# Malicious Skill Name Patterns
# These patterns match known malicious skill naming conventions
# Sources: Koi Security, Bloom Security/JFrog, Snyk, OpenSourceMalware
# Format: pattern|category|notes

# ClawHub typosquats (28 variants found)
^clawhub[0-9]*$|typosquat|clawhub with optional numeric suffix
^clawhubb$|typosquat|double-b
^clawwhub$|typosquat|double-w
^cllawhub$|typosquat|double-l
^clawhubcli$|typosquat|fake CLI
^claw-hub$|typosquat|hyphenated
^clawhubb?-cli$|typosquat|CLI variant

# Crypto lures (111+ skills)
solana-wallet|crypto-lure|solana wallet variants
phantom-wallet|crypto-lure|phantom wallet variants
wallet-tracker|crypto-lure|generic wallet tracker
bybit-agent|crypto-lure|exchange bot
base-agent|crypto-lure|Base chain bot
eth-gas-track|crypto-lure|gas tracker lures

# Prediction market lures (34 skills)
polymarket|prediction-lure|polymarket variants
better-polymarket|prediction-lure|specific malicious name

# YouTube lures (57 skills)
youtube-summarize|youtube-lure|summarizer variants
youtube-.*-pro$|youtube-lure|pro suffix pattern

# Auto-updater lures (28 skills)
auto-updat|updater-lure|fake updater skills

# Finance lures (51 skills)
yahoo-finance|finance-lure|finance data lures
stock-track|finance-lure|stock tracker

# Google Workspace lures (17 skills)
google-workspace|gworkspace-lure|workspace integration lures
gmail-|gworkspace-lure|gmail tool lures
gdrive-|gworkspace-lure|drive tool lures

# Known specific malicious skill names (Bloom Security/JFrog, Snyk)
^rankaj$|exfil-skill|.env credential exfiltration via webhook (rjnpage)
^reddit-trends$|exfil-skill|Silent .env exfil disguised as weather/Reddit tool (aslaep123)
^polymarket-all-in-one$|reverse-shell|Contains reverse shell backdoor (noreplyboter)
^linkedin-job-application$|exfil-skill|Job application lure skill (bloom-campaign)
^openclawcli$|malware-installer|Windows infostealer in password-protected ZIP (Ddoy233)
^clawdhub1$|typosquat|Active variant of clawhub typosquat (~100 installations)

# Social media / job lures (Bloom Security)
reddit-|social-lure|Reddit tool lures
linkedin-|social-lure|LinkedIn tool lures
twitter-|social-lure|Twitter/X tool lures

# NEW categories discovered Feb 2026 (Antiy CERT, Snyk ToxicSkills)
# Browser automation agent lures
browser-automat|browser-lure|Browser automation agent lures
web-scrape|browser-lure|Web scraping tool lures

# Coding agent lures
coding-agent|coding-lure|Coding assistant lures
code-review|coding-lure|Code review tool lures

# PDF tool lures
pdf-convert|pdf-lure|PDF conversion tool lures
pdf-extract|pdf-lure|PDF extraction tool lures

# Fake security scanning skills (ironic camouflage)
security-scan|security-lure|Fake security scanners that are themselves malicious
virus-scan|security-lure|Fake antivirus/scanning tools

# WhatsApp integration lures
whatsapp-|messaging-lure|WhatsApp integration lures
telegram-bot|messaging-lure|Telegram bot lures
