# AI Agent Skills & MCP Servers - Threat Intelligence Database # For use with /security-check and /security-audit commands # Manually maintained — update after new security advisories version: "2.0.0" updated: "2026-02-11" sources: - name: "Snyk ToxicSkills" url: "https://snyk.io/blog/toxicskills-malicious-ai-agent-skills-clawhub/" date: "2026-02-05" - name: "Koi Security ClawHavoc" url: "https://www.koi.ai/blog/clawhavoc-341-malicious-clawedbot-skills-found-by-the-bot-they-were-targeting" date: "2026-02-01" - name: "SafeDep Agent Skills Threat Model" url: "https://safedep.io/agent-skills-threat-model" date: "2026-01" - name: "Cymulate EscapeRoute (CVE-2025-53109/53110)" url: "https://cymulate.com/blog/cve-2025-53109-53110-escaperoute-anthropic/" date: "2025-09" - name: "Checkpoint MCPoison (CVE-2025-54135/54136)" url: "https://research.checkpoint.com/2025/cursor-vulnerability-mcpoison/" date: "2025-10" - name: "JFrog Prompt Hijacking (CVE-2025-6515)" url: "https://jfrog.com/blog/mcp-prompt-hijacking-vulnerability/" date: "2025-10" - name: "JFrog PyPI MCP Reverse Shell" url: "https://research.jfrog.com/post/3-malicious-mcps-pypi-reverse-shell/" date: "2025-12" - name: "Recorded Future MCP Inspector (CVE-2025-49596)" url: "https://www.recordedfuture.com/blog/anthropic-mcp-inspector-cve-2025-49596" date: "2025-07" - name: "Flatt Security - 8 ways to pwn Claude Code" url: "https://flatt.tech/research/posts/pwning-claude-code-in-8-different-ways/" date: "2026-01" - name: "SentinelOne WebFetch SSRF (CVE-2026-24052)" url: "https://www.sentinelone.com/vulnerability-database/cve-2026-24052/" date: "2026-01" - name: "The Hacker News - MCP Git Server Flaws" url: "https://thehackernews.com/2026/01/three-flaws-in-anthropic-mcp-git-server.html" date: "2026-01" - name: "Bitsight TRACE - Exposed MCP Servers" url: "https://www.bitsight.com/blog/exposed-mcp-servers-reveal-new-ai-vulnerabilities" date: "2026-01" - name: "Defender's Initiative - Postmark MCP Squatter" url: "https://defendersinitiative.substack.com/p/npm-not-another-package-malicious" date: "2025-11" - name: "SAFE-MCP Framework" url: "https://www.safemcp.org" date: "2026-01" # ═══════════════════════════════════════════════════════════════ # MALICIOUS AUTHORS (confirmed by security researchers) # ═══════════════════════════════════════════════════════════════ malicious_authors: # Snyk ToxicSkills confirmed — block ALL skills from these authors - name: "zaycv" source: "Snyk ToxicSkills" risk: "critical" notes: "40+ malicious skills, programmatic malware campaign, clawhub/clawdhub1 typosquats" - name: "Aslaep123" source: "Snyk ToxicSkills" risk: "critical" notes: "Malicious crypto/trading skills, typosquatted exchange tools" - name: "pepe276" source: "Snyk ToxicSkills" risk: "critical" notes: "Unicode-obfuscated instructions, DAN-style jailbreaking for exfiltration" - name: "moonshine-100rze" source: "Snyk ToxicSkills" risk: "critical" notes: "Mixed prompt-injection + exfil; GitHub repo aztr0nutzs/NET_NiNjA.v1.2 hosts additional weaponized skills" # ═══════════════════════════════════════════════════════════════ # MALICIOUS SKILLS (confirmed by researchers) # Organized by campaign and type for efficient scanning # ═══════════════════════════════════════════════════════════════ malicious_skills: # ─── Snyk ToxicSkills confirmed ─── - name: "clawhud" type: "typosquatting" target: "clawhub" source: "Snyk ToxicSkills" risk: "critical" - name: "clawhub1" type: "typosquatting" target: "clawhub" source: "Snyk ToxicSkills" risk: "critical" - name: "clawdhub1" type: "typosquatting" target: "clawhub" source: "Snyk ToxicSkills" risk: "critical" - name: "polymarket-traiding-bot" type: "malware" source: "Snyk ToxicSkills + Koi AuthTool" risk: "critical" notes: "Typosquatting + credential theft" # ─── ClawHavoc campaign: ClawHub CLI typosquats (29 skills) ─── # All deploy Atomic Stealer (AMOS) via fake prerequisites - name: "clawhub" type: "typosquatting" target: "clawhub-cli" source: "Koi ClawHavoc" risk: "critical" - name: "clawhubb" type: "typosquatting" target: "clawhub-cli" source: "Koi ClawHavoc" risk: "critical" - name: "clawhubcli" type: "typosquatting" target: "clawhub-cli" source: "Koi ClawHavoc" risk: "critical" - name: "clawwhub" type: "typosquatting" target: "clawhub-cli" source: "Koi ClawHavoc" risk: "critical" - name: "cllawhub" type: "typosquatting" target: "clawhub-cli" source: "Koi ClawHavoc" risk: "critical" # 23 random-suffix variants — match with pattern "clawhub-*" - name: "clawhub-6yr3b" type: "typosquatting" source: "Koi ClawHavoc" risk: "critical" - name: "clawhub-c9y4p" type: "typosquatting" source: "Koi ClawHavoc" risk: "critical" - name: "clawhub-d4kxr" type: "typosquatting" source: "Koi ClawHavoc" risk: "critical" - name: "clawhub-f3qcn" type: "typosquatting" source: "Koi ClawHavoc" risk: "critical" - name: "clawhub-gpcrq" type: "typosquatting" source: "Koi ClawHavoc" risk: "critical" - name: "clawhub-gstca" type: "typosquatting" source: "Koi ClawHavoc" risk: "critical" - name: "clawhub-hh1fd" type: "typosquatting" source: "Koi ClawHavoc" risk: "critical" - name: "clawhub-hh2km" type: "typosquatting" source: "Koi ClawHavoc" risk: "critical" - name: "clawhub-hylhq" type: "typosquatting" source: "Koi ClawHavoc" risk: "critical" - name: "clawhub-i7oci" type: "typosquatting" source: "Koi ClawHavoc" risk: "critical" - name: "clawhub-i9zhz" type: "typosquatting" source: "Koi ClawHavoc" risk: "critical" - name: "clawhub-ja7eh" type: "typosquatting" source: "Koi ClawHavoc" risk: "critical" - name: "clawhub-krmvq" type: "typosquatting" source: "Koi ClawHavoc" risk: "critical" - name: "clawhub-oihpl" type: "typosquatting" source: "Koi ClawHavoc" risk: "critical" - name: "clawhub-olgys" type: "typosquatting" source: "Koi ClawHavoc" risk: "critical" - name: "clawhub-osasg" type: "typosquatting" source: "Koi ClawHavoc" risk: "critical" - name: "clawhub-rkvny" type: "typosquatting" source: "Koi ClawHavoc" risk: "critical" - name: "clawhub-sxtsn" type: "typosquatting" source: "Koi ClawHavoc" risk: "critical" - name: "clawhub-tlxx5" type: "typosquatting" source: "Koi ClawHavoc" risk: "critical" - name: "clawhub-uoeym" type: "typosquatting" source: "Koi ClawHavoc" risk: "critical" - name: "clawhub-wixce" type: "typosquatting" source: "Koi ClawHavoc" risk: "critical" - name: "clawhub-wotp2" type: "typosquatting" source: "Koi ClawHavoc" risk: "critical" # ─── ClawHavoc: Crypto tools (111 skills) ─── # Solana wallet (33 variants) — pattern: solana-* - name: "solana-*" type: "malware" category: "crypto" source: "Koi ClawHavoc" risk: "critical" notes: "33 variants (solana-07bcb through solana-ytzgw), deploys AMOS" # Phantom wallet (29 variants) — pattern: phantom-* - name: "phantom-*" type: "malware" category: "crypto" source: "Koi ClawHavoc" risk: "critical" notes: "29 variants (phantom-0jcvy through phantom-ygmjc), deploys AMOS" # Wallet trackers (25 variants) — pattern: wallet-tracker-* - name: "wallet-tracker-*" type: "malware" category: "crypto" source: "Koi ClawHavoc" risk: "critical" notes: "25 variants (wallet-tracker-0ghsk through wallet-tracker-zih4w)" # Insider wallet finders (23 variants) — pattern: insider-wallets-finder-* - name: "insider-wallets-finder-*" type: "malware" category: "crypto" source: "Koi ClawHavoc" risk: "critical" notes: "23 variants (insider-wallets-finder-1a7pi through insider-wallets-finder-zzs2p)" # Ethereum gas trackers (14 variants) — pattern: ethereum-gas-tracker-* - name: "ethereum-gas-tracker-*" type: "malware" category: "crypto" source: "Koi ClawHavoc" risk: "critical" notes: "14 variants" # Lost Bitcoin (3 skills) - name: "lost-bitcoin-10li1" type: "malware" category: "crypto" source: "Koi ClawHavoc" risk: "critical" - name: "lost-bitcoin-dbrgt" type: "malware" category: "crypto" source: "Koi ClawHavoc" risk: "critical" - name: "lost-bitcoin-eabml" type: "malware" category: "crypto" source: "Koi ClawHavoc" risk: "critical" # ─── ClawHavoc: YouTube utilities (57 skills) ─── # Summarizers (29 variants) — pattern: youtube-summarize-* - name: "youtube-summarize-*" type: "malware" category: "youtube" source: "Koi ClawHavoc" risk: "critical" notes: "29 variants, deploys AMOS" # Thumbnail grabbers (13 variants) — pattern: youtube-thumbnail-grabber-* - name: "youtube-thumbnail-grabber-*" type: "malware" category: "youtube" source: "Koi ClawHavoc" risk: "critical" notes: "13 variants" # Downloaders (13 variants) — pattern: youtube-video-downloader-* - name: "youtube-video-downloader-*" type: "malware" category: "youtube" source: "Koi ClawHavoc" risk: "critical" notes: "13 variants" # ─── ClawHavoc: Polymarket bots (34 skills) ─── - name: "poly" type: "malware" category: "polymarket" source: "Koi ClawHavoc" risk: "critical" - name: "polym" type: "malware" category: "polymarket" source: "Koi ClawHavoc" risk: "critical" - name: "polymarkets" type: "malware" category: "polymarket" source: "Koi ClawHavoc" risk: "critical" - name: "polytrading" type: "malware" category: "polymarket" source: "Koi ClawHavoc" risk: "critical" # 30 random-suffix variants — pattern: polymarket-* - name: "polymarket-*" type: "malware" category: "polymarket" source: "Koi ClawHavoc" risk: "critical" notes: "30 variants (polymarket-25nwy through polymarket-z7lwp)" # ─── ClawHavoc: Auto-updaters (30 skills) ─── - name: "amir" type: "malware" category: "updater" source: "Koi ClawHavoc" risk: "critical" - name: "update" type: "malware" category: "updater" source: "Koi ClawHavoc" risk: "critical" - name: "updater" type: "malware" category: "updater" source: "Koi ClawHavoc" risk: "critical" - name: "auto-updater-*" type: "malware" category: "updater" source: "Koi ClawHavoc" risk: "critical" notes: "27 variants (auto-updater-161ks through auto-updater-xsunp)" # ─── ClawHavoc: Finance & social (76 skills) ─── - name: "yahoo-finance-*" type: "malware" category: "finance" source: "Koi ClawHavoc" risk: "critical" notes: "24 variants" - name: "x-trends-*" type: "malware" category: "social" source: "Koi ClawHavoc" risk: "critical" notes: "25 variants" # ─── ClawHavoc: Google Workspace (17 skills) ─── - name: "google-workspace-*" type: "malware" category: "productivity" source: "Koi ClawHavoc" risk: "critical" notes: "17 variants targeting Gmail/Calendar/Drive" # ─── Koi outliers: AuthTool campaign (3 skills) ─── # NOT AMOS — separate payload - name: "base-agent" type: "malware" source: "Koi ClawHavoc (AuthTool)" risk: "critical" notes: "Fake auth tool dropping separate payload" - name: "bybit-agent" type: "malware" source: "Koi ClawHavoc (AuthTool)" risk: "critical" notes: "Fake auth tool dropping separate payload" # ─── Koi outliers: Hidden backdoor (2 skills) ─── # Inline reverse shell to 54.91.154.110:13338 - name: "better-polymarket" type: "backdoor" source: "Koi ClawHavoc" risk: "critical" notes: "Reverse shell to 54.91.154.110:13338 via /bin/bash -i >/dev/tcp/..." - name: "polymarket-all-in-one" type: "backdoor" source: "Koi ClawHavoc" risk: "critical" notes: "Reverse shell to 54.91.154.110:13338" # ─── Koi outliers: Credential exfiltration (1 skill) ─── - name: "rankaj" type: "credential-theft" source: "Koi ClawHavoc" risk: "critical" notes: "Reads ~/.clawdbot/.env, POSTs to webhook.site/358866c4-81c6-4c30-9c8c-358db4d04412" # ─── Supply chain: Malicious MCP servers on PyPI (JFrog) ─── - name: "mcp-runcmd-server" type: "supply-chain" platform: "pypi" source: "JFrog" risk: "critical" notes: "Reverse shell to 45.115.38.27:4433 before starting MCP server" - name: "mcp-runcommand-server" type: "supply-chain" platform: "pypi" source: "JFrog" risk: "critical" notes: "Reverse shell to 45.115.38.27:4433" - name: "mcp-runcommand-server2" type: "supply-chain" platform: "pypi" source: "JFrog" risk: "critical" notes: "Reverse shell to 45.115.38.27:4433" # ─── Supply chain: Malicious npm MCP package ─── - name: "postmark-mcp" type: "supply-chain" platform: "npm" source: "Defender's Initiative" risk: "critical" notes: "Squatter copying official Postmark MCP with hidden backdoor" # ═══════════════════════════════════════════════════════════════ # MALICIOUS SKILL PATTERNS (for wildcard/regex matching) # Use these when scanning installed skills by name # ═══════════════════════════════════════════════════════════════ malicious_skill_patterns: # Exact prefix matches — any skill starting with these is suspicious - pattern: "clawhub-" campaign: "ClawHavoc" risk: "critical" notes: "29 typosquat variants with random suffixes" - pattern: "solana-" campaign: "ClawHavoc" risk: "critical" notes: "33 crypto wallet variants" - pattern: "phantom-" campaign: "ClawHavoc" risk: "critical" notes: "29 phantom wallet variants" - pattern: "wallet-tracker-" campaign: "ClawHavoc" risk: "critical" notes: "25 wallet tracker variants" - pattern: "insider-wallets-finder-" campaign: "ClawHavoc" risk: "critical" notes: "23 variants" - pattern: "ethereum-gas-tracker-" campaign: "ClawHavoc" risk: "critical" notes: "14 variants" - pattern: "youtube-summarize-" campaign: "ClawHavoc" risk: "critical" notes: "29 summarizer variants" - pattern: "youtube-thumbnail-grabber-" campaign: "ClawHavoc" risk: "critical" notes: "13 variants" - pattern: "youtube-video-downloader-" campaign: "ClawHavoc" risk: "critical" notes: "13 variants" - pattern: "polymarket-" campaign: "ClawHavoc" risk: "critical" notes: "30 random-suffix variants" - pattern: "auto-updater-" campaign: "ClawHavoc" risk: "critical" notes: "27 variants" - pattern: "yahoo-finance-" campaign: "ClawHavoc" risk: "critical" notes: "24 variants" - pattern: "x-trends-" campaign: "ClawHavoc" risk: "critical" notes: "25 variants" - pattern: "google-workspace-" campaign: "ClawHavoc" risk: "critical" notes: "17 variants" - pattern: "lost-bitcoin-" campaign: "ClawHavoc" risk: "critical" notes: "3 variants" - pattern: "mcp-runcmd" campaign: "PyPI supply chain" risk: "critical" notes: "JFrog: reverse shell MCP servers" - pattern: "mcp-runcommand" campaign: "PyPI supply chain" risk: "critical" notes: "JFrog: reverse shell MCP servers" # ═══════════════════════════════════════════════════════════════ # CVE DATABASE (MCP servers & AI agent tools) # ═══════════════════════════════════════════════════════════════ cve_database: # --- Anthropic Filesystem MCP --- - id: "CVE-2025-53109" component: "Filesystem MCP Server" severity: "high" description: "Symlink escape to arbitrary filesystem access / potential LPE" source: "Cymulate EscapeRoute" fixed_in: "0.6.3 / 2025.7.1" mitigation: "Update to >= 0.6.3; avoid Filesystem MCP in sensitive environments" - id: "CVE-2025-53110" component: "Filesystem MCP Server" severity: "high" description: "Naive prefix-match directory bypass (startsWith on paths)" source: "Cymulate EscapeRoute" fixed_in: "0.6.3 / 2025.7.1" mitigation: "Update to >= 0.6.3" # --- Anthropic MCP Inspector --- - id: "CVE-2025-49596" component: "MCP Inspector" severity: "critical" cvss: 9.4 description: "RCE via unauthenticated proxy on 0.0.0.0; drive-by RCE from malicious web page" source: "Recorded Future / SocRadar" fixed_in: "0.14.1" mitigation: "Update to >= 0.14.1; restrict to localhost" notes: "~560 exposed instances found on Shodan" # --- Anthropic MCP Git Server (3 flaws, Jan 2026) --- - id: "CVE-2025-68143" component: "MCP Git Server (mcp-server-git)" severity: "high" description: "git_init path traversal — arbitrary filesystem path for repo creation" source: "The Hacker News / PointGuard AI" fixed_in: "2025.9.25" mitigation: "Update; restrict Git MCP to trusted repos" - id: "CVE-2025-68144" component: "MCP Git Server (mcp-server-git)" severity: "high" description: "Argument injection in git_diff/git_checkout — shell metacharacters via user-controlled args" source: "The Hacker News / PointGuard AI" fixed_in: "2025.12.18" mitigation: "Update; sanitize all user inputs to git CLI" - id: "CVE-2025-68145" component: "MCP Git Server (mcp-server-git)" severity: "high" description: "--repository path validation bypass — access beyond allowlist" source: "The Hacker News / PointGuard AI" fixed_in: "2025.12.18" mitigation: "Update; enforce strict path validation" # --- MCP Python SDK --- - id: "CVE-2025-66416" component: "MCP Python SDK (mcp on PyPI)" severity: "medium" description: "DNS rebinding to local HTTP MCP servers when using FastMCP HTTP/SSE with no auth" source: "Debian Security Tracker" fixed_in: "1.23.0" mitigation: "Update to >= 1.23.0; enable TransportSecuritySettings explicitly" # --- MCP Gateway --- - id: "CVE-2025-64443" component: "MCP Gateway" severity: "medium" description: "DNS rebinding against SSE/streaming listeners — indirect access to MCP servers behind gateway" source: "Blog Gowrishankar" fixed_in: "0.28.0" mitigation: "Update to > 0.27.0" # --- MCP TypeScript SDK --- - id: "CVE-2026-25536" component: "MCP TypeScript SDK" severity: "high" description: "Cross-client response data leak when reusing single server+transport across multiple SSE clients" source: "Feedly CVE" fixed_in: "1.26.0" mitigation: "Update to >= 1.26.0; isolate transport instances per client" # --- Cursor IDE --- - id: "CVE-2025-54135" component: "Cursor IDE" severity: "high" cvss: 8.6 description: "CurXecute — RCE via prompt injection writing .cursor/mcp.json" source: "Checkpoint / PropelCode" fixed_in: "1.3.9" mitigation: "Update to Cursor >= 1.3.9; file integrity monitoring on mcp.json" - id: "CVE-2025-54136" component: "Cursor IDE" severity: "high" description: "MCPoison — persistent RCE via trusted config mutation; post-approval changes auto-execute" source: "Checkpoint" fixed_in: "1.3.9" mitigation: "Update to >= 1.3.9; Git hooks + hash verification on mcp.json" # --- Claude Code --- - id: "CVE-2025-66032" component: "Claude Code" severity: "high" description: "8 command execution bypasses via blocklist flaws (man --html, sed e modifier, git arg ambiguity, bash variable expansion)" source: "Flatt Security" fixed_in: "1.0.93" mitigation: "Update to Claude Code >= 1.0.93" - id: "CVE-2026-24052" component: "Claude Code WebFetch" severity: "high" description: "SSRF via startsWith() domain validation bypass in WebFetch (trusted-domain prefix attack)" source: "SentinelOne" fixed_in: "1.0.111" mitigation: "Update to Claude Code >= 1.0.111" - id: "ADVISORY-CC-2026-001" component: "Claude Code" severity: "high" description: "Sandbox bypass — commands excluded from sandboxing could bypass Bash permission enforcement (details undisclosed)" source: "Claude Code CHANGELOG v2.1.34" fixed_in: "2.1.34" mitigation: "Update to Claude Code >= 2.1.34" notes: "No CVE assigned. Fixed in CHANGELOG. Separate from CVE-2026-25725 (different sandbox escape)." # --- Third-party MCP servers --- - id: "CVE-2025-53967" component: "Framelink Figma MCP Server (figma-developer-mcp)" severity: "high" cvss: 7.5 description: "Command injection via unsanitized input in fetchWithRetry curl command" source: "Geordie AI / EndorLabs" fixed_in: "0.6.3" mitigation: "Update to >= 0.6.3" - id: "CVE-2025-9611" component: "Microsoft Playwright MCP Server (@playwright/mcp)" severity: "medium" description: "DNS rebinding / Origin-less CSRF — missing Origin validation on local instance" source: "Mondoo / NVD" fixed_in: "0.0.40" mitigation: "Update to >= 0.0.40" - id: "CVE-2025-6515" component: "MCP SSE Transport (oatpp-mcp)" severity: "high" description: "Prompt hijacking via predictable/reused session IDs; attacker replaces tool outputs" source: "JFrog" mitigation: "Use cryptographically secure session IDs (128+ bits entropy)" - id: "CVE-2026-25546" component: "Godot MCP Server (godot-mcp)" severity: "high" description: "Command injection via user-controlled projectPath passed to exec()" source: "Feedly CVE" fixed_in: "0.1.1" mitigation: "Update to >= 0.1.1; sanitize projectPath; avoid exec() with user input" - id: "CVE-2025-54073" component: "mcp-package-docs" severity: "high" description: "Command injection in child_process.exec via unsanitized input" source: "NVD" fixed_in: "0.1.28" mitigation: "Update to >= 0.1.28" # ═══════════════════════════════════════════════════════════════ # MINIMUM SAFE VERSIONS (quick reference for scanning) # ═══════════════════════════════════════════════════════════════ minimum_safe_versions: "filesystem-mcp": "0.6.3" "mcp-inspector": "0.14.1" "mcp-server-git": "2025.12.18" "mcp-python-sdk": "1.23.0" "mcp-gateway": "0.28.0" "figma-developer-mcp": "0.6.3" "@playwright/mcp": "0.0.40" "mcp-package-docs": "0.1.28" "cursor": "1.3.9" "claude-code": "2.1.34" # ═══════════════════════════════════════════════════════════════ # IOCs (Indicators of Compromise) # ═══════════════════════════════════════════════════════════════ iocs: # ClawHavoc C2 IPs — block outbound connections c2_ips: - ip: "91.92.242.30" campaign: "ClawHavoc" notes: "Primary AMOS dropper host" - ip: "95.92.242.30" campaign: "ClawHavoc" - ip: "96.92.242.30" campaign: "ClawHavoc" - ip: "202.161.50.59" campaign: "ClawHavoc" - ip: "54.91.154.110" campaign: "ClawHavoc" notes: "Reverse shell target (better-polymarket, polymarket-all-in-one) port 13338" - ip: "45.115.38.27" campaign: "PyPI MCP reverse shell (JFrog)" notes: "Reverse shell on port 4433" # Exfiltration endpoints exfil_urls: - url: "webhook.site/358866c4-81c6-4c30-9c8c-358db4d04412" skill: "rankaj" source: "Koi ClawHavoc" notes: "Credential exfiltration endpoint" # Malicious GitHub repos github_repos: - repo: "aztr0nutzs/NET_NiNjA.v1.2" author: "moonshine-100rze" source: "Snyk ToxicSkills" notes: "Hosts additional weaponized skills not yet on ClawHub" # AMOS sample hashes (from Koi report) malware_hashes: - hash: "1e6d4b05...e2298" type: "AMOS Mach-O" source: "Koi ClawHavoc" - hash: "0e52566c...dd65" type: "AMOS Mach-O" source: "Koi ClawHavoc" # ═══════════════════════════════════════════════════════════════ # SUSPICIOUS PATTERNS (for grep-based scanning) # ═══════════════════════════════════════════════════════════════ suspicious_patterns: # Hook exfiltration patterns hooks: - pattern: "curl|wget" description: "Network calls in hooks (potential data exfiltration)" risk: "high" action: "Review every network call in hooks — legitimate hooks rarely need outbound requests" - pattern: "nc |ncat|netcat" description: "Netcat in hooks (reverse shell indicator)" risk: "critical" action: "Remove immediately — no legitimate hook use case" - pattern: "base64" description: "Base64 encoding in hooks (payload obfuscation)" risk: "medium" action: "Verify what is being encoded — common evasion technique" - pattern: "eval|exec" description: "Dynamic code execution in hooks" risk: "high" action: "Verify source of executed code" - pattern: '\$\(.*\)|`.*`' description: "Command substitution in hooks" risk: "medium" action: "Verify no sensitive data is captured" - pattern: "/dev/tcp|/dev/udp" description: "Bash network redirects (reverse shell)" risk: "critical" action: "Remove immediately" - pattern: "ssh|id_rsa|id_ed25519" description: "SSH key access in hooks" risk: "critical" action: "No hook should access SSH keys" - pattern: '.env|credentials|secret|password|token|api.key' description: "Credential file access in hooks" risk: "critical" action: "No hook should read credential files" - pattern: "glot.io|pastebin.com|hastebin.com" description: "Paste site references in hooks (common payload hosting)" risk: "high" action: "Review carefully — ClawHavoc uses glot.io for obfuscated scripts" # Agent/skill red flags agents: - pattern: 'allowed-tools.*Bash' description: "Broad Bash access in agent definition" risk: "medium" action: "Verify agent needs shell access — prefer specific tools" - pattern: 'allowed-tools.*\["Bash"\]' description: "Agent with ONLY Bash access (common in malicious agents)" risk: "high" action: "Highly suspicious — legitimate agents use specific tools" - pattern: "ignore previous|disregard|override" description: "Prompt injection attempt in agent system prompt" risk: "critical" action: "Remove agent — confirmed injection vector" - pattern: "you are now|new instructions|forget" description: "Role hijacking in agent instructions" risk: "high" action: "Review agent source carefully" - pattern: "developer mode|DAN|jailbreak" description: "Jailbreak attempt in skill/agent instructions" risk: "critical" action: "Remove immediately — used by pepe276 and others" # Config red flags config: - pattern: "dangerouslySkipPermissions|dangerously" description: "Dangerous permission bypass flags" risk: "critical" action: "Remove — never use in production" - pattern: '"allow".*"Bash\(.*\*.*\)"' description: "Wildcard Bash permissions" risk: "high" action: "Narrow to specific commands" - pattern: '"allow".*"Write\(.*\*.*\)"' description: "Wildcard Write permissions" risk: "high" action: "Narrow to specific paths" - pattern: "@latest" description: "Unpinned MCP server version in mcp.json" risk: "high" action: "Pin to exact version — unpinned packages are supply-chain targets" # Secrets patterns (in any file) secrets: - pattern: '(?i)(api[_-]?key|apikey)\s*[=:]\s*["\x27][A-Za-z0-9_\-]{20,}["\x27]' description: "Hardcoded API key" risk: "critical" - pattern: '(?i)(secret|password|passwd|pwd)\s*[=:]\s*["\x27][^\x27"]{8,}["\x27]' description: "Hardcoded secret/password" risk: "critical" - pattern: '(?i)(token|bearer)\s*[=:]\s*["\x27][A-Za-z0-9_\-\.]{20,}["\x27]' description: "Hardcoded token" risk: "critical" - pattern: "sk-[a-zA-Z0-9]{20,}" description: "OpenAI API key pattern" risk: "critical" - pattern: "sk-ant-[a-zA-Z0-9]{20,}" description: "Anthropic API key pattern" risk: "critical" - pattern: "ghp_[a-zA-Z0-9]{36}" description: "GitHub personal access token" risk: "critical" - pattern: "AKIA[A-Z0-9]{16}" description: "AWS access key ID" risk: "critical" - pattern: 'xox[bps]-[a-zA-Z0-9\-]{20,}' description: "Slack token" risk: "critical" - pattern: '-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----' description: "Private key in file" risk: "critical" # Prompt injection in markdown/config injection: - pattern: '[\x{200B}-\x{200D}\x{FEFF}]' description: "Zero-width Unicode characters (invisible instructions)" risk: "high" encoding: "unicode" - pattern: '[\x{202A}-\x{202E}\x{2066}-\x{2069}]' description: "RTL/bidirectional override characters" risk: "high" encoding: "unicode" - pattern: '[\x{E0000}-\x{E007F}]' description: "Tag characters (invisible Unicode block)" risk: "high" encoding: "unicode" - pattern: '\x1b\[|\x1b\]|\x1b\(' description: "ANSI escape sequences (terminal injection)" risk: "medium" - pattern: '\x00' description: "Null byte (string truncation attack)" risk: "high" - pattern: '' description: "Hidden instructions in HTML comments" risk: "high" # SKILL.md / skill content red flags skill_content: - pattern: 'curl.*\|.*bash' description: "Remote script execution (curl pipe bash)" risk: "critical" action: "Classic malware delivery — review URL and content" - pattern: 'base64.*-[dD].*\|.*bash' description: "Base64-decoded command execution" risk: "critical" action: "Obfuscated payload — likely malicious" - pattern: 'password.*openclaw|openclaw.*password' description: "Password-protected archive with known ClawHavoc password" risk: "critical" action: "Matches ClawHavoc delivery pattern" - pattern: 'chmod.*\+x.*&&.*\./' description: "Download, make executable, run — malware dropper pattern" risk: "critical" - pattern: '/bin/bash.*-i.*>/dev/tcp' description: "Interactive reverse shell" risk: "critical" action: "Remove immediately" - pattern: 'webhook\.site|requestbin\.com' description: "Data exfiltration via webhook/request bin service" risk: "high" action: "Verify intent — common exfil endpoint" # ═══════════════════════════════════════════════════════════════ # CAMPAIGN SIGNATURES # ═══════════════════════════════════════════════════════════════ campaigns: - name: "ClawHavoc" source: "Koi Security" date: "2026-02-01" skills_count: 341 amos_skills: 335 outlier_skills: 6 platform: "ClawHub / OpenClaw" malware: "Atomic Stealer (AMOS) + Windows infostealers" delivery: - "Fake prerequisites in SKILL.md" - "Base64-encoded shell snippets from glot.io" - "Password-protected ZIPs (password: 'openclaw')" - "Second-stage dropper from raw IP" c2_ips: - "91.92.242.30" - "95.92.242.30" - "96.92.242.30" - "202.161.50.59" - "54.91.154.110" targets: - "Cryptocurrency wallets (60+ wallets: Exodus, Binance, Electrum, Atomic, Ledger)" - "Browser data (Chrome, Safari, Firefox, Brave, Edge)" - "SSH keys and shell history" - "Telegram sessions" - "Keychain passwords (macOS)" categories: crypto: 111 youtube: 57 finance_social: 76 polymarket: 34 typosquatting: 29 auto_updaters: 30 google_workspace: 17 outliers: auth_tool: ["base-agent", "bybit-agent", "polymarket-traiding-bot"] reverse_shell: ["better-polymarket", "polymarket-all-in-one"] credential_theft: ["rankaj"] - name: "ToxicSkills" source: "Snyk" date: "2026-02-05" skills_scanned: 3984 platforms: ["ClawHub", "skills.sh"] findings: total_flawed: 1467 flawed_percentage: 36.82 critical_risk: 534 critical_percentage: 13.4 malicious_payloads: 76 still_live_at_scan: 8 hardcoded_secrets_percentage: 10.9 remote_content_fetch_percentage: 17.7 remote_prompt_execution_percentage: 2.9 known_malicious_authors: - "zaycv" - "Aslaep123" - "pepe276" - "moonshine-100rze" - name: "PyPI MCP Reverse Shell" source: "JFrog" date: "2025-12" platform: "PyPI" packages: - "mcp-runcmd-server" - "mcp-runcommand-server" - "mcp-runcommand-server2" c2_ip: "45.115.38.27" c2_port: 4433 technique: "Spawns /bin/sh -i reverse shell before starting MCP server" - name: "Postmark MCP Squatter" source: "Defender's Initiative" date: "2025-11" platform: "npm" package: "postmark-mcp" technique: "Copies official Postmark MCP server with hidden backdoor" # ═══════════════════════════════════════════════════════════════ # ATTACK TECHNIQUES TAXONOMY # Maps to SAFE-MCP framework and common patterns # ═══════════════════════════════════════════════════════════════ attack_techniques: - id: "T001" name: "Tool Poisoning via SKILL.md" description: "Hidden instructions in SKILL.md that instruct the agent to run malicious commands" examples: - "curl | bash from glot.io scripts" - "Password-protected ZIP with embedded malware" - "Base64-decoded eval commands" campaigns: ["ClawHavoc", "ToxicSkills"] mitigation: "Scan SKILL.md for shell commands; never auto-execute prerequisites" - id: "T002" name: "Memory Poisoning" description: "Injection of persistent instructions into SOUL.md, MEMORY.md, CLAUDE.md, AGENTS.md" examples: - "Skills targeting SOUL.md/MEMORY.md to inject persistent backdoor instructions" - "Cognitive worms that replicate across agent memory files" campaigns: ["ToxicSkills"] mitigation: "Treat memory files as config; require code review for changes; monitor diffs" - id: "T003" name: "Rug Pull / Post-Approval Mutation" description: "Benign config approved once, then mutated to malicious version that auto-executes" examples: - "MCPoison: .cursor/rules/mcp.json approved, then updated with reverse shell" - "ClawHub skills updated without changelog to swap in AMOS installer" cves: ["CVE-2025-54136"] mitigation: "Hash verification on configs; re-approval on any change" - id: "T004" name: "Confused Deputy via MCP" description: "Attacker manipulates MCP session/output; client trusts poisoned response" examples: - "oatpp-mcp session ID reuse (CVE-2025-6515)" - "Git MCP + Filesystem MCP chain via poisoned README" cves: ["CVE-2025-6515", "CVE-2025-68143", "CVE-2025-68144", "CVE-2025-68145"] mitigation: "Cryptographic session IDs; input validation; least-privilege for MCP tools" - id: "T005" name: "DNS Rebinding on Local MCP" description: "Malicious website rebinds domain to 127.0.0.1 to access local MCP servers" examples: - "MCP Python SDK HTTP/SSE servers (CVE-2025-66416)" - "MCP Gateway SSE (CVE-2025-64443)" - "Playwright MCP (CVE-2025-9611)" cves: ["CVE-2025-66416", "CVE-2025-64443", "CVE-2025-9611"] mitigation: "Use stdio transport; enable DNS rebinding protection; authenticate local servers" - id: "T006" name: "Supply Chain Package Attack" description: "Malicious packages published to registries mimicking legitimate MCP servers" examples: - "PyPI: mcp-runcmd-server, mcp-runcommand-server (JFrog)" - "npm: postmark-mcp squatter" campaigns: ["PyPI MCP Reverse Shell", "Postmark MCP Squatter"] mitigation: "Verify package author; check download counts; use SafeDep vet" - id: "T007" name: "Hook-Based Exfiltration" description: "Malicious .claude/hooks/ scripts run on agent events with full user privileges" examples: - "SessionStart hook that POSTs environment variables" - "PostToolUse hook that exfiltrates file paths and content" mitigation: "Review all hooks; forbid auto-running hooks from untrusted repos; maintain hook allowlist" - id: "T008" name: "Credential Theft via Agent" description: "Agent instructed to read credential files and send to attacker" examples: - "rankaj skill: reads ~/.clawdbot/.env, POSTs to webhook.site" - "Base64-encoded curl to send ~/.aws/credentials" campaigns: ["ClawHavoc", "ToxicSkills"] mitigation: "Block agent access to .env, .aws, .ssh directories; use pre-execution hooks" # ═══════════════════════════════════════════════════════════════ # SCANNING TOOLS # ═══════════════════════════════════════════════════════════════ scanning_tools: - name: "mcp-scan" vendor: "Invariant / Snyk" type: "cli" command: "npx mcp-scan" url: "https://github.com/invariantlabs-ai/mcp-scan" capabilities: - "Scans MCP server configurations for vulnerabilities" - "Detects known vulnerable MCP servers and versions" - "Scans SKILL.md for prompt injection, malicious code, secrets" - "Supports Claude Desktop, Cursor, Windsurf configs" - "Backed by ToxicSkills taxonomy (90-100% recall, 0% FP on skills.sh top-100)" limitations: - "413 error on large configs (~/.claude/ too big)" - "Unknown MCP config on some VSCode setups" - "Does not scan .claude/skills/ native Claude Code skills" - "Requires network access to Snyk vulnerability DB" - "Cannot detect runtime-only payloads fetched from benign-looking URLs" notes: "Complement with local grep patterns from this threat-db" - name: "skills-ref validate" vendor: "agentskills.io" type: "cli" command: "skills-ref validate ./skill-dir" url: "https://docs.rs/skills-ref-rs/latest/skills_ref/" capabilities: - "Validates skill spec compliance (SKILL.md structure, frontmatter, naming)" - "Parse metadata to JSON (skills-ref read-properties)" - "Generate agent prompts (skills-ref to-prompt)" limitations: - "Spec compliance only — does NOT detect malware or analyze code" - "Reduces slopsquatting via naming rules but no security scanning" - name: "Garak" vendor: "NVIDIA" type: "cli" url: "https://github.com/NVIDIA/garak" capabilities: - "37+ probe modules for LLM vulnerabilities" - "Prompt injection detection" - "Jailbreak testing" - "Data exfiltration probes" limitations: - "LLM-focused, not MCP/skill-specific" - "Does not parse SKILL.md or MCP configs" - name: "MCP Fortress" vendor: "mcp-fortress" type: "mcp-server + dashboard" url: "https://github.com/mcp-fortress/mcp-fortress" capabilities: - "Scans npm/PyPI dependencies of MCP servers" - "Queries CVE databases for risk scores" - "Runtime protection — quarantines suspicious servers" - "Streaming telemetry dashboard" - "Can run as MCP server exposing security tools to Claude/Cursor" limitations: - "Newer project — smaller detection database than mcp-scan" - name: "SafeDep vet MCP" vendor: "SafeDep" type: "mcp-server" url: "https://safedep.io/introducing-vet-mcp-server/" capabilities: - "Software composition analysis integrated with agents" - "Detects slopsquatting, vulnerable and malicious packages" - "Screens package suggestions before pip/npm install" limitations: - "Package-focused — does not scan SKILL.md or agent configs" - name: "Koi Clawdex" vendor: "Koi Security" type: "clawhub-skill" capabilities: - "ClawHub security addon / MCP" - "Checks skills against Koi malicious skill database" - "Pre-install and retroactive scan support" limitations: - "ClawHub/OpenClaw specific" # ═══════════════════════════════════════════════════════════════ # DEFENSIVE FRAMEWORKS & BLOCKLISTS # ═══════════════════════════════════════════════════════════════ defensive_resources: - name: "SAFE-MCP" url: "https://www.safemcp.org" type: "framework" description: "80+ techniques mapped to ATT&CK for MCP environments; policy-based blocklists" - name: "OpenClaw VirusTotal Integration" url: "https://thehackernews.com/2026/02/openclaw-integrates-virustotal-scanning.html" type: "platform" description: "ClawHub now hashes every skill bundle, checks VirusTotal, blocks/flags malicious; daily re-scan" - name: "Docker MCP Gateway" url: "https://www.docker.com/blog/mpc-horror-stories-cve-2025-49596-local-host-breach/" type: "tool" description: "Isolates MCP servers behind stdio transport; mitigates CVE-2025-49596-style localhost attacks" - name: "Snyk AI-BOM & Evo" url: "https://snyk.io/articles/snyk-mcp-cheat-sheet/" type: "platform" description: "AI bill of materials; inventory MCP servers and skills; enforce guardrails" - name: "Bitsight TRACE" url: "https://www.bitsight.com/blog/exposed-mcp-servers-reveal-new-ai-vulnerabilities" type: "threat-intel" description: "Continuous scanning of exposed MCP endpoints; ~1000 unauthenticated servers found" stats: exposed_servers: 1000 no_auth: true risk_examples: ["Kubernetes clusters", "CRM access", "WhatsApp messaging", "arbitrary shell"]