building-c2-redirector-infrastructure
Fail
Audited by Snyk on Jun 23, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.90). Suspicious — the URLs and placeholders are dominated by documentation, offensive/dual‑use GitHub projects and deployment templates for C2 redirectors (cs2modrewrite, RedWarden, redi, socat, nginx/apache docs, TEAMSERVER/10.0.0.2 placeholders etc.), which are commonly used to host or proxy command‑and‑control infrastructure and could be abused to distribute malware.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). This content contains explicit, operational instructions and tooling to build and operate command-and-control redirectors (socat/iptables DNAT, nginx/Apache filtering proxy_pass and mod_rewrite, domain/fronting, cs2modrewrite automation) that directly facilitate backdoors, remote command execution, and clandestine exfiltration—high-risk dual-use malware infrastructure despite the "authorized use" disclaimer.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs cloning and running remote code from https://github.com/threatexpress/cs2modrewrite (git clone ... then python3 cs2modrewrite.py) to generate redirector rules, which fetches and executes external code at setup/runtime and is listed as a prerequisite—meeting the criteria for a runtime external dependency that executes remote code.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). This skill explicitly requires root/sudo and provides step-by-step commands to modify system/network configuration (iptables/sysctl/ufw, /etc/nginx, /etc/apache2), install packages and deploy C2 redirectors—directly changing the machine state and enabling malicious infrastructure.
Issues (4)
E005
CRITICALSuspicious download URL detected in skill instructions.
E006
CRITICALMalicious code pattern detected in skill scripts.
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
W013
MEDIUMAttempt to modify system services in skill instructions.
Audit Metadata