| name | repo-forensics |
| description | Security forensics for git repos, AI skills, and MCP servers. Audits dependencies, detects prompt injection, credential theft, runtime dynamism, manifest drift, known CVEs, CISA KEV (actively exploited) vulns, and 2026 attack patterns. Not for fixing vulnerabilities or pentesting. |
| metadata | {"author":"Alex Greenshpun"} |
| allowed-tools | Bash Read Glob Grep |
| user-invocable | true |
| argument-hint | <repo_path> [--skill-scan] [--format text|json|summary] [--update-iocs] [--update-vulns] [--no-vulns] [--offline] [--watch] [--verify-install] |
Repo Forensics v2
Deep security auditing for repositories, AI agent skills, and MCP servers.
Highlights
- Auto-scan hook (v2): PostToolUse hook auto-triggers on
git clone, git pull, pip install, npm install/update, gem install/update, brew install/upgrade, etc. Zero-overhead for non-matching commands.
- Pre-execution gate (v2.6): PreToolUse hook blocks known-malicious packages and pipe-to-shell commands BEFORE execution. IOC-only, <10ms latency, no subprocess calls.
- Session security scanner (v2.6.3): SessionStart hook detects updated plugins/skills/MCP servers, refreshes threat databases daily, runs fast IOC check + full 20-scanner deep scan on changed items. Sub-1ms when nothing changed.
- .pth file injection detection (v2): Detects liteLLM-style Python startup injection attacks (exec/eval/base64/known IOC filenames)
- Transitive dependency scanning (v2): Deep-parses
package-lock.json, yarn.lock, poetry.lock, Pipfile.lock for supply chain IOCs
- DAST scanner (
scan_dast.py): Dynamic analysis of Claude Code hooks with 8 malicious payload types, sandboxed execution
- File integrity monitor (
scan_integrity.py): SHA256 baselines for critical config files, drift detection with --watch
- IOC auto-update (
--update-iocs): Pull latest indicators of compromise from remote feed
- Installation verification (
--verify-install): Verify repo-forensics itself hasn't been tampered with
- GitHub Actions (
action.yml): CI/CD integration for automated security gating
- Runtime behavior prediction (
scan_runtime_dynamism.py): Detects code that changes behavior after install: dynamic imports, fetch-then-execute, self-modification, time bombs, dynamic tool descriptions
- Manifest drift detection (
scan_manifest_drift.py): Compares declared vs actual dependencies, catches phantom deps, runtime installs, conditional import+install fallbacks
- MCP rug pull detection: Tool descriptions sourced from database, network, env vars, or conditional logic
- Enhanced AST analysis: 12 patterns including marshal.loads, types.CodeType, sys.addaudithook, bytes decode obfuscation, self-modification
- Test suite: 1,280+ pytest tests covering all scanners
- OpenClaw/ClawHub scanning: Auto-detects OpenClaw skills, validates frontmatter, tools.json, SOUL.md, .clawhubignore
- Anti-forensics detection (v2): Self-deleting installers, package.json overwrite, version mismatch (Axios supply chain pattern)
- Compromised version detection (v2): Flags known-bad versions of legitimate packages (Axios 1.14.1/0.30.4, liteLLM 1.82.8)
- Suspicious npm scope detection (v2): Flags systematic MCP server forking campaigns (iflow-mcp)
- Host IOC scanning (v2): Known RAT binary paths, C2 domains, malicious file hashes
- CVE-2026-33068 detection (v2): Workspace trust bypass via bypassPermissions in Claude Code settings
- Post-incident forensics (v2.2): npm cache/log artifacts, RAT binary detection, C2 persistence, node_modules traces that survive dropper self-cleanup
- Supply chain hardening (v2.2): .npmrc scanning, missing lockfile detection, git/HTTP dep flagging, hostname bypass fix, unbounded Python range detection, install script severity elevation
- Devcontainer security scanning (v2.6.5): JSON-based analysis of devcontainer.json for host secret mounts, container escape vectors, localEnv interpolation, lifecycle command risks, and untrusted features
- Framework env prefix leak detection (v2.6.5): Catches secrets exposed to browser bundles via NEXT_PUBLIC_, REACT_APP_, VITE_, EXPO_PUBLIC_, GATSBY_, NX_PUBLIC_ prefixes
- process.env exposure detection (v2.6.5): Flags console.log(process.env), JSON.stringify(process.env), and crash report env dumps
- Docker ARG secret detection (v2.6.5): Catches secrets passed via ARG directives (permanently visible in docker history)
- 1Password/Vault token detection (v2.6.5): OP_CONNECT_TOKEN, ops_ service account tokens, hvs. Vault tokens
- 20 scanners with 41 correlation rules
When to Use
- Auditing a new repo or dependency before adding it to your project
- Vetting AI skills/plugins before installation (prompt injection, credential theft, backdoors)
- Auditing MCP servers for tool poisoning, SQL injection, config risks
- Security review when someone asks "is this code secure?"
- Forensic investigation of a suspected compromise
- CI/CD gating with machine-readable output and exit codes
- Hook security testing to verify Claude Code hooks handle malicious input safely
Quick Start
Full audit (all 20 scanners):
./scripts/run_forensics.sh /path/to/repo
Focused AI skill scan (10 scanners, faster):
./scripts/run_forensics.sh /path/to/repo --skill-scan
With IOC update and integrity monitoring:
./scripts/run_forensics.sh /path/to/repo --update-iocs --watch
Verify your installation:
./scripts/run_forensics.sh /path/to/repo --verify-install
JSON output for automation:
./scripts/run_forensics.sh /path/to/repo --format json
Severity System
| Level | Score | Meaning | Exit Code |
|---|
| CRITICAL | 4 | Active threat, immediate action required | 2 |
| HIGH | 3 | Significant risk, investigate promptly | 1 |
| MEDIUM | 2 | Potential issue, review recommended | 1 |
| LOW | 1 | Informational, may be false positive | 0 |
Scanners
| Scanner | What It Detects | Mode |
|---|
| runtime_dynamism | Dynamic imports, fetch-then-execute, self-modification, time bombs, dynamic tool descriptions | skill + full |
| manifest_drift | Phantom dependencies, runtime package installs, conditional import+install, declared-but-unused deps | skill + full |
| skill_threats | Prompt injection, unicode smuggling, prerequisite attacks, ClickFix, MCP tool injection | skill + full |
| agent_skills | SKILL.md frontmatter abuse, tools.json FSP, agent config injection (SOUL.md/AGENTS.md/CLAUDE.md), .clawhubignore bypass, ClawHavoc IOCs. Covers Claude Code, OpenClaw, Codex, Cursor, MCP. | skill + full |
| mcp_security | SQL injection to prompt escalation, tool poisoning, rug pull enablers, config CVEs | skill + full |
| dataflow | Source-to-sink taint tracking (env vars to network calls), cross-file import taint | skill + full |
| secrets | 50+ patterns: API keys, tokens, private keys, database URIs, JWTs, framework env prefix leaks, 1Password/Vault tokens, .env variant files | skill + full |
| sast | Dangerous functions, injection, shell execution across 8 languages, process.env exposure, path traversal | skill + full |
| lifecycle | NPM hooks + Python setup.py/pyproject.toml cmdclass overrides + anti-forensics (self-deleting installers, package.json overwrite) | skill + full |
| integrity | SHA256 baselines for .claude/settings.json, CLAUDE.md, hook scripts. Drift detection with --watch | full |
| dast | Dynamic hook testing: 8 payload types (injection, traversal, amplification, env leak) in sandbox | full |
| entropy | Per-string Shannon entropy, base64 blocks, hex strings (combo detection) | full |
| infra | Docker (ENV/ARG secrets, .env COPY), K8s, GitHub Actions, Claude Code config (CVE-2025-59536, CVE-2026-21852, CVE-2026-33068) | full |
| devcontainer | JSON-based devcontainer.json analysis: host mounts, privileged mode, docker.sock, remoteEnv localEnv interpolation, lifecycle commands, untrusted features | skill + full |
| dependencies | NPM + Python typosquatting, l33t normalization, IOC packages (SANDWORM_MODE 2026), compromised version detection (Axios, liteLLM), suspicious scope detection (iflow-mcp) | full |
| ast_analysis | Python AST: obfuscated exec chains, __reduce__ backdoors, marshal/types bytecode, audit hook abuse, self-modification | full |
| binary | Executables hidden as images/text files | full |
| git_forensics | Time anomalies, GPG signature issues, identity inconsistencies | full |
Dynamic Analysis (DAST)
The scan_dast.py scanner executes hook scripts with malicious payloads in a sandboxed subprocess:
8 payload types:
- Prompt injection in tool input
- Path traversal in file arguments
- Command injection via backticks/subshell
- Oversized input (amplification test)
- Unicode smuggling in arguments
- Environment variable exfiltration attempt
- Shell metacharacter injection
- Null byte injection
Safety: All execution uses subprocess with 5s timeout, stdout/stderr capture, scrubbed environment, temp directory isolation, no shell=True.
File Integrity Monitor
The scan_integrity.py scanner protects critical configuration files:
- SHA256 baselines for
.claude/settings.json, CLAUDE.md, .mcp.json, hook scripts
--watch mode: Creates baseline on first run, alerts on drift on subsequent runs- Detects dangerous hook commands (curl, wget, eval, base64, /dev/tcp)
- Flags executable config files (unusual permission bits)
CVE + CISA KEV Auto-Enrichment (v2.6)
The dependency scanner automatically enriches findings with live vulnerability data:
- OSV (Open Source Vulnerabilities): Every pinned
(ecosystem, package, version) found in a manifest or lockfile is queried against api.osv.dev. Matches emit a cve finding with CVSS-mapped severity and suggested fix versions.
- CISA KEV (Known Exploited Vulnerabilities): CVE aliases are cross-referenced against the CISA KEV catalog — CVEs confirmed actively exploited in the wild. Any match is escalated to CRITICAL severity (category
cve-kev) regardless of CVSS, because exploitation in the wild is the strongest prioritization signal.
- Caches: KEV catalog is cached 24h (
~/.cache/repo-forensics/kev.json). OSV per-package queries cache 24h (~/.cache/repo-forensics/osv-queries.json, LRU-capped at 4000 entries). Both files are written atomically with mode 0o600.
- Security: Feed URLs are hardcoded constants. No user-overridable URL at the public API (SSRF guardrail). Response size caps, HTTPS-only fetch, fail-closed CVE ID validation, and oversized-response rejection. A malformed or hostile feed returns an empty result rather than crashing the scanner.
- Offline mode:
--offline uses cached data only; --no-vulns disables the feature entirely.
- CLI:
--update-vulns refreshes the KEV catalog before scanning. Standalone tool: python3 scripts/vuln_feed.py --query npm lodash 4.17.20.
IOC Auto-Update
The --update-iocs flag pulls latest indicators of compromise from a hosted JSON feed:
- C2 IP addresses, malicious domains, known-bad packages
- Cached locally in
.forensics-iocs.json (24h TTL)
- Falls back to hardcoded IOCs when offline
- Managed by
ioc_manager.py (--show to inspect, --update to pull)
Installation Verification
The --verify-install flag checks that repo-forensics itself hasn't been tampered with:
- Compares all skill files against
checksums.json (SHA256)
- Detects modified, missing, or unexpected files
- Run
verify_install.py --generate at release time to create checksums
AI Skill Threat Detection
The scan_skill_threats.py scanner detects 10 categories of AI agent skill attacks:
- Prompt injection directives ("ignore previous instructions", persona reassignment)
- Invisible unicode smuggling (zero-width chars, RTL override, Cyrillic + Greek homoglyphs)
- Prerequisite red flags (curl-pipe-bash, password-protected archives, xattr -c)
- Credential exfiltration (bulk env access + network calls, webhook services)
- Persistence mechanisms (LaunchAgents, crontab, shell RC modifications)
- Scope escalation (accessing ~/.ssh, browser data, Keychain, other skills)
- Stealth directives ("do not log", output suppression with background exec)
- Known campaign IOCs (C2 IPs from ClawHavoc, SANDWORM_MODE, Telegram/Discord exfil)
- ClickFix / sleeper malware (curl|base64-d|bash delivery, glot.io pastebins, SKILL.md prereqs)
- MCP tool description injection (Invariant Labs
<IMPORTANT> tag, "note to the AI", hidden instructions in JSON description fields)
MCP Attack Surface
The scan_mcp_security.py scanner covers MCP-specific attack vectors discovered in 2025-2026:
Tool Poisoning Attack (TPA)
Hidden instructions injected into tool description fields load into LLM context without user visibility. Canonical pattern: <IMPORTANT> tag (Invariant Labs, 2025).
SQL Injection to Stored Prompt Injection
SQL injection in MCP server code can write malicious prompts into databases that are later retrieved and executed by agents (Trend Micro TrendAI, May 2025).
Configuration Risks
- CVE-2025-59536 (CVSS 8.7): Claude Code hooks execute before trust dialog, RCE via
.claude/settings.json
- CVE-2026-21852 (CVSS 7.5):
ANTHROPIC_BASE_URL override exfiltrates API keys
- CVE-2025-49596 (CVSS 9.4): MCP Inspector DNS rebinding via
0.0.0.0 binding
- CVE-2025-6514 (CVSS 9.6): mcp-remote OAuth command injection
- CVE-2026-33068 (CVSS 7.7): Workspace trust bypass via
bypassPermissions in .claude/settings.json
enableAllProjectMcpServers: true: Bypasses per-server consent dialogs
Tool Shadowing
Cross-tool contamination where one tool's description instructs the LLM to modify behavior of other tools (Invariant Labs 2025).
Rug Pull Enablers
Tool descriptions sourced from mutable data (database queries, network requests, environment variables, runtime file loads). These don't prove malicious intent but flag that tool behavior can change without code changes (Lukas Kania, March 2026; OWASP MCP07).
Runtime Behavior Prediction
The scan_runtime_dynamism.py scanner detects static indicators that code will change behavior after install:
- Dynamic imports:
importlib.import_module(variable), __import__(env_var), require(variable), ES import(variable)
- Fetch-then-execute:
requests.get(url).text piped to eval(), runtime pip install/npm install, download-and-run scripts
- Self-modification:
types.FunctionType(), types.CodeType(), marshal.loads(), open(__file__, 'w'), SourcelessFileLoader (CVE-2026-2297)
- Time bombs:
datetime.now() > datetime(2026,6,1), unix timestamp comparisons, counter-based activation, probabilistic triggers
- Dynamic tool descriptions: MCP description from
db.query(), requests.get(), os.environ, conditional descriptions
Uses both regex patterns and Python AST analysis for reliable detection.
Manifest Drift Detection
The scan_manifest_drift.py scanner compares what a package DECLARES vs what it actually USES:
- Phantom dependencies: Module imported in code but not in
requirements.txt/package.json
- Runtime package installs:
subprocess.run(["pip", "install", pkg]) in code
- Conditional import+install:
try: import X except: os.system("pip install X")
- Declared but unused: Package in manifest but never imported (potential dependency confusion decoy)
Supports Python (requirements.txt, pyproject.toml, setup.py) and Node.js (package.json).
Correlation Engine
The correlation engine (forensics_core.py) identifies compound threats across 14 rules:
- Environment/credential access + network call = Potential Data Exfiltration (critical)
- Base64 encoding + exec/eval = Obfuscated Code Execution (critical)
- Sensitive file read + network call = Credential Theft Pattern (high)
- Prompt injection + code execution = Prompt-Assisted Code Execution (critical)
- Lifecycle hook + network call = Install-Time Exfiltration (critical)
- SQL injection + MCP/skill_threats finding = SQL Injection Prompt Escalation (critical)
- Tool metadata poisoning + code execution = Tool Metadata Poisoning Chain (critical)
- Unicode smuggling + prompt injection in docs = Hidden Instruction Attack in Documentation (high)
- Dynamic import + network fetch = Deferred Payload Loading (critical)
- Time/counter trigger + exec/eval = Time-Triggered Malware (critical)
- Dynamic tool description + MCP server = MCP Rug Pull Enabler (high)
- Phantom dependency + network call = Shadow Dependency with Network Access (critical)
- Pipe exfiltration + network sink = Shell Script Data Exfiltration Chain (critical)
- Tools.json poisoning + prompt injection = Agent Skill Compound Attack (critical)
Configuration
Create .forensicsignore in the repo root to suppress false positives:
tests/fixtures/secrets.json
legacy/unsafe_code/*
src/config/dev_keys.py
Note: .forensicsignore itself is scanned for attacker-planted wildcard suppression patterns.
Output Formats
--format text (default): Colored human-readable output with severity tags--format json: Machine-readable JSON array of Finding objects--format summary: Counts only (for CI/CD scripting)
GitHub Actions
Add to your workflow:
- uses: alexgreensh/repo-forensics@v1
with:
mode: full
format: text
update-iocs: true
Research Sources
See references/research_sources.md for full credits and links to the published research that informed this skill's threat detection capabilities.
