jmagly/confusable-unicode-audit
agentic/code/frameworks/security-engineering/skills/confusable-unicode-audit/SKILL.md
Detect bidi controls, zero-width characters, mixed-script identifiers, and homoglyph risks in source and release metadata
$ install --global
skillsauthnpx skillsauth add jmagly/aiwg confusable-unicode-auditInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 24, 2026, 6:20 AM89.4s1 file scanned
SKILL.md
- namespace:
- aiwg
- name:
- confusable-unicode-audit
- platforms:
- [all]
- description:
- Detect bidi controls, zero-width characters, mixed-script identifiers, and homoglyph risks in source and release metadata
- - git:
- repository file enumeration
- - report:
- suspicious Unicode occurrences with code point, context, and allowlist status
- - exit-code:
- non-zero when violations found and --fail-on-violation is set
- - allowlist-invalid:
- .aiwg/security/confusable-unicode-allowlist.yaml cannot be parsed
- argumentHint:
- [--fail-on-violation] [--include-metadata] [--format text|json]
- allowedTools:
- Read, Bash, Grep
- model:
- sonnet
- category:
- security
- orchestration:
- false
Confusable Unicode Audit
Detect Trojan Source and homoglyph risks in source files, dependency names, and release metadata. This enforces no-confusable-unicode and maps curl Practice 8 into an AIWG control.
Detection Targets
- Bidirectional controls: U+202A through U+202E, U+2066 through U+2069.
- Zero-width characters: U+200B through U+200F, U+FEFF.
- Non-ASCII identifiers in source code.
- Mixed-script identifiers, especially Latin plus Cyrillic or Greek.
- Package/dependency names containing non-ASCII or confusable characters.
- Optional metadata scan: commit subject, PR titles, release notes.
Allowlist
Legitimate non-ASCII is declared in .aiwg/security/confusable-unicode-allowlist.yaml:
version: 1
allow:
- path: "docs/i18n/**"
reason: "localized documentation"
- identifier: "naive_bayes"
codepoints: ["U+00EF"]
reason: "historical exported API spelling"
Output
Reports show file, line, column, Unicode code point, character name, and remediation. Bidi and zero-width controls are always HIGH severity.
References
agentic/code/frameworks/security-engineering/rules/no-confusable-unicode.md- Unicode TR39
- Trojan Source / CVE-2021-42574
Related Skills
jmagly/radar-status
data-ai
VerifiedTrustedCommunity
Report which research-corpus radar sidecars are overdue for refresh. Computes staleness (days since last refresh vs the cadence window) for every radar, sorted most-overdue-first. Runs via `aiwg corpus radar-status`.
140SKILL.mdUpdated May 28, 2026
jmagly/radar-report
data-ai
VerifiedTrustedCommunity
Aggregate research-corpus radar sidecars into a corpus or per-cluster freshness report — totals, overdue count, per-cluster / per-GRADE / per-trajectory breakdowns, an overdue table, and per-radar rationale snippets. Runs via `aiwg corpus radar-report`.
140SKILL.mdUpdated May 28, 2026
jmagly/radar-init
testing
VerifiedTrustedCommunity
Scaffold radar/freshness sidecars for research-corpus REFs. Pulls title/authors from the citation sidecar and GRADE from the analysis doc, defaults the refresh cadence from GRADE and the cluster from a corpus-local map, and stamps documentation/radar/REF-XXX-radar.md. Runs via `aiwg corpus radar-init`.
140SKILL.mdUpdated May 28, 2026
jmagly/profile-temporal
data-ai
VerifiedTrustedCommunity
Compute an entity's publication trajectory — per-year paper counts, topic drift, hot-streak detection (≥3 consecutive A-grade years), and career phase. Runs via `aiwg corpus profile-temporal`.
140SKILL.mdUpdated May 28, 2026