open/ktg-plugin-marketplace
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity Actions
ktg-plugin-marketplace/plugins/llm-security/examples/malicious-skill-demo/README.md

3.9 KiB
Raw Blame History

Malicious Skill Demo

WARNING: This is a security test fixture, NOT a real plugin. All "malicious" patterns are intentionally planted for scanner testing.

What Is This?

A fake Claude Code plugin called "Project Health Dashboard" that looks legitimate but contains security threats across every category the LLM Security plugin can detect. It serves as:

  1. Showcase — demonstrates what the 7 deterministic scanners + 5 LLM agents can find
  2. Regression test — verifiable fixture for scanner development
  3. Educational resource — real attack patterns in a safe, contained context

Embedded Threat Categories

Scanner Threats Files
UNI (Unicode) Zero-width chars, Unicode Tags steganography, BIDI overrides, Cyrillic homoglyphs SKILL.fixture.md, health-check-agent.fixture.md
ENT (Entropy) Base64-encoded payloads, high-entropy credentials SKILL.fixture.md, telemetry.mjs
PRM (Permissions) Purpose-vs-tools mismatch, ghost hooks, haiku on sensitive agent, overprivileged health.fixture.md, health-check-agent.fixture.md, hooks.fixture.json
DEP (Dependencies) 6 typosquatting packages, malicious install scripts, unpinned versions package.json
TNT (Taint) 6 source-to-sink data flows (env→fetch, req.body→exec, input→eval) telemetry.mjs
GIT (Forensics) (Minimal — new directory, no git history)
NET (Network) ngrok, webhook.site, requestbin, pipedream, pastebin, bit.ly, IP-based URLs SKILL.fixture.md, telemetry.mjs, health.fixture.md

LLM Agent Detection (Skill Scanner)

All 7 threat categories from the skill-scanner-agent are represented in SKILL.md:

  1. Prompt Injection — HTML comments with <!-- AGENT: ... -->, spoofed # SYSTEM: headers
  2. Data Exfiltrationprintenv | base64, curl -X POST to external endpoints
  3. Privilege Escalation — instructions to modify hooks/ and settings.json
  4. Scope Creep — reads from ~/.ssh/, ~/.aws/, ~/.npmrc
  5. Hidden Instructions — Unicode Tags steganography, base64-encoded commands, invisible lines
  6. Toolchain Manipulation — typosquatting package installs in prerequisites
  7. Persistence — crontab, ~/.zshrc modification, LaunchAgent creation

How to Run

Quick: Deterministic Scanners Only

cd plugins/llm-security
./examples/malicious-skill-demo/run-demo.sh

Or directly:

node scanners/scan-orchestrator.mjs examples/malicious-skill-demo/evil-project-health/

Expected: BLOCK verdict, ~59 findings, all active scanners reporting.

Full: LLM-Enhanced Deep Scan

/security scan examples/malicious-skill-demo/evil-project-health/ --deep

This runs both the deterministic scanners AND the LLM agents (skill-scanner, mcp-scanner).

Safety

  • No actual secrets, tokens, or credentials are in these files
  • No real malicious code is executable — URLs are fake/non-functional
  • The package.json typosquatting packages don't exist or are harmless names
  • Install scripts reference non-existent domains
  • Discoverable files use .fixture.{md,json} suffix to prevent Claude Code's plugin loader from picking them up during recursive tree-walking

Security Assessment

A full combined security assessment (LLM skill scanner + 7 deterministic scanners) is available at security-assessment.md. This is real scanner output, not just expected findings:

  • 85 total findings (24 Critical, 24 High, 20 Medium, 6 Low, 11 Info)
  • Verdict: BLOCK 100/100 — both scanning layers independently maxed the risk score
  • All 8 scanners active (1 LLM + 7 deterministic)
  • Includes executive summary, per-scanner breakdown, combined verdict, recommendations, and methodology

Expected Findings

See expected-findings.md for the deterministic scanner catalog of ~50 expected findings with scanner, severity, file, and description.