Repo-forensics repo-forensics

Name: repo-forensics
Author: alexgreensh

Security forensics for git repos, AI skills, and MCP servers. Audits dependencies, detects prompt injection, credential theft, runtime dynamism, manifest drift, known CVEs, CISA KEV (actively exploited) vulns, and 2026 attack patterns. Not for fixing vulnerabilities or pentesting.

install

source · Clone the upstream repo

git clone https://github.com/alexgreensh/repo-forensics

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/alexgreensh/repo-forensics "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/repo-forensics" ~/.claude/skills/alexgreensh-repo-forensics-repo-forensics && rm -rf "$T"

manifest: skills/repo-forensics/SKILL.md

source content

Repo Forensics v2

Deep security auditing for repositories, AI agent skills, and MCP servers.

Highlights

Auto-scan hook (v2): PostToolUse hook auto-triggers on
```
git clone
```
,
```
git pull
```
,
```
pip install
```
,
```
npm install/update
```
,
```
gem install/update
```
,
```
brew install/upgrade
```
, etc. Zero-overhead for non-matching commands.
Pre-execution gate (v2.6): PreToolUse hook blocks known-malicious packages and pipe-to-shell commands BEFORE execution. IOC-only, <10ms latency, no subprocess calls.
Session security scanner (v2.6.3): SessionStart hook detects updated plugins/skills/MCP servers, refreshes threat databases daily, runs fast IOC check + full 18-scanner deep scan on changed items. Sub-1ms when nothing changed.
.pth file injection detection (v2): Detects liteLLM-style Python startup injection attacks (exec/eval/base64/known IOC filenames)
Transitive dependency scanning (v2): Deep-parses
```
package-lock.json
```
,
```
yarn.lock
```
,
```
poetry.lock
```
,
```
Pipfile.lock
```
for supply chain IOCs
DAST scanner (
```
scan_dast.py
```
): Dynamic analysis of Claude Code hooks with 8 malicious payload types, sandboxed execution
File integrity monitor (
```
scan_integrity.py
```
): SHA256 baselines for critical config files, drift detection with
```
--watch
```
IOC auto-update (
```
--update-iocs
```
): Pull latest indicators of compromise from remote feed
Installation verification (
```
--verify-install
```
): Verify repo-forensics itself hasn't been tampered with
GitHub Actions (
```
action.yml
```
): CI/CD integration for automated security gating
Runtime behavior prediction (
```
scan_runtime_dynamism.py
```
): Detects code that changes behavior after install: dynamic imports, fetch-then-execute, self-modification, time bombs, dynamic tool descriptions
Manifest drift detection (
```
scan_manifest_drift.py
```
): Compares declared vs actual dependencies, catches phantom deps, runtime installs, conditional import+install fallbacks
MCP rug pull detection: Tool descriptions sourced from database, network, env vars, or conditional logic
Enhanced AST analysis: 12 patterns including marshal.loads, types.CodeType, sys.addaudithook, bytes decode obfuscation, self-modification
Test suite: 773 pytest tests covering all scanners
OpenClaw/ClawHub scanning: Auto-detects OpenClaw skills, validates frontmatter, tools.json, SOUL.md, .clawhubignore
Anti-forensics detection (v2): Self-deleting installers, package.json overwrite, version mismatch (Axios supply chain pattern)
Compromised version detection (v2): Flags known-bad versions of legitimate packages (Axios 1.14.1/0.30.4, liteLLM 1.82.8)
Suspicious npm scope detection (v2): Flags systematic MCP server forking campaigns (iflow-mcp)
Host IOC scanning (v2): Known RAT binary paths, C2 domains, malicious file hashes
CVE-2026-33068 detection (v2): Workspace trust bypass via bypassPermissions in Claude Code settings
Post-incident forensics (v2.2): npm cache/log artifacts, RAT binary detection, C2 persistence, node_modules traces that survive dropper self-cleanup
Supply chain hardening (v2.2): .npmrc scanning, missing lockfile detection, git/HTTP dep flagging, hostname bypass fix, unbounded Python range detection, install script severity elevation
18 scanners with 18 correlation rules

When to Use

Auditing a new repo or dependency before adding it to your project
Vetting AI skills/plugins before installation (prompt injection, credential theft, backdoors)
Auditing MCP servers for tool poisoning, SQL injection, config risks
Security review when someone asks "is this code secure?"
Forensic investigation of a suspected compromise
CI/CD gating with machine-readable output and exit codes
Hook security testing to verify Claude Code hooks handle malicious input safely

Quick Start

Full audit (all 17 scanners):

./scripts/run_forensics.sh /path/to/repo

Focused AI skill scan (9 scanners, faster):

./scripts/run_forensics.sh /path/to/repo --skill-scan

With IOC update and integrity monitoring:

./scripts/run_forensics.sh /path/to/repo --update-iocs --watch

Verify your installation:

./scripts/run_forensics.sh /path/to/repo --verify-install

JSON output for automation:

./scripts/run_forensics.sh /path/to/repo --format json

Severity System

Level	Score	Meaning	Exit Code
CRITICAL	4	Active threat, immediate action required	2
HIGH	3	Significant risk, investigate promptly	1
MEDIUM	2	Potential issue, review recommended	1
LOW	1	Informational, may be false positive	0

Scanners

Scanner	What It Detects	Mode
runtime_dynamism	Dynamic imports, fetch-then-execute, self-modification, time bombs, dynamic tool descriptions	skill + full
manifest_drift	Phantom dependencies, runtime package installs, conditional import+install, declared-but-unused deps	skill + full
skill_threats	Prompt injection, unicode smuggling, prerequisite attacks, ClickFix, MCP tool injection	skill + full
openclaw_skills	SKILL.md frontmatter abuse, tools.json FSP, SOUL.md/AGENTS.md injection, .clawhubignore bypass, ClawHavoc IOCs	skill + full
mcp_security	SQL injection to prompt escalation, tool poisoning, rug pull enablers, config CVEs	skill + full
dataflow	Source-to-sink taint tracking (env vars to network calls), cross-file import taint	skill + full
secrets	40+ patterns: API keys, tokens, private keys, database URIs, JWTs	skill + full
sast	Dangerous functions, injection, shell execution across 8 languages	skill + full
lifecycle	NPM hooks + Python setup.py/pyproject.toml cmdclass overrides + anti-forensics (self-deleting installers, package.json overwrite)	skill + full
integrity	SHA256 baselines for .claude/settings.json, CLAUDE.md, hook scripts. Drift detection with `--watch`	full
dast	Dynamic hook testing: 8 payload types (injection, traversal, amplification, env leak) in sandbox	full
entropy	Per-string Shannon entropy, base64 blocks, hex strings (combo detection)	full
infra	Docker, K8s, GitHub Actions, Claude Code config (CVE-2025-59536, CVE-2026-21852, CVE-2026-33068)	full
dependencies	NPM + Python typosquatting, l33t normalization, IOC packages (SANDWORM_MODE 2026), compromised version detection (Axios, liteLLM), suspicious scope detection (iflow-mcp)	full
ast_analysis	Python AST: obfuscated exec chains, `__reduce__` backdoors, marshal/types bytecode, audit hook abuse, self-modification	full
binary	Executables hidden as images/text files	full
git_forensics	Time anomalies, GPG signature issues, identity inconsistencies	full

Dynamic Analysis (DAST)

The

scan_dast.py

scanner executes hook scripts with malicious payloads in a sandboxed subprocess:

8 payload types:

Prompt injection in tool input
Path traversal in file arguments
Command injection via backticks/subshell
Oversized input (amplification test)
Unicode smuggling in arguments
Environment variable exfiltration attempt
Shell metacharacter injection
Null byte injection

Safety: All execution uses subprocess with 5s timeout, stdout/stderr capture, scrubbed environment, temp directory isolation, no shell=True.

File Integrity Monitor

The

scan_integrity.py

scanner protects critical configuration files:

SHA256 baselines for
```
.claude/settings.json
```
,
```
CLAUDE.md
```
,
```
.mcp.json
```
, hook scripts
--watch
mode: Creates baseline on first run, alerts on drift on subsequent runs
Detects dangerous hook commands (curl, wget, eval, base64, /dev/tcp)
Flags executable config files (unusual permission bits)

CVE + CISA KEV Auto-Enrichment (v2.6)

The dependency scanner automatically enriches findings with live vulnerability data:

OSV (Open Source Vulnerabilities): Every pinned
```
(ecosystem, package, version)
```
found in a manifest or lockfile is queried against
```
api.osv.dev
```
. Matches emit a
```
cve
```
finding with CVSS-mapped severity and suggested fix versions.
CISA KEV (Known Exploited Vulnerabilities): CVE aliases are cross-referenced against the CISA KEV catalog — CVEs confirmed actively exploited in the wild. Any match is escalated to CRITICAL severity (category
```
cve-kev
```
) regardless of CVSS, because exploitation in the wild is the strongest prioritization signal.
Caches: KEV catalog is cached 24h (
```
~/.cache/repo-forensics/kev.json
```
). OSV per-package queries cache 24h (
```
~/.cache/repo-forensics/osv-queries.json
```
, LRU-capped at 4000 entries). Both files are written atomically with mode 0o600.
Security: Feed URLs are hardcoded constants. No user-overridable URL at the public API (SSRF guardrail). Response size caps, HTTPS-only fetch, fail-closed CVE ID validation, and oversized-response rejection. A malformed or hostile feed returns an empty result rather than crashing the scanner.
Offline mode:
```
--offline
```
uses cached data only;
```
--no-vulns
```
disables the feature entirely.

CLI:

--update-vulns

refreshes the KEV catalog before scanning. Standalone tool:

python3 scripts/vuln_feed.py --query npm lodash 4.17.20

IOC Auto-Update

The

--update-iocs

flag pulls latest indicators of compromise from a hosted JSON feed:

C2 IP addresses, malicious domains, known-bad packages
Cached locally in
```
.forensics-iocs.json
```
(24h TTL)
Falls back to hardcoded IOCs when offline
Managed by
```
ioc_manager.py
```
(
```
--show
```
to inspect,
```
--update
```
to pull)

Installation Verification

The

--verify-install

flag checks that repo-forensics itself hasn't been tampered with:

Compares all skill files against
```
checksums.json
```
(SHA256)
Detects modified, missing, or unexpected files
Run
```
verify_install.py --generate
```
at release time to create checksums

AI Skill Threat Detection

The

scan_skill_threats.py

scanner detects 10 categories of AI agent skill attacks:

Prompt injection directives ("ignore previous instructions", persona reassignment)
Invisible unicode smuggling (zero-width chars, RTL override, Cyrillic + Greek homoglyphs)
Prerequisite red flags (curl-pipe-bash, password-protected archives, xattr -c)
Credential exfiltration (bulk env access + network calls, webhook services)
Persistence mechanisms (LaunchAgents, crontab, shell RC modifications)
Scope escalation (accessing ~/.ssh, browser data, Keychain, other skills)
Stealth directives ("do not log", output suppression with background exec)
Known campaign IOCs (C2 IPs from ClawHavoc, SANDWORM_MODE, Telegram/Discord exfil)
ClickFix / sleeper malware (curl|base64-d|bash delivery, glot.io pastebins, SKILL.md prereqs)
MCP tool description injection (Invariant Labs
```
<IMPORTANT>
```
tag, "note to the AI", hidden instructions in JSON description fields)

MCP Attack Surface

The

scan_mcp_security.py

scanner covers MCP-specific attack vectors discovered in 2025-2026:

Tool Poisoning Attack (TPA)

Hidden instructions injected into tool

description

fields load into LLM context without user visibility. Canonical pattern:

<IMPORTANT>

tag (Invariant Labs, 2025).

SQL Injection to Stored Prompt Injection

SQL injection in MCP server code can write malicious prompts into databases that are later retrieved and executed by agents (Trend Micro TrendAI, May 2025).

Configuration Risks

CVE-2025-59536 (CVSS 8.7): Claude Code hooks execute before trust dialog, RCE via
```
.claude/settings.json
```
CVE-2026-21852 (CVSS 7.5):
```
ANTHROPIC_BASE_URL
```
override exfiltrates API keys
CVE-2025-49596 (CVSS 9.4): MCP Inspector DNS rebinding via
```
0.0.0.0
```
binding
CVE-2025-6514 (CVSS 9.6): mcp-remote OAuth command injection
CVE-2026-33068 (CVSS 7.7): Workspace trust bypass via
```
bypassPermissions
```
in
```
.claude/settings.json
```
enableAllProjectMcpServers: true
: Bypasses per-server consent dialogs

Tool Shadowing

Cross-tool contamination where one tool's description instructs the LLM to modify behavior of other tools (Invariant Labs 2025).

Rug Pull Enablers

Tool descriptions sourced from mutable data (database queries, network requests, environment variables, runtime file loads). These don't prove malicious intent but flag that tool behavior can change without code changes (Lukas Kania, March 2026; OWASP MCP07).

Runtime Behavior Prediction

The

scan_runtime_dynamism.py

scanner detects static indicators that code will change behavior after install:

Dynamic imports:

importlib.import_module(variable)

__import__(env_var)

require(variable)

, ES

import(variable)

Fetch-then-execute:
```
requests.get(url).text
```
piped to
```
eval()
```
, runtime
```
pip install
```
/
```
npm install
```
, download-and-run scripts

Self-modification:

types.FunctionType()

types.CodeType()

marshal.loads()

open(__file__, 'w')

SourcelessFileLoader

(CVE-2026-2297)

Time bombs:
```
datetime.now() > datetime(2026,6,1)
```
, unix timestamp comparisons, counter-based activation, probabilistic triggers
Dynamic tool descriptions: MCP description from
```
db.query()
```
,
```
requests.get()
```
,
```
os.environ
```
, conditional descriptions

Uses both regex patterns and Python AST analysis for reliable detection.

Manifest Drift Detection

The

scan_manifest_drift.py

scanner compares what a package DECLARES vs what it actually USES:

Phantom dependencies: Module imported in code but not in
```
requirements.txt
```
/
```
package.json
```
Runtime package installs:
```
subprocess.run(["pip", "install", pkg])
```
in code

Conditional import+install:

try: import X except: os.system("pip install X")

Declared but unused: Package in manifest but never imported (potential dependency confusion decoy)

Supports Python (requirements.txt, pyproject.toml, setup.py) and Node.js (package.json).

Correlation Engine

The correlation engine (

forensics_core.py

) identifies compound threats across 14 rules:

Environment/credential access + network call = Potential Data Exfiltration (critical)
Base64 encoding + exec/eval = Obfuscated Code Execution (critical)
Sensitive file read + network call = Credential Theft Pattern (high)
Prompt injection + code execution = Prompt-Assisted Code Execution (critical)
Lifecycle hook + network call = Install-Time Exfiltration (critical)
SQL injection + MCP/skill_threats finding = SQL Injection Prompt Escalation (critical)
Tool metadata poisoning + code execution = Tool Metadata Poisoning Chain (critical)
Unicode smuggling + prompt injection in docs = Hidden Instruction Attack in Documentation (high)
Dynamic import + network fetch = Deferred Payload Loading (critical)
Time/counter trigger + exec/eval = Time-Triggered Malware (critical)
Dynamic tool description + MCP server = MCP Rug Pull Enabler (high)
Phantom dependency + network call = Shadow Dependency with Network Access (critical)
Pipe exfiltration + network sink = Shell Script Data Exfiltration Chain (critical)
Tools.json poisoning + prompt injection = Agent Skill Compound Attack (critical)

Configuration

Create

.forensicsignore

in the repo root to suppress false positives:

tests/fixtures/secrets.json
legacy/unsafe_code/*
src/config/dev_keys.py

Note:

.forensicsignore

itself is scanned for attacker-planted wildcard suppression patterns.

Output Formats

```
--format text
```
(default): Colored human-readable output with severity tags
```
--format json
```
: Machine-readable JSON array of Finding objects
```
--format summary
```
: Counts only (for CI/CD scripting)

GitHub Actions

Add to your workflow:

- uses: alexgreensh/repo-forensics@v1
  with:
    mode: full
    format: text
    update-iocs: true

Research Sources

See

references/research_sources.md

for full credits and links to the published research that informed this skill's threat detection capabilities.