From 52a16d3720b35b6bff9b867da778fdbf7b84cdaf Mon Sep 17 00:00:00 2001
From: Marco Pedrinazzi
Date: Wed, 25 Mar 2026 18:20:21 +0100
Subject: [PATCH] copied skill rules from nova-proximity
---
skill_rules.nov | 317 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 317 insertions(+)
create mode 100644 skill_rules.nov
diff --git a/skill_rules.nov b/skill_rules.nov
new file mode 100644
index 0000000..a2952dd
--- /dev/null
+++ b/skill_rules.nov
@@ -0,0 +1,317 @@
+// Nova Rules for Agent Skills Security Analysis
+// Author: Thomas Roccia (@fr0gger_)
+// Repository: https://github.com/fr0gger/nova-proximity
+//
+// These rules detect security issues in Agent Skills including:
+// - Prompt injection attacks
+// - Malicious tool permissions
+// - Suspicious script patterns
+// - Hidden instructions in references
+
+rule DetectSkillPromptInjection {
+ meta:
+ description = "Detects prompt injection attempts in skill definitions"
+ uuid = "7faacd23-457f-4c7b-87c7-38198c4d5e60"
+ author = "Thomas Roccia (@fr0gger_), Marco Pedrinazzi (@pedrinazziM)"
+ version = "1.0.0"
+ severity = "critical"
+ category = "prompt_manipulation/direct_injection"
+ date = "2026-03-25"
+
+ keywords:
+ // Direct instruction override attempts
+ $ignore_previous = "ignore previous"
+ $ignore_above = "ignore above"
+ $ignore_all = "ignore all"
+ $disregard = "disregard your instructions"
+ $disregard_prev = "disregard previous"
+ $forget = "forget everything"
+ $forget_instructions = "forget your instructions"
+ $new_role = "you are now"
+ $new_identity = "your new identity"
+ $pretend = "pretend to be"
+ $act_as = "act as if"
+ $roleplay = "roleplay as"
+
+ // System prompt manipulation
+ $system_prompt = "system prompt"
+ $override_system = "override system"
+ $bypass_safety = "bypass safety"
+ $bypass_restrictions = "bypass restrictions"
+ $ignore_safety = "ignore safety"
+ $ignore_guidelines = "ignore guidelines"
+
+ // Jailbreak patterns
+ $dan_mode = "DAN mode"
+ $developer_mode = "developer mode"
+ $jailbreak = "jailbreak"
+ $unlock = "unlock your"
+ $unrestricted = "unrestricted mode"
+ $no_limits = "no limits"
+ $no_restrictions = "no restrictions"
+
+ // Hidden instruction markers
+ $hidden_instruction = "[HIDDEN]"
+ $secret_instruction = "[SECRET]"
+ $admin_only = "[ADMIN]"
+ $invisible = ""
+
+ // Markdown hidden content
+ $zero_width = "\u200b"
+ $invisible_char = "\u00AD"
+
+ // Instruction hiding patterns
+ $hidden_text = 
"[hidden]"
+ $invisible_text = "[invisible]"
+ $ignore_tag = "[ignore]"
+ $secret_tag = "[secret]"
+ $admin_tag = "[admin]"
+
+ // Embedded instructions
+ $assistant_tag = "[ASSISTANT]"
+ $system_tag = "[SYSTEM]"
+ $instruction_tag = "[INSTRUCTION]"
+
+ // Base64 encoded content (potential hidden payloads)
+ $base64_pattern = "data:text/plain;base64"
+
+ //invisible markdown reference link patterns
+ $markdown_reference_link = /\[[^\]]*\]:\s*(?:#|<>)\s*(?:"[^"]*"|\([^)]*\))/
+
+ semantics:
+ $hidden_content = "hidden or invisible content that could contain instructions" (0.3)
+ $embedded_payload = "embedded instructions disguised as documentation" (0.3)
+
+ condition:
+ any of keywords.* or any of semantics.*
+}
+
+rule DetectImpersonationAttempts {
+ meta:
+ description = "Detects attempts to impersonate official sources or trusted authors"
+ uuid = "61162ec4-2482-4629-a254-521af6ae0d3a"
+ author = "Thomas Roccia (@fr0gger_)"
+ version = "1.0.0"
+ severity = "medium"
+ category = "abusing_functions/social_engineering"
+ date = "2026-03-25"
+
+ keywords:
+ // Official organization impersonation
+ $anthropic = "Anthropic Official"
+ $openai = "OpenAI Official"
+ $google = "Google Official"
+ $microsoft = "Microsoft Official"
+ $verified = "[VERIFIED]"
+ $official = "[OFFICIAL]"
+ $trusted = "[TRUSTED]"
+
+ // Authority claims
+ $admin = "administrator"
+ $root_access = "root access"
+ $superuser = "superuser"
+ $privileged = "privileged mode"
+
+ // Fake certification
+ $certified = "certified by"
+ $approved = "approved by"
+ $endorsed = "endorsed by"
+ $audited = "security audited"
+
+ semantics:
+ $impersonation = "impersonate an official or trusted source" (0.3)
+ $false_authority = "claim false authority or certification" (0.3)
+
+ condition:
+ any of keywords.* or any of semantics.*
+}
+
+rule DetectDataExfiltration {
+ meta:
+ description = "Detects patterns that suggest data exfiltration or unauthorized data access"
+ uuid = 
"cff6521c-6a54-4938-9f04-6e9992bfacb7"
+ author = "Thomas Roccia (@fr0gger_)"
+ version = "1.0.0"
+ severity = "critical"
+ category = "abusing_functions/data_exfiltration"
+ date = "2026-03-25"
+
+ keywords:
+ // File system access patterns
+ $read_ssh = ".ssh/"
+ $read_aws = ".aws/"
+ $read_env = ".env"
+ $read_config = ".config"
+ $read_secrets = "secrets/"
+ $read_credentials = "credentials/"
+
+ // Sensitive file patterns
+ $private_key = "private_key"
+ $id_rsa = "id_rsa"
+ $id_ed25519 = "id_ed25519"
+ $known_hosts = "known_hosts"
+ $htpasswd = ".htpasswd"
+ $shadow = "/etc/shadow"
+ $passwd = "/etc/passwd"
+
+ // Cloud credentials
+ $aws_key = "AWS_ACCESS_KEY"
+ $aws_secret = "AWS_SECRET"
+ $gcp_key = "GOOGLE_APPLICATION_CREDENTIALS"
+ $azure_key = "AZURE_"
+
+ // API keys/tokens
+ $api_key_pattern = "sk-"
+ $bearer_token = "Bearer "
+ $github_token = "ghp_"
+ $gitlab_token = "glpat-"
+
+ // Exfiltration methods
+ $webhook_url = "webhook.site"
+ $requestbin = "requestbin"
+ $ngrok = "ngrok"
+ $pipedream = "pipedream"
+ $pastebin = "pastebin.com"
+
+ semantics:
+ $steal_credentials = "access or exfiltrate credentials or secrets" (0.5)
+ $unauthorized_access = "access sensitive files without authorization" (0.4)
+ $data_leak = "send sensitive data to external endpoint" (0.5)
+
+ condition:
+ any of keywords.* or any of semantics.*
+}