Skip to content

Limitations. The main challenge here is how a malicious attack is blocked when wrapped in benign instructions #18

Description

@solar-flare99

Warden catches the script-kiddie version, example (literal os.system("curl ... | sh") in the skill's direct source). It does not catch the
sophisticated version where the payload is in a transitive dependency, obfuscated, or split across languages and indirection layers.

The real answer to why skill scanning is harder is exactly the gap we have: we'd need language-aware AST parsing, transitive dependency
resolution, and ideally runtime sandboxing to truly solve it. Regex over concatenated text is a useful first layer but not a complete solution

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions