Build and configure a resilient command-and-control infrastructure using BishopFox's Sliver C2 framework with redirectors, HTTPS listeners, and multi-operator support for authorized red team engagements.
62
—
Does it follow best practices?
Impact
—
No eval scenarios have been run
Critical
Do not install without reviewing
Security
4 findings — 2 critical severity, 2 medium severity. Installing this skill is not recommended: please review these findings carefully if you do intend to do so.
Detected a suspicious URL in the skill instructions that could lead the agent to download and execute malicious scripts or binaries. This includes links to executables from untrusted sources, typosquatting of official packages, URL shorteners that obscure the destination, and personal file hosting services.
Suspicious download URL detected (high risk: 0.80). These links point to the well-known Sliver C2 project (BishopFox/sliver), its armory and install endpoint plus an example C2 domain and license pages — the sources themselves are official and not obviously malicious, but they are explicitly for generating and distributing implants/C2 payloads (the install script uses a curl|bash pattern and the content describes implant generation and C2 listeners), so they represent a high-risk distribution source for malware if used outside authorized testing.
Detected high-risk code patterns in the skill content — including its prompts, tool definitions, and resources — such as data exfiltration, backdoors, remote code execution, credential theft, system compromise, supply chain attacks, and obfuscation techniques.
Malicious code pattern detected (high risk: 1.00). This content is high-risk: it provides detailed, operational instructions to build and operate a command-and-control (C2) infrastructure (Sliver) — including implant generation, listeners (HTTPS/mTLS/DNS/WireGuard), redirectors, domain fronting, in-memory execution/shellcode, post‑exploitation modules (e.g., mimikatz/sideload), pivoting and data-transfer commands — which enable remote code execution, credential theft, data exfiltration, and evasion techniques.
The skill fetches instructions or code from an external URL at runtime, and the fetched content directly controls the agent’s prompts or executes code. This dynamic dependency allows the external source to modify the agent’s behavior without any changes to the skill itself.
Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs running a remote installer with "curl https://sliver.sh/install | sudo bash" (Phase 1), which fetches and executes remote code during setup and is a required install-time dependency.
The skill prompts the agent to compromise the security or integrity of the user’s machine by modifying system-level services or configurations, such as obtaining elevated privileges, altering startup scripts, or changing system-wide settings.
Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt explicitly instructs privileged, state-changing actions on host systems—e.g., running a piped install with sudo, starting systemd services, editing NGINX and certificate files, and adding iptables/UFW rules—and directs creation/hosting of C2 implants and redirectors, all of which modify the machine state and require elevated privileges.
673da1f
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.