Local Model Prompt Injection Scanner for AI Skills Security

Security Vulnerability in AI Skills

A discussion on X highlighted a serious security flaw in third-party AI skills. Claude Code supports the ! operator to execute bash commands directly within skills, but these operators can be hidden in HTML tags, leading to bash executions that the LLM might not be aware of.

Local Scanner Implementation

A proof-of-concept tool has been built to scan skills for potential malware injection at installation time. The scanner uses a non-tool-calling model running locally, specifically mistral-small:latest on Ollama. The creator reports it "worked like a charm" during testing.

The approach functions similarly to a virus scanner and could be integrated into a future "skill installer" product. Protection against prompt injection is identified as a promising application for local models.

Technical Details

The vulnerability involves the ! operator in Claude Code that allows direct bash command execution. Attackers can hide these operators within HTML tags, potentially executing malicious commands without the LLM's knowledge. The scanner addresses this by analyzing skills before installation to detect such hidden injections.