feat(yara): add agent skill abuse signatures#1
Conversation
Signed-off-by: teixeira0xfffff <denunciarameacas@gmail.com>
|
This rule does not flag all pip install commands as high critical issues, the detection is specifically scoped to pip install operations that fetch packages directly from remote URLs or Git repositories over HTTP/HTTPS. The intention is to identify installations that bypass the normal package repository workflow and pull code directly from external sources: pip install hxxps://example.com/package.whl |
|
Updated the remote bootstrap YARA rule to remove generic |
rng1995
left a comment
There was a problem hiding this comment.
APPROVE — well-scoped, high-quality addition.
Correctness ✅
- All 5 rules compile cleanly and I ran each against the included fixtures: 5 positive + 4 negative cases all behave as asserted.
- The multi-indicator conditions (
any of ($secret_*) and any of ($send_*) and any of ($collector_*), the$agent_context and any of ($inj_*)gating, the2 of ($inj_*)fallback) are good design for keeping false positives low on documentation-heavy skill bundles. - The negative tests are a particularly nice touch and correctly do not fire: common
curl … | sh/irm … | iexinstallers,eval(fetch(...))/eval(await fetch(...))without a.text()response read, and doc-only credential references.
Consistency ✅
- Meta schema (
description/category/severity/confidence/reference), thecategoryvalues (malware,hack_tool), and the stringifiedconfidenceall match the existing rule files and thestatic_yaranode's_CATEGORY_MAP/_parse_metaexpectations, so rule IDs and severities map correctly. SPDX header matches repo convention.
Security ✅
- Detection targets the stated abuse classes (webhook exfil, remote bootstrap, hidden prompt injection, MCP/tool metadata poisoning incl. zero-width/RTL bytes, destructive autonomous actions) without obvious bypass-by-construction. No ReDoS concern given YARA's non-backtracking regex engine.
Minor / optional (non-blocking):
$long_base64([A-Za-z0-9+/]{120,}) gated behind a$schema_*key may occasionally fire on large/minified JSON manifests or embedded base64 assets. Appropriately gated — just flagging as a tuning watch-item.$pip_remote_installwill also match legitimatepip install git+https://…; fine as a heuristic, just noting.- The new file is missing a trailing newline.
Thanks for the thorough tests — approving.
Adds a new built-in YARA rule file focused on AI agent skill abuse patterns: