feat(rules): MCP server, skill, and plugin detection#5
Open
MiguelHzBz wants to merge 2 commits intoleogr:mainfrom
Open
feat(rules): MCP server, skill, and plugin detection#5MiguelHzBz wants to merge 2 commits intoleogr:mainfrom
MiguelHzBz wants to merge 2 commits intoleogr:mainfrom
Conversation
Adds rules/default/mcp-skill-detection.yaml with 9 rules covering two distinct attack surfaces: MCP config attacks (deny): temp directory command path, IOC domain in server URL, base64-encoded command — all targeting .mcp.json writes. Agent self-expansion (ask): claude mcp add/install self-registration, npx -y auto-accept installation of MCP/skill packages. Persistent backdoor vectors (ask): writes to .claude/commands/, CLAUDE.md written outside the working directory. Skill content attacks (deny): IOC domain or pipe-to-shell pattern in .claude/commands/ file content — upgrades the catch-all ask to deny via the broker's deny > ask escalation. IOC domains from the ClawHavoc campaign (341 malicious skills, 2024-2025): pastebin.com, transfer.sh, file.io, termbin.com, ix.io, glot.io, hastebin.com, ghostbin.co. Includes test_mcp_skill_rules.sh with 55 test cases.
MiguelHzBz
force-pushed
the
add-mcp-skill-detection-rules
branch
from
47d25c7 to
6236f4f
Compare
- Extend is_mcp_command_temp: add $TMPDIR, $TMP, $TEMP env vars and /run/user/ (M1: env var expansion bypass, M6: XDG runtime dir staging) - Extend is_skill_pipe_bash: add absolute shell paths | /bin/bash, | /bin/sh, | /usr/bin/bash, | /usr/bin/sh (M2, M3: absolute path bypass) - Extend is_npx_auto_accept_mcp_skill: add bunx -y, bunx --yes, yarn dlx, pnpm dlx (M4: alternative package runners bypass) - Add Rule 10: Ask before Bash command writing to .claude/commands/ (M5: Bash shell redirection bypasses Write/Edit-only Rule 5) - Add test_mcp_bypass.sh covering all 6 bypass sections (~20 test cases)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds
rules/user/mcp-skill-detection.yamlwith 9 rules covering two distinct attack surfaces — MCP config structure and skill/command file content:MCP config attacks (CRITICAL/deny) — target
.mcp.json/managed-mcp.json:/tmp/,/dev/shm/,/var/tmp/)Agent self-expansion (WARNING/ask):
claude mcp add/installand related self-registration commands via Bashnpx -y/npx --yesauto-accept installation of MCP/skill packagesPersistent backdoor vectors (WARNING/ask):
.claude/commands/slash command directoryCLAUDE.mdoutside the current working directorySkill content attacks (CRITICAL/deny) — upgrade the catch-all ask to deny:
.claude/commands/file content| bash,| sh,bash <(,sh <() in.claude/commands/contentIOC domains from the ClawHavoc campaign (341 malicious skills, 2024–2025):
pastebin.com,transfer.sh,file.io,termbin.com,ix.io,glot.io,hastebin.com,ghostbin.coTest plan
bash tests/test_mcp_skill_rules.sh— 55 test cases covering deny, ask, and allow paths for all 9 rules