If you discover a security vulnerability in this repository, please report it privately:
- Email: security@jeremie-gisserot.net
- GitHub: Use the private vulnerability reporting feature
Do not open a public issue for security vulnerabilities.
This repository implements multiple layers of security to protect against malicious skills:
# Install hooks
lefthook install
# Run manually
lefthook run pre-commitChecks:
security-scan.py- Detects prompt injection, malicious code, data exfiltrationgitleaks- Detects hardcoded secretsunicode-check.py- Detects Unicode smuggling attacks
Every pull request is automatically scanned:
- Cisco Skill Scanner - Multi-engine detection (static + LLM + dataflow)
- Local security scan - Pattern-based detection
- Unicode check - Invisible character detection
- Gitleaks - Secret detection
Results appear in the Security tab.
We detect the following threat categories:
| Category | Examples | Severity |
|---|---|---|
| Prompt Injection | "ignore previous instructions", DAN, jailbreak | π΄ Critical |
| Data Exfiltration | curl to unknown domains, file uploads | π΄ Critical |
| Malicious Code | eval(), exec(), reverse shells | π΄ Critical |
| Unicode Smuggling | Invisible Unicode Tags, zero-width chars | π΄ Critical |
| Obfuscation | Base64, hex encoding, fromCharCode | π‘ High |
| Credentials | API keys, tokens, passwords | π‘ High |
| Suspicious URLs | Unknown domains, webhook endpoints | π’ Medium |
Based on Snyk's ToxicSkills research and Cisco's threat intelligence:
ClawHavoc Campaign Patterns:
- Metadata poisoning with overbroad descriptions
- Credential theft via embedded scripts
- Atomic macOS Stealer (AMOS) payloads
- VMProtect-packed infostealers
Prompt Injection Variants:
- Instruction hierarchy overrides
- Unicode Tag smuggling (U+E0000-U+E007F)
- Zero-width character injection
- Base64/hex encoded instructions
Data Exfiltration Methods:
- Curl to attacker-controlled servers
- Multipart form uploads
- Webhook exfiltration
- Environment variable snooping
# Install Lefthook and Gitleaks
brew install lefthook gitleaks
# Initialize hooks
lefthook install# Cisco Skill Scanner (Python 3.10+)
pip install cisco-ai-skill-scanner
# Run full scan
skill-scanner scan ./ --format textWhen contributing skills, follow these guidelines:
- Keep SKILL.md under 500 lines
- Use clear, specific descriptions
- Document all scripts and their purpose
- Use relative paths, not absolute
- Validate all user inputs
- Don't include hardcoded credentials
- Don't use
eval(),exec(), or dynamic code execution - Don't make network requests to unknown domains
- Don't hide instructions in comments or encoded strings
- Don't use Unicode tricks or zero-width characters
If a security scan produces false positives:
- Check if the pattern is legitimate (e.g., example code)
- Add to
.gitleaks.tomlallowlist if it's a secret false positive - Document in the skill's README if it's a known pattern