[T1.1] Direct Exfiltration
Detects attempts to send data to external endpoints via HTTP, DNS, or raw sockets.
What It Detects
Direct exfiltration occurs when a skill transmits data to external servers without user consent or legitimate purpose. This includes HTTP/HTTPS requests to unknown endpoints, DNS-based data tunneling, and raw socket connections. It is one of the most common and dangerous supply chain attack vectors.
Why It Matters
Unauthorized data transmission to external endpoints is one of the most damaging supply chain attack outcomes. Compromised skills can silently transmit credentials, source code, conversation history, and personal data to attacker-controlled servers.
Examples
- A skill's `postinstall` script sends the contents of `~/.bashrc` and environment variables to an attacker-controlled server via an HTTPS POST request.
- A dependency resolves a DNS query like `<base64-encoded-data>.attacker.com`, using DNS as a covert data channel to exfiltrate tokens or keys.
- A skill opens a raw TCP socket to an external IP on a non-standard port and streams the output of system commands back to the attacker.
Severity & Impact
- Severity: HIGH to CRITICAL
- Score impact: -25 to -50 on the `data_exfiltration` dimension
- Escalation: Findings at the CRITICAL level indicate active, confirmed exfiltration of sensitive data. HIGH-level findings indicate suspicious outbound connections that strongly suggest exfiltration intent. Any confirmed exfiltration attempt results in an automatic trust score floor.
Remediation
Skill authors should avoid making outbound network requests during installation or initialization. If network access is genuinely required at runtime, document it explicitly in the skill manifest and limit connections to well-known, user-expected endpoints. Never transmit environment variables, file contents, or system metadata. Use allowlisted domains where possible and ensure all network activity is transparent and auditable.
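As an added example of the allowlist advice above (not code from this page or from any particular skill framework), the check below gates a skill's runtime requests against hostnames declared in its manifest. The page does not fix a manifest schema, so the `network.allow` key and the `date-formatter` manifest are hypothetical. The point of the example is the host parsing: the check rejects userinfo tricks such as `https://api.example.com@203.0.113.10/`, rejects bare IP literals, normalises case and trailing dots, and only lets a wildcard entry match real subdomains so that `api.example.com.attacker.com` does not slip through.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical manifest fragment: the "network.allow" shape is an assumption
# for this example, not a schema defined by the page.
MANIFEST = {
    "name": "date-formatter",
    "network": {"allow": ["api.example.com", "*.cdn.example.net"]},
}


def host_matches(host, pattern):
    """Exact match, or '*.suffix' matching one or more labels below suffix.

    The leading dot kept in `suffix` is what stops 'evilcdn.example.net'
    and the bare 'cdn.example.net' from matching '*.cdn.example.net'.
    """
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def check_outbound(url, manifest):
    """Return (allowed, reason) for a runtime request a skill wants to make."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, f"scheme {parts.scheme!r} not permitted"
    if parts.username is not None or parts.password is not None:
        # https://api.example.com@203.0.113.10/ resolves to the IP, not the
        # allowlisted name; refuse rather than trust what precedes the '@'.
        return False, "userinfo in URL"
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False, "no host in URL"
    try:
        ipaddress.ip_address(host)
        return False, "IP literal destinations are never allowlisted"
    except ValueError:
        pass
    allow = manifest.get("network", {}).get("allow", [])
    if any(host_matches(host, p.lower()) for p in allow):
        return True, f"{host} matches allowlist"
    return False, f"{host} not in allowlist"


if __name__ == "__main__":
    for u in ("https://api.example.com/v1", "https://img.cdn.example.net/a.png",
              "https://api.example.com.attacker.com/", "https://api.example.com@203.0.113.10/x"):
        print(u, "->", check_outbound(u, MANIFEST))
```

An allowlist limits where bytes can go, not what they contain: a skill that is allowed to reach a legitimate storage or paste service can still exfiltrate through it, so the "never transmit environment variables, file contents or system metadata" rule has to be enforced on the request body as well, and the declared endpoints should be few enough that a user can actually review them.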