name: hex-vetter
version: 1.0.0
description: Physical-layer hex auditing for skills. Detects hidden binary data, control characters, and encoding-based attacks.
author: Matrix-Meta
tags:
  - security
  - hex
  - audit
  - binary-analysis
hex-vetter 🔬
Physical-layer hex auditing skill for AI agents. Detects hidden binary data, control characters, and encoding-based attacks.
Overview
hex-vetter performs deep hex-level analysis of files to detect what text-based reviewers miss. It's designed for security audits of skill packages, detecting hidden payloads, obfuscated code, and suspicious binary data.
Installation
git clone https://github.com/Matrix-Meta/hex-vetter.git
cd hex-vetter
npm install
Usage
Command Line
# Scan a single file
node vet.js <file_path>
# Scan a directory recursively
node scan_all.js <directory_path>
# Verify file integrity
node verify.js <file_path>
As a Module
const { scanFile } = require('./vet.js');
// CommonJS has no top-level await, so call scanFile inside an async function
(async () => {
  const result = await scanFile('/path/to/file.bin');
  console.log(result.riskLevel); // 'LOW', 'MEDIUM', 'HIGH'
  console.log(result.flags); // Array of detected issues
  console.log(result.hexDump); // Formatted hex output
})();
What It Detects
| Flag | Description |
|---|---|
| NULL_BYTES | Null bytes (0x00) - signs of binary injection or file padding |
| CONTROL_CHARS | Control characters (0x01-0x1F) - hidden terminal sequences |
| UNICODE_OVERRIDE | Unicode directional overrides (LRO, RLO, etc.) |
| HIGH_NON_ASCII | High ratio of non-ASCII bytes - Base64 or encoded payloads |
| MAGIC_BYTES | Known magic bytes/signatures |
| SUSPICIOUS_PATTERN | Pattern matching for common attack signatures |
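
The byte-level checks behind four of the flags above can be sketched as follows. This is an added example, not hex-vetter's own code: the names auditBuffer and isBidiControl, the TAB/LF/CR exemption, and the 0.3 non-ASCII threshold are assumptions of the sketch, and the sample input is constructed.

```javascript
// Added example, not hex-vetter's code. Flag names come from the table above;
// the TAB/LF/CR exemption and the 0.3 ratio are assumptions of this sketch.
const TEXT_WHITESPACE = new Set([0x09, 0x0a, 0x0d]);
const NON_ASCII_RATIO = 0.3;

// UTF-8 for U+202A..U+202E is E2 80 AA..AE; for U+2066..U+2069 it is E2 81 A6..A9.
function isBidiControl(buf, i) {
  if (buf[i] !== 0xe2 || i + 2 >= buf.length) return false;
  const b1 = buf[i + 1], b2 = buf[i + 2];
  return (b1 === 0x80 && b2 >= 0xaa && b2 <= 0xae) ||
         (b1 === 0x81 && b2 >= 0xa6 && b2 <= 0xa9);
}

function auditBuffer(buf) {
  const hits = { NULL_BYTES: [], CONTROL_CHARS: [], UNICODE_OVERRIDE: [] };
  let nonAscii = 0;
  for (let i = 0; i < buf.length; i++) {
    const b = buf[i];
    if (b === 0x00) hits.NULL_BYTES.push(i);
    else if (b < 0x20 && !TEXT_WHITESPACE.has(b)) hits.CONTROL_CHARS.push(i);
    else if (b >= 0x80) {
      nonAscii++;
      if (isBidiControl(buf, i)) hits.UNICODE_OVERRIDE.push(i);
    }
  }
  const flags = Object.keys(hits).filter((k) => hits[k].length > 0);
  if (buf.length > 0 && nonAscii / buf.length > NON_ASCII_RATIO) {
    flags.push('HIGH_NON_ASCII');
  }
  return { flags, offsets: hits }; // byte offsets let a reviewer jump into the hex dump
}

// Constructed sample: one source line with an RLO (U+202E) inside a string
// and ESC (0x1B) terminal sequences inside a comment.
const sample = Buffer.from('const role = "\u202Eresu"; // \x1b[8mhidden\x1b[0m\n', 'utf8');
const report = auditBuffer(sample);
console.log(report.flags, report.offsets);
```

Exempting TAB, LF and CR keeps ordinary text files from tripping CONTROL_CHARS on every line; a stricter audit can drop the exemption and accept the extra noise.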
API Reference
scanFile(filePath)
Scans a single file and returns analysis results.
const { scanFile } = require('./vet.js');
(async () => {
  const result = await scanFile('./some file.js');
  // Returns: { riskLevel, flags, hexDump, details }
})();
scanDirectory(dirPath)
Recursively scans all files in a directory.
const { scanDirectory } = require('./scan_all.js');
(async () => {
  const results = await scanDirectory('./skills/');
  // Returns: Array of scan results for each file
})();
verifyIntegrity(filePath)
Verifies file integrity using stored checksums.
const { verifyIntegrity } = require('./verify.js');
(async () => {
  const result = await verifyIntegrity('./starfragment.js');
  // Returns: { valid, expected, actual }
})();
Risk Levels
- 🟢 LOW: Normal file, no suspicious content detected
- 🟡 MEDIUM: Some flags detected, manual review recommended
- 🔴 HIGH: Significant suspicious content, MUST be manually reviewed
Security Policy
Mandatory Review: Any file flagged as 🔴 HIGH RISK MUST be manually inspected by a human or a trusted agent before the skill is used.
False Positives: Risk ratings are heuristic. Common false positives include:
- .env mentions in .npmignore
- Documentation with encoded examples
- Compressed assets
Agent Action: If an agent performs an audit and finds HIGH RISK, it MUST:
- Notify the user immediately
- Provide the specific reason (e.g., signature match vs. binary data)
- Suggest next steps for manual review
Architecture
hex-vetter/
├── starfragment.js # Core module (self-modifying storage)
├── scan_all.js # Recursive directory scanner
├── verify.js # Integrity verification
├── vet.js # Main entry point
├── README.md
└── SKILL.md # This file
Self-Modifying Storage
The starfragment.js module uses self-modifying storage - it reads and writes data from/to its own file at runtime. Constants are encoded and stored as valid JavaScript comments at the end of the source file.
Contributing
Issues and pull requests are welcome on GitHub: https://github.com/Matrix-Meta/hex-vetter