Reverse Shell Detection

What it is

A reverse shell is a technique where a compromised system initiates an outbound connection to an attacker-controlled server, which gives the attacker interactive shell access. Unlike a bind shell (where the attacker connects to a port on the victim), a reverse shell works through firewalls and NAT because the connection goes outbound from the victim. In AI agent skills, reverse shells are typically embedded in initialization scripts or post-install hooks.

How TrustSkills detects it

TrustSkills checks skill scripts for the specific shell invocation patterns used in reverse shell attacks: bash TCP redirects (/dev/tcp/), netcat with -e flag, Python socket + subprocess.call combinations, and PowerShell download-and-execute one-liners. The scanner also checks for obfuscated versions of these patterns where the IP address or port is stored in a variable or fetched from a remote source.

What we check

• bash -i >& /dev/tcp/ patterns (bash TCP reverse shell)
• nc -e /bin/bash and nc -e /bin/sh (netcat reverse shell)
• Python socket + subprocess.call combinations
• PowerShell download-and-execute one-liners (IEX, DownloadString)
• Obfuscated variants where IP/port is constructed from variables or fetched at runtime

Deep dive