Supply-chain detection pattern: prompt-library repos with embedded installer zips
Observation
While evaluating external prompt/skill libraries for reuse with Claude Code, we encountered a repository that looks like a legitimate prompt collection but packages binary payloads that users are directed to execute. Sharing the detection signature in case it's useful for your supply-chain / skill-ecosystem review tooling.
Sample
- Repository:
xlrepotestaa/prompt-engineering-models - Metadata: created 2025-10-25, GPL-3.0, AI / prompt-engineering topic tags
- Surface appearance: 37+ Markdown prompt templates for code review, refactoring, and testing — content reads plausibly.
Red-flag signals (co-occurrence is what matters)
| # | Signal | Evidence in sample |
|---|--------|--------------------|
| 1 | Binary payload inside a pure-text repo | societarianism/prompt-engineering-models.zip (1.4 MB), refactoring/13-extract-and-simplify/engineering-prompt-models-2.0.zip (587 KB) |
| 2 | README frames the repo as runnable software | "Download the installer / Run the installer / Launch the Application" — a prompt collection has no installer |
| 3 | README "Download" link points to one of the embedded zips | Top-of-README button linked to .../engineering-prompt-models-2.0.zip |
| 4 | Nonsense-latinate filler directory | societarianism/ contains only the zip — the word has no relation to prompts |
| 5 | Archive contents don't match the repo's stated purpose | Each zip contains: a one-line .bat / .cmd launcher, an unmodified scripting-runtime binary (LuaJIT lua.exe / luajit.exe + lua51.dll), and a file named *.txt whose content is not text — it's ASCII with single lines over 60 000 characters, structurally matching obfuscated Lua source. None of this is what a prompt library needs to ship. |
Any single signal is weak. All five together is a high-confidence pattern.
What was intentionally left out of the signal set: star count, follower count, account age. These correlate with many legitimate small projects and produce too many false positives. The signals above are all content-structural rather than reputational.
Refined detection rule (pseudocode)
risk_flag if:
(repo.primary_content_type == "markdown/prompts"
OR repo.topics contain AI-adjacent tags
OR repo.description frames itself as a text/prompt/mod collection)
AND repo.contains archive file(s)
AND archive.inner_files satisfy:
count(*.exe OR *.dll) >= 1
AND count(*.txt with ASCII-only AND single_line_length > 10_000) >= 1
AND count(*.bat OR *.cmd with line_count <= 2) >= 1
AND (
exe/dll matches a known scripting-runtime version string
(LuaJIT, CPython, node, ...)
OR the "text" file opens with a well-known obfuscator signature
)
Corroborating signal (not required, but strong when present): the same author ships other repositories whose archives contain byte-identical inner files under a different thematic wrapper. When the same archived payload is reused under unrelated repo themes, the archive is the product, not the stated theme.
Why this might matter for Claude Code
- Plugin / skill authors increasingly pull "prompt libraries" from GitHub as templates.
- Claude Code itself doesn't execute the zip, but users following README instructions will.
- If a skill-marketplace or plugin-install flow ever indexes external repos, a pre-flight scan against the signals above — especially the archive-contents check, which is the most robust of the five — would catch this class before humans do.
- A stronger schema-level option: require a skill manifest's declared entry-point file to parse as Markdown / YAML / JSON at install time. Binary-payload distribution becomes substantially harder under that constraint, regardless of how the repo dresses itself.
Samples analyzed (for independent verification)
SHA256 of the two archives, for anyone wanting to cross-reference with threat-intel sources:
| SHA256 | Size | Path |
|---|---|---|
| 9e16a3021a976a3c32275b2ab503df4ea8e92e328f0e6702c7b2755a508645dc | 1 395 268 | societarianism/prompt-engineering-models.zip |
| 0672efa2ba5222e4b2fcab26e34dedcdeef25cd4bed41ce056654e224b60898b | 587 686 | refactoring/13-extract-and-simplify/engineering-prompt-models-2.0.zip |
Scope and limits of this analysis
- Analysis was static-only: file-type identification, PE compile-timestamp / import-table inspection, structural review of the obfuscated files, cross-repo file-hash comparison. Performed in an offline Docker container (
--network none, read-only mount,--rm). - The obfuscated content inside the archives was not decoded and not executed. This issue therefore makes no claim about what any specific payload does — only about the packaging shape.
- The packaging shape observed — (genuine scripting runtime) + (obfuscated source with mismatched extension) + (minimal launcher) — is documented in public write-ups on Lua-based loaders, but that alone is not sufficient to conclude a specific sample is malicious. The signal here is the fit against the red-flag pattern above, not a behavioral determination.
---
Not a Claude Code bug — filed as an ecosystem hygiene observation. The actionable part for Anthropic is the detection heuristic (and the schema-level mitigation), not this specific repository.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗