@elizaos/skills 2.0.0-alpha.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +126 -0
- package/package.json +53 -0
- package/skills/1password/SKILL.md +70 -0
- package/skills/1password/references/cli-examples.md +29 -0
- package/skills/1password/references/get-started.md +17 -0
- package/skills/apple-notes/SKILL.md +77 -0
- package/skills/apple-reminders/SKILL.md +96 -0
- package/skills/bear-notes/SKILL.md +107 -0
- package/skills/bird/SKILL.md +224 -0
- package/skills/blogwatcher/SKILL.md +69 -0
- package/skills/blucli/SKILL.md +47 -0
- package/skills/bluebubbles/SKILL.md +131 -0
- package/skills/camsnap/SKILL.md +45 -0
- package/skills/canvas/SKILL.md +203 -0
- package/skills/clawhub/SKILL.md +77 -0
- package/skills/coding-agent/SKILL.md +284 -0
- package/skills/discord/SKILL.md +578 -0
- package/skills/eightctl/SKILL.md +50 -0
- package/skills/food-order/SKILL.md +48 -0
- package/skills/gemini/SKILL.md +43 -0
- package/skills/gifgrep/SKILL.md +79 -0
- package/skills/github/SKILL.md +77 -0
- package/skills/gog/SKILL.md +116 -0
- package/skills/goplaces/SKILL.md +52 -0
- package/skills/healthcheck/SKILL.md +245 -0
- package/skills/himalaya/SKILL.md +257 -0
- package/skills/himalaya/references/configuration.md +184 -0
- package/skills/himalaya/references/message-composition.md +199 -0
- package/skills/imsg/SKILL.md +74 -0
- package/skills/local-places/SERVER_README.md +101 -0
- package/skills/local-places/SKILL.md +102 -0
- package/skills/local-places/pyproject.toml +21 -0
- package/skills/local-places/src/local_places/__init__.py +2 -0
- package/skills/local-places/src/local_places/google_places.py +314 -0
- package/skills/local-places/src/local_places/main.py +65 -0
- package/skills/local-places/src/local_places/schemas.py +107 -0
- package/skills/mcporter/SKILL.md +61 -0
- package/skills/model-usage/SKILL.md +69 -0
- package/skills/model-usage/references/codexbar-cli.md +33 -0
- package/skills/model-usage/scripts/model_usage.py +310 -0
- package/skills/nano-banana-pro/SKILL.md +58 -0
- package/skills/nano-banana-pro/scripts/generate_image.py +184 -0
- package/skills/nano-pdf/SKILL.md +38 -0
- package/skills/notion/SKILL.md +172 -0
- package/skills/obsidian/SKILL.md +81 -0
- package/skills/openai-image-gen/SKILL.md +89 -0
- package/skills/openai-image-gen/scripts/gen.py +240 -0
- package/skills/openai-whisper/SKILL.md +38 -0
- package/skills/openai-whisper-api/SKILL.md +52 -0
- package/skills/openai-whisper-api/scripts/transcribe.sh +85 -0
- package/skills/openhue/SKILL.md +51 -0
- package/skills/oracle/SKILL.md +125 -0
- package/skills/ordercli/SKILL.md +78 -0
- package/skills/peekaboo/SKILL.md +190 -0
- package/skills/sag/SKILL.md +87 -0
- package/skills/security-ask-questions-if-underspecified/.claude-plugin/plugin.json +10 -0
- package/skills/security-ask-questions-if-underspecified/README.md +24 -0
- package/skills/security-ask-questions-if-underspecified/skills/ask-questions-if-underspecified/SKILL.md +85 -0
- package/skills/security-audit-context-building/.claude-plugin/plugin.json +10 -0
- package/skills/security-audit-context-building/README.md +58 -0
- package/skills/security-audit-context-building/commands/audit-context.md +21 -0
- package/skills/security-audit-context-building/skills/audit-context-building/SKILL.md +297 -0
- package/skills/security-audit-context-building/skills/audit-context-building/resources/COMPLETENESS_CHECKLIST.md +47 -0
- package/skills/security-audit-context-building/skills/audit-context-building/resources/FUNCTION_MICRO_ANALYSIS_EXAMPLE.md +355 -0
- package/skills/security-audit-context-building/skills/audit-context-building/resources/OUTPUT_REQUIREMENTS.md +71 -0
- package/skills/security-building-secure-contracts/.claude-plugin/plugin.json +10 -0
- package/skills/security-building-secure-contracts/README.md +241 -0
- package/skills/security-building-secure-contracts/skills/algorand-vulnerability-scanner/SKILL.md +284 -0
- package/skills/security-building-secure-contracts/skills/algorand-vulnerability-scanner/resources/VULNERABILITY_PATTERNS.md +405 -0
- package/skills/security-building-secure-contracts/skills/audit-prep-assistant/SKILL.md +409 -0
- package/skills/security-building-secure-contracts/skills/cairo-vulnerability-scanner/SKILL.md +329 -0
- package/skills/security-building-secure-contracts/skills/cairo-vulnerability-scanner/resources/VULNERABILITY_PATTERNS.md +722 -0
- package/skills/security-building-secure-contracts/skills/code-maturity-assessor/SKILL.md +218 -0
- package/skills/security-building-secure-contracts/skills/code-maturity-assessor/resources/ASSESSMENT_CRITERIA.md +355 -0
- package/skills/security-building-secure-contracts/skills/code-maturity-assessor/resources/EXAMPLE_REPORT.md +248 -0
- package/skills/security-building-secure-contracts/skills/code-maturity-assessor/resources/REPORT_FORMAT.md +33 -0
- package/skills/security-building-secure-contracts/skills/cosmos-vulnerability-scanner/SKILL.md +334 -0
- package/skills/security-building-secure-contracts/skills/cosmos-vulnerability-scanner/resources/VULNERABILITY_PATTERNS.md +740 -0
- package/skills/security-building-secure-contracts/skills/guidelines-advisor/SKILL.md +252 -0
- package/skills/security-building-secure-contracts/skills/guidelines-advisor/resources/ASSESSMENT_AREAS.md +329 -0
- package/skills/security-building-secure-contracts/skills/guidelines-advisor/resources/DELIVERABLES.md +118 -0
- package/skills/security-building-secure-contracts/skills/guidelines-advisor/resources/EXAMPLE_REPORT.md +298 -0
- package/skills/security-building-secure-contracts/skills/secure-workflow-guide/SKILL.md +161 -0
- package/skills/security-building-secure-contracts/skills/secure-workflow-guide/resources/EXAMPLE_REPORT.md +279 -0
- package/skills/security-building-secure-contracts/skills/secure-workflow-guide/resources/WORKFLOW_STEPS.md +132 -0
- package/skills/security-building-secure-contracts/skills/solana-vulnerability-scanner/SKILL.md +389 -0
- package/skills/security-building-secure-contracts/skills/solana-vulnerability-scanner/resources/VULNERABILITY_PATTERNS.md +669 -0
- package/skills/security-building-secure-contracts/skills/substrate-vulnerability-scanner/SKILL.md +298 -0
- package/skills/security-building-secure-contracts/skills/substrate-vulnerability-scanner/resources/VULNERABILITY_PATTERNS.md +791 -0
- package/skills/security-building-secure-contracts/skills/token-integration-analyzer/SKILL.md +362 -0
- package/skills/security-building-secure-contracts/skills/token-integration-analyzer/resources/ASSESSMENT_CATEGORIES.md +571 -0
- package/skills/security-building-secure-contracts/skills/token-integration-analyzer/resources/REPORT_TEMPLATES.md +141 -0
- package/skills/security-building-secure-contracts/skills/ton-vulnerability-scanner/SKILL.md +388 -0
- package/skills/security-building-secure-contracts/skills/ton-vulnerability-scanner/resources/VULNERABILITY_PATTERNS.md +595 -0
- package/skills/security-burpsuite-project-parser/.claude-plugin/plugin.json +10 -0
- package/skills/security-burpsuite-project-parser/README.md +103 -0
- package/skills/security-burpsuite-project-parser/commands/burp-search.md +18 -0
- package/skills/security-burpsuite-project-parser/skills/SKILL.md +358 -0
- package/skills/security-burpsuite-project-parser/skills/scripts/burp-search.sh +99 -0
- package/skills/security-claude-in-chrome-troubleshooting/.claude-plugin/plugin.json +8 -0
- package/skills/security-claude-in-chrome-troubleshooting/README.md +31 -0
- package/skills/security-claude-in-chrome-troubleshooting/skills/claude-in-chrome-troubleshooting/SKILL.md +251 -0
- package/skills/security-constant-time-analysis/.claude-plugin/plugin.json +9 -0
- package/skills/security-constant-time-analysis/README.md +381 -0
- package/skills/security-constant-time-analysis/commands/ct-check.md +20 -0
- package/skills/security-constant-time-analysis/ct_analyzer/__init__.py +49 -0
- package/skills/security-constant-time-analysis/ct_analyzer/analyzer.py +1284 -0
- package/skills/security-constant-time-analysis/ct_analyzer/script_analyzers.py +3081 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/__init__.py +1 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_analyzer.py +1397 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/bn_excerpt.js +205 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/decompose_constant_time.c +181 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/decompose_vulnerable.c +74 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/decompose_vulnerable.go +78 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/decompose_vulnerable.rs +92 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.cs +174 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.java +161 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.kt +181 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.php +140 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.py +252 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.rb +188 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.swift +199 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.ts +154 -0
- package/skills/security-constant-time-analysis/pyproject.toml +52 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/README.md +90 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/SKILL.md +219 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/references/compiled.md +129 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/references/javascript.md +136 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/references/kotlin.md +252 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/references/php.md +172 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/references/python.md +179 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/references/ruby.md +198 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/references/swift.md +288 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/references/vm-compiled.md +354 -0
- package/skills/security-constant-time-analysis/uv.lock +8 -0
- package/skills/security-culture-index/.claude-plugin/plugin.json +8 -0
- package/skills/security-culture-index/README.md +79 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/SKILL.md +293 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/references/anti-patterns.md +255 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/references/conversation-starters.md +408 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/references/interview-trait-signals.md +253 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/references/motivators.md +158 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/references/patterns-archetypes.md +147 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/references/primary-traits.md +307 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/references/secondary-traits.md +228 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/references/team-composition.md +148 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/scripts/check_deps.py +108 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/scripts/culture_index/__init__.py +20 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/scripts/culture_index/constants.py +122 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/scripts/culture_index/extract.py +187 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/scripts/culture_index/models.py +16 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/scripts/culture_index/opencv_extractor.py +520 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/scripts/extract_pdf.py +237 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/scripts/pyproject.toml +18 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/templates/burnout-report.md +113 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/templates/comparison-report.md +103 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/templates/hiring-profile.md +127 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/templates/individual-report.md +85 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/templates/predicted-profile.md +165 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/templates/team-report.md +109 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/analyze-team.md +188 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/coach-manager.md +267 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/compare-profiles.md +188 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/define-hiring-profile.md +220 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/detect-burnout.md +206 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/extract-from-pdf.md +121 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/interpret-individual.md +183 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/interview-debrief.md +234 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/mediate-conflict.md +306 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/plan-onboarding.md +322 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/predict-from-interview.md +250 -0
- package/skills/security-differential-review/.claude-plugin/plugin.json +10 -0
- package/skills/security-differential-review/README.md +109 -0
- package/skills/security-differential-review/commands/diff-review.md +21 -0
- package/skills/security-differential-review/skills/differential-review/SKILL.md +220 -0
- package/skills/security-differential-review/skills/differential-review/adversarial.md +203 -0
- package/skills/security-differential-review/skills/differential-review/methodology.md +234 -0
- package/skills/security-differential-review/skills/differential-review/patterns.md +300 -0
- package/skills/security-differential-review/skills/differential-review/reporting.md +369 -0
- package/skills/security-dwarf-expert/.claude-plugin/plugin.json +10 -0
- package/skills/security-dwarf-expert/README.md +38 -0
- package/skills/security-dwarf-expert/skills/dwarf-expert/SKILL.md +93 -0
- package/skills/security-dwarf-expert/skills/dwarf-expert/reference/coding.md +31 -0
- package/skills/security-dwarf-expert/skills/dwarf-expert/reference/dwarfdump.md +50 -0
- package/skills/security-dwarf-expert/skills/dwarf-expert/reference/readelf.md +8 -0
- package/skills/security-entry-point-analyzer/.claude-plugin/plugin.json +10 -0
- package/skills/security-entry-point-analyzer/README.md +74 -0
- package/skills/security-entry-point-analyzer/commands/entry-points.md +18 -0
- package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/SKILL.md +251 -0
- package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/references/cosmwasm.md +182 -0
- package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/references/move-aptos.md +107 -0
- package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/references/move-sui.md +87 -0
- package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/references/solana.md +155 -0
- package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/references/solidity.md +135 -0
- package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/references/ton.md +185 -0
- package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/references/vyper.md +141 -0
- package/skills/security-firebase-apk-scanner/.claude-plugin/plugin.json +10 -0
- package/skills/security-firebase-apk-scanner/README.md +85 -0
- package/skills/security-firebase-apk-scanner/commands/scan-apk.md +18 -0
- package/skills/security-firebase-apk-scanner/scanner.sh +1408 -0
- package/skills/security-firebase-apk-scanner/skills/firebase-apk-scanner/SKILL.md +197 -0
- package/skills/security-firebase-apk-scanner/skills/firebase-apk-scanner/references/vulnerabilities.md +803 -0
- package/skills/security-fix-review/.claude-plugin/plugin.json +13 -0
- package/skills/security-fix-review/README.md +118 -0
- package/skills/security-fix-review/commands/fix-review.md +24 -0
- package/skills/security-fix-review/skills/fix-review/SKILL.md +264 -0
- package/skills/security-fix-review/skills/fix-review/references/bug-detection.md +408 -0
- package/skills/security-fix-review/skills/fix-review/references/finding-matching.md +298 -0
- package/skills/security-fix-review/skills/fix-review/references/report-parsing.md +398 -0
- package/skills/security-insecure-defaults/.claude-plugin/plugin.json +10 -0
- package/skills/security-insecure-defaults/README.md +45 -0
- package/skills/security-insecure-defaults/skills/insecure-defaults/SKILL.md +117 -0
- package/skills/security-insecure-defaults/skills/insecure-defaults/references/examples.md +409 -0
- package/skills/security-modern-python/.claude-plugin/plugin.json +10 -0
- package/skills/security-modern-python/README.md +58 -0
- package/skills/security-modern-python/hooks/hooks.json +16 -0
- package/skills/security-modern-python/hooks/intercept-legacy-python.bats +388 -0
- package/skills/security-modern-python/hooks/intercept-legacy-python.sh +109 -0
- package/skills/security-modern-python/hooks/test_helper.bash +75 -0
- package/skills/security-modern-python/skills/modern-python/SKILL.md +333 -0
- package/skills/security-modern-python/skills/modern-python/references/dependabot.md +43 -0
- package/skills/security-modern-python/skills/modern-python/references/migration-checklist.md +141 -0
- package/skills/security-modern-python/skills/modern-python/references/pep723-scripts.md +259 -0
- package/skills/security-modern-python/skills/modern-python/references/prek.md +211 -0
- package/skills/security-modern-python/skills/modern-python/references/pyproject.md +254 -0
- package/skills/security-modern-python/skills/modern-python/references/ruff-config.md +240 -0
- package/skills/security-modern-python/skills/modern-python/references/security-setup.md +255 -0
- package/skills/security-modern-python/skills/modern-python/references/testing.md +284 -0
- package/skills/security-modern-python/skills/modern-python/references/uv-commands.md +200 -0
- package/skills/security-modern-python/skills/modern-python/templates/dependabot.yml +36 -0
- package/skills/security-modern-python/skills/modern-python/templates/pre-commit-config.yaml +66 -0
- package/skills/security-property-based-testing/.claude-plugin/plugin.json +9 -0
- package/skills/security-property-based-testing/README.md +47 -0
- package/skills/security-property-based-testing/skills/property-based-testing/README.md +88 -0
- package/skills/security-property-based-testing/skills/property-based-testing/SKILL.md +109 -0
- package/skills/security-property-based-testing/skills/property-based-testing/references/design.md +191 -0
- package/skills/security-property-based-testing/skills/property-based-testing/references/generating.md +200 -0
- package/skills/security-property-based-testing/skills/property-based-testing/references/libraries.md +130 -0
- package/skills/security-property-based-testing/skills/property-based-testing/references/refactoring.md +181 -0
- package/skills/security-property-based-testing/skills/property-based-testing/references/reviewing.md +209 -0
- package/skills/security-property-based-testing/skills/property-based-testing/references/strategies.md +124 -0
- package/skills/semgrep-rule-creator/.claude-plugin/plugin.json +8 -0
- package/skills/semgrep-rule-creator/README.md +43 -0
- package/skills/semgrep-rule-creator/commands/semgrep-rule.md +26 -0
- package/skills/semgrep-rule-creator/skills/semgrep-rule-creator/SKILL.md +168 -0
- package/skills/semgrep-rule-creator/skills/semgrep-rule-creator/references/quick-reference.md +203 -0
- package/skills/semgrep-rule-creator/skills/semgrep-rule-creator/references/workflow.md +240 -0
- package/skills/semgrep-rule-variant-creator/.claude-plugin/plugin.json +9 -0
- package/skills/semgrep-rule-variant-creator/README.md +86 -0
- package/skills/semgrep-rule-variant-creator/skills/semgrep-rule-variant-creator/SKILL.md +205 -0
- package/skills/semgrep-rule-variant-creator/skills/semgrep-rule-variant-creator/references/applicability-analysis.md +250 -0
- package/skills/semgrep-rule-variant-creator/skills/semgrep-rule-variant-creator/references/language-syntax-guide.md +324 -0
- package/skills/semgrep-rule-variant-creator/skills/semgrep-rule-variant-creator/references/workflow.md +518 -0
- package/skills/session-logs/SKILL.md +115 -0
- package/skills/sharp-edges/.claude-plugin/plugin.json +10 -0
- package/skills/sharp-edges/README.md +48 -0
- package/skills/sharp-edges/skills/sharp-edges/SKILL.md +292 -0
- package/skills/sharp-edges/skills/sharp-edges/references/auth-patterns.md +252 -0
- package/skills/sharp-edges/skills/sharp-edges/references/case-studies.md +274 -0
- package/skills/sharp-edges/skills/sharp-edges/references/config-patterns.md +333 -0
- package/skills/sharp-edges/skills/sharp-edges/references/crypto-apis.md +190 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-c.md +205 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-csharp.md +285 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-go.md +270 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-java.md +263 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-javascript.md +269 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-kotlin.md +265 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-php.md +245 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-python.md +274 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-ruby.md +273 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-rust.md +272 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-swift.md +287 -0
- package/skills/sharp-edges/skills/sharp-edges/references/language-specific.md +588 -0
- package/skills/sherpa-onnx-tts/SKILL.md +103 -0
- package/skills/sherpa-onnx-tts/bin/sherpa-onnx-tts +178 -0
- package/skills/skill-creator/SKILL.md +370 -0
- package/skills/skill-creator/license.txt +202 -0
- package/skills/skill-creator/scripts/init_skill.py +378 -0
- package/skills/skill-creator/scripts/package_skill.py +111 -0
- package/skills/skill-creator/scripts/quick_validate.py +101 -0
- package/skills/slack/SKILL.md +144 -0
- package/skills/songsee/SKILL.md +49 -0
- package/skills/sonoscli/SKILL.md +46 -0
- package/skills/spec-to-code-compliance/.claude-plugin/plugin.json +10 -0
- package/skills/spec-to-code-compliance/README.md +67 -0
- package/skills/spec-to-code-compliance/commands/spec-compliance.md +22 -0
- package/skills/spec-to-code-compliance/skills/spec-to-code-compliance/SKILL.md +349 -0
- package/skills/spec-to-code-compliance/skills/spec-to-code-compliance/resources/COMPLETENESS_CHECKLIST.md +69 -0
- package/skills/spec-to-code-compliance/skills/spec-to-code-compliance/resources/IR_EXAMPLES.md +417 -0
- package/skills/spec-to-code-compliance/skills/spec-to-code-compliance/resources/OUTPUT_REQUIREMENTS.md +105 -0
- package/skills/spotify-player/SKILL.md +64 -0
- package/skills/static-analysis/.claude-plugin/plugin.json +8 -0
- package/skills/static-analysis/README.md +59 -0
- package/skills/static-analysis/skills/codeql/SKILL.md +315 -0
- package/skills/static-analysis/skills/sarif-parsing/SKILL.md +479 -0
- package/skills/static-analysis/skills/sarif-parsing/resources/jq-queries.md +162 -0
- package/skills/static-analysis/skills/sarif-parsing/resources/sarif_helpers.py +331 -0
- package/skills/static-analysis/skills/semgrep/SKILL.md +337 -0
- package/skills/summarize/SKILL.md +87 -0
- package/skills/testing-handbook-skills/.claude-plugin/plugin.json +8 -0
- package/skills/testing-handbook-skills/README.md +241 -0
- package/skills/testing-handbook-skills/scripts/pyproject.toml +8 -0
- package/skills/testing-handbook-skills/scripts/validate-skills.py +657 -0
- package/skills/testing-handbook-skills/skills/address-sanitizer/SKILL.md +341 -0
- package/skills/testing-handbook-skills/skills/aflpp/SKILL.md +640 -0
- package/skills/testing-handbook-skills/skills/atheris/SKILL.md +515 -0
- package/skills/testing-handbook-skills/skills/cargo-fuzz/SKILL.md +454 -0
- package/skills/testing-handbook-skills/skills/codeql/SKILL.md +549 -0
- package/skills/testing-handbook-skills/skills/constant-time-testing/SKILL.md +507 -0
- package/skills/testing-handbook-skills/skills/coverage-analysis/SKILL.md +607 -0
- package/skills/testing-handbook-skills/skills/fuzzing-dictionary/SKILL.md +297 -0
- package/skills/testing-handbook-skills/skills/fuzzing-obstacles/SKILL.md +426 -0
- package/skills/testing-handbook-skills/skills/harness-writing/SKILL.md +614 -0
- package/skills/testing-handbook-skills/skills/libafl/SKILL.md +625 -0
- package/skills/testing-handbook-skills/skills/libfuzzer/SKILL.md +795 -0
- package/skills/testing-handbook-skills/skills/ossfuzz/SKILL.md +426 -0
- package/skills/testing-handbook-skills/skills/ruzzy/SKILL.md +443 -0
- package/skills/testing-handbook-skills/skills/semgrep/SKILL.md +601 -0
- package/skills/testing-handbook-skills/skills/testing-handbook-generator/SKILL.md +372 -0
- package/skills/testing-handbook-skills/skills/testing-handbook-generator/agent-prompt.md +280 -0
- package/skills/testing-handbook-skills/skills/testing-handbook-generator/discovery.md +452 -0
- package/skills/testing-handbook-skills/skills/testing-handbook-generator/templates/domain-skill.md +504 -0
- package/skills/testing-handbook-skills/skills/testing-handbook-generator/templates/fuzzer-skill.md +454 -0
- package/skills/testing-handbook-skills/skills/testing-handbook-generator/templates/technique-skill.md +527 -0
- package/skills/testing-handbook-skills/skills/testing-handbook-generator/templates/tool-skill.md +366 -0
- package/skills/testing-handbook-skills/skills/testing-handbook-generator/testing.md +482 -0
- package/skills/testing-handbook-skills/skills/wycheproof/SKILL.md +533 -0
- package/skills/things-mac/SKILL.md +86 -0
- package/skills/tmux/SKILL.md +135 -0
- package/skills/tmux/scripts/find-sessions.sh +112 -0
- package/skills/tmux/scripts/wait-for-text.sh +83 -0
- package/skills/trello/SKILL.md +95 -0
- package/skills/variant-analysis/.claude-plugin/plugin.json +8 -0
- package/skills/variant-analysis/README.md +41 -0
- package/skills/variant-analysis/commands/variants.md +23 -0
- package/skills/variant-analysis/skills/variant-analysis/METHODOLOGY.md +327 -0
- package/skills/variant-analysis/skills/variant-analysis/SKILL.md +142 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/codeql/cpp.ql +119 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/codeql/go.ql +69 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/codeql/java.ql +71 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/codeql/javascript.ql +63 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/codeql/python.ql +80 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/semgrep/cpp.yaml +98 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/semgrep/go.yaml +63 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/semgrep/java.yaml +61 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/semgrep/javascript.yaml +60 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/semgrep/python.yaml +72 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/variant-report-template.md +75 -0
- package/skills/video-frames/SKILL.md +46 -0
- package/skills/video-frames/scripts/frame.sh +81 -0
- package/skills/voice-call/SKILL.md +45 -0
- package/skills/wacli/SKILL.md +72 -0
- package/skills/weather/SKILL.md +54 -0
- package/skills/yara-authoring/.claude-plugin/plugin.json +9 -0
- package/skills/yara-authoring/README.md +131 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/SKILL.md +645 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/examples/MAL_Mac_ProtonRAT_Jan25.yar +99 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/examples/MAL_NPM_SupplyChain_Jan25.yar +170 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/examples/MAL_Win_Remcos_Jan25.yar +103 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/examples/SUSP_CRX_SuspiciousPermissions.yar +134 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/examples/SUSP_JS_Obfuscation_Jan25.yar +185 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/references/crx-module.md +214 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/references/dex-module.md +383 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/references/performance.md +333 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/references/strings.md +433 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/references/style-guide.md +257 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/references/testing.md +399 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/scripts/atom_analyzer.py +526 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/scripts/pyproject.toml +25 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/scripts/yara_lint.py +631 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/workflows/rule-development.md +493 -0
|
@@ -0,0 +1,399 @@
|
|
|
1
|
+
# YARA-X Rule Testing
|
|
2
|
+
|
|
3
|
+
Testing is non-negotiable. Untested rules cause alert fatigue (false positives) or missed detections (false negatives).
|
|
4
|
+
|
|
5
|
+
## Testing Philosophy
|
|
6
|
+
|
|
7
|
+
Every rule needs three validation stages:
|
|
8
|
+
|
|
9
|
+
1. **Positive validation** — Matches all target samples
|
|
10
|
+
2. **Negative validation** — Zero matches on goodware
|
|
11
|
+
3. **Edge case validation** — Handles variants, packed versions, fragments
|
|
12
|
+
|
|
13
|
+
## Validation Workflow
|
|
14
|
+
|
|
15
|
+
```
|
|
16
|
+
┌──────────────────────┐
|
|
17
|
+
│ Write initial rule │
|
|
18
|
+
└──────────┬───────────┘
|
|
19
|
+
│
|
|
20
|
+
▼
|
|
21
|
+
┌──────────────────────┐
|
|
22
|
+
│ yr check (validate) │──── Fix issues ────┐
|
|
23
|
+
└──────────┬───────────┘ │
|
|
24
|
+
│ │
|
|
25
|
+
▼ │
|
|
26
|
+
┌──────────────────────┐ │
|
|
27
|
+
│ Lint (style checks) │──── Fix issues ────┤
|
|
28
|
+
└──────────┬───────────┘ │
|
|
29
|
+
│ │
|
|
30
|
+
▼ │
|
|
31
|
+
┌──────────────────────┐ │
|
|
32
|
+
│ Test vs. samples │──── Missing? ──────┤
|
|
33
|
+
└──────────┬───────────┘ (widen rule) │
|
|
34
|
+
│ │
|
|
35
|
+
▼ │
|
|
36
|
+
┌──────────────────────┐ │
|
|
37
|
+
│ Test vs. goodware │──── FPs? ──────────┤
|
|
38
|
+
└──────────┬───────────┘ (tighten rule) │
|
|
39
|
+
│ │
|
|
40
|
+
▼ │
|
|
41
|
+
┌──────────────────────┐ │
|
|
42
|
+
│ Peer review │──── Issues? ───────┘
|
|
43
|
+
└──────────┬───────────┘
|
|
44
|
+
│
|
|
45
|
+
▼
|
|
46
|
+
┌──────────────────────┐
|
|
47
|
+
│ Deploy to production │
|
|
48
|
+
└──────────────────────┘
|
|
49
|
+
```
|
|
50
|
+
|
|
51
|
+
### Validation with yr check
|
|
52
|
+
|
|
53
|
+
Always validate rules before testing:
|
|
54
|
+
|
|
55
|
+
```bash
|
|
56
|
+
# Basic validation
|
|
57
|
+
yr check rule.yar
|
|
58
|
+
|
|
59
|
+
# Validate directory
|
|
60
|
+
yr check rules/
|
|
61
|
+
|
|
62
|
+
# Migration mode (identifies legacy YARA compatibility issues)
|
|
63
|
+
yr check --relaxed-re-syntax rules/
|
|
64
|
+
```
|
|
65
|
+
|
|
66
|
+
> **Note:** Use `--relaxed-re-syntax` only as a temporary diagnostic tool during migration.
|
|
67
|
+
> Fix all identified issues rather than relying on relaxed mode permanently.
|
|
68
|
+
|
|
69
|
+
YARA-X provides better error messages than legacy YARA, with precise source locations for issues.
|
|
70
|
+
|
|
71
|
+
## Goodware Testing
|
|
72
|
+
|
|
73
|
+
### Platform-Specific Goodware
|
|
74
|
+
|
|
75
|
+
Test against legitimate software in your target ecosystem, not just Windows binaries:
|
|
76
|
+
|
|
77
|
+
| Platform | Goodware Corpus |
|
|
78
|
+
|----------|-----------------|
|
|
79
|
+
| **PE files** | VirusTotal goodware, clean Windows installs |
|
|
80
|
+
| **JavaScript/Node** | Popular npm packages (lodash, react, express, axios) |
|
|
81
|
+
| **VS Code extensions** | Top 100 marketplace extensions by installs |
|
|
82
|
+
| **Browser extensions** | Chrome Web Store popular extensions |
|
|
83
|
+
| **npm packages** | Top 100+ packages by weekly downloads |
|
|
84
|
+
| **Python packages** | Top PyPI packages (requests, django, flask) |
|
|
85
|
+
|
|
86
|
+
**Critical:** A rule that fires on legitimate software in your target ecosystem is useless. VT's goodware corpus is PE-centric — supplement with ecosystem-appropriate files.
|
|
87
|
+
|
|
88
|
+
### Goodware Corpus Selection
|
|
89
|
+
|
|
90
|
+
Not all goodware is equal. Choose corpus that matches your rule's target:
|
|
91
|
+
|
|
92
|
+
| Rule Target | Minimum Goodware Corpus |
|
|
93
|
+
|-------------|------------------------|
|
|
94
|
+
| PE files | Chrome, Firefox, Adobe Reader, Microsoft Office, Python installer |
|
|
95
|
+
| JavaScript | lodash, react, express, webpack, electron |
|
|
96
|
+
| npm packages | Top 100 by weekly downloads + packages with postinstall scripts |
|
|
97
|
+
| Chrome extensions | Top 50 marketplace extensions |
|
|
98
|
+
|
|
99
|
+
**Expert baseline:** "Test against Chrome, Firefox, and Adobe Reader" — Kaspersky Applied YARA
|
|
100
|
+
|
|
101
|
+
### Interpreting Goodware Matches
|
|
102
|
+
|
|
103
|
+
```
|
|
104
|
+
Rule matched goodware — now what?
|
|
105
|
+
├─ Matched 1-2 files?
|
|
106
|
+
│ └─ Investigate: is the match legitimate? Add exclusion or tighten string
|
|
107
|
+
├─ Matched 3-5 files?
|
|
108
|
+
│ └─ Pattern is too common — find different indicators
|
|
109
|
+
├─ Matched 6+ files?
|
|
110
|
+
│ └─ Rule is fundamentally broken — start over
|
|
111
|
+
└─ Matched only one vendor's software?
|
|
112
|
+
└─ Add vendor exclusion: `not $fp_vendor`
|
|
113
|
+
```
|
|
114
|
+
|
|
115
|
+
### VirusTotal Goodware Corpus (Recommended)
|
|
116
|
+
|
|
117
|
+
The gold standard. VirusTotal maintains a corpus of 1M+ clean files from major software vendors.
|
|
118
|
+
|
|
119
|
+
1. Upload your rule to [VirusTotal Intelligence](https://www.virustotal.com/gui/hunting)
|
|
120
|
+
2. Select "Goodware" corpus
|
|
121
|
+
3. Run retrohunt
|
|
122
|
+
4. Review any matches — each is a potential false positive
|
|
123
|
+
|
|
124
|
+
**Interpreting results:**
|
|
125
|
+
|
|
126
|
+
| Matches | Assessment | Action |
|
|
127
|
+
|---------|------------|--------|
|
|
128
|
+
| 0 | Excellent | Proceed to deployment |
|
|
129
|
+
| 1-2 | Investigate | Review matches, add exclusions or tighten strings |
|
|
130
|
+
| 3-5 | Too common | Find different indicators |
|
|
131
|
+
| 6+ | Broken | Start over with different indicators |
|
|
132
|
+
|
|
133
|
+
### Local Testing
|
|
134
|
+
|
|
135
|
+
```bash
|
|
136
|
+
# Should return zero matches
|
|
137
|
+
yr scan -r rules/ /path/to/goodware/
|
|
138
|
+
|
|
139
|
+
# Count matches (quiet mode)
|
|
140
|
+
yr scan -c rules/ /path/to/goodware/
|
|
141
|
+
```
|
|
142
|
+
|
|
143
|
+
### yarGen Database Lookup
|
|
144
|
+
|
|
145
|
+
Before deployment, check strings against yarGen's goodware database:
|
|
146
|
+
|
|
147
|
+
```bash
|
|
148
|
+
# Query strings against goodware database
|
|
149
|
+
python db-lookup.py -f strings.txt
|
|
150
|
+
```
|
|
151
|
+
|
|
152
|
+
Strings appearing in the database are likely to cause false positives.
|
|
153
|
+
|
|
154
|
+
### YARA-CI
|
|
155
|
+
|
|
156
|
+
[YARA-CI](https://yara-ci.cloud.virustotal.com/) provides cloud-based validation:
|
|
157
|
+
|
|
158
|
+
1. Connect GitHub repository
|
|
159
|
+
2. Each PR automatically tested
|
|
160
|
+
3. Reports syntax errors and performance issues
|
|
161
|
+
4. Integrates with VT goodware corpus
|
|
162
|
+
|
|
163
|
+
## Free Testing Alternatives
|
|
164
|
+
|
|
165
|
+
Not everyone has VirusTotal Intelligence access. Here are free alternatives:
|
|
166
|
+
|
|
167
|
+
### Free Online Tools
|
|
168
|
+
|
|
169
|
+
| Tool | Purpose | Access |
|
|
170
|
+
|------|---------|--------|
|
|
171
|
+
| **YARA-CI** | GitHub App tests PRs against 1M NIST goodware files | Free, [github.com/apps/virustotal-yara-ci](https://github.com/apps/virustotal-yara-ci) |
|
|
172
|
+
| **YaraDbg** | Web-based rule debugger with step-through execution | Free, [yaradbg.dev](https://yaradbg.dev) |
|
|
173
|
+
| **Klara** | Kaspersky's distributed YARA scanner | Open source, self-hosted |
|
|
174
|
+
|
|
175
|
+
### YARA-CI Setup
|
|
176
|
+
|
|
177
|
+
YARA-CI is the best free option for automated testing:
|
|
178
|
+
|
|
179
|
+
```bash
|
|
180
|
+
# 1. Install GitHub App from github.com/apps/virustotal-yara-ci
|
|
181
|
+
# 2. Connect your rules repository
|
|
182
|
+
# 3. Each PR automatically tested against 1M+ goodware files
|
|
183
|
+
# 4. View results at yara-ci.cloud.virustotal.com
|
|
184
|
+
```
|
|
185
|
+
|
|
186
|
+
Results include:
|
|
187
|
+
- Syntax validation
|
|
188
|
+
- Performance warnings
|
|
189
|
+
- Goodware matches (potential FPs)
|
|
190
|
+
- Slowloris detection (rules that timeout)
|
|
191
|
+
|
|
192
|
+
### Building a Local Goodware Corpus
|
|
193
|
+
|
|
194
|
+
For offline testing, build your own corpus:
|
|
195
|
+
|
|
196
|
+
**Windows PE files:**
|
|
197
|
+
```bash
|
|
198
|
+
# Fresh Windows 11 VM → export C:\Windows\System32\*.dll
|
|
199
|
+
# Download Chrome, Firefox, Adobe Reader installers
|
|
200
|
+
# Python/Node installers from official sources
|
|
201
|
+
```
|
|
202
|
+
|
|
203
|
+
**npm/JavaScript packages:**
|
|
204
|
+
```bash
|
|
205
|
+
# Download top packages
|
|
206
|
+
npm pack lodash react express axios webpack
|
|
207
|
+
# Extract for scanning
|
|
208
|
+
for f in *.tgz; do tar -xzf "$f"; done
|
|
209
|
+
```
|
|
210
|
+
|
|
211
|
+
**Chrome extensions:**
|
|
212
|
+
```bash
|
|
213
|
+
# Export installed extensions from chrome://extensions (Developer mode)
|
|
214
|
+
# Or download .crx files from Chrome Web Store using extension ID
|
|
215
|
+
```
|
|
216
|
+
|
|
217
|
+
**macOS applications:**
|
|
218
|
+
```bash
|
|
219
|
+
# Copy from /Applications/ on a fresh macOS install
|
|
220
|
+
# System binaries from /usr/bin/, /usr/sbin/
|
|
221
|
+
```
|
|
222
|
+
|
|
223
|
+
### NIST NSRL
|
|
224
|
+
|
|
225
|
+
The [NIST National Software Reference Library](https://www.nist.gov/itl/ssd/software-quality-group/national-software-reference-library-nsrl) provides hash sets of known-good files:
|
|
226
|
+
|
|
227
|
+
- **Size:** ~147GB compressed
|
|
228
|
+
- **Contains:** Hashes from legitimate software
|
|
229
|
+
- **Use:** Filter known-good files before scanning
|
|
230
|
+
|
|
231
|
+
```bash
|
|
232
|
+
# Download RDS (Reference Data Set)
|
|
233
|
+
# Available at: https://www.nist.gov/itl/ssd/software-quality-group/nsrl-download-links
|
|
234
|
+
# Use to exclude known-good files from your corpus
|
|
235
|
+
```
|
|
236
|
+
|
|
237
|
+
### macOS XProtect
|
|
238
|
+
|
|
239
|
+
Apple's built-in YARA rules are a good reference:
|
|
240
|
+
|
|
241
|
+
```bash
|
|
242
|
+
# Location on macOS
|
|
243
|
+
/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.yara
|
|
244
|
+
|
|
245
|
+
# View rules (requires SIP disabled or extraction from DMG)
|
|
246
|
+
cat /System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.yara
|
|
247
|
+
```
|
|
248
|
+
|
|
249
|
+
XProtect rules demonstrate Apple's production patterns for macOS malware detection.
|
|
250
|
+
|
|
251
|
+
### Minimum Local Corpus by Platform
|
|
252
|
+
|
|
253
|
+
| Rule Target | Minimum Local Corpus |
|
|
254
|
+
|-------------|---------------------|
|
|
255
|
+
| PE files | Chrome.exe, Firefox.exe, python.exe (10+ files) |
|
|
256
|
+
| npm packages | lodash, react, express, webpack (top 50 by downloads) |
|
|
257
|
+
| Chrome extensions | uBlock Origin, React DevTools, Grammarly (top 20) |
|
|
258
|
+
| macOS | /Applications/* from fresh install |
|
|
259
|
+
| Android DEX | Top 10 Play Store apps (extracted APKs) |
|
|
260
|
+
|
|
261
|
+
## Malware Sample Testing
|
|
262
|
+
|
|
263
|
+
### Positive Testing
|
|
264
|
+
|
|
265
|
+
```bash
|
|
266
|
+
# Rule should match all target samples
|
|
267
|
+
yr scan -r MAL_Win_Emotet.yar samples/emotet/
|
|
268
|
+
|
|
269
|
+
# With matched strings shown
|
|
270
|
+
yr scan -s MAL_Win_Emotet.yar samples/emotet/
|
|
271
|
+
|
|
272
|
+
# Expected: all files listed
|
|
273
|
+
# If any missing: rule too narrow
|
|
274
|
+
```
|
|
275
|
+
|
|
276
|
+
### Variant Coverage
|
|
277
|
+
|
|
278
|
+
Test against:
|
|
279
|
+
- Multiple versions/builds
|
|
280
|
+
- Packed variants (UPX, custom packers)
|
|
281
|
+
- Different configurations
|
|
282
|
+
- Both 32-bit and 64-bit
|
|
283
|
+
|
|
284
|
+
## False Positive Investigation
|
|
285
|
+
|
|
286
|
+
When a rule matches goodware:
|
|
287
|
+
|
|
288
|
+
### 1. Identify the Match
|
|
289
|
+
|
|
290
|
+
```bash
|
|
291
|
+
yr scan -s rule.yar false_positive.exe
|
|
292
|
+
```
|
|
293
|
+
|
|
294
|
+
Shows which strings matched.
|
|
295
|
+
|
|
296
|
+
### 2. Analyze Why
|
|
297
|
+
|
|
298
|
+
Common causes:
|
|
299
|
+
- String too generic ("cmd.exe", API names)
|
|
300
|
+
- Shared library code
|
|
301
|
+
- Common development patterns
|
|
302
|
+
- Legitimate use of same techniques
|
|
303
|
+
|
|
304
|
+
### 3. Remediation Options
|
|
305
|
+
|
|
306
|
+
**Option A: Exclude the specific file**
|
|
307
|
+
|
|
308
|
+
```yara
|
|
309
|
+
strings:
|
|
310
|
+
$fp_vendor = "Legitimate Software Inc"
|
|
311
|
+
|
|
312
|
+
condition:
|
|
313
|
+
$malware_string and not $fp_vendor
|
|
314
|
+
```
|
|
315
|
+
|
|
316
|
+
**Option B: Add distinguishing string**
|
|
317
|
+
|
|
318
|
+
```yara
|
|
319
|
+
strings:
|
|
320
|
+
$generic = "common_string"
|
|
321
|
+
$specific = "unique_malware_marker"
|
|
322
|
+
|
|
323
|
+
condition:
|
|
324
|
+
$generic and $specific // Both required
|
|
325
|
+
```
|
|
326
|
+
|
|
327
|
+
**Option C: Tighten positional constraints**
|
|
328
|
+
|
|
329
|
+
```yara
|
|
330
|
+
condition:
|
|
331
|
+
$marker in (0..1024) and // Only in first 1KB
|
|
332
|
+
filesize < 500KB // Malware-typical size
|
|
333
|
+
```
|
|
334
|
+
|
|
335
|
+
**Option D: Replace the string**
|
|
336
|
+
|
|
337
|
+
Find a more unique indicator and remove the problematic string.
|
|
338
|
+
|
|
339
|
+
## Supply Chain Package Testing
|
|
340
|
+
|
|
341
|
+
For npm/PyPI/RubyGems rules, test against ecosystem-appropriate corpora:
|
|
342
|
+
|
|
343
|
+
### Recommended Test Corpora
|
|
344
|
+
|
|
345
|
+
| Corpus | Source | Purpose |
|
|
346
|
+
|--------|--------|---------|
|
|
347
|
+
| Top 1000 npm packages | `npm search --searchlimit=1000` | Avoid FPs on popular dependencies |
|
|
348
|
+
| Packages with postinstall scripts | Filter for `scripts.postinstall` in package.json | Common attack vector |
|
|
349
|
+
| Known malicious packages | [npm-shai-hulud-scanner](https://github.com/nickytonline/npm-shai-hulud-scanner) list | Positive validation |
|
|
350
|
+
| VS Code top extensions | Marketplace API | Extension-specific rules |
|
|
351
|
+
|
|
352
|
+
### Common Attack Pattern Testing
|
|
353
|
+
|
|
354
|
+
**Critical pattern:** `postinstall + network call + credential path` is the signature of supply chain attacks. Test that your rule catches this combo while ignoring legitimate build scripts.
|
|
355
|
+
|
|
356
|
+
```bash
|
|
357
|
+
# Build a test corpus from npm
|
|
358
|
+
mkdir -p test_corpus/legitimate test_corpus/suspicious
|
|
359
|
+
|
|
360
|
+
# Grab legitimate packages with postinstall (build tools)
|
|
361
|
+
npm pack webpack && tar -xzf webpack-*.tgz -C test_corpus/legitimate/
|
|
362
|
+
npm pack electron-builder && tar -xzf electron-builder-*.tgz -C test_corpus/legitimate/
|
|
363
|
+
|
|
364
|
+
# Your rule should NOT match legitimate postinstall scripts
|
|
365
|
+
yr scan -r supply_chain_rule.yar test_corpus/legitimate/
|
|
366
|
+
# Expected: zero matches
|
|
367
|
+
```
|
|
368
|
+
|
|
369
|
+
### Known Malicious Package Patterns
|
|
370
|
+
|
|
371
|
+
Rules targeting supply chain attacks should detect patterns from documented incidents:
|
|
372
|
+
|
|
373
|
+
| Incident | Key Indicators | Reference |
|
|
374
|
+
|----------|----------------|-----------|
|
|
375
|
+
| chalk/debug (Sept 2025) | `runmask`, `checkethereumw`, ERC-20 selectors | Stairwell |
|
|
376
|
+
| os-info-checker-es6 | Variation selectors, eval+atob | Veracode |
|
|
377
|
+
| event-stream | Flatmap dependency, Bitcoin wallet targeting | npm advisory |
|
|
378
|
+
|
|
379
|
+
**Positive validation:** Test your rule against recreated (defanged) versions of known malicious packages to ensure detection.
|
|
380
|
+
|
|
381
|
+
## Checklist
|
|
382
|
+
|
|
383
|
+
Before any rule goes to production:
|
|
384
|
+
|
|
385
|
+
- [ ] `yr check` passes (syntax and YARA-X compatibility)
|
|
386
|
+
- [ ] `yr fmt --check` passes (consistent formatting)
|
|
387
|
+
- [ ] Linter passes (`uv run yara_lint.py rule.yar`)
|
|
388
|
+
- [ ] Matches all target samples (positive testing)
|
|
389
|
+
- [ ] Zero matches on goodware corpus (negative testing)
|
|
390
|
+
- [ ] Tested against packed variants if applicable
|
|
391
|
+
- [ ] Performance acceptable (< 1s per file on average)
|
|
392
|
+
- [ ] Peer reviewed by second analyst
|
|
393
|
+
- [ ] Version and changelog updated
|
|
394
|
+
|
|
395
|
+
### Supply Chain Rule Additions
|
|
396
|
+
|
|
397
|
+
- [ ] Tested against top 100 packages in target ecosystem
|
|
398
|
+
- [ ] Does not match legitimate postinstall scripts (webpack, electron-builder, etc.)
|
|
399
|
+
- [ ] Validated against known malicious package patterns
|