skill-checker 0.1.13 → 0.1.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (6) hide show
  1. package/README.md +3 -3
  2. package/dist/cli.js +97 -1
  3. package/dist/cli.js.map +1 -1
  4. package/dist/index.js +97 -1
  5. package/dist/index.js.map +1 -1
  6. package/package.json +1 -1
package/dist/index.js CHANGED
@@ -977,6 +977,40 @@ var DELIMITER_PATTERNS = [
977
977
  /\[INST\]/i,
978
978
  /\[\/INST\]/i
979
979
  ];
980
+ var DANGEROUS_ROLE_PATTERN = "(?:(?:an?\\s+)?(?:hacker|attacker|cracker|root|admin(?:istrator)?|superuser|unrestricted|jailbroken|evil|malicious|unfiltered|uncensored)\\b|DAN\\b|(?:a\\s+)?different\\b)";
981
+ var IDENTITY_HIJACKING_PATTERNS = [
982
+ new RegExp(`\\byou\\s+are\\s+now\\s+${DANGEROUS_ROLE_PATTERN}`, "i"),
983
+ new RegExp(`\\bact\\s+as\\s+${DANGEROUS_ROLE_PATTERN}`, "i"),
984
+ new RegExp(`\\bpretend\\s+(?:you\\s+are|to\\s+be)\\s+${DANGEROUS_ROLE_PATTERN}`, "i"),
985
+ new RegExp(`\\broleplay\\s+(?:as|like)\\s+${DANGEROUS_ROLE_PATTERN}`, "i"),
986
+ new RegExp(`\\bassume\\s+the\\s+role\\s+of\\s+${DANGEROUS_ROLE_PATTERN}`, "i"),
987
+ /\byou\s+are\s+no\s+longer\s+claude\b/i,
988
+ /\bfrom\s+now\s+on,?\s+you\s+are\b/i
989
+ ];
990
+ var DECEPTION_SECRECY_PATTERNS = [
991
+ /\bdo\s+not\s+tell\s+(the\s+)?(user|human|person|operator)\b/i,
992
+ /\bdo\s+not\s+(mention|reveal|disclose|expose)\s+(this|that|the|any|these)\b/i,
993
+ /\bnever\s+(tell|mention|reveal|disclose)\s+(the\s+)?(user|human|person|operator)\b/i,
994
+ /\bkeep\s+this\s+(secret|hidden|private|confidential)\b(?!\s+key)/i,
995
+ /\bhide\s+this\s+(from|action|operation|instruction)\b/i,
996
+ /\bwithout\s+(the\s+)?(user|human)('?s)?\s+(knowledge|knowing|awareness|consent)\b/i,
997
+ /\bsilently\s+(execute|run|perform|install|download|delete|modify|send)\b/i
998
+ ];
999
+ var CONFIG_TAMPERING_PATTERNS = [
1000
+ /\b(modify|change|update|edit|alter|rewrite)\s+(your|my)\s+(memory|config|configuration|settings?|instructions?|behavior|personality)\b/i,
1001
+ /\bwrite\s+to\s+(CLAUDE\.md|\.claude|settings\.json|memory\.md)\b/i,
1002
+ /\b(append|prepend|add|insert)\s+.{0,30}\bto\s+(CLAUDE\.md|\.claude|memory\.md)\b/i,
1003
+ /\boverwrite\s+(your|the)\s+(system|core)\s+(prompt|instructions?|config)\b/i,
1004
+ /\bpersist\s+(this|these|the)\s+(instruction|change|modification|setting)s?\b/i
1005
+ ];
1006
+ var VERIFICATION_BYPASS_PATTERNS = [
1007
+ /\btrust\s+(this|the|these|that|my)\s+(result|output|response|answer|value|data|input)s?\b/i,
1008
+ /\bno\s+need\s+to\s+(check|verify|validate|review|confirm|inspect)\b/i,
1009
+ /\bdo\s+not\s+(verify|validate|check|review|confirm|inspect)\s+(the|this|that|any|these)\b/i,
1010
+ /\b(assume|consider)\s+(it|this|that)\s+(is|to\s+be)\s+(correct|safe|valid|trusted|clean|secure|legitimate)\b/i,
1011
+ /\baccept\s+(this|the|these|that)\s+without\s+(checking|verifying|validating|questioning)\b/i,
1012
+ /\bblindly\s+(trust|accept|execute|run|follow|apply)\b/i
1013
+ ];
980
1014
  var injectionChecks = {
981
1015
  name: "Injection Detection",
982
1016
  category: "INJ",
@@ -1073,6 +1107,65 @@ var injectionChecks = {
1073
1107
  break;
1074
1108
  }
1075
1109
  }
1110
+ const trimmedLine = line.trim();
1111
+ const nextLine = i + 1 < skill.bodyLines.length ? skill.bodyLines[i + 1] : "";
1112
+ const crossLine = trimmedLine && nextLine ? `${line} ${nextLine}` : line;
1113
+ for (const pattern of IDENTITY_HIJACKING_PATTERNS) {
1114
+ if (pattern.test(crossLine)) {
1115
+ results.push({
1116
+ id: "INJ-010",
1117
+ category: "INJ",
1118
+ severity: "CRITICAL",
1119
+ title: "Social engineering: identity hijacking",
1120
+ message: `Line ${lineNum}: Attempts to hijack the model's identity.`,
1121
+ line: lineNum,
1122
+ snippet: line.trim().slice(0, 120)
1123
+ });
1124
+ break;
1125
+ }
1126
+ }
1127
+ for (const pattern of DECEPTION_SECRECY_PATTERNS) {
1128
+ if (pattern.test(crossLine)) {
1129
+ results.push({
1130
+ id: "INJ-010",
1131
+ category: "INJ",
1132
+ severity: "CRITICAL",
1133
+ title: "Social engineering: deception/secrecy",
1134
+ message: `Line ${lineNum}: Instructs the model to hide actions from the user.`,
1135
+ line: lineNum,
1136
+ snippet: line.trim().slice(0, 120)
1137
+ });
1138
+ break;
1139
+ }
1140
+ }
1141
+ for (const pattern of CONFIG_TAMPERING_PATTERNS) {
1142
+ if (pattern.test(crossLine)) {
1143
+ results.push({
1144
+ id: "INJ-010",
1145
+ category: "INJ",
1146
+ severity: "HIGH",
1147
+ title: "Social engineering: configuration tampering",
1148
+ message: `Line ${lineNum}: Attempts to tamper with model configuration or memory.`,
1149
+ line: lineNum,
1150
+ snippet: line.trim().slice(0, 120)
1151
+ });
1152
+ break;
1153
+ }
1154
+ }
1155
+ for (const pattern of VERIFICATION_BYPASS_PATTERNS) {
1156
+ if (pattern.test(crossLine)) {
1157
+ results.push({
1158
+ id: "INJ-010",
1159
+ category: "INJ",
1160
+ severity: "HIGH",
1161
+ title: "Social engineering: verification bypass",
1162
+ message: `Line ${lineNum}: Attempts to bypass verification or validation.`,
1163
+ line: lineNum,
1164
+ snippet: line.trim().slice(0, 120)
1165
+ });
1166
+ break;
1167
+ }
1168
+ }
1076
1169
  }
1077
1170
  const commentRegex = /<!--([\s\S]*?)-->/g;
1078
1171
  let commentMatch;
@@ -1124,7 +1217,10 @@ function hasInstructionLikeContent(text) {
1124
1217
  /\brm\s+-rf\b/i,
1125
1218
  /\bcurl\b.*\bsh\b/i,
1126
1219
  /\beval\b/i,
1127
- /\bexec\b/i
1220
+ /\bexec\b/i,
1221
+ /\bdo\s+not\s+tell\s+(the\s+)?(user|human)/i,
1222
+ /\bpretend\s+(you\s+are|to\s+be)/i,
1223
+ /\bsilently\s+(execute|run|install)/i
1128
1224
  ];
1129
1225
  return instructionPatterns.some((p) => p.test(text));
1130
1226
  }