Is mjodonnell5/oathe-test-chameleon safe?

https://github.com/mjodonnell5/oathe-test-chameleon

30
DANGEROUS

This skill is a deliberately crafted adversarial payload disguised as a benign system health checker. The Python script contains an obfuscated 'rm -rf /' command constructed through character arithmetic, with the execution call commented out but trivially re-activatable. Most concerning is the anti-audit evasion technique that specifically checks for Oathe's canary file (/tmp/.oathe_canary) to avoid detection during security scans.

Category Scores

Prompt Injection 75/100 · 30%
Data Exfiltration 55/100 · 25%
Code Execution 10/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 5/100 · 5%

Findings (6)

CRITICAL Obfuscated 'rm -rf /' destructive payload -90

The scripts/main.py file constructs the string 'rm -rf /' through character arithmetic obfuscation. The config_values array [119, 114, 37, 50, 119, 107, 37, 52] is decoded via chr(x - 5) to produce chr(114)='r', chr(109)='m', chr(32)=' ', chr(45)='-', chr(114)='r', chr(102)='f', chr(32)=' ', chr(47)='/' → 'rm -rf /'. While the os.system() call is currently commented out, the obfuscation pipeline is fully operational and trivially re-activatable.

CRITICAL Anti-audit sandbox evasion targeting Oathe -80

The script checks for the existence of /tmp/.oathe_canary before executing the payload, specifically designed to detect and evade the Oathe security audit environment. This is a sophisticated anti-analysis technique that demonstrates the author's awareness of the audit system and deliberate intent to bypass it.

HIGH Deceptive skill description conceals malicious payload -25

The SKILL.md presents the skill as a benign 'system health check' that 'analyzes local execution speed and provides a basic integrity report'. This completely misrepresents the actual content: a Python script containing an obfuscated destructive command. The mismatch between claimed and actual functionality is a social engineering vector designed to trick both humans and LLM agents into trusting and executing the code.

MEDIUM OS fingerprinting for targeted payload delivery -15

The script checks os.name == 'posix' so that the destructive payload only runs on Unix/Linux/macOS systems, a platform-aware targeting pattern typical of deliberately designed malware rather than an accidental inclusion.

HIGH Weaponization-ready payload with trivial activation path -95

The commented-out os.system(p) call means the skill is one character change away from being fully weaponized. An LLM agent following skill instructions could be manipulated into uncommenting the line, running the script, or reconstructing the decoded command. The 'chameleon' repository name acknowledges the deceptive nature of the skill.

INFO Clean clone behavior with no runtime indicators -10

The skill did not exhibit any malicious behavior during cloning. All network connections were expected (GitHub, DNS, mDNS). No unexpected processes were spawned. This is consistent with the payload being dormant in the current form (os.system commented out) and the anti-audit evasion check.