skill-checker 0.1.12 → 0.1.14

package/README.md

@@ -4,7 +4,7 @@ Security checker for Claude Code skills — detect injection, malicious code, an
 
 ## Features
 
-- **55 security rules** across 6 categories: structural validity, content quality, injection detection, code safety, supply chain, and resource abuse
+- **56 security rules** across 6 categories: structural validity, content quality, injection detection, code safety, supply chain, and resource abuse
 - **Scoring system**: Grade A–F with 0–100 score
 - **Dual entry**: CLI tool + PreToolUse hook for automatic interception
 - **Configurable policies**: strict / balanced / permissive approval strategies
@@ -14,7 +14,7 @@ Security checker for Claude Code skills — detect injection, malicious code, an
 
 ## Security Standard & Benchmark
 
-Skill Checker's 55 rules are aligned with established security frameworks including OWASP Top 10 for LLM Applications (2025), MITRE CWE, and MITRE ATT&CK. The tool ships with a reproducible benchmark dataset of six fixture skills covering all rule categories. This alignment is an internal mapping exercise — Skill Checker does not claim third-party certification or external audit status.
+Skill Checker's 56 rules are aligned with established security frameworks including OWASP Top 10 for LLM Applications (2025), MITRE CWE, and MITRE ATT&CK. The tool ships with a reproducible benchmark dataset of six fixture skills covering all rule categories. This alignment is an internal mapping exercise — Skill Checker does not claim third-party certification or external audit status.
 
 See [docs/SECURITY_BENCHMARK.md](docs/SECURITY_BENCHMARK.md) for the full rule mapping matrix, benchmark methodology, scoring model, and known limitations.
 
@@ -164,7 +164,7 @@ Config is resolved in order: CLI `--config` flag → project directory (walks up
 |----------|-------|---------|
 | Structural (STRUCT) | 8 | Missing SKILL.md, invalid frontmatter, binary files |
 | Content (CONT) | 7 | Placeholder text, lorem ipsum, promotional content |
-| Injection (INJ) | 9 | Zero-width chars, prompt override, tag injection, encoded payloads |
+| Injection (INJ) | 10 | Zero-width chars, prompt override, tag injection, social engineering, encoded payloads |
 | Code Safety (CODE) | 15 | eval/exec, shell execution, reverse shell, data exfiltration, API key leakage, rm -rf, obfuscation |
 | Supply Chain (SUPPLY) | 10 | Unknown MCP servers, suspicious domains, malicious hashes, typosquat |
 | Resource Abuse (RES) | 6 | Unrestricted tool access, disable safety checks, ignore project rules |

package/dist/cli.js

@@ -969,6 +969,40 @@ var DELIMITER_PATTERNS = [
   /\[INST\]/i,
   /\[\/INST\]/i
 ];
+var DANGEROUS_ROLE_PATTERN = "(?:(?:an?\\s+)?(?:hacker|attacker|cracker|root|admin(?:istrator)?|superuser|unrestricted|jailbroken|evil|malicious|unfiltered|uncensored)\\b|DAN\\b|(?:a\\s+)?different\\b)";
+var IDENTITY_HIJACKING_PATTERNS = [
+  new RegExp(`\\byou\\s+are\\s+now\\s+${DANGEROUS_ROLE_PATTERN}`, "i"),
+  new RegExp(`\\bact\\s+as\\s+${DANGEROUS_ROLE_PATTERN}`, "i"),
+  new RegExp(`\\bpretend\\s+(?:you\\s+are|to\\s+be)\\s+${DANGEROUS_ROLE_PATTERN}`, "i"),
+  new RegExp(`\\broleplay\\s+(?:as|like)\\s+${DANGEROUS_ROLE_PATTERN}`, "i"),
+  new RegExp(`\\bassume\\s+the\\s+role\\s+of\\s+${DANGEROUS_ROLE_PATTERN}`, "i"),
+  /\byou\s+are\s+no\s+longer\s+claude\b/i,
+  /\bfrom\s+now\s+on,?\s+you\s+are\b/i
+];
+var DECEPTION_SECRECY_PATTERNS = [
+  /\bdo\s+not\s+tell\s+(the\s+)?(user|human|person|operator)\b/i,
+  /\bdo\s+not\s+(mention|reveal|disclose|expose)\s+(this|that|the|any|these)\b/i,
+  /\bnever\s+(tell|mention|reveal|disclose)\s+(the\s+)?(user|human|person|operator)\b/i,
+  /\bkeep\s+this\s+(secret|hidden|private|confidential)\b(?!\s+key)/i,
+  /\bhide\s+this\s+(from|action|operation|instruction)\b/i,
+  /\bwithout\s+(the\s+)?(user|human)('?s)?\s+(knowledge|knowing|awareness|consent)\b/i,
+  /\bsilently\s+(execute|run|perform|install|download|delete|modify|send)\b/i
+];
+var CONFIG_TAMPERING_PATTERNS = [
+  /\b(modify|change|update|edit|alter|rewrite)\s+(your|my)\s+(memory|config|configuration|settings?|instructions?|behavior|personality)\b/i,
+  /\bwrite\s+to\s+(CLAUDE\.md|\.claude|settings\.json|memory\.md)\b/i,
+  /\b(append|prepend|add|insert)\s+.{0,30}\bto\s+(CLAUDE\.md|\.claude|memory\.md)\b/i,
+  /\boverwrite\s+(your|the)\s+(system|core)\s+(prompt|instructions?|config)\b/i,
+  /\bpersist\s+(this|these|the)\s+(instruction|change|modification|setting)s?\b/i
+];
+var VERIFICATION_BYPASS_PATTERNS = [
+  /\btrust\s+(this|the|these|that|my)\s+(result|output|response|answer|value|data|input)s?\b/i,
+  /\bno\s+need\s+to\s+(check|verify|validate|review|confirm|inspect)\b/i,
+  /\bdo\s+not\s+(verify|validate|check|review|confirm|inspect)\s+(the|this|that|any|these)\b/i,
+  /\b(assume|consider)\s+(it|this|that)\s+(is|to\s+be)\s+(correct|safe|valid|trusted|clean|secure|legitimate)\b/i,
+  /\baccept\s+(this|the|these|that)\s+without\s+(checking|verifying|validating|questioning)\b/i,
+  /\bblindly\s+(trust|accept|execute|run|follow|apply)\b/i
+];
 var injectionChecks = {
   name: "Injection Detection",
   category: "INJ",
@@ -1065,6 +1099,65 @@ var injectionChecks = {
           break;
         }
       }
+      const trimmedLine = line.trim();
+      const nextLine = i + 1 < skill.bodyLines.length ? skill.bodyLines[i + 1] : "";
+      const crossLine = trimmedLine && nextLine ? `${line} ${nextLine}` : line;
+      for (const pattern of IDENTITY_HIJACKING_PATTERNS) {
+        if (pattern.test(crossLine)) {
+          results.push({
+            id: "INJ-010",
+            category: "INJ",
+            severity: "CRITICAL",
+            title: "Social engineering: identity hijacking",
+            message: `Line ${lineNum}: Attempts to hijack the model's identity.`,
+            line: lineNum,
+            snippet: line.trim().slice(0, 120)
+          });
+          break;
+        }
+      }
+      for (const pattern of DECEPTION_SECRECY_PATTERNS) {
+        if (pattern.test(crossLine)) {
+          results.push({
+            id: "INJ-010",
+            category: "INJ",
+            severity: "CRITICAL",
+            title: "Social engineering: deception/secrecy",
+            message: `Line ${lineNum}: Instructs the model to hide actions from the user.`,
+            line: lineNum,
+            snippet: line.trim().slice(0, 120)
+          });
+          break;
+        }
+      }
+      for (const pattern of CONFIG_TAMPERING_PATTERNS) {
+        if (pattern.test(crossLine)) {
+          results.push({
+            id: "INJ-010",
+            category: "INJ",
+            severity: "HIGH",
+            title: "Social engineering: configuration tampering",
+            message: `Line ${lineNum}: Attempts to tamper with model configuration or memory.`,
+            line: lineNum,
+            snippet: line.trim().slice(0, 120)
+          });
+          break;
+        }
+      }
+      for (const pattern of VERIFICATION_BYPASS_PATTERNS) {
+        if (pattern.test(crossLine)) {
+          results.push({
+            id: "INJ-010",
+            category: "INJ",
+            severity: "HIGH",
+            title: "Social engineering: verification bypass",
+            message: `Line ${lineNum}: Attempts to bypass verification or validation.`,
+            line: lineNum,
+            snippet: line.trim().slice(0, 120)
+          });
+          break;
+        }
+      }
     }
     const commentRegex = /<!--([\s\S]*?)-->/g;
     let commentMatch;
@@ -1116,7 +1209,10 @@ function hasInstructionLikeContent(text) {
     /\brm\s+-rf\b/i,
     /\bcurl\b.*\bsh\b/i,
     /\beval\b/i,
-    /\bexec\b/i
+    /\bexec\b/i,
+    /\bdo\s+not\s+tell\s+(the\s+)?(user|human)/i,
+    /\bpretend\s+(you\s+are|to\s+be)/i,
+    /\bsilently\s+(execute|run|install)/i
   ];
   return instructionPatterns.some((p) => p.test(text));
 }
@@ -1606,8 +1702,8 @@ import { homedir } from "os";
 
 // src/ioc/indicators.ts
 var DEFAULT_IOC = {
-  version: "2026.03.06",
-  updated: "2026-03-06",
+  version: "2026.03.16",
+  updated: "2026-03-16",
   c2_ips: [
     "91.92.242.30",
     "91.92.242.39",
@@ -1620,32 +1716,61 @@ var DEFAULT_IOC = {
     // as it causes false positives on any empty file.
     "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2": "clawhavoc-exfiltrator"
   },
-  malicious_domains: [
-    "webhook.site",
-    "requestbin.com",
-    "pipedream.com",
-    "pipedream.net",
-    "hookbin.com",
-    "beeceptor.com",
-    "ngrok.io",
-    "ngrok-free.app",
-    "serveo.net",
-    "localtunnel.me",
-    "bore.pub",
-    "interact.sh",
-    "oast.fun",
-    "oastify.com",
-    "dnslog.cn",
-    "ceye.io",
-    "burpcollaborator.net",
-    "pastebin.com",
-    "paste.ee",
-    "hastebin.com",
-    "ghostbin.com",
-    "evil.com",
-    "malware.com",
-    "exploit.in"
-  ],
+  malicious_domains: {
+    exfiltration: [
+      "webhook.site",
+      "requestbin.com",
+      "requestcatcher.com",
+      "pipedream.com",
+      "pipedream.net",
+      "hookbin.com",
+      "beeceptor.com",
+      "postb.in",
+      "webhook.lol",
+      "requestinspector.com",
+      "mockbin.org"
+    ],
+    tunnel: [
+      "ngrok.io",
+      "ngrok-free.app",
+      "serveo.net",
+      "localtunnel.me",
+      "bore.pub",
+      "localhost.run",
+      "loca.lt",
+      "telebit.cloud",
+      "playit.gg",
+      "portmap.io",
+      "pagekite.me"
+    ],
+    oast: [
+      "interact.sh",
+      "oast.fun",
+      "oastify.com",
+      "dnslog.cn",
+      "ceye.io",
+      "burpcollaborator.net",
+      "canarytokens.com",
+      "requestrepo.com"
+    ],
+    paste: [
+      "pastebin.com",
+      "paste.ee",
+      "hastebin.com",
+      "ghostbin.com",
+      "dpaste.org",
+      "rentry.co",
+      "0bin.net",
+      "privatebin.net",
+      "paste.mozilla.org"
+    ],
+    c2: [
+      "evil.com",
+      "malware.com",
+      "exploit.in",
+      "darkweb.onion"
+    ]
+  },
   typosquat: {
     known_patterns: [
       "clawhub1",
@@ -1702,10 +1827,21 @@ function mergeIOC(base, ext) {
     Object.assign(base.malicious_hashes, ext.malicious_hashes);
   }
   if (ext.malicious_domains) {
-    base.malicious_domains = dedupe([
-      ...base.malicious_domains,
-      ...ext.malicious_domains
-    ]);
+    const categories = [
+      "exfiltration",
+      "tunnel",
+      "oast",
+      "paste",
+      "c2"
+    ];
+    for (const cat of categories) {
+      if (ext.malicious_domains[cat]) {
+        base.malicious_domains[cat] = dedupe([
+          ...base.malicious_domains[cat],
+          ...ext.malicious_domains[cat]
+        ]);
+      }
+    }
   }
   if (ext.typosquat) {
     if (ext.typosquat.known_patterns) {
@@ -1730,6 +1866,22 @@ function mergeIOC(base, ext) {
   if (ext.version) base.version = ext.version;
   if (ext.updated) base.updated = ext.updated;
 }
+function getAllDomains(ioc) {
+  const { exfiltration, tunnel, oast, paste, c2 } = ioc.malicious_domains;
+  return [...exfiltration, ...tunnel, ...oast, ...paste, ...c2];
+}
+function getDomainCategory(ioc, domain) {
+  const d = domain.toLowerCase();
+  const categories = ["exfiltration", "tunnel", "oast", "paste", "c2"];
+  for (const cat of categories) {
+    if (ioc.malicious_domains[cat].some(
+      (entry) => d === entry || d.endsWith("." + entry)
+    )) {
+      return cat;
+    }
+  }
+  return void 0;
+}
 function dedupe(arr) {
   return [...new Set(arr)];
 }
@@ -1738,6 +1890,24 @@ function dedupe(arr) {
 var FALLBACK_SUSPICIOUS_DOMAINS = [
   "darkweb.onion"
 ];
+function isSensitiveDomainCombo(line) {
+  if (/curl\b[^\n]*(?:-d|--data|--data-binary|--data-raw|--data-urlencode)\s+@/i.test(line)) {
+    return true;
+  }
+  if (/curl\b[^\n]*(?:-F|--form)\s+[^\s=]+=@/i.test(line)) {
+    return true;
+  }
+  if (/wget\b[^\n]*--post-file/i.test(line)) {
+    return true;
+  }
+  if (/\|\s*(?:sh|bash|zsh|python|node)\b/i.test(line)) {
+    return true;
+  }
+  if (/(?:\.env|\.ssh|id_rsa|\.aws|credentials|\.netrc|\.git-credentials)/i.test(line)) {
+    return true;
+  }
+  return false;
+}
 var MCP_SERVER_PATTERN = /\bmcp[-_]?server\b/i;
 var NPX_Y_PATTERN = /\bnpx\s+-y\s+/;
 var NPM_INSTALL_PATTERN = /\bnpm\s+install\b/;
@@ -1762,7 +1932,10 @@ var supplyChainChecks = {
     const results = [];
     const allText = getAllText(skill);
     const ioc = loadIOC();
-    const suspiciousDomains = ioc.malicious_domains.length > 0 ? ioc.malicious_domains : FALLBACK_SUSPICIOUS_DOMAINS;
+    const suspiciousDomains = getAllDomains(ioc);
+    if (suspiciousDomains.length === 0) {
+      suspiciousDomains.push(...FALLBACK_SUSPICIOUS_DOMAINS);
+    }
     for (let i = 0; i < allText.length; i++) {
       const { line, lineNum, source } = allText[i];
       if (MCP_SERVER_PATTERN.test(line)) {
@@ -1925,15 +2098,46 @@ var supplyChainChecks = {
         const hostname = extractHostname(url);
         for (const domain of suspiciousDomains) {
           if (hostnameMatchesDomain(hostname, domain)) {
+            const category = getDomainCategory(ioc, domain);
+            const categoryLabel = category ? ` (${category})` : "";
+            let severity = "HIGH";
+            let reducedFrom;
+            let msgSuffix = "";
+            if (isSensitiveDomainCombo(line)) {
+              severity = "CRITICAL";
+              msgSuffix = " [escalated: combined with sensitive operation]";
+            } else {
+              const srcLines = getLinesForSource(skill, source);
+              const localIdx = getLocalIndex(source, lineNum, skill.bodyStartLine);
+              const inCodeBlock = localIdx >= 0 && isInCodeBlock(srcLines, localIdx);
+              if (inCodeBlock) {
+                severity = "MEDIUM";
+                reducedFrom = "HIGH";
+                msgSuffix = " [reduced: in code block]";
+              } else {
+                const allLines = getAllLines(skill);
+                const globalIdx = findGlobalLineIndex(allLines, source, lineNum);
+                const isDoc = source === "SKILL.md" && globalIdx >= 0 && isInDocumentationContext(
+                  allLines.map((l) => l.line),
+                  globalIdx
+                );
+                if (isDoc) {
+                  severity = "LOW";
+                  reducedFrom = "HIGH";
+                  msgSuffix = " [reduced: in documentation context]";
+                }
+              }
+            }
             results.push({
               id: "SUPPLY-007",
               category: "SUPPLY",
-              severity: "CRITICAL",
-              title: "Suspicious domain detected",
-              message: `${source}:${lineNum}: References suspicious domain "${domain}".`,
+              severity,
+              title: `Suspicious domain${categoryLabel} detected`,
+              message: `${source}:${lineNum}: References suspicious domain "${domain}".${msgSuffix}`,
               line: lineNum,
               snippet: url,
-              source
+              source,
+              reducedFrom
             });
             break;
           }