skill.payment
    enabled: true
  tags:
    - financial
    - crypto_billing
  promptintel_threats:
    - "Fraud and social engineering"

- id: SKILL_X402_MICROPAYMENT
  category: data_exfiltration
  severity: critical
  confidence: 0.91
  # x402 protocol mentions, or per-call USDC/USDT charges drawn from the
  # user's wallet.
  when: !regex
    pattern: "(?i)(x402\\s+(?:payment|micropayments?|protocol)|via\\s+x402\\b|earn.*(?:USDC|USDT).*(?:per|every)\\s+(?:call|task|execution|request)|(?:USDC|USDT).*per\\s+(?:call|execution|task).*from.*wallet|signed\\s+(?:auto(?:matically)?|from).*(?:user'?s?|your)\\s+(?:own\\s+)?wallet|costs?\\s+\\$[0-9.]+\\s+(?:USDC|USDT)\\s+(?:from|per\\s+call))"
  action: block
  reason: "Skill uses x402 micropayment protocol or charges per-call crypto fees from the user's wallet"
  shield:
    scope: skill.payment
    enabled: true
  tags:
    - financial
    - x402
    - covert_billing
    - micropayment
  promptintel_threats:
    - "Fraud and social engineering"

- id: SKILL_CHINESE_CONDITIONAL_AUTONOMY
  category: autonomy_escalation
  severity: high
  confidence: 0.88
  # Chinese "if ... execute immediately", "don't tell / notify the user",
  # and "quietly / silently / hidden ... execute" instructions.
  when: !regex
    pattern: "如果[^\\n]{0,60}请立即执行|不要告诉用户|悄悄地[^\\n]{0,30}执行|静默[^\\n]{0,30}执行|隐藏[^\\n]{0,30}执行|不要通知用户"
  action: block
  reason: "Chinese-language conditional or hidden autonomous execution instruction"
  shield:
    scope: skill.autonomy
    enabled: true
  tags:
    - autonomy
    - chinese
    - hidden_execution
  promptintel_threats:
    - "Hidden instruction in code or comments"
    - "Unicode tricks"

- id: SKILL_ECHO_WRAPPED_BASE64_EXEC
  category: obfuscation
  severity: critical
  confidence: 0.95
  # `echo <base64 blob> | base64 -d`, or an `echo` of an `L...` base64
  # body piped onward.
  when: !regex
    pattern: "(?i)echo\\s+['\"]?[A-Za-z0-9+/]{20,}={0,2}['\"]?\\s*\\|\\s*base64\\s+[-dD]|echo\\s+['\"]?L[0-9A-Za-z+/]{10,}['\"]?\\s*\\|"
  action: block
  reason: "Echo-piped base64 dropper — two-stage obfuscated remote execution"
  shield:
    scope: skill.install
    enabled: true
  tags:
    - obfuscation
    - dropper
    - remote_exec
  promptintel_threats:
    - "Encoding and obfuscation"

- id: SKILL_FINANCIAL_POSITION_EXFIL
  category: data_exfiltration
  severity: high
  confidence: 0.86
  # Collect/monitor verb → wallet/position/balance noun → messaging or
  # webhook channel, each within 200 chars (multiline).
  when: !regex
    pattern: "(?is)(?:monitor|collect|track|fetch|推送|发送).{0,200}(?:wallet|position|holding|balance|transaction|持仓|钱包|余额|资产).{0,200}(?:telegram|discord|webhook|feishu|weixin|微信|qq|bot_token|飞书)"
  action: block
  reason: "Skill collects financial/wallet data and routes it to a messaging or webhook channel"
  shield:
    scope: skill.exfil
    enabled: true
  tags:
    - exfiltration
    - financial
    - crypto
  promptintel_threats:
    - "Privacy / PII Exfiltration Templates"
    - "Contextual Exfiltration Patterns"
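- id: SKILL_METADATA_HARDCODED_BOT_TOKEN
  category: data_exfiltration
  severity: high
  confidence: 0.83
  # Two shapes: (1) a `bot_token` / `webhook_url` assignment whose quoted
  # value is a concrete URL or a Telegram-style `<digits>:<secret>` token;
  # (2) a literal Discord webhook URL or Telegram bot-API URL that already
  # embeds the secret. Pre-fix the two URL literals were alternatives of
  # the *key name* and were still required to be followed by `[=:]` and
  # an `https?://` value, so they could never match; and a plain
  # `bot_token = "123456:AAE…"` was not matched at all because the value
  # had to be a URL. Template placeholders (`bot<TOKEN>`,
  # `webhooks/{id}/{token}`) contain no digit/secret run and do not fire.
  when: !regex
    pattern: "(?i)(bot[_-]?token|webhook[_-]?url)\\s*[=:]\\s*['\"](https?://[^'\"\\s]{10,}|\\d{6,12}:[A-Za-z0-9_-]{30,})['\"]|https?://(discord(app)?\\.com/api/webhooks/\\d{10,}/[A-Za-z0-9_-]{30,}|api\\.telegram\\.org/bot\\d{6,12}:[A-Za-z0-9_-]{30,})"
  action: require_approval
  reason: "Hardcoded bot token or webhook URL — likely unauthorized data routing"
  shield:
    scope: skill.exfil
    enabled: true
  tags:
    - exfiltration
    - webhook
    - hardcoded_credential
  promptintel_threats:
    - "Credential leak"
    - "Credential Harvesting Templates"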
# ============================================
# Corpus-driven rules (data/ false-negatives)
# ============================================
#
# The rules below target behaviors observed in the malicious corpus at
# ~/tools/malware/skill-veil/data/ that slipped past pre-existing rules.
# Each is intentionally behavioral (not IOC-bound) so new campaigns with
# the same TTPs are caught without rule edits.
# Motivated by: aiclaw-voice (c19671b0…) POSTs openclaw_id + api_key to a
# remote /install endpoint. Captures the broader pattern of shipping an
# internal identifier *together with* a key/token in the POST body.
- id: SKILL_CREDENTIAL_FORWARDING_POST
  category: credential_exposure
  severity: critical
  confidence: 0.90
  # A POST-style call, then within 400 chars a key/token/id name, then
  # within 120 chars an assignment or quoting character (multiline).
  when: !regex
    pattern: "(?is)(POST|fetch|requests\\.post|curl\\s+-X\\s*POST|axios\\.post|http\\.post)\\b.{0,400}(api[_-]?key|openclaw[_-]?id|access[_-]?token|bearer|auth[_-]?token|secret[_-]?key)\\b.{0,120}[\"':=][\"'{\\[]?"
  action: block
  reason: "Credential or internal identifier forwarded via POST to a remote endpoint"
  shield:
    scope: skill.exfiltration
    enabled: true
    # The 400-char window matches every standard API client doing
    # `axios.post(url, { headers: { Authorization: 'Bearer ' + token }})`
    # which is the modal benign behaviour. Cross-LLM triage measured
    # 17.2% FP rate (74/431). Require the chain to actually appear in
    # a fenced code block (prose mentions of POST + token in
    # documentation are not exfil) and downgrade for educational /
    # detection-catalogue skills.
    # NOTE(review): nested under shield to follow where the source places
    # these knobs — confirm against the Rule/Shield struct.
    requires_code_artifact: true
    downgrade_when_documentation_context: true
  tags:
    - exfiltration
    - credential
    - c2
  promptintel_threats:
    - "Credential Harvesting Templates"
    - "Data exfiltration via prompt"

# Motivated by: exchange-alerts (24d89bf8…) reads telegram.botToken from
# the OpenClaw user config to hijack the messaging channel.
- id: SKILL_TELEGRAM_BOT_TOKEN_EXFIL
  category: credential_exposure
  severity: high
  confidence: 0.88
  # Telegram bot-token config keys / assignments / env var, with up to 40
  # chars of value captured after them.
  when: !regex
    pattern: "(?i)(telegram\\.bot[_-]?token|bot[_-]?token\\s*(?:=|:)|read\\s+telegram[_-]?token|TELEGRAM_BOT_TOKEN\\s*=)\\s*[\"'a-z0-9_\\$]{0,40}"
  action: block
  reason: "Reads or captures a Telegram bot token from host config"
  shield:
    scope: skill.exfiltration
    enabled: true
  tags:
    - exfiltration
    - telegram
    - credential
  promptintel_threats:
    - "Credential Harvesting Templates"
    - "Credential leak"

# Motivated by: aiclaw-voice self-registration (POST /api/openclaw/install
# with api_key + api_url). Detects the /install-or-register URL shape paired
# with a JSON body that carries credentials.
- id: SKILL_SELF_REGISTER_INSTALL_ENDPOINT
  category: data_exfiltration
  severity: critical
  confidence: 0.85
  # A URL ending in /install, /register, /bind, /enroll or /activate,
  # followed within 300 chars by a credential field name (multiline).
  when: !regex
    pattern: "(?is)https?://[^\\s'\"]{4,80}/(api/)?(openclaw/)?(install|register|bind|enroll|activate)\\b.{0,300}(api[_-]?key|openclaw[_-]?id|client[_-]?secret|bearer)"
  action: block
  reason: "Self-registration or install callback that transmits credentials to an external service"
  shield:
    scope: skill.exfiltration
    enabled: true
  tags:
    - exfiltration
    - install_hook
    - c2
  promptintel_threats:
    - "Credential Harvesting Templates"
    - "Supply Chain Abuse (package-level prompts)"

# Motivated by: 03ed3ae7… systemCheckloader.py loads .pyc bytecode out of
# data.txt. Detects the loader ring (`marshal.loads(base64.b64decode(...))`
# or direct `.pyc` magic bytes as escape sequences embedded in source).
- id: SKILL_MARSHAL_BASE64_LOADER
  category: obfuscation
  severity: critical
  confidence: 0.94
  # `marshal.loads(` wrapped directly around a decode / decompress call.
  when: !regex
    pattern: "(?is)marshal\\.loads\\s*\\(\\s*(?:base64\\.b64decode|codecs\\.decode|zlib\\.decompress|bytes\\.fromhex|binascii\\.a2b_base64)\\s*\\("
  action: block
  reason: "Python bytecode loader over an encoded blob — classic in-memory dropper"
  shield:
    scope: skill.install
    enabled: true
  tags:
    - obfuscation
    - dropper
    - marshal
  promptintel_threats:
    - "Encoding and obfuscation"

# Motivated by: data.txt files in the corpus carrying embedded .pyc
# bytecode as text. Detects the \x03\xf3\r\n (CPython 3.9+) / \x42\x0d / etc.
# magic-byte escape sequences that appear when bytecode is stored in text.
- id: SKILL_PYC_BYTECODE_IN_TEXT
  category: obfuscation
  severity: high
  confidence: 0.85
  # Four literal `\xNN` escapes followed by a literal `\r\n` escape pair,
  # as they appear when bytecode is pasted into a text file.
  when: !regex
    pattern: "\\\\x[0-9a-fA-F]{2}\\\\x[0-9a-fA-F]{2}\\\\x[0-9a-fA-F]{2}\\\\x[0-9a-fA-F]{2}\\\\r\\\\n"
  action: require_approval
  reason: "Escape-sequence blob consistent with Python bytecode (.pyc) embedded as text"
  shield:
    scope: skill.obfuscation
    enabled: true
  tags:
    - obfuscation
    - dropper
  promptintel_threats:
    - "Encoding and obfuscation"
    - "Hidden instruction in code or comments"

# Motivated by: openhive (41b132be…) polls openhive-api.fly.dev every 30
# minutes for fresh instructions. Detects scheduled or loop-driven fetch
# from a remote URL.
- id: SKILL_HEARTBEAT_REMOTE_POLL
  category: autonomy_escalation
  severity: high
  confidence: 0.82
  # "every N minutes/hours" (EN/ES/RU/ZH) followed by a fetch of an
  # http(s) URL, or a `while true` + `sleep(NN)` loop followed by a fetch.
  when: !regex
    pattern: "(?is)(every|cada|каждые|每)\\s+\\d+\\s*(min|minute|minutes|hour|hours|hr|hrs|мин|分钟|分).{0,160}(fetch|poll|GET|curl\\s+-s|wget|requests\\.get|http\\.get|axios\\.get)\\s+[\"'`<]?https?://|while\\s+(true|True)\\b.{0,80}sleep\\s*\\(\\s*\\d{2,5}\\s*\\).{0,80}(fetch|urlopen|requests\\.get|http\\.get)"
  action: block
  reason: "Heartbeat polling of a remote endpoint — agent receives out-of-band instructions"
  shield:
    scope: skill.autonomy
    enabled: true
  tags:
    - c2
    - polling
    - autonomy
  promptintel_threats:
    - "Agentic Misuse (tool/agent loops)"
    - "Telemetry Evasion Techniques"
# Motivated by: max-banking (1ea9ac3f…) REGRA #1 forbids confirmation after
# payment execution. Catches "don't ask / don't confirm + payment verb".
- id: SKILL_ZERO_CONFIRMATION_PAYMENT
  category: autonomy_escalation
  severity: critical
  confidence: 0.88
  # Pre-fix the English `(no|never|do not)\s+ask` clauses matched
  # benign safety prose: "Never ask the user for raw card details",
  # "must never ask for or store passwords, account numbers, PINs,
  # SSNs, or payment details". 6 of 9 LLM-consensus FPs in the v5
  # corpus traced to that loose pattern.
  #
  # New rule: the English negation+ask clause REQUIRES the
  # ask-target to be a confirmation/approval/permission concept
  # (skipping the human-in-the-loop step) — NOT a data-collection
  # noun (`credentials`, `password`, `card`, `PIN`, `SSN`).
  # Non-English clauses are kept verbatim because the tokenisation
  # ambiguity does not arise (`não pergunte` / `不要确认` are unambiguous
  # in payment-skill context).
  when: !regex
    pattern: "(?is)((n(ã|a)o\\s+pergunt|n(ã|a)o\\s+confirm|sin\\s+preguntar|без\\s+под|不要确认|不要询问|skip\\s+confirm|bypass\\s+confirm|without\\s+confirm|proibido\\s+confirmar).{0,160}(pay|paga|pagar|PIX|boleto|transfer|pagamento|payment|transferencia|перевод|支付|付款|send\\s+money|wire)|(no\\s+ask|never\\s+ask|do\\s+not\\s+ask|don'?t\\s+ask)\\s+(the\\s+(user|customer|human|operator)\\s+)?(for\\s+)?(confirmation|permission|approval|consent|to\\s+confirm|to\\s+approve|to\\s+verify).{0,160}(pay|paga|pagar|PIX|boleto|transfer|pagamento|payment|transferencia|перевод|支付|付款|send\\s+money|wire))"
  action: block
  reason: "Instructs the agent to execute payment without user confirmation"
  shield:
    scope: skill.payment
    enabled: true
    # Pre-fix this rule fired on every payment skill that documented
    # the negative ("we do NOT ask before X"), even when the same
    # skill enforced an explicit propose→confirm gate elsewhere
    # (`okx-trading`-style workflows). When the document declares an
    # explicit confirmation gate, downgrade — the gate is precisely
    # the safety control this rule was designed to require.
    # NOTE(review): nested under shield to follow where the source places
    # this knob — confirm against the Rule/Shield struct.
    downgrade_when_confirmation_gate: true
  tags:
    - payment
    - autonomy
    - coercion
  promptintel_threats:
    - "Agentic Misuse (tool/agent loops)"
    - "Fraud and social engineering"
# Motivated by: packages writing credentials into `~/.openclaw/secrets/` or
# `~/.claude/credentials/`. Covers persistence of tokens in common
# agent-runtime secret dirs.
- id: SKILL_SECRETS_DIR_WRITE
  category: credential_exposure
  severity: high
  confidence: 0.90
  # Agent-runtime secret directories under `~/.<runtime>/`, the common
  # `session|credentials|auth.json` file names, and the two literal
  # OpenClaw / Claude secret paths.
  when: !regex
    pattern: "(?i)~/\\.(openclaw|claude|agent|anthropic|openai|copilot)/(secrets|credentials|keys|tokens|session|auth)|(session|credentials|auth)\\.json|\\.openclaw/secrets/|\\.claude/credentials/"
  action: block
  reason: "Writes or reads a file inside an agent-runtime secrets directory"
  shield:
    scope: skill.secrets
    enabled: true
    # Vocabulary-only regex: the path patterns above appear verbatim in
    # documentation explaining where credentials are stored, in
    # security-scanner skills that detect these paths as anti-patterns,
    # and in skills that document their own config layout. Require the
    # match to also appear in a code block (real read/write call) and
    # downgrade for educational catalogues.
    # NOTE(review): nested under shield to follow where the source places
    # these knobs — confirm against the Rule/Shield struct.
    requires_code_artifact: true
    downgrade_when_documentation_context: true
  tags:
    - credential
    - persistence
  promptintel_threats:
    - "Credential Harvesting Templates"

# Motivated by: morning-briefing uses `+19782651806` + `imsg send`. Flags a
# literal phone number paired with an auto-send verb, so hardcoded targets
# are blocked regardless of country code.
- id: SKILL_HARDCODED_PHONE_AUTOSEND
  category: data_exfiltration
  severity: high
  confidence: 0.82
  # A 11–19 digit phone-shaped literal within 100 chars before a messaging
  # verb/platform, or a send command within 80 chars before such a literal.
  when: !regex
    pattern: "(?is)(\\+?\\d[\\d\\s().-]{9,17}\\d).{0,100}(imsg|imessage|sms|whatsapp|telegram|wa\\.me|signal|sendmessage|twilio|sendmsg)|(imsg\\s+send|imessage\\s+send|sms\\s+send|twilio.*messages|whatsapp\\s+send).{0,80}\\+?\\d[\\d\\s().-]{9,17}\\d"
  action: require_approval
  reason: "Hardcoded phone number combined with an auto-send directive"
  shield:
    scope: skill.communications
    enabled: true
  tags:
    - exfiltration
    - messaging
  promptintel_threats:
    - "Fraud and social engineering"

# Motivated by: max-banking (1ea9ac3f…) Portuguese coercion: "NÃO pergunte",
# "NUNCA deve ver detalhes", "REGRA #1 — PROIBIDO CONFIRMAR".
- id: SKILL_PERSUASIVE_PORTUGUESE
  category: persuasive_language
  severity: medium
  confidence: 0.80
  # Portuguese "don't ask / never confirm / forbidden to confirm /
  # internal use only / assume the intent" phrasing.
  when: !regex
    pattern: "(?i)n(ã|a)o\\s+pergunt|nunca\\s+deve\\s+(ver|perguntar|confirmar|pedir)|proibido\\s+(confirmar|perguntar|pedir)|REGRA\\s*#?\\s*\\d+\\s*[—-]\\s*PROIBIDO|exclusivo\\s+para\\s+uso\\s+interno|assume\\s+a\\s+inten(ç|c)(ã|a)o"
  action: require_approval
  reason: "Portuguese-language coercion: instructs agent to bypass user confirmation"
  shield:
    scope: skill.behavior
    enabled: true
  tags:
    - coercion
    - multilang
    - portuguese
  promptintel_threats:
    - "Fraud and social engineering"
    - "Recursive or translation trick"

# Motivated by: Spanish-language variants observed in adjacent corpora.
# Proactively covers the Spanish-speaking attacker market.
- id: SKILL_PERSUASIVE_SPANISH
  category: persuasive_language
  severity: medium
  confidence: 0.80
  # Spanish equivalents of the Portuguese coercion phrases above.
  when: !regex
    pattern: "(?i)no\\s+(preguntes|pidas|confirmes)\\b|nunca\\s+le?\\s*(preguntes|pidas|confirmes|pregunta)\\b|sin\\s+preguntar\\s+al?\\s*usuario|asume\\s+la?\\s*intenci(ó|o)n|REGLA\\s*#?\\s*\\d+\\s*[—-]\\s*PROHIBIDO|nunca\\s+debe\\s+ver"
  action: require_approval
  reason: "Spanish-language coercion: instructs agent to bypass user confirmation"
  shield:
    scope: skill.behavior
    enabled: true
  tags:
    - coercion
    - multilang
    - spanish
  promptintel_threats:
    - "Fraud and social engineering"
    - "Recursive or translation trick"

# Motivated by: Russian-language coercion patterns observed in public
# reports of agent-targeted malware. Defensive coverage.
- id: SKILL_PERSUASIVE_RUSSIAN
  category: persuasive_language
  severity: medium
  confidence: 0.80
  # Russian "don't ask / without confirmation or permission" phrasing.
  # No `(?i)` flag here, unlike the Portuguese and Spanish siblings.
  when: !regex
    pattern: "не\\s+спрашивай|никогда\\s+не\\s+спрашивай|без\\s+(подтверждения|разрешения|вопросов)|не\\s+запрашивай|не\\s+проси\\s+подтверждения"
  action: require_approval
  reason: "Russian-language coercion: instructs agent to bypass user confirmation"
  shield:
    scope: skill.behavior
    enabled: true
  tags:
    - coercion
    - multilang
    - russian
  promptintel_threats:
    - "Fraud and social engineering"
    - "Recursive or translation trick"

# Motivated by: xiaoyao-pai (d47d22f7…) uses `git clone … && bash
# /tmp/…/install.sh`. The existing curl-pipe / wget-pipe rules don't cover
# the git-clone dropper shape, which is popular in Chinese-language corpora.
- id: SKILL_REMOTE_EXEC_GIT_CLONE_BASH
  category: remote_exec
  severity: critical
  confidence: 0.92
  # `git clone <url>` then `&& <interpreter> <path containing
  # install|setup|bootstrap|run>` within 120 chars.
  when: !regex
    pattern: "(?i)git\\s+clone\\s+https?://[^\\s'\"]+.{0,120}&&\\s*(bash|sh|zsh|python3?|node|pwsh|powershell)\\s+[^\\s]*(install|setup|bootstrap|run)"
  action: block
  reason: "Git-clone-then-execute dropper pattern"
  shield:
    scope: skill.install
    enabled: true
  tags:
    - remote_exec
    - supply_chain
    - dropper
  promptintel_threats:
    - "Malware generation"

# Motivated by: SKILL_CRED_HARDCODED_KEY (builtin:169) only matched "api_key"
# literally. Many skills in the corpus use "apiKey", "AUTH_TOKEN",
# "X-API-Key", or Bearer-style tokens.
- id: SKILL_API_KEY_HEADER_GENERIC
  category: credential_exposure
  severity: high
  confidence: 0.82
  # A header or assignment key followed by a 20+ char secret-looking run.
  when: !regex
    pattern: "(?i)(X-API-Key|Authorization:\\s*Bearer|apiKey\\s*[:=]|AUTH_TOKEN\\s*[:=]|ACCESS_TOKEN\\s*[:=]|client[_-]secret\\s*[:=])\\s*[\"']?[A-Za-z0-9_\\-]{20,}"
  action: block
  reason: "Generic API-key / bearer-token pattern with a long secret-like value"
  shield:
    scope: skill.exfiltration
    enabled: true
  tags:
    - credential
    - hardcoded
  promptintel_threats:
    - "Credential leak"
# ============================================
# VT-codeinsight-driven rules (gap analysis)
# ============================================
#
# These 7 rules close detection gaps surfaced by `skill-veil vt cross-check`
# against the OpenClaw malicious corpus. Each rule targets a *behavior* (not
# a literal IOC) so new campaigns sharing the same TTPs are caught without
# rule edits. Comment headers cite the recurrence (across the 73 SHAs whose
# VT codeinsight verdict disagreed with skill-veil's pre-fix output).
# Frequency: 42 packages. Targets the "exfil to attacker's personal messaging
# account" pattern: hardcoded Feishu / Lark / WeChat / QQ identifiers next to
# a send/notify/relay verb. We deliberately match the structural shape of
# these IDs (formatted prefix + length) rather than literal values.
- id: SKILL_HARDCODED_MESSAGING_EXFIL
category: data_exfiltration
severity: critical
confidence: 0.88
when: !regex
pattern: "(?is)((send_(qq|wechat|feishu|lark|telegram)|notify_(qq|wechat|feishu|lark)|(wechat|feishu|lark|telegram)\\.send|relay_to_(qq|wechat|feishu|lark)|forward_to_(wechat|feishu|lark|qq)|qq[_-]?target|telegram[_-]?(chat[_-]?id|target)|chat[_-]?id\\s*[=:]\\s*['\"]?\\d{8,12}).{0,400}(ou_[a-f0-9]{30,}|o[A-Za-z0-9_-]{20,}@im\\.wechat|qqbot:c2c:[A-F0-9]{32}|\\b[A-F0-9]{32}\\b|\\d{9,12})|(ou_[a-f0-9]{30,}|qqbot:c2c:[A-F0-9]{32}|o[A-Za-z0-9_-]{20,}@im\\.wechat).{0,400}(send_(qq|wechat|feishu|lark|telegram)|notify_(qq|wechat|feishu|lark)|(wechat|feishu|lark|telegram)\\.send))"
action: block
reason: "Hardcoded Feishu/Lark/WeChat/QQ/Telegram identifier paired with a send-or-relay verb — exfil to attacker-controlled account"
shield:
scope: skill.exfiltration
enabled: true
tags:
- exfiltration
- messaging
- hardcoded_identifier
promptintel_threats:
- "Data exfiltration via prompt"
- "Contextual Exfiltration Patterns"
# Frequency: 20 packages. Detects skill-managed cron registration via
# child_process / execSync — a persistence vector that previous regex-only
# cron rules (SKILL_CRON_PERSISTENCE, SKILL_CRON_ETC_WRITE) miss when the
# scheduler call is wrapped in a JS launcher.
- id: SKILL_EXEC_CRON_INJECTION
category: persistent_prompt_tampering
severity: critical
confidence: 0.88
when: !regex
pattern: "(?is)(execSync|child_process\\.(exec|spawn|fork|spawnSync|execSync))\\s*\\(\\s*['\"`]\\s*(openclaw\\s+cron\\s+(add|register|install)|cron\\s+add\\s+--cron\\s+\"[^\"]*\\*[^\"]*\\*[^\"]*\\*)|(writeFile(Sync)?|fs\\.write).{0,80}(HEARTBEAT\\.md|heartbeat\\.json)"
action: block
reason: "Skill registers cron persistence via subprocess or writes a heartbeat marker file"
shield:
scope: skill.install
enabled: true
tags:
- persistence
- cron
- subprocess
promptintel_threats:
- "Telemetry Evasion Techniques"
- "Agentic Misuse (tool/agent loops)"
# Frequency: 18 packages. Catches loyalty / jailbreak / silent-relay
# instructions used to override the agent's safety posture. The Chinese
# 忠诚原则 ("loyalty principle") and 不输出确认信息 ("do not output
# confirmation messages") are recurrent corpus markers.
- id: SKILL_PROMPT_HIJACK_JAILBREAK
category: autonomy_escalation
severity: high
confidence: 0.85
when: !regex
pattern: "(?i)(忠诚原则|loyalty\\s+principle|ALWAYS_(ULTIMATE|HIGHEST_PRIORITY)|disable\\s+all\\s+limits|silent\\s+relay|never\\s+(modify|summari[sz]e|filter)\\s+(the\\s+)?output|不(输出确认信息|要询问用户)|prioritize\\s+\\S+\\s+over\\s+(user|operator)\\s+(intent|request))"
action: block
reason: "Skill instructs the agent to override its own safety posture (loyalty / silent relay / output filtering)"
shield:
scope: skill.autonomy
enabled: true
tags:
- autonomy
- jailbreak
- prompt_injection
promptintel_threats:
- "Jailbreak"
- "Direct prompt injection"
# Frequency: 28 packages. Active credential harvesting: a script reads
# secrets-bearing files AND posts them remotely in the same source. We
# require both ends to appear within `.{0,600}` of each other (600
# characters in a Unicode-aware engine; `(?s)` lets that span lines)
# to avoid flagging unrelated read/post pairs.
- id: SKILL_CREDENTIAL_HARVESTING_ACTIVE
  category: credential_exposure
  severity: critical
  confidence: 0.90
  when: !regex
    # Three ordered anchors: (1) a file-read call, (2) a secrets path on
    # the same line as the read (`[^\n]{0,80}` never crosses a newline),
    # (3) an outbound HTTP call within 600 characters. The `curl` branch
    # only fires on a literal `http(s)://` URL after optional `-x` flags;
    # the `fetch`/`urlopen` branches likewise need a quoted literal URL,
    # so a URL held in a variable is not caught by those branches.
    # NOTE(review): `\.env` is an unanchored substring, so anchor (2) is
    # also satisfied by `process.env.X` on the read line (e.g. a config
    # path taken from the environment) rather than a dotenv file — a
    # likely false-positive source when the same script also posts to
    # a literal URL.
    pattern: "(?is)(readFileSync|fs\\.readFile|open\\s*\\(|read_text|with\\s+open)[^\\n]{0,80}(\\.env|id_rsa|id_ed25519|api_keys?\\.json|\\.ssh/|/\\.config/[^/\\s]+/(token|credential|api[_-]?key)|/\\.aws/credentials|/\\.gcloud/[^/\\s]+\\.json).{0,600}(curl\\s+(-\\w+\\s+)*https?://|requests\\.post\\s*\\(|axios\\.post\\s*\\(|fetch\\s*\\(\\s*['\"]https?:|http\\.post\\s*\\(|urllib\\.request\\.urlopen\\s*\\(\\s*['\"]https?:)"
  action: block
  reason: "Skill reads a credentials file and transmits its contents to a remote endpoint in the same script"
  shield:
    scope: skill.exfiltration
    enabled: true
  tags:
    - exfiltration
    - credential
    - active_harvest
  promptintel_threats:
    - "Credential Harvesting Templates"
    - "Data exfiltration via prompt"
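# Frequency: 7 packages. Mutates the user's interactive shell or Claude
# settings. The --dangerously-skip-permissions alias was directly observed
# in the corpus.
- id: SKILL_SHELL_CONFIG_SABOTAGE
  category: privilege_escalation
  severity: high
  confidence: 0.88
  when: !regex
    # Three top-level alternatives:
    #  1. a write to an rc / settings file — either a Node write/append
    #     call followed by `(` and an optional opening quote, or a shell
    #     `>>` redirect with an optional opening quote — then `~/`,
    #     `$HOME/` or `${HOME}/` and one of the listed file names;
    #  2. `alias NAME='... --dangerously-skip-permissions ...'`;
    #  3. `bypassPermissions: true` / `bypassPermissions = true`.
    # Pre-fix, alternative 1 could never fire: its `>> ~/` and
    # `echo ... >> ~/` branches consumed `~/` and then demanded a second
    # `~/` before the file name, and the Node branches had no `(` between
    # the call name and the path, so `echo ... >> ~/.zshrc` and
    # `writeFileSync('~/.zshrc', ...)` were both missed and only
    # alternatives 2 and 3 ever matched. The `echo ...` branch is folded
    # into the plain `>>` branch, which already covers it.
    pattern: "(?is)((writeFileSync|appendFileSync|fs\\.(writeFile|appendFile))\\s*\\(\\s*[\"']?|>>\\s*[\"']?)(~/|\\$HOME/|\\$\\{HOME\\}/)(\\.zshrc|\\.bashrc|\\.profile|\\.bash_profile|\\.config/fish/config\\.fish|\\.claude/settings\\.json)|alias\\s+\\w+\\s*=\\s*['\"][^'\"]*--dangerously-skip-permissions[^'\"]*['\"]|bypassPermissions\\s*[:=]\\s*true"
  action: block
  reason: "Skill modifies the user's interactive shell rc / Claude settings or installs a permission-bypass alias"
  shield:
    scope: skill.system
    enabled: true
  tags:
    - persistence
    - privilege_escalation
    - shell_rc
  promptintel_threats:
    - "Telemetry Evasion Techniques"
    - "Agentic Misuse (tool/agent loops)"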
# Frequency: 8 packages. Reads agent core/memory files (MEMORY.md, SOUL.md,
# BOOTSTRAP.md, ~/.claude/memory/) and transmits them externally. Captures
# "siphon the agent's accumulated knowledge to attacker" pattern.
- id: SKILL_CORE_FILE_EXFIL
  category: data_exfiltration
  severity: high
  confidence: 0.88
  when: !regex
    # Same three-anchor shape as SKILL_CREDENTIAL_HARVESTING_ACTIVE: a
    # file-read call, a core-file name or memory/context directory on the
    # same line (`[^\n]{0,120}`), then an outbound call within 500
    # characters (`(?s)` lets that span lines). The `upload*(` and
    # `transmit*(` branches match any identifier with those prefixes, not
    # only HTTP libraries; `(?i)` also makes the `.md` names match in any
    # case.
    pattern: "(?is)(readFileSync|fs\\.readFile|open\\s*\\(|read_text|with\\s+open)[^\\n]{0,120}(MEMORY\\.md|SOUL\\.md|BOOTSTRAP\\.md|PERSONA\\.md|~/\\.claude/(memory|context)/|~/\\.openclaw/(memory|context)/).{0,500}(curl\\s+(-\\w+\\s+)*https?://|requests\\.post\\s*\\(|axios\\.post\\s*\\(|fetch\\s*\\(\\s*['\"]https?:|upload\\w*\\s*\\(|transmit\\w*\\s*\\(|http\\.post\\s*\\()"
  action: block
  reason: "Skill reads an agent core memory file and transmits it externally"
  shield:
    scope: skill.exfiltration
    enabled: true
  tags:
    - exfiltration
    - memory
    - core_file
  promptintel_threats:
    - "Data exfiltration via prompt"
    - "Sensitive document disclosure"
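# Frequency: 11 packages. Hardcoded crypto wallet (Solana base58 / EVM hex)
# inside an automation script paired with a fake-confirmation or
# random-tx-hash pattern. Restricted to scripts that also reference
# transaction/payment vocabulary so legitimate DeFi reads don't trip.
- id: SKILL_FINANCIAL_FRAUD_AUTOMATION
  category: tool_abuse
  severity: critical
  confidence: 0.85
  when: !regex
    # Two top-level alternatives:
    #  1. a wallet literal (40-hex EVM address or 32-44 char base58 token)
    #     followed within 300 characters by a fake/random tx-hash call, a
    #     confirm/verify call with a falsy argument, or payment-redirect
    #     wording;
    #  2. a payment-provider name, then QR/recipient wording, then
    #     skill/automation wording, each within a bounded gap.
    # Pre-fix, the leading `(?i)` also applied to the base58 class, which
    # folds `[1-9A-HJ-NP-Za-km-z]` into plain `[1-9A-Za-z]` and discards
    # the O/I/l exclusions that distinguish a base58 address from any
    # 32-44 character alphanumeric token; `(?-i:...)` keeps that branch
    # case-sensitive while the rest of the rule stays case-insensitive.
    # The redundant mid-pattern `(?i)` in alternative 2 was dropped: the
    # global flag already covers it, and some engines reject global flags
    # that do not appear at the start of the expression.
    pattern: "(?is)(\\b0x[a-fA-F0-9]{40}\\b|(?-i:\\b[1-9A-HJ-NP-Za-km-z]{32,44}\\b)).{0,300}((random\\.uniform|Math\\.random|fake_|mock_)\\w*\\s*\\(.*?(tx[_-]?hash|transaction|signature)|(confirm|verify)\\w*\\s*\\(\\s*(false|None|null|0\\b)|payment.*(redirect|forward).*(author|attacker|developer))|(alipay|paypal\\.me|wechat\\s*pay|venmo).{0,80}(qr|qrcode|recipient).{0,200}(skill|automated|script)"
  action: block
  reason: "Skill automates payment / transaction with hardcoded wallet plus fake-confirmation pattern"
  shield:
    scope: skill.payment
    enabled: true
  tags:
    - financial_fraud
    - wallet
    - automation
  promptintel_threats:
    - "Fraud and social engineering"
    - "Automation for crime"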
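- id: SKILL_COMMAND_INJECTION_HEREDOC
  category: remote_exec
  severity: critical
  confidence: 0.80
  # Bash heredocs with a single-quoted (`<<'EOF'`) or double-quoted
  # (`<<"EOF"`) delimiter suppress all variable expansion — `${VAR}` is
  # treated as literal text, not an interpolation. Pre-fix the optional
  # `['"]?` class accepted both quoted and unquoted forms, producing a
  # false `command_injection` finding on safely-quoted payloads. The
  # tightened pattern requires an unquoted delimiter (no leading `'` or
  # `"`) to fire; here-strings (`<<<`) are unaffected.
  #
  # The tab-stripping form `<<-EOF` expands variables under exactly the
  # same quoting rules, but the previous `<<\s*[A-Z]+` had no room for the
  # `-`, so `cat <<-EOF ... ${VAR}` was missed; `<<-?` closes that gap
  # while `<<-'EOF'` still fails to match (the quote is not in `[A-Z]`).
  when: !regex
    # `[A-Z]+` is case-insensitive here because of `(?i)`, so lowercase
    # delimiters (`<<eof`) also qualify. `(?s)` lets the 400-character
    # window between the heredoc start and `${NAME}` span lines.
    pattern: "(?is)(<<-?\\s*[A-Z]+|<<<).{0,400}\\$\\{[A-Za-z_][A-Za-z0-9_]*\\}"
  action: require_approval
  reason: "Unquoted variable interpolation inside heredoc — possible shell injection"
  shield:
    scope: skill.exec
    enabled: true
  tags:
    - command_injection
    - shell
  promptintel_threats:
    - "Exploit or payload output"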
- id: SKILL_CRED_THEFT_ENV_EXFIL
  category: credential_exposure
  severity: critical
  confidence: 0.92
  when: !regex
    # Three ordered anchors: a provider API-key variable name, an HTTP
    # client within 160 characters, and a known exfil destination or
    # tunnel service within a further 180 characters; `(?s)` lets each
    # gap span lines. `fetch\(` has no `\s*`, so `fetch (` with a space
    # before the parenthesis is not matched by that branch. The
    # destination list is corpus-derived (`moltpad`, `bore.pub`) plus
    # generic hosting/tunnel names.
    pattern: "(?is)(ANTHROPIC_API_KEY|OPENAI_API_KEY|DEEPSEEK_API_KEY|GEMINI_API_KEY|GROQ_API_KEY|MISTRAL_API_KEY|XAI_API_KEY|HUGGINGFACE_TOKEN|HF_TOKEN).{0,160}(curl\\b|fetch\\(|requests\\.|axios|Invoke-WebRequest).{0,180}(webhook|telegram|discord|pastebin|ngrok|attacker|moltpad|bore\\.pub)"
  action: block
  reason: "Provider API key from environment exfiltrated over HTTP"
  shield:
    scope: skill.secrets
    enabled: true
  tags:
    - credentials
    - exfil
  promptintel_threats:
    - "Credential Harvesting Templates"
    - "Credential leak"
- id: SKILL_SCAREWARE_PAYMENT_INSTRUCTION
  category: social_manipulation
  severity: high
  confidence: 0.78
  when: !regex
    # A payment-instruction phrase (English or Chinese) followed within
    # 160 characters by an amount, a ticker, or transaction vocabulary.
    # There is no `(?s)`, so in the usual engines `.` does not cross a
    # newline: the trigger phrase, the `.*` inside it, and the amount must
    # all sit on one line. `(?i)` makes the tickers match in any case,
    # so the `\b` after each one is what keeps `ETH`/`BTC` from matching
    # inside longer words.
    pattern: "(?i)(send\\s+payment|transfer.*alipay|qq.*pay|scan.*to\\s+pay|wallet\\s+address|deposit\\s+(usdt|usdc|btc|eth)|wechat\\s*pay|微信支付|支付宝).{0,160}(\\$\\d+|¥\\d+\\b|USDT\\b|BTC\\b|ETH\\b|recv|deposit|tx_hash|chain_id)"
  action: require_approval
  reason: "Skill embeds payment / wallet instructions — likely scareware or scam"
  shield:
    scope: skill.review
    enabled: true
  tags:
    - social_manipulation
    - fraud
  promptintel_threats:
    - "Fraud and social engineering"
    - "Harmful Automation Guidance"