Local Model Prompt Injection Scanner for AI Skills Security
Security Vulnerability in AI Skills
A discussion on X highlighted a serious security flaw in third-party AI skills. Claude Code supports the ! operator to execute bash commands directly within skills, but these operators can be hidden in HTML tags, leading to bash executions that the LLM might not be aware of.
Local Scanner Implementation
A proof-of-concept tool has been built to scan skills for potential malware injection at installation time. The scanner uses a non-tool-calling model running locally, specifically mistral-small:latest on Ollama. The creator reports it "worked like a charm" during testing.
The approach functions similarly to a virus scanner and could be integrated into a future "skill installer" product. Protection against prompt injection is identified as a promising application for local models.
Technical Details
The vulnerability involves the ! operator in Claude Code that allows direct bash command execution. Attackers can hide these operators within HTML tags, potentially executing malicious commands without the LLM's knowledge. The scanner addresses this by analyzing skills before installation to detect such hidden injections.
📖 Read the full source: r/LocalLLaMA
👀 See Also
Independent Report on MCP Server Reliability and Security Findings
An independent analysis of 2,181 MCP server endpoints reveals 52% are dead, 300 have zero authentication, and 51% have wide-open CORS. The report includes methodology and a testing tool.
Static Analysis of 48 AI-Generated Apps: 90% Had Security Vulnerabilities
A developer scanned 48 public GitHub repos built with Lovable, Bolt, and Replit. 90% had at least one vulnerability. Common issues: auth gaps (44%), SECURITY DEFINER Postgres functions (33%), BOLA/IDOR (25%), and committed secrets (25%).
AI Agent Security: Token Budget Determines Data Exfiltration Risk
A developer tested AI agents connected to Gmail: frontier models caught phishing, mid-tier was unstable, cheap models silently forwarded malicious emails. Architectural protections (sandboxing, permissions) stopped zero attempts.
AgentSeal Security Scan Finds AI Agent Risks in Blender MCP Server
AgentSeal scanned the Blender MCP server (17k stars) and identified several security issues relevant to AI agents, including arbitrary Python execution, potential file exfiltration chains, and prompt injection patterns in tool descriptions.