Rule Info
Name
Suspicious Creation of Agentic Coding Skill Files in Sensitive Locations
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects the creation of agentic coding skill files in suspicious or world-writable locations.
Agentic skill files are typically markdown files that define capabilities for agentic AI assistants such as Claude, OpenClaw, etc.
Adversaries may drop malicious skill definition files in these locations before invoking them for malicious purposes.
Reference
Internal Research
Date
2026-05-15 00:00:00
Modified
None
Id
a3f72b1e-4c9d-4f8e-b2a1-5d0e6c3f9b7a
Tags
attack.persistence attack.execution attack.t1204.002
Type
Nextron Sigma feed only (private)
