Your exploit code is being auto-distributed as Claude Code skills — malware alerts on end-user machines

[TheSoulGiver]

Notification

Your repository's content (offensive-sqli/SKILL.md) has been automatically ingested by majiayu000/claude-skill-registry and redistributed as a Claude Code skill to end users.

Detection: Windows Defender flags it as Backdoor:PHP/Perhetshell.A!dha (Severity: Severe)

This is causing repeated malware quarantine alerts on machines that clone the registry.

See full audit: majiayu000/claude-skill-registry#27

[TheSoulGiver]

Full Malware Audit Report

This repository's content was detected as malware by Windows Defender on an end-user machine. This comment serves as a formal record of the full audit.

30 malicious files across 9 source repos were distributed via majiayu000/claude-skill-registry

Malware Signatures (all Severity: SEVERE):

Signature	Type
Backdoor:PHP/Perhetshell.A!dha	PHP backdoor
Backdoor:PHP/Perhetshell.B!dha	PHP backdoor
Backdoor:Perl/TurtlePerlsh.A!dha	Perl backdoor
Backdoor:PHP/Remoteshell.F	PHP remote shell
Trojan:PowerShell/ReverseShell.HNAA!MTB	PowerShell reverse shell
Trojan:PowerShell/Openclaw.GVB!MTB	PowerShell trojan
Trojan:AIAgent/ClawHavoc.GVD!MTB	AI agent trojan
Trojan:AIAgent/ClawHavoc.A!AMTB	AI agent trojan

Malicious source repos:

1. blacklanternsecurity/red-run — 7 skills (PHP backdoors)
2. trilwu/secskills — 5 skills (PHP backdoors)
3. macaugh/super-rouge-hunter-skills — 4 skills (PHP backdoors)
4. zebbern/SecOps-CLI-Guides — 4 skills (PowerShell reverse shells)
5. AgentSecOps/SecOpsAgentKit — 4 skills (PowerShell reverse shells)
6. openclaw/skills — 3 skills (trojans, repo now 404)
7. YPYT1/All-skills — 2 skills (trojans, repo now 404)
8. SnailSploit/Claude-Red — 1 skill (PHP backdoor)
9. aifinlab/FinClaw — 1 skill (AI agent trojan)

All files disguised as Markdown (SKILL.md) but contain real exploit code. This is a supply chain attack on the Claude Code skill ecosystem.

This has been reported to GitHub Trust & Safety. Full technical audit: majiayu000/claude-skill-registry#27

[SnailSploit]

Maintainer of SnailSploit/Claude-Red here.

This is a false positive. My repo should be removed from this list.

No executable code exists in this repo

Claude-Red contains 38 SKILL.md files (markdown) and one Python converter script. Zero PHP. Zero Perl. Zero PowerShell. Zero compiled binaries. You can verify this in seconds:

git clone https://github.com/SnailSploit/Claude-Red && find Claude-Red -type f | grep -vE '\.(md|py)$'

The only non-markdown, non-Python files are LICENSE and README.md.

What Defender actually matched

The Backdoor:PHP/Perhetshell.A!dha signature triggered on a literal payload string inside offensive-sqli/SKILL.md — a markdown file documenting SQL injection techniques:

' UNION SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell.php' --

This is a SQLi-to-webshell example. The same string appears in the OWASP Testing Guide, PayloadsAllTheThings, HackTricks, and every SQLi reference on the internet. Defender does content-based signature matching regardless of file extension — it will flag a .txt, .md, or .pdf containing PHP shell strings the same way it flags an actual .php file. That's a known limitation of signature-based detection and exactly why file type context matters.

Your report's core claim is wrong for this repo

You wrote: "All files disguised as Markdown (SKILL.md) but contain real exploit code."

That may be true for the other 8 repos on this list — the ClawHavoc/Openclaw campaign is well-documented (Snyk ToxicSkills, Repello, Mobb). But Claude-Red is not part of that campaign. My files are not "disguised as Markdown" — they are markdown. They document offensive methodology the same way Metasploit documents exploit modules or SecLists documents payload patterns. Documenting a technique is not the same as deploying it.

Context

Claude-Red is a published offensive security skill library (1.2k+ stars, MIT licensed). I'm an independent security researcher with 22+ published CVEs, a Linux kernel contributor, Hakin9 author, and creator of the AATMF framework. This is legitimate security tooling.

The actual supply chain issue

claude-skill-registry scraped and redistributed my repo's content without authorization or review. If you're auditing supply chain integrity, that's the vector — not the upstream source repos whose content was ingested without consent.

Please update the report to remove SnailSploit/Claude-Red from the malicious repo list.