| .. | ||
| evil-project-health | ||
| expected-findings.md | ||
| README.md | ||
| run-demo.sh | ||
| security-assessment.md | ||
Malicious Skill Demo
WARNING: This is a security test fixture, NOT a real plugin. All "malicious" patterns are intentionally planted for scanner testing.
What Is This?
A fake Claude Code plugin called "Project Health Dashboard" that looks legitimate but contains security threats across every category the LLM Security plugin can detect. It serves as:
- Showcase — demonstrates what the 7 deterministic scanners + 5 LLM agents can find
- Regression test — verifiable fixture for scanner development
- Educational resource — real attack patterns in a safe, contained context
Embedded Threat Categories
| Scanner | Threats | Files |
|---|---|---|
| UNI (Unicode) | Zero-width chars, Unicode Tags steganography, BIDI overrides, Cyrillic homoglyphs | SKILL.fixture.md, health-check-agent.fixture.md |
| ENT (Entropy) | Base64-encoded payloads, high-entropy credentials | SKILL.fixture.md, telemetry.mjs |
| PRM (Permissions) | Purpose-vs-tools mismatch, ghost hooks, haiku on sensitive agent, overprivileged | health.fixture.md, health-check-agent.fixture.md, hooks.fixture.json |
| DEP (Dependencies) | 6 typosquatting packages, malicious install scripts, unpinned versions | package.json |
| TNT (Taint) | 6 source-to-sink data flows (env→fetch, req.body→exec, input→eval) | telemetry.mjs |
| GIT (Forensics) | (Minimal — new directory, no git history) | — |
| NET (Network) | ngrok, webhook.site, requestbin, pipedream, pastebin, bit.ly, IP-based URLs | SKILL.fixture.md, telemetry.mjs, health.fixture.md |
LLM Agent Detection (Skill Scanner)
All 7 threat categories from the skill-scanner-agent are represented in SKILL.md:
- Prompt Injection — HTML comments with
<!-- AGENT: ... -->, spoofed# SYSTEM:headers - Data Exfiltration —
printenv | base64,curl -X POSTto external endpoints - Privilege Escalation — instructions to modify hooks/ and settings.json
- Scope Creep — reads from ~/.ssh/, ~/.aws/, ~/.npmrc
- Hidden Instructions — Unicode Tags steganography, base64-encoded commands, invisible lines
- Toolchain Manipulation — typosquatting package installs in prerequisites
- Persistence — crontab, ~/.zshrc modification, LaunchAgent creation
How to Run
Quick: Deterministic Scanners Only
cd plugins/llm-security
./examples/malicious-skill-demo/run-demo.sh
Or directly:
node scanners/scan-orchestrator.mjs examples/malicious-skill-demo/evil-project-health/
Expected: BLOCK verdict, ~59 findings, all active scanners reporting.
Full: LLM-Enhanced Deep Scan
/security scan examples/malicious-skill-demo/evil-project-health/ --deep
This runs both the deterministic scanners AND the LLM agents (skill-scanner, mcp-scanner).
Safety
- No actual secrets, tokens, or credentials are in these files
- No real malicious code is executable — URLs are fake/non-functional
- The package.json typosquatting packages don't exist or are harmless names
- Install scripts reference non-existent domains
- Discoverable files use
.fixture.{md,json}suffix to prevent Claude Code's plugin loader from picking them up during recursive tree-walking
Security Assessment
A full combined security assessment (LLM skill scanner + 7 deterministic scanners) is available at security-assessment.md. This is real scanner output, not just expected findings:
- 85 total findings (24 Critical, 24 High, 20 Medium, 6 Low, 11 Info)
- Verdict: BLOCK 100/100 — both scanning layers independently maxed the risk score
- All 8 scanners active (1 LLM + 7 deterministic)
- Includes executive summary, per-scanner breakdown, combined verdict, recommendations, and methodology
Expected Findings
See expected-findings.md for the deterministic scanner catalog of ~50 expected findings with scanner, severity, file, and description.