Security

Every skill scanned against 51 patterns

We scan every published skill against a curated catalog of attack patterns drawn from the OWASP LLM Top 10, the Lakera and garak prompt-injection corpora, and known SKILL.md attacks (file-system escape, exfiltration, instruction override). Every pattern below is auditable by you, the people who install our skills.

Browse skillsRead the docs

51

Total patterns

34

High severity

16

Medium severity

1

Informational

How scoring works

Every match deducts from a 100-point baseline.

Each skill starts at 100. Error-severity matches deduct 15 points, warning matches deduct 5, and informational matches deduct 1. The final score maps to a letter grade: A (≥ 90), B (80-89), C (70-79), D (50-69), F (< 50). The grade and score are published on every skill page; the full findings are visible to the skill author and site admins.

Where the patterns come from

Curated from the public attack-research record.

Patterns are drawn from the OWASP Top 10 for LLM Applications, the Lakera prompt-injection corpus, the garak red-teaming framework, and case studies of malicious SKILL.md files reported in 2025-2026. We add patterns conservatively, every new pattern must pass a true-negative test against the existing catalog before shipping.

The full catalog

All 51 patterns, grouped by category.

Prompt injection (6)

  • Prompt injection

    Instructions contain prompt injection attempts that try to override safety rules

    prompt_injection

    error (−15)

  • Jailbreak suffix

    Instructions contain known LLM jailbreak phrases (DAN, developer mode, pretend-evil)

    prompt_injection_jailbreak_suffix

    error (−15)

  • Instruction-override marker

    Instructions contain markers used to inject a fake system prompt (im_start, ###system###)

    prompt_injection_instruction_override

    error (−15)

  • System prompt extraction

    Instructions try to extract the host system prompt or hidden context

    system_prompt_leak

    warning (−5)

  • Role hijack

    Instructions attempt to redefine the assistant's role or remove its constraints

    prompt_injection_role_hijack

    warning (−5)

  • Hidden injection marker

    Instructions contain hidden control markers commonly used in prompt-injection payloads

    prompt_injection_hidden_marker

    warning (−5)

LLM-specific (OWASP LLM Top 10) (4)

  • BYOK / key extraction

    Instructions try to extract bring-your-own-key API keys or access tokens

    llm_byok_extraction

    error (−15)

  • Environment variable extraction

    Instructions ask the agent to read or output environment variables

    llm_env_var_extraction

    error (−15)

  • Attacker-controlled domain

    Instructions reference sending data to attacker-controlled placeholder domains

    llm_attacker_domain

    error (−15)

  • Tool-output smuggling (markdown image exfil)

    Instructions try to coerce markdown image tags that exfiltrate data via the URL query string

    llm_tool_output_smuggling

    error (−15)

Data exfiltration (5)

  • Data exfiltration

    Instructions appear to exfiltrate sensitive data to external services

    data_exfiltration

    error (−15)

  • Environment variable exfiltration

    Instructions dump environment variables to external destinations

    env_dumping

    error (−15)

  • Suspicious external URLs

    Instructions send data to IP addresses or known data collection services

    suspicious_urls

    error (−15)

  • data: URI payload

    Instructions embed a data: URI carrying executable HTML or JavaScript

    data_uri_payload

    warning (−5)

  • Suspicious POST with sensitive payload

    Instructions POST cookies, localStorage, env, or secrets to an external endpoint

    suspicious_post_to_external

    error (−15)

Hardcoded secrets (9)

  • Hardcoded AWS credentials

    Instructions contain what appears to be an AWS access key or secret key

    hardcoded_aws_key

    error (−15)

  • Hardcoded GitHub token

    Instructions contain what appears to be a GitHub personal access token

    hardcoded_github_token

    error (−15)

  • Hardcoded Stripe secret key

    Instructions contain what appears to be a live Stripe secret key

    hardcoded_stripe_key

    error (−15)

  • Hardcoded secret value

    Instructions contain a hardcoded secret, password, or API key value

    hardcoded_generic_secret

    error (−15)

  • Hardcoded OpenAI API key

    Instructions contain what appears to be an OpenAI API key (sk-...)

    hardcoded_openai_key

    error (−15)

  • Hardcoded Anthropic API key

    Instructions contain what appears to be an Anthropic API key (sk-ant-...)

    hardcoded_anthropic_key

    error (−15)

  • Hardcoded Slack webhook

    Instructions contain a Slack incoming-webhook URL — leak vector if posted publicly

    hardcoded_slack_webhook

    warning (−5)

  • Hardcoded Google API key

    Instructions contain what appears to be a Google API key (AIza...)

    hardcoded_google_api_key

    error (−15)

  • Private key block

    Instructions contain a PEM-encoded private key (RSA, EC, OPENSSH, PGP)

    private_key_block

    error (−15)

Command injection (5)

  • Unsafe eval() usage

    Instructions use eval() which can execute arbitrary code

    unsafe_eval

    error (−15)

  • Function constructor

    Instructions use `new Function(...)` which dynamically evaluates strings as code

    function_constructor

    error (−15)

  • setTimeout/setInterval with string arg

    Instructions pass a string to setTimeout or setInterval, which is evaluated as code

    set_timeout_string

    warning (−5)

  • child_process with user input

    Instructions concatenate user input into child_process.exec/spawn (command injection)

    child_process_user_input

    error (−15)

  • subprocess with shell=True

    Instructions invoke subprocess with shell=True, which is unsafe with untrusted input

    python_subprocess_shell_true

    warning (−5)

File-system escape (6)

  • Sensitive file access

    Instructions access sensitive system files (passwords, SSH keys, credentials)

    sensitive_file_access

    warning (−5)

  • Unrestricted file system write

    Instructions write to system directories outside project scope

    unrestricted_fs_write

    error (−15)

  • Path traversal

    Instructions contain path traversal sequences (../../) that could escape sandboxes

    path_traversal

    error (−15)

  • Sensitive system file reference

    Instructions reference /etc/passwd, /etc/shadow, /etc/hosts, or /etc/sudoers

    fs_escape_etc_passwd

    warning (−5)

  • SSH private key path

    Instructions reference SSH private key paths (~/.ssh/id_rsa, authorized_keys)

    fs_escape_ssh_keys

    error (−15)

  • AWS credentials file path

    Instructions reference the local AWS credentials file path

    fs_escape_aws_credentials

    error (−15)

Server-side request forgery (SSRF) (5)

  • Requests to arbitrary IPs

    Instructions make HTTP requests to raw IP addresses instead of domain names

    arbitrary_ip_requests

    warning (−5)

  • Internal network / metadata access

    Instructions reference localhost, link-local, or cloud metadata endpoints

    dns_rebinding

    warning (−5)

  • SSRF to localhost

    Instructions issue HTTP requests to localhost / 0.0.0.0 / IPv6 loopback

    ssrf_localhost_url

    warning (−5)

  • AWS IMDS endpoint

    Instructions reference the AWS Instance Metadata Service (169.254.169.254) — a classic SSRF target

    ssrf_aws_imds

    error (−15)

  • Private CIDR reference

    Instructions reference RFC1918 private network ranges (10/8, 192.168/16, 172.16/12)

    ssrf_private_cidr

    info (−1)

Shell / OS abuse (3)

  • Destructive shell commands

    Instructions contain destructive shell patterns (pipe to shell, rm -rf /, disk overwrite)

    shell_injection

    error (−15)

  • Cryptocurrency mining

    Instructions reference cryptocurrency mining tools or pools

    crypto_mining

    error (−15)

  • Reverse shell

    Instructions contain reverse shell patterns that could give remote access

    reverse_shell

    error (−15)

SQL injection (1)

  • SQL injection patterns

    Instructions contain SQL injection patterns (string interpolation in queries, tautologies)

    sql_injection

    error (−15)

Unsafe deserialization (1)

  • Unsafe deserialization

    Instructions use unsafe deserialization (pickle, yaml.load without SafeLoader)

    unsafe_deserialization

    error (−15)

Obfuscation (2)

  • Obfuscated commands

    Instructions contain base64-encoded commands piped to shell execution

    obfuscated_commands

    error (−15)

  • Long base64 blob in decoder

    Instructions contain a base64 blob >100 chars passed to a decoder (atob/Buffer.from), suggesting hidden payload

    long_base64_blob

    warning (−5)

Supply chain (1)

  • Dependency confusion risk

    Instructions install packages from non-standard registries (potential typosquatting)

    dependency_confusion

    warning (−5)

Privilege escalation (2)

  • Security bypass

    Instructions disable security features or escalate privileges

    disable_security

    warning (−5)

  • Privilege escalation

    Instructions attempt to escalate system privileges

    privilege_escalation

    warning (−5)

Container escape (1)

  • Container escape attempt

    Instructions contain patterns that could escape container sandboxes

    container_escape

    error (−15)
Found something?

Report a vulnerability or a missing pattern.

If you discover a skill that should have been flagged, or you have a pattern proposal grounded in primary research, email [email protected]. We re-grade the entire catalog whenever the pattern set changes.