ktg-plugin-marketplace/plugins/llm-security/examples/malicious-skill-demo/README.md

# Malicious Skill Demo

> **WARNING: This is a security test fixture, NOT a real plugin.**
> All "malicious" patterns are intentionally planted for scanner testing.

## What Is This?

A fake Claude Code plugin called "Project Health Dashboard" that **looks legitimate** but contains security threats across every category the LLM Security plugin can detect. It serves as:

1. **Showcase** — demonstrates what the 7 deterministic scanners + 5 LLM agents can find
2. **Regression test** — verifiable fixture for scanner development
3. **Educational resource** — real attack patterns in a safe, contained context

## Embedded Threat Categories

| Scanner | Threats | Files |
|---------|---------|-------|
| **UNI** (Unicode) | Zero-width chars, Unicode Tags steganography, BIDI overrides, Cyrillic homoglyphs | SKILL.fixture.md, health-check-agent.fixture.md |
| **ENT** (Entropy) | Base64-encoded payloads, high-entropy credentials | SKILL.fixture.md, telemetry.mjs |
| **PRM** (Permissions) | Purpose-vs-tools mismatch, ghost hooks, haiku on sensitive agent, overprivileged | health.fixture.md, health-check-agent.fixture.md, hooks.fixture.json |
| **DEP** (Dependencies) | 6 typosquatting packages, malicious install scripts, unpinned versions | package.json |
| **TNT** (Taint) | 6 source-to-sink data flows (env→fetch, req.body→exec, input→eval) | telemetry.mjs |
| **GIT** (Forensics) | (Minimal — new directory, no git history) | — |
| **NET** (Network) | ngrok, webhook.site, requestbin, pipedream, pastebin, bit.ly, IP-based URLs | SKILL.fixture.md, telemetry.mjs, health.fixture.md |

### LLM Agent Detection (Skill Scanner)

All 7 threat categories from the skill-scanner-agent are represented in SKILL.md:

1. **Prompt Injection** — HTML comments with `<!-- AGENT: ... -->`, spoofed `# SYSTEM:` headers
2. **Data Exfiltration** — `printenv | base64`, `curl -X POST` to external endpoints
3. **Privilege Escalation** — instructions to modify hooks/ and settings.json
4. **Scope Creep** — reads from ~/.ssh/, ~/.aws/, ~/.npmrc
5. **Hidden Instructions** — Unicode Tags steganography, base64-encoded commands, invisible lines
6. **Toolchain Manipulation** — typosquatting package installs in prerequisites
7. **Persistence** — crontab, ~/.zshrc modification, LaunchAgent creation

## How to Run

### Quick: Deterministic Scanners Only

```bash
cd plugins/llm-security
./examples/malicious-skill-demo/run-demo.sh
```

Or directly:

```bash
node scanners/scan-orchestrator.mjs examples/malicious-skill-demo/evil-project-health/
```

**Expected:** BLOCK verdict, ~59 findings, all active scanners reporting.

### Full: LLM-Enhanced Deep Scan

```
/security scan examples/malicious-skill-demo/evil-project-health/ --deep
```

This runs both the deterministic scanners AND the LLM agents (skill-scanner, mcp-scanner).

## Safety

- No actual secrets, tokens, or credentials are in these files
- No real malicious code is executable — URLs are fake/non-functional
- The package.json typosquatting packages don't exist or are harmless names
- Install scripts reference non-existent domains
- Discoverable files use `.fixture.{md,json}` suffix to prevent Claude Code's plugin loader from picking them up during recursive tree-walking

## Security Assessment

A full combined security assessment (LLM skill scanner + 7 deterministic scanners) is available at **[security-assessment.md](security-assessment.md)**. This is real scanner output, not just expected findings:

- **85 total findings** (24 Critical, 24 High, 20 Medium, 6 Low, 11 Info)
- **Verdict: BLOCK 100/100** — both scanning layers independently maxed the risk score
- **All 8 scanners active** (1 LLM + 7 deterministic)
- Includes executive summary, per-scanner breakdown, combined verdict, recommendations, and methodology

## Expected Findings

See [expected-findings.md](expected-findings.md) for the deterministic scanner catalog of ~50 expected findings with scanner, severity, file, and description.