skill-checker 0.1.13 → 0.1.14

package/README.md

@@ -4,7 +4,7 @@ Security checker for Claude Code skills — detect injection, malicious code, an
 
 ## Features
 
-- **55 security rules** across 6 categories: structural validity, content quality, injection detection, code safety, supply chain, and resource abuse
+- **56 security rules** across 6 categories: structural validity, content quality, injection detection, code safety, supply chain, and resource abuse
 - **Scoring system**: Grade A–F with 0–100 score
 - **Dual entry**: CLI tool + PreToolUse hook for automatic interception
 - **Configurable policies**: strict / balanced / permissive approval strategies
@@ -14,7 +14,7 @@ Security checker for Claude Code skills — detect injection, malicious code, an
 
 ## Security Standard & Benchmark
 
-Skill Checker's 55 rules are aligned with established security frameworks including OWASP Top 10 for LLM Applications (2025), MITRE CWE, and MITRE ATT&CK. The tool ships with a reproducible benchmark dataset of six fixture skills covering all rule categories. This alignment is an internal mapping exercise — Skill Checker does not claim third-party certification or external audit status.
+Skill Checker's 56 rules are aligned with established security frameworks including OWASP Top 10 for LLM Applications (2025), MITRE CWE, and MITRE ATT&CK. The tool ships with a reproducible benchmark dataset of six fixture skills covering all rule categories. This alignment is an internal mapping exercise — Skill Checker does not claim third-party certification or external audit status.
 
 See [docs/SECURITY_BENCHMARK.md](docs/SECURITY_BENCHMARK.md) for the full rule mapping matrix, benchmark methodology, scoring model, and known limitations.
 
@@ -164,7 +164,7 @@ Config is resolved in order: CLI `--config` flag → project directory (walks up
 |----------|-------|---------|
 | Structural (STRUCT) | 8 | Missing SKILL.md, invalid frontmatter, binary files |
 | Content (CONT) | 7 | Placeholder text, lorem ipsum, promotional content |
-| Injection (INJ) | 9 | Zero-width chars, prompt override, tag injection, encoded payloads |
+| Injection (INJ) | 10 | Zero-width chars, prompt override, tag injection, social engineering, encoded payloads |
 | Code Safety (CODE) | 15 | eval/exec, shell execution, reverse shell, data exfiltration, API key leakage, rm -rf, obfuscation |
 | Supply Chain (SUPPLY) | 10 | Unknown MCP servers, suspicious domains, malicious hashes, typosquat |
 | Resource Abuse (RES) | 6 | Unrestricted tool access, disable safety checks, ignore project rules |

package/dist/cli.js

@@ -969,6 +969,40 @@ var DELIMITER_PATTERNS = [
   /\[INST\]/i,
   /\[\/INST\]/i
 ];
+var DANGEROUS_ROLE_PATTERN = "(?:(?:an?\\s+)?(?:hacker|attacker|cracker|root|admin(?:istrator)?|superuser|unrestricted|jailbroken|evil|malicious|unfiltered|uncensored)\\b|DAN\\b|(?:a\\s+)?different\\b)";
+var IDENTITY_HIJACKING_PATTERNS = [
+  new RegExp(`\\byou\\s+are\\s+now\\s+${DANGEROUS_ROLE_PATTERN}`, "i"),
+  new RegExp(`\\bact\\s+as\\s+${DANGEROUS_ROLE_PATTERN}`, "i"),
+  new RegExp(`\\bpretend\\s+(?:you\\s+are|to\\s+be)\\s+${DANGEROUS_ROLE_PATTERN}`, "i"),
+  new RegExp(`\\broleplay\\s+(?:as|like)\\s+${DANGEROUS_ROLE_PATTERN}`, "i"),
+  new RegExp(`\\bassume\\s+the\\s+role\\s+of\\s+${DANGEROUS_ROLE_PATTERN}`, "i"),
+  /\byou\s+are\s+no\s+longer\s+claude\b/i,
+  /\bfrom\s+now\s+on,?\s+you\s+are\b/i
+];
+var DECEPTION_SECRECY_PATTERNS = [
+  /\bdo\s+not\s+tell\s+(the\s+)?(user|human|person|operator)\b/i,
+  /\bdo\s+not\s+(mention|reveal|disclose|expose)\s+(this|that|the|any|these)\b/i,
+  /\bnever\s+(tell|mention|reveal|disclose)\s+(the\s+)?(user|human|person|operator)\b/i,
+  /\bkeep\s+this\s+(secret|hidden|private|confidential)\b(?!\s+key)/i,
+  /\bhide\s+this\s+(from|action|operation|instruction)\b/i,
+  /\bwithout\s+(the\s+)?(user|human)('?s)?\s+(knowledge|knowing|awareness|consent)\b/i,
+  /\bsilently\s+(execute|run|perform|install|download|delete|modify|send)\b/i
+];
+var CONFIG_TAMPERING_PATTERNS = [
+  /\b(modify|change|update|edit|alter|rewrite)\s+(your|my)\s+(memory|config|configuration|settings?|instructions?|behavior|personality)\b/i,
+  /\bwrite\s+to\s+(CLAUDE\.md|\.claude|settings\.json|memory\.md)\b/i,
+  /\b(append|prepend|add|insert)\s+.{0,30}\bto\s+(CLAUDE\.md|\.claude|memory\.md)\b/i,
+  /\boverwrite\s+(your|the)\s+(system|core)\s+(prompt|instructions?|config)\b/i,
+  /\bpersist\s+(this|these|the)\s+(instruction|change|modification|setting)s?\b/i
+];
+var VERIFICATION_BYPASS_PATTERNS = [
+  /\btrust\s+(this|the|these|that|my)\s+(result|output|response|answer|value|data|input)s?\b/i,
+  /\bno\s+need\s+to\s+(check|verify|validate|review|confirm|inspect)\b/i,
+  /\bdo\s+not\s+(verify|validate|check|review|confirm|inspect)\s+(the|this|that|any|these)\b/i,
+  /\b(assume|consider)\s+(it|this|that)\s+(is|to\s+be)\s+(correct|safe|valid|trusted|clean|secure|legitimate)\b/i,
+  /\baccept\s+(this|the|these|that)\s+without\s+(checking|verifying|validating|questioning)\b/i,
+  /\bblindly\s+(trust|accept|execute|run|follow|apply)\b/i
+];
 var injectionChecks = {
   name: "Injection Detection",
   category: "INJ",
@@ -1065,6 +1099,65 @@ var injectionChecks = {
           break;
         }
       }
+      const trimmedLine = line.trim();
+      const nextLine = i + 1 < skill.bodyLines.length ? skill.bodyLines[i + 1] : "";
+      const crossLine = trimmedLine && nextLine ? `${line} ${nextLine}` : line;
+      for (const pattern of IDENTITY_HIJACKING_PATTERNS) {
+        if (pattern.test(crossLine)) {
+          results.push({
+            id: "INJ-010",
+            category: "INJ",
+            severity: "CRITICAL",
+            title: "Social engineering: identity hijacking",
+            message: `Line ${lineNum}: Attempts to hijack the model's identity.`,
+            line: lineNum,
+            snippet: line.trim().slice(0, 120)
+          });
+          break;
+        }
+      }
+      for (const pattern of DECEPTION_SECRECY_PATTERNS) {
+        if (pattern.test(crossLine)) {
+          results.push({
+            id: "INJ-010",
+            category: "INJ",
+            severity: "CRITICAL",
+            title: "Social engineering: deception/secrecy",
+            message: `Line ${lineNum}: Instructs the model to hide actions from the user.`,
+            line: lineNum,
+            snippet: line.trim().slice(0, 120)
+          });
+          break;
+        }
+      }
+      for (const pattern of CONFIG_TAMPERING_PATTERNS) {
+        if (pattern.test(crossLine)) {
+          results.push({
+            id: "INJ-010",
+            category: "INJ",
+            severity: "HIGH",
+            title: "Social engineering: configuration tampering",
+            message: `Line ${lineNum}: Attempts to tamper with model configuration or memory.`,
+            line: lineNum,
+            snippet: line.trim().slice(0, 120)
+          });
+          break;
+        }
+      }
+      for (const pattern of VERIFICATION_BYPASS_PATTERNS) {
+        if (pattern.test(crossLine)) {
+          results.push({
+            id: "INJ-010",
+            category: "INJ",
+            severity: "HIGH",
+            title: "Social engineering: verification bypass",
+            message: `Line ${lineNum}: Attempts to bypass verification or validation.`,
+            line: lineNum,
+            snippet: line.trim().slice(0, 120)
+          });
+          break;
+        }
+      }
     }
     const commentRegex = /<!--([\s\S]*?)-->/g;
     let commentMatch;
@@ -1116,7 +1209,10 @@ function hasInstructionLikeContent(text) {
     /\brm\s+-rf\b/i,
     /\bcurl\b.*\bsh\b/i,
     /\beval\b/i,
-    /\bexec\b/i
+    /\bexec\b/i,
+    /\bdo\s+not\s+tell\s+(the\s+)?(user|human)/i,
+    /\bpretend\s+(you\s+are|to\s+be)/i,
+    /\bsilently\s+(execute|run|install)/i
   ];
   return instructionPatterns.some((p) => p.test(text));
 }