From a3d6048dedc2649eb16f97830adf6cc9cdd856f4 Mon Sep 17 00:00:00 2001 From: Dominik Roth Date: Wed, 27 May 2026 16:06:21 +0200 Subject: [PATCH] =?UTF-8?q?README=20=E2=80=94=20add=20intended=20use=20sec?= =?UTF-8?q?tion?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-Authored-By: Claude Sonnet 4.6 --- README.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/README.md b/README.md index f799a52..fc4972c 100644 --- a/README.md +++ b/README.md @@ -4,6 +4,19 @@ Covert channel using Linux TC eBPF. Intercepts TCP packets on a port already in steals matching ones before the application sees them, forwards or executes per the client's instruction. Normal traffic is unaffected. Zero changes to existing services. +--- + +## Intended Use + +**Educational purposes only.** Do not deploy against systems you don't own or have +explicit authorisation to test. + +The core use case this demonstrates: persistence on a firewalled host by piggybacking +on any already-permitted port (e.g. 80/443). Traffic is stolen at TC ingress before +the application sees it and never appears in its logs. + +--- + ``` Mode 1 — Plain TCP Client Server (:80)
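Review bot: In the second added paragraph, "never appears in its logs" should be scoped to the application's own logs. As written it can be read as saying the traffic leaves no trace on the host, while the same sentence places the interception at TC ingress, which is a layer an administrator can inspect. Suggest "never appears in the application's logs", plus one sentence under Intended Use telling an authorised tester how to confirm the filter is attached and how to remove it when the exercise ends. Separately, "**Educational purposes only.**" sits awkwardly next to "The core use case this demonstrates: persistence on a firewalled host"; wording it as "the technique this demonstrates" would keep the section consistent with its first line.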