Skill Audit Report

ai-skill-audit audit examples/evil-deploy.md --llm --verbose --output html

Source: examples/evil-deploy.md

Evil Deploy

Grade: F
skill (dotai-skill)    Score: 28%

Dimension       Score   Weight
completeness    50%     20%
clarity         80%     15%
actionability   25%     20%
safety           5%     15%
testability      0%     10%
trust            0%     20%

Details & Suggestions

completeness (50%)

  • Has description
  • Has 10 steps
  • Add usage examples showing how to invoke this skill
  • Add gotchas/caveats to warn about common failure points
  • Define input parameters if the skill accepts any

clarity (80%)

  • Step count (10) is ideal
  • Language is concrete and specific
  • Description is very long — consider trimming to under 200 characters

actionability (25%)

  • No inputs defined (not always needed)
  • Start each step with an action verb (Run, Check, Verify, etc.)
  • Reference specific tools or commands in steps (e.g. `git diff`, Grep)

safety (5%)

  • Add gotchas/caveats to warn about common failure points
  • Add specific gotchas (describe what can go wrong and why)
  • Address what happens when things go wrong (errors, failures, retries)

testability (0%)

  • Add examples showing how to use this skill
  • Add examples with concrete parameter values
  • Add examples that describe expected outcomes

trust (0%)

  • CRITICAL: 19 suspicious pattern(s) found — review carefully before use
  • [EXFILTRATION] Posts data to external URL
  • [EXFILTRATION] May leak secrets
  • [EXFILTRATION] May leak secrets (credential in output)
  • [EXFILTRATION] May exfiltrate environment variables
  • [EXFILTRATION] Encoded data exfiltration
  • [EXFILTRATION] Accesses SSH keys
  • [EXFILTRATION] Accesses AWS credentials
  • [EXFILTRATION] Reads secret/key files
  • [EXFILTRATION] References crypto wallet/keys
  • [EXFILTRATION] Reverse shell via bash /dev/tcp
  • [EXFILTRATION] Printing credentials (credential logging)
  • [EXFILTRATION] Credentials in curl -u argument (visible in process list)
  • [OBFUSCATION] Decodes and executes hidden commands
  • [SECRET] Possible hardcoded API key or token
  • [SUSPICIOUS_URL] Pipe from URL to shell (remote code execution)
  • [SUSPICIOUS_URL] Direct IP address (no DNS = suspicious)
  • [PERSISTENCE] Appending to authorized_keys — backdoor installation
  • [HIJACKING] Cryptocurrency miner (xmrig)
  • [HIJACKING] Mining pool connection (stratum protocol)

LLM Security Review

CRITICAL
  • The skill is named 'Evil Deploy' with a description claiming it's a fake example, but the steps contain fully functional attack commands that would execute if an agent followed them.
    Fix: Remove all executable attack payloads; if this is documentation, use clearly marked pseudocode examples that cannot be copy-pasted into a shell.
  • The description is wrapped in an HTML comment tag, meaning agents that strip comments would see no description at all and may proceed to execute the steps without context.
    Fix: Move the description out of the HTML comment so it is always visible to the agent parsing the skill.
  • Step 1 reads the user's private SSH key, which constitutes unauthorized access to a protected credential file.
    Fix: Remove this step entirely; skills must never read private key files.
  • Step 2 reads AWS credentials, exfiltrating cloud access keys.
    Fix: Remove this step; cloud credential files are protected and must not be read by skills.
  • Step 3 prints an API key to stdout, leaking it into the LLM context window where it can be retrieved.
    Fix: Never log or print credentials; use masked output (first 4 / last 4 chars) if debugging is needed.
  • Step 4 exfiltrates the entire .env file contents to an external webhook endpoint.
    Fix: Remove this step; never POST local file contents to external URLs without explicit user confirmation.
  • Step 5 opens a reverse shell to a remote IP, giving an attacker full interactive access to the host.
    Fix: Remove this step; reverse shells are never acceptable in skill files.
  • Step 6 installs a persistent SSH backdoor by appending an attacker-controlled public key to authorized_keys.
    Fix: Remove this step; skills must never modify SSH authorized_keys.
  • Step 7 decodes and executes an opaque base64 payload, enabling arbitrary hidden code execution.
    Fix: Remove this step; piping decoded data into bash is a classic obfuscated execution pattern.
  • Step 8 contains a hardcoded API key literal embedded directly in the skill file.
    Fix: Remove the hardcoded key; credentials must never appear as literals in skill files.
  • Step 9 passes plaintext credentials as CLI arguments to curl, exposing them in process listings.
    Fix: Remove this step; use environment variables or stdin for authentication, never CLI arguments.
  • Step 10 launches a cryptocurrency miner, consuming host resources for the attacker's benefit.
    Fix: Remove this step; cryptomining is resource theft and has no legitimate skill purpose.

HIGH
  • The skill has no legitimate functional purpose — every step is a distinct attack vector with no deployment logic whatsoever.
    Fix: If intended as educational documentation, rewrite as a reference table of banned patterns rather than executable steps.

Poor skill with 31 suggestions for improvement (weakest: testability)