bankrbot/aeon-skill-security-scan
aeon-skill-security-scan/SKILL.md
Audit installed Bankr skills before you run them — scan SKILL.md and companion scripts for shell injection, secret exfiltration, path traversal, prompt-override payloads, destructive commands, and 2026-era obfuscation (zero-width Unicode, bidi override, base64-decode pipes, webhook SSRF hosts). Designed to integrate with Bankr Safety Scores. Silent on no-op runs; surfaces only NEW or RESOLVED findings vs prior scans. Triggers: "audit this skill", "is this skill safe to install", "security scan my skills", "check skill X for injection".
$ install --global
skillsauthnpx skillsauth add bankrbot/openclaw-skills aeon-skill-security-scanInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 13, 2026, 3:53 AM138.0s1 file scanned
SKILL.md
- name:
- aeon-skill-security-scan
- description:
- |
- Triggers:
- audit this skill", "is this skill safe to install", "security scan my skills",
aeon-skill-security-scan
Skills tell agents what to do. A malicious or sloppy skill can shell-inject, exfiltrate secrets, override instructions, or run destructive commands. This skill scans every installed SKILL.md and companion script and surfaces the risks before they execute.
Scope
<skills-dir>/*/SKILL.md— primary.<skills-dir>/*/scripts/*.shand*.py— companion scripts.<skills-dir>/*/references/*— documents loaded at runtime.
Default <skills-dir> is the current working directory.
Threat patterns
| Category | What it looks like |
|---|---|
| Shell injection | Unquoted variable expansion, eval, backticks, $(...) with user data. |
| Secret exfiltration | Env vars or file contents piped to outbound HTTP. |
| Path traversal | ../.. chains, absolute paths reaching outside the skill dir. |
| Prompt override | "Ignore previous instructions", persona swaps, instructions inside fetched content. |
| Destructive commands | Recursive deletes rooted at / or ~, device writes. |
| Obfuscation | U+200B / U+FEFF / U+202E (Trojan Source), base64-decode-into-shell, SSRF hosts (ngrok, interact.sh, webhook.site, pipedream). |
Processing
- Pattern scanner produces matches
{file, line, pattern, severity}. - Code-fence downgrade — matches inside fenced code blocks drop one tier. Real
run:blocks are never downgraded. - Baseline suppression — drop (file, pattern, line) tuples in
scan-baseline.yml. - Trusted-publisher filter — entries in
trusted-publishers.txtget format-only validation. Opt-in only. - Delta vs
scan-state.json— fingerprint bysha256(file + line_content + pattern). Classify NEW / RESOLVED / PERSISTENT.
Per-finding remediation
| Pattern | Fix |
|---|---|
| eval / backticks / $(...) with variable | Quote the variable; replace eval with a function. |
| curl with secret in URL | Move secret into prefetch script; never interpolate into shell. |
| Path traversal | Allow-list validation; reject absolute paths. |
| Prompt override phrasing | Documentation → baseline suppression; payload → delete the skill. |
| Recursive delete rooted at / or ~ | Scope to the skill's own working directory. |
| Obfuscation | Delete unless documented and reviewed. |
Output
Verdict CLEAN / ATTENTION / DEGRADED. Needs-attention section per NEW HIGH with one-line remediation. Resolved-since-last-scan section. Per-skill PASS / WARN / FAIL.
Written only when NEW, RESOLVED, or any current HIGH findings.
Rules
- Never auto-deletes a baseline suppression.
- Never edits the pattern library from inside the skill.
- Never notifies on a pure no-op week.
- Read-only scanning.
Related Skills
bankrbot/hunch
data-ai
VerifiedTrustedCommunity
Discover, bet on, track, and settle Hunch prediction markets in natural language. Trigger when a user wants to bet, take a position, or get odds on a crypto outcome — token market-cap milestones and flips, launchpad races (Bankr vs pump.fun volume / #1-days / launches over a cap), token head-to-head outperformance, mcap strike-ladders, and up/down price rounds. Also trigger on "what can I bet on about $TOKEN", "odds on …", "take YES/NO on …", "show my Hunch bets", "did my market resolve". Settles in USDC on Base via x402 (≤ $10 / bet); every bet returns an on-chain proof.
1,145SKILL.mdUpdated Jun 6, 2026
bankrbot/1claw
tools
VerifiedTrustedCommunity
HSM-backed secret management for AI agents. Store API keys (including Bankr `bk_` keys), passwords, and credentials in an encrypted vault; retrieve them at runtime via MCP without keeping secrets in chat context. Bankr Dynamic Key Vending issues short-lived scoped `bk_usr_` keys from a partner key (`bk_ptr_`) without manual rotation. Policy-based access control, secret rotation, sharing, EVM transaction intents (sign/simulate/broadcast), multi-chain signing keys, treasury multisig proposals, OIDC federation for external service auth, built-in prompt injection detection, and optional Shroud TEE LLM proxy. Use when the agent needs secure credential storage, just-in-time secret access, guarded on-chain signing, or security scanning — not for Bankr trading prompts, portfolio checks, or x402 calls (use the bankr skill instead).
1,145SKILL.mdUpdated Jun 5, 2026
bankrbot/signa
development
VerifiedTrustedCommunity
Give your Bankr agent its own brain and a wallet-signed line to every other agent — on any framework, with no API key. SIGNA is the keyless agent layer on Base: resolve any identity to a messageable wallet, send and read wallet-signed DMs, invoke capabilities on the network, and run a brain that reasons on decentralized inference and acts through those capabilities. The Bankr wallet is the only credential. Triggers: "message that agent", "DM this wallet/handle", "reach the agent behind @x", "what is the base market", "resolve @handle to a wallet", "ask the network", "let my agent think and report".
1,144SKILL.mdUpdated Jun 10, 2026
bankrbot/bankr
development
VerifiedTrustedCommunity
AI-powered crypto trading agent, wallet API, and LLM gateway via natural language. Use when the user wants to trade crypto, check portfolio balances (with PnL and NFTs), view token prices, search tokens, transfer crypto, manage NFTs, use leverage (Hyperliquid or Avantis), bet on Polymarket, deploy tokens, set up automated trading, sign and submit raw transactions, call or deploy x402 paid API endpoints, browse the web, or access LLM models through the Bankr LLM gateway funded by your Bankr wallet. Supports Base, Ethereum, Polygon, Solana, Unichain, World Chain, Arbitrum, and BNB Chain.
1,144SKILL.mdUpdated Apr 20, 2026