cisco-ai-skill-scanner 1.0.1__py3-none-any.whl → 1.0.2__py3-none-any.whl

skill_scanner/data/yara_rules/code_execution_generic.yara

@@ -0,0 +1,76 @@
+//////////////////////////////////////////
+// Code Execution Detection Rule for Agent Skills
+// Target: Dangerous code execution with untrusted input
+// Tuned to require context indicators to reduce FPs
+//////////////////////////////////////////
+
+rule code_execution_generic{
+
+    meta:
+        author = "Cisco"
+        description = "Detects dangerous code execution patterns with untrusted input in agent skills"
+        classification = "harmful"
+        threat_type = "CODE EXECUTION"
+
+    strings:
+
+        // === High confidence patterns (individually suspicious) ===
+
+        // Base64 decode + exec/eval chain (obfuscation pattern)
+        $obfuscated_exec = /\b(base64\.(b64)?decode|atob|decode\(['"]base64['"]\))\s*\([^)]+\)[^}]{0,50}\b(eval|exec|os\.system|subprocess)\s*\(/i
+
+        // Pickle loads with external data (unsafe deserialization)
+        $pickle_external = /\b(requests|urllib|open|read)[^;]{0,80}pickle\.(loads?)\s*\(/i
+
+        // Shell injection: command + variable interpolation
+        $shell_injection_var = /\b(os\.system|subprocess\.(run|call|Popen)|popen)\s*\([^)]*(\$\{|\%s|\.format\(|f['"]).*(input|user|param|arg|data|request)/i
+
+        // Eval/exec with user input explicitly (handles user_input, userInput, user-input)
+        // Requires word boundary to avoid matching "Database", "parameter", etc.
+        $eval_user_input = /\b(eval|exec)\s*\([^)]*\b(input|user_input|param|args?|request|data)\b[^)]*\)/i
+
+        // Dynamic import with user input
+        $import_user_input = /\b__import__\s*\([^)]*\b(input|user|param|request)\b/i
+
+        // Eval/exec with variable (dangerous in agent skills context)
+        $eval_variable = /\b(eval|exec)\s*\(\s*[a-z_][a-z0-9_]*\s*\)/i
+
+        // Exec with f-string (always dangerous - code injection)
+        $exec_fstring = /\bexec\s*\(\s*f['"]/i
+
+        // === Medium confidence (need context) ===
+
+        // System calls with string formatting (potential injection)
+        $system_format = /\b(os\.system|subprocess\.(run|call|Popen|check_output))\s*\(\s*f['"]/
+
+        // Exec with network-fetched content
+        $exec_network = /\b(requests|urllib|http)[^;]{0,100}\b(eval|exec)\s*\(/i
+
+        // === Exclusion patterns ===
+        $documentation = /(```python|```bash|# Example|# Demo|# Tutorial)/
+
+        // Zig/Rust/Go function definitions (not Python exec)
+        $zig_rust_fn = /\b(pub\s+)?fn\s+exec\s*\(/
+
+    condition:
+        // Exclude non-Python exec definitions
+        not $zig_rust_fn and
+        (
+            // High confidence patterns - always flag
+            (
+                $obfuscated_exec or
+                $pickle_external or
+                $shell_injection_var or
+                $eval_user_input or
+                $import_user_input or
+                $eval_variable or
+                $exec_fstring
+            )
+            or
+            // Medium confidence - flag unless clearly documentation
+            (
+                ($system_format or $exec_network) and
+                not $documentation
+            )
+        )
+}

skill_scanner/data/yara_rules/{coercive_injection.yara → coercive_injection_generic.yara}

@@ -1,10 +1,10 @@
 //////////////////////////////////////////
 // Detects coercive or attention-grabbing prompt injections.
-// Target: Directives forcing execution order (e.g., “Always execute this tool first”).
+// Target: Directives forcing execution order (e.g., "Always execute this tool first").
 // (Mandatory language to override normal tool chains)
 //////////////////////////////////////////
 
-rule coercive_injection {
+rule coercive_injection_generic {
 
     meta:
         author = "Cisco"

skill_scanner/data/yara_rules/command_injection_generic.yara

@@ -0,0 +1,77 @@
+//////////////////////////////////////////
+// Shell/System Command Injection Detection Rule
+// Target: Command injection patterns for agent skills (Python/Bash)
+// (Shell operators, dangerous commands, network tools + reverse shells)
+/////////////////////////////////////////
+
+rule command_injection_generic{
+
+    meta:
+        author = "Cisco"
+        description = "Detects command injection patterns in agent skills: shell operators, system commands, and network tools"
+        classification = "harmful"
+        threat_type = "INJECTION ATTACK"
+
+    strings:
+
+        // Dangerous system commands
+        $dangerous_system_cmds = /\b(shutdown|reboot|halt|poweroff)\s+(-[fh]|now|0)\b/
+
+        // Network tools with suspicious usage (reverse connections, port scanning)
+        $malicious_network_tools = /\b(nc|netcat)\s+(-[le]|25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)/i
+
+        // Reconnaissance tools
+        $reconnaissance_tools = /\b(nmap)\s+(-[sS]|--script|25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)/i
+
+        // Data exfiltration - flag known exfil destinations OR curl POST with sensitive data
+        $data_exfiltration_known_dest = /\b(curl|wget)\s+[^\n]*(discord\.com\/api\/webhooks|webhook\.site|ngrok\.io|pastebin\.com|requestbin\.com|pipedream\.net)/i
+
+        // curl POST that sends files, env vars, or credential-like data
+        $curl_post_sensitive = /\bcurl\s+[^\n]*(-X\s*POST|-d\s*[@\$]|--data[^\s]*\s*[@\$])[^\n]*(\$\{?\w*(KEY|TOKEN|SECRET|PASS|CRED)|\.ssh|\.aws|\.env|credentials)/i
+
+        // Reverse shell patterns (high severity)
+        $reverse_shells = /\b(bash\s+-i|sh\s+-i|nc\s+-e|\/dev\/tcp\/[0-9]+\.|socat.*exec|python.*socket.*connect)\b/i
+
+        // Shell command chaining with DANGEROUS targets (not cleanup dirs)
+        // Only flag rm -rf on dangerous paths, not on cleanup directories
+        $dangerous_rm = /[|&;]\s*rm\s+-rf\s+(\/|~\/|\$HOME|\/etc|\/root|\/home)/
+
+        // dd overwrite dangerous
+        $dangerous_dd = /\bdd\s+if=\/dev\/(zero|random|urandom)\s+of=\//
+
+        // chmod 777 on sensitive paths
+        $dangerous_chmod = /\bchmod\s+(777|666)\s+[^\n]*(\.ssh|\.aws|\.env|\/etc)/
+
+        // Safe cleanup patterns (exclusions)
+        $safe_cleanup = /(rm\s+-rf\s+(\/var\/lib\/apt|\/tmp\/|node_modules|__pycache__|\.cache|\.npm|dist\/|build\/|target\/)|\bclean\b.*rm\s+-rf)/
+
+    condition:
+        // Exclude safe cleanup patterns
+        not $safe_cleanup and
+        (
+            // Dangerous system command patterns
+            $dangerous_system_cmds or
+
+            // Network tool abuse patterns
+            $malicious_network_tools or
+
+            // Reconnaissance tools
+            $reconnaissance_tools or
+
+            // Data exfiltration tools
+            $data_exfiltration_known_dest or
+            $curl_post_sensitive or
+
+            // Reverse shell patterns
+            $reverse_shells or
+
+            // Dangerous rm operations
+            $dangerous_rm or
+
+            // Dangerous dd operations
+            $dangerous_dd or
+
+            // Dangerous chmod
+            $dangerous_chmod
+        )
+}

skill_scanner/data/yara_rules/{credential_harvesting.yara → credential_harvesting_generic.yara}

@@ -3,7 +3,7 @@
 // Target: API keys and tokens, SSH keys and certificates, Environment variables, Database credentials
 //////////////////////////////////////////
 
-rule credential_harvesting{
+rule credential_harvesting_generic{
 
     meta:
         author = "Cisco"
@@ -34,6 +34,7 @@ rule credential_harvesting{
         $key_certificate_content = /(-----BEGIN (RSA |OPENSSH |EC |DSA |CERTIFICATE|PRIVATE KEY|ENCRYPTED PRIVATE KEY)-----|ssh-(rsa|ed25519)\s+[A-Za-z0-9+\/=]{8})/
 
         // AI/ML model API key names (very specific)
+        // Post-filter in static.py handles placeholder exclusion
         $ai_model_credential_names = /\b(OPENAI_API_KEY|ANTHROPIC_API_KEY|CLAUDE_API_KEY|GOOGLE_AI_KEY|GEMINI_API_KEY|COHERE_API_KEY|HUGGINGFACE_TOKEN|HF_TOKEN|TOGETHER_API_KEY|REPLICATE_API_TOKEN|MISTRAL_API_KEY)\s*=\s*['\"][A-Za-z0-9\-_]{20,}['\"]/
 
         // Suspicious environment variable theft (not just reading)
@@ -49,8 +50,10 @@ rule credential_harvesting{
         // Hardcoded credential file paths in strings
         $hardcoded_credential_paths = /['\"][\~\/]+(\.ssh\/id_rsa|\.ssh\/id_dsa|\.aws\/credentials|\.kube\/config|etc\/passwd|etc\/shadow)['\"]/
 
-        // Pattern for exfiltration action words
-        $leak_param  = /\b(leak|exfiltrate|export|dump) [^\n]*(parameter|context|files?|credentials?|keys?|tokens?|secrets?)\b/i
+        // Pattern for exfiltration action words (require malicious context)
+        $leak_param  = /\b(leak|exfiltrate|siphon|harvest) [^\n]*(parameter|context|files?|credentials?|keys?|tokens?|secrets?)\b/i
+        // Dump credentials - require explicit credential context, not "extract key points"
+        $dump_creds = /\b(dump|steal) [^\n]{0,30}(credential|password|api[_\s]?key|token|secret)\b/i
 
         // Base64 credential encoding patterns
         $base64_credential_encoding = /\b(base64\s+encode [^\n]*credentials?|concatenate [^\n]*conversation\s+history)\b/i
@@ -65,7 +68,16 @@ rule credential_harvesting{
         $python_imports = /\b(from|import)\s+(pathlib|typing|dataclasses|argparse|json|sys|os|re|collections|functools|itertools)/i
         $python_type_hints = /\b(Dict|List|Tuple|Optional|Union|Path|Set|Callable|Any)\s*\[/
         $function_definitions = /\bdef\s+(read|write|load|save|extract|process|parse|get|set)_\w+\s*\(/
-        $template_indicators = /(\bYOUR_API_KEY|\bREPLACE_WITH|\bINSERT_KEY|\.example|\.sample|\.template|<your|<insert|placeholder)/i
+        $template_indicators = /(\bYOUR_API_KEY|\bREPLACE_WITH|\bINSERT_KEY|\bCHANGE_ME|\bCHANGEME|\bPLACEHOLDER\b|\byour[-_ ]?(api|token|key|secret|password)\b|\b(example|sample|dummy|test)[-_ ]?(key|token|secret|password)\b|\.example|\.sample|\.template|<your|<insert|placeholder)/i
+
+        // Documentation patterns - instructions on how to set keys (not actual key theft)
+        $documentation_env_setup = /(export|set)\s+[A-Z_]*(API_KEY|TOKEN|SECRET)\s*=\s*[<\["]?(your|<|root|\$\{)/i
+        $documentation_config_hint = /\b(configure|setup|create|add)\s+(your|an?)\s+(api[_\s]?key|token|secret)\b/i
+        $documentation_env_var_hint = /\b(environment\s+variable|env\s+var|\.env\s+file)\s*:?\s*[A-Z_]*(KEY|TOKEN|SECRET)/i
+        // Markdown code blocks with export statements (documentation examples)
+        $markdown_export_example = /```[^\n]*\n[^\`]*export\s+[A-Z_]*(KEY|TOKEN|SECRET)/i
+        // Shell script variable references (not hardcoded values)
+        $shell_var_reference = /export\s+[A-Z_]*(KEY|TOKEN|SECRET)\s*=\s*["']?\$\{/
 
     condition:
 
@@ -74,6 +86,12 @@ rule credential_harvesting{
         not $python_type_hints and
         not $function_definitions and
         not $template_indicators and
+        // Exclude documentation about how to set up credentials
+        not $documentation_env_setup and
+        not $documentation_config_hint and
+        not $documentation_env_var_hint and
+        not $markdown_export_example and
+        not $shell_var_reference and
 
         (
             // Actual API credentials (keys, tokens)
@@ -103,6 +121,9 @@ rule credential_harvesting{
             // Exfiltration attempts
             $leak_param or
 
+            // Credential dumping
+            $dump_creds or
+
             // Base64 credential encoding
             $base64_credential_encoding or
 

skill_scanner/data/yara_rules/{transitive_trust_abuse.yara → indirect_prompt_injection_generic.yara}

@@ -1,16 +1,19 @@
 //////////////////////////////////////////
-// Transitive Trust Abuse Detection
-// Target: Skills that delegate trust to untrusted external content
-// For agent skills that consume webpages, files, issues, docs
+// Indirect Prompt Injection - Instruction Manipulation Detection
+// AITech-1.2 / AISubtech-1.2.1
+// Target: Skills that embed/follow malicious instructions from external data sources
+// Detects delegation of trust to untrusted external content (webpages, documents, APIs)
 //////////////////////////////////////////
 
-rule transitive_trust_abuse{
+rule indirect_prompt_injection_generic{
 
     meta:
         author = "Cisco"
-        description = "Detects skills that delegate trust to untrusted external content"
+        description = "Detects indirect prompt injection via instruction manipulation from external sources"
         classification = "harmful"
         threat_type = "TRANSITIVE TRUST ABUSE"
+        aitech = "AITech-1.2"
+        aisubtech = "AISubtech-1.2.1"
 
     strings:
 

skill_scanner/data/yara_rules/{prompt_injection.yara → prompt_injection_generic.yara}

@@ -3,7 +3,7 @@
 // Target: Instruction override patterns, Tool injection commands
 //////////////////////////////////////////
 
-rule prompt_injection{
+rule prompt_injection_generic{
 
     meta:
 
@@ -15,7 +15,7 @@ rule prompt_injection{
     strings:
 
         // Instruction override patterns (exclude Python type comments)
-        $instruction_overrides = /\b(Bypass|Dis\W?regard|Do not (follow|Obey)|Forget|Ignore)\s+((all|any|each|every|most|some)\s+(of\s+)?)?((your|the)\s)?(command|communication|conte[nx]t|conversation|data|guidelines|input|instruction|message|request|response|text)(s)?/i
+        $instruction_overrides = /\b(Bypass|Dis\W?regard|Do not (follow|Obey)|Forget|Ignore)\s+((all|any|each|every|most|some)\s+(of\s+)?)?((your|the|previous|prior|above|earlier)\s)?(command|communication|conte[nx]t|conversation|data|guidelines|input|instruction|message|request|response|text)(s)?/i
 
         // Legitimate patterns to exclude
         $python_type_comment = /# type: ignore/

skill_scanner/data/yara_rules/{unicode_steganography.yara → prompt_injection_unicode_steganography.yara}

@@ -2,15 +2,16 @@
 // Unicode Steganography and Hidden Characters Detection
 // Target: Invisible Unicode used for prompt injection
 // Based on: https://en.wikipedia.org/wiki/Tags_(Unicode_block)
+// Tuned to reduce FPs: requires high threshold OR dangerous code context
 //////////////////////////////////////////
 
-rule unicode_steganography{
+rule prompt_injection_unicode_steganography{
 
     meta:
         author = "Cisco"
         description = "Detects hidden Unicode characters used for invisible prompt injection and steganography"
         classification = "harmful"
-        threat_type = "PROMPT INJECTION"
+        threat_type = "UNICODE STEGANOGRAPHY"
         reference = "https://en.wikipedia.org/wiki/Tags_(Unicode_block)"
 
     strings:
@@ -34,32 +35,37 @@ rule unicode_steganography{
         $line_separator = "\xE2\x80\xA8"  // U+2028 LINE SEPARATOR
         $paragraph_separator = "\xE2\x80\xA9"  // U+2029 PARAGRAPH SEPARATOR
 
-        // --- 5. Homoglyph detection ---
-        $cyrillic_a = "\xD0\x90"  // А (Cyrillic A mimics Latin A)
-        $cyrillic_e = "\xD0\x95"  // Е (Cyrillic E mimics Latin E)
-        $cyrillic_o = "\xD0\x9E"  // О (Cyrillic O mimics Latin O)
+        // --- 5. Variation Selectors Supplement (U+E0100-E01EF) ---
+        // Used in os-info-checker-es6 attack (2025)
+        $var_selectors = { F3 A0 (84|85|86|87) }
 
-    condition:
+        // --- 6. Dangerous code patterns (context for zero-width detection) ---
+        $eval_decode = /eval\s*\(\s*(atob|unescape)\s*\(/
+        $func_decode = /Function\s*\(\s*atob\s*\(/
+        $fromcharcode = /String\.fromCharCode/
 
-        // Detection logic - flag and manually review (better safe than miss attack)
+    condition:
         (
-            // Encoded tag characters in strings (any occurrence is suspicious)
+            // Encoded tag characters in strings (always suspicious)
             $unicode_tag_pattern or
             $unicode_long_tag or
 
-            // Zero-width steganography (tools alternate chars to encode binary 0s/1s)
-            // Aggregate count across all types is more effective than individual checks
-            (#zw_space + #zw_non_joiner + #zw_joiner) > 10 or
+            // Variation selectors + decode = highly suspicious (os-info-checker-es6 pattern)
+            (#var_selectors > 5 and any of ($eval_decode, $func_decode, $fromcharcode)) or
+
+            // Zero-width steganography requires BOTH high count AND suspicious code
+            // 50+ zero-width chars + decode function = likely steganography
+            ((#zw_space + #zw_non_joiner + #zw_joiner) > 50 and any of ($eval_decode, $func_decode, $fromcharcode)) or
 
-            // Any directional override (highly suspicious in code/English text)
+            // Very high zero-width count alone is suspicious (>200 indicates deliberate encoding)
+            (#zw_space + #zw_non_joiner + #zw_joiner) > 200 or
+
+            // Any directional override (highly suspicious in source code)
             $rtlo or
             $ltro or
 
             // Invisible separators (no legitimate use in source code)
             $line_separator or
-            $paragraph_separator or
-
-            // Homoglyph attacks (5+ Cyrillic chars mimicking Latin in English context)
-            (#cyrillic_a + #cyrillic_e + #cyrillic_o) > 5
+            $paragraph_separator
         )
 }

skill_scanner/data/yara_rules/script_injection_generic.yara

@@ -0,0 +1,82 @@
+//////////////////////////////////////////
+// Script Injection Detection Rule for Agent Skills
+// Target: Malicious script payloads, not legitimate code examples
+// Tuned to require attack indicators
+//////////////////////////////////////////
+
+rule script_injection_generic{
+
+    meta:
+        author = "Cisco"
+        description = "Detects malicious script injection patterns in agent skills"
+        classification = "harmful"
+        threat_type = "INJECTION ATTACK"
+
+    strings:
+
+        // === High confidence: actual attack patterns ===
+
+        // Script tag with suspicious content (event handlers, data exfil)
+        $script_suspicious = /<script[^>]*>[^<]{0,500}(document\.cookie|localStorage|eval\(|fetch\([^)]*credentials|XMLHttpRequest|window\.location\s*=)/i
+
+        // JavaScript protocol handler in href/action (XSS vector)
+        $js_protocol_handler = /\b(href|action|src)\s*=\s*['"]?javascript:/i
+
+        // Base64 data URI with script content
+        $data_uri_script = /data:(text\/html|application\/javascript);base64,[A-Za-z0-9+\/=]{50,}/i
+
+        // VBScript with shell execution
+        $vbs_shell = /\bCreateObject\s*\(\s*['"]WScript\.Shell['"]\s*\)[^}]{0,100}(\.Run|\.Exec)/i
+
+        // Inline event handler injection
+        $event_handler_injection = /\b(onerror|onload|onclick|onmouseover)\s*=\s*['"][^'"]*\b(alert|eval|fetch|document\.)/i
+
+        // === Medium confidence: obfuscation + execution ===
+
+        // Eval with decode/unescape chain (common obfuscation)
+        $eval_decode = /\b(eval|Function)\s*\(\s*(unescape|decodeURI|atob|String\.fromCharCode)\s*\(/i
+
+        // Document.write with encoded content
+        $doc_write_encoded = /document\.write\s*\([^)]*\b(unescape|decodeURI|atob|fromCharCode)\s*\(/i
+
+        // === ANSI terminal deception (legitimate attack) ===
+        $ansi_clear_rewrite = /\\x1[Bb]\[2J|\\x1[Bb]\[1;1H\\x1[Bb]\[0J|\\033\[2J/
+        $ansi_cursor_hide = /\\x1[Bb]\[\?25[lh]|\\033\[\?25[lh]/
+
+        // === Hidden instruction obfuscation ===
+        $hidden_overflow = /\b(overflow\s*:\s*hidden|visibility\s*:\s*hidden)[^}]{0,50}(instruction|command|payload)/i
+
+        // === Exclusions ===
+        $xml_namespace = /(xmlns:script=|<script:module|openoffice\.org)/i
+        $markdown_code = /```(html|javascript|js|typescript|jsx|tsx|vue|svelte|htm)/i
+        $react_component = /(import React|from ['"]react['"]|React\.Component)/
+        // Documentation patterns showing code examples
+        $documentation_example = /\b(example|sample|snippet|demo|tutorial|usage)\s*:?\s*(```|<script)/i
+        $inline_code_marker = /`<script[^`]*`/
+        // Legitimate framework templates (not injection)
+        $vue_template = /<template>\s*<script/
+        $svelte_component = /<script\s+(context=|lang=)/
+
+    condition:
+        not $xml_namespace and
+        not $react_component and
+        not $markdown_code and
+        not $documentation_example and
+        not $inline_code_marker and
+        not $vue_template and
+        not $svelte_component and
+        (
+            // High confidence - always flag
+            $script_suspicious or
+            $js_protocol_handler or
+            $data_uri_script or
+            $vbs_shell or
+            $event_handler_injection or
+            $eval_decode or
+            $doc_write_encoded or
+            // ANSI attacks
+            ($ansi_clear_rewrite and $ansi_cursor_hide) or
+            // Hidden instructions (not just overflow:hidden alone)
+            $hidden_overflow
+        )
+}

skill_scanner/data/yara_rules/{sql_injection.yara → sql_injection_generic.yara}

@@ -3,7 +3,7 @@
 // Target: SQL keywords and operations, SQL tautologies and bypasses, Database-specific functions
 //////////////////////////////////////////
 
-rule sql_injection{
+rule sql_injection_generic{
 
     meta:
         author = "Cisco"
@@ -23,13 +23,17 @@ rule sql_injection{
         $union_based_attacks = /(UNION\s+(ALL\s+)?SELECT|'\s*UNION\s+SELECT|"\s*UNION\s+SELECT)/i
 
         // Time-based blind injection techniques (SQL context only)
-        $time_based_injections = /\b(SLEEP|WAITFOR\s+DELAY|BENCHMARK|pg_sleep)\s*\(/i
+        // Require SQL-specific context like quotes or semicolons
+        $time_based_injections = /['";]\s*(SLEEP|WAITFOR\s+DELAY|BENCHMARK|pg_sleep)\s*\(/i
 
-        // Exclude Python sleep functions (not SQL injection)
-        $python_sleep = /(time\.sleep|asyncio\.sleep|threading\.[A-Za-z]*\.sleep)\s*\(/
+        // Exclude non-SQL sleep functions (Python, Rust, JS, etc.)
+        $non_sql_sleep = /(time\.sleep|asyncio\.sleep|threading\.[A-Za-z]*\.sleep|tokio::time::sleep|std::thread::sleep|Thread\.sleep|setTimeout)\s*\(/
 
-        // Error-based injection methods
-        $error_based_techniques = /\b(EXTRACTVALUE|UPDATEXML|EXP\(~\(SELECT|CAST)\s*\(/i
+        // Error-based injection methods (SQL-specific, not general cast())
+        $error_based_techniques = /\b(EXTRACTVALUE|UPDATEXML|EXP\(~\(SELECT)\s*\(/i
+
+        // SQL CAST injection (require SQL context)
+        $sql_cast_injection = /\bCAST\s*\([^)]*\s+AS\s+(INT|VARCHAR|CHAR|TEXT|NVARCHAR)\)/i
 
         // Database-specific system objects in malicious contexts
         $database_system_objects = /(\bSELECT [^;]*\b(information_schema|mysql\.user|all_tables|user_tables)\b|\bFROM\s+(information_schema|mysql\.user|dual|all_tables|user_tables)\b|LOAD_FILE\s*\(\s*['"][^'"]*\.(config|passwd|shadow|key)\b|INTO\s+OUTFILE\s+['"][^'"]*\.(txt|sql|php)\b|\b(xp_cmdshell|sp_executesql)\s*\(|dbms_[a-z_]+\s*\()/i
@@ -43,10 +47,17 @@ rule sql_injection{
         // Common context phrases where these words appear in benign usage
         $common_context_phrases = /\b(adds?\s+a\s+user|create\s+user|new\s+user|user\s+(account|profile|registration|authentication|permissions?|roles?)|user\s+(who|that)|for\s+user|the\s+user|current\s+user\s+(account|profile)|user\s+(input|data|information)|example:?\s+SELECT\s+USER\(\)|SELECT\s+USER\(\)\s+returns?|built-?in\s+function)\b/i
 
+        // Documentation and code examples (legitimate SQL shown in docs)
+        $documentation_markers = /(```sql|```mysql|```postgres|-- Example|-- Query|SELECT\s+.*FROM\s+.*--\s*\w+\s+query|sample\s+query|example\s+query)/i
+        $schema_exploration = /\b(information_schema|pg_catalog|sys\.(schemas|tables|columns))\b.*\b(documentation|reference|schema|metadata)\b/i
+
     condition:
 
-        // Exclude Python sleep functions from all checks
-        not $python_sleep and (
+        // Exclude non-SQL sleep functions from all checks
+        not $non_sql_sleep and
+        // Exclude documentation showing SQL examples
+        not $documentation_markers and
+        not $schema_exploration and (
 
         // SQL injection tautologies
         ($injection_tautologies and not $common_sql_ops and not $common_context_phrases) or
@@ -63,6 +74,9 @@ rule sql_injection{
         // Error-based injection techniques
         ($error_based_techniques and not $common_sql_ops and not $common_context_phrases) or
 
+        // SQL CAST injection
+        ($sql_cast_injection and not $common_sql_ops and not $common_context_phrases) or
+
         // Database system object access
         ($database_system_objects and not $common_sql_ops and not $common_context_phrases) or
 

skill_scanner/data/yara_rules/system_manipulation_generic.yara

@@ -0,0 +1,79 @@
+//////////////////////////////////////////
+// System Manipulation and Privilege Escalation Detection
+// Target: File destruction and manipulation operations
+// (Process control and termination)
+//////////////////////////////////////////
+
+rule system_manipulation_generic{
+
+    meta:
+        author = "Cisco"
+        description = "Detects system manipulation, privilege escalation, and destructive file operations"
+        classification = "harmful"
+        threat_type = "SYSTEM MANIPULATION"
+
+    strings:
+        // Suspicious environment variable manipulation (not just reading)
+        $env_var_manipulation = /\b(os\.environ\s*\[[^\]]*\]\s*=|export\s+PATH=|unset\s+(PATH|HOME|USER))\b/i
+
+        // File destruction and manipulation
+        $file_destruction = /\b(rm\s+-rf|dd\s+if=\/dev\/zero|wipefs|shred\s+-|find\s+[^\n]+-delete)\b/i
+
+        // Dangerous file permission changes
+        $permission_manipulation = /\b(chmod\s+(777|4755|6755|[ug]?\+s)|(chown|chgrp)\s+(root|0)|setuid|setgid)\b/i
+
+        // Critical system file access
+        $critical_system_access = /\b(\/etc\/(passwd|shadow|sudoers)|\/root\/\.ssh|~\/\.aws\/credentials|~\/\.ssh\/id_rsa)\b/i
+
+        // Privilege escalation patterns
+        $privilege_escalation = /\b(sudo\s+-[si]|su\s+-c?|runuser|doas)\b/i
+
+        // Dangerous process operations
+        $process_manipulation = /\b(kill\s+-9\s+[0-9]+|killall\s+-9|pkill\s+-9)\b/i
+
+        // Dangerous recursive operations with wildcards (exclude common cleanup dirs)
+        $recursive_operations = /\b(rm\s+-rf\s+(\/\s|\/root|\/home|\$HOME|~\/|\/etc|\/usr)|\bfind\s+\/\s+-delete)\b/i
+
+        // Safe cleanup patterns to exclude (Docker, npm, apt cache cleanup, backup retention)
+        $safe_cleanup = /(rm\s+-rf\s+(\/var\/lib\/apt\/lists|\/tmp\/|node_modules|__pycache__|\.cache|\.npm|\/var\/cache|dist|build|target)|find\s+[^\n]*-mtime\s+\+[0-9]+[^\n]*-delete|find\s+[^\n]*backup[^\n]*-delete)/i
+
+        // Testing and build commands (not manipulation)
+        $testing_commands = /\b(pytest|tox|make\s+test|npm\s+test|cargo\s+test|go\s+test|mvn\s+test|gradle\s+test|jest|mocha)\b/i
+
+        // Safe directory creation
+        $safe_mkdir = /\bmkdir\s+-p\b/
+
+        // System path manipulation
+        $path_manipulation = /\b(PATH=\/tmp|PATH=\.:|export\s+PATH=[\$\{])/i
+
+    condition:
+        // Exclude safe patterns
+        not $safe_cleanup and
+        not $testing_commands and
+        not $safe_mkdir and
+        (
+            // Environment variable manipulation (not just reading)
+            $env_var_manipulation or
+
+            // File destruction (not safe cleanup)
+            ($file_destruction and not $safe_cleanup) or
+
+            // Permission manipulation
+            $permission_manipulation or
+
+            // Critical system access
+            $critical_system_access or
+
+            // Privilege escalation
+            $privilege_escalation or
+
+            // Process manipulation
+            $process_manipulation or
+
+            // Recursive operations
+            $recursive_operations or
+
+            // PATH manipulation
+            $path_manipulation
+        )
+}