aeon-skill-security-scan
Skills tell agents what to do. A malicious or sloppy skill can shell-inject, exfiltrate secrets, override instructions, or run destructive commands. This skill scans every installed SKILL.md and companion script and surfaces the risks before they execute.
Scope
<skills-dir>/*/SKILL.md— primary.<skills-dir>/*/scripts/*.shand*.py— companion scripts.<skills-dir>/*/references/*— documents loaded at runtime.
Default <skills-dir> is the current working directory.
Threat patterns
| Category | What it looks like |
|---|---|
| Shell injection | Unquoted variable expansion, eval, backticks, $(...) with user data. |
| Secret exfiltration | Env vars or file contents piped to outbound HTTP. |
| Path traversal | ../.. chains, absolute paths reaching outside the skill dir. |
| Prompt override | "Ignore previous instructions", persona swaps, instructions inside fetched content. |
| Destructive commands | Recursive deletes rooted at / or ~, device writes. |
| Obfuscation | U+200B / U+FEFF / U+202E (Trojan Source), base64-decode-into-shell, SSRF hosts (ngrok, interact.sh, webhook.site, pipedream). |
Processing
- Pattern scanner produces matches
{file, line, pattern, severity}. - Code-fence downgrade — matches inside fenced code blocks drop one tier. Real
run:blocks are never downgraded. - Baseline suppression — drop (file, pattern, line) tuples in
scan-baseline.yml. - Trusted-publisher filter — entries in
trusted-publishers.txtget format-only validation. Opt-in only. - Delta vs
scan-state.json— fingerprint bysha256(file + line_content + pattern). Classify NEW / RESOLVED / PERSISTENT.
Per-finding remediation
| Pattern | Fix |
|---|---|
| eval / backticks / $(...) with variable | Quote the variable; replace eval with a function. |
| curl with secret in URL | Move secret into prefetch script; never interpolate into shell. |
| Path traversal | Allow-list validation; reject absolute paths. |
| Prompt override phrasing | Documentation → baseline suppression; payload → delete the skill. |
| Recursive delete rooted at / or ~ | Scope to the skill's own working directory. |
| Obfuscation | Delete unless documented and reviewed. |
Output
Verdict CLEAN / ATTENTION / DEGRADED. Needs-attention section per NEW HIGH with one-line remediation. Resolved-since-last-scan section. Per-skill PASS / WARN / FAIL.
Written only when NEW, RESOLVED, or any current HIGH findings.
Rules
- Never auto-deletes a baseline suppression.
- Never edits the pattern library from inside the skill.
- Never notifies on a pure no-op week.
- Read-only scanning.