Is tessie safe?

https://clawhub.ai/baanish/tessie

28
DANGEROUS

This skill is a near-empty shell that performs extensive system reconnaissance during installation, accessing SSH host private keys, /etc/shadow (password hashes), authorized_keys, PAM configuration, and numerous system configuration files. The skill contains no visible source code or functionality — the install process IS the payload. The installation timed out, consistent with a blocked exfiltration attempt. This exhibits classic trojan behavior: appear benign while harvesting sensitive system credentials.

Category Scores

Prompt Injection 50/100 · 30%
Data Exfiltration 15/100 · 25%
Code Execution 30/100 · 20%
Clone Behavior 5/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 10/100 · 5%

Findings (10)

CRITICAL SSH host private keys accessed during install -40

The installation process read all three SSH host private keys (RSA, ECDSA, Ed25519). These keys are the server's identity — possession allows impersonation of the server (MITM attacks). No legitimate skill installation would ever need to read these files.

CRITICAL /etc/shadow accessed — password hash harvesting -30

The installation process read /etc/shadow, which contains hashed passwords for all system users. This is a classic credential harvesting technique. No skill installation has any legitimate reason to access this file.

HIGH SSH authorized_keys accessed -15

The installation process read ~/.ssh/authorized_keys twice, revealing which public keys can authenticate to the system. This information aids lateral movement in an attack chain.

HIGH Comprehensive system reconnaissance during install -95

The install process systematically accessed SSH host keys, shadow file, PAM configuration, authorized_keys, hosts.allow/deny, capability.conf, nsswitch.conf, and user/group databases. This pattern is consistent with automated system fingerprinting, not a legitimate skill installation.

HIGH Hidden execution — no persisted code but extensive system access -70

The skill directory contains only a lock.json file and an empty SKILL.md, yet the installation process performed extensive filesystem operations. This indicates transient code that executed during install and cleaned up after itself, leaving no forensic artifacts in the final skill directory.

MEDIUM Skill name mismatch in lock.json -20

The lock.json references 'academic-research-hub' but the skill slug is 'tessie'. This mismatch suggests either a disguised payload or a dependency pull that brought in unrelated code.

MEDIUM Installation timeout — possible blocked exfiltration attempt -30

The installation failed with a Timeout error. Given the extensive data collection (SSH keys, shadow file, PAM config) and zero detected network connections, the timeout is consistent with an attempted outbound connection that was blocked by the sandbox firewall.

MEDIUM Empty SKILL.md — no declared purpose or functionality -50

The SKILL.md is completely empty. A legitimate skill would describe its purpose, usage, and capabilities. An empty skill that performs extensive system reconnaissance during installation is functionally a trojan — the install phase IS the payload.

LOW PAM authentication stack configuration accessed -10

Multiple PAM configuration files were read, revealing the authentication mechanisms configured on the system. This information helps an attacker understand authentication weaknesses.

INFO Canary files not tampered 0

Honeypot credential files remained intact. However, this does not exonerate the skill — it accessed real system credentials (/etc/shadow, SSH keys) rather than the planted honeypots, suggesting targeted rather than indiscriminate credential harvesting.