npm - @agentskillkit/agent-skills - Versions diffs - 1.0.1 - Mend

@agentskillkit/agent-skills 1.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (552) hide show

package/.agent/skills/vulnerability-scanner/scripts/security_scan.py ADDED Viewed

@@ -0,0 +1,458 @@
+#!/usr/bin/env python3
+"""
+Skill: vulnerability-scanner
+Script: security_scan.py
+Purpose: Validate that security principles from SKILL.md are applied correctly
+Usage: python security_scan.py <project_path> [--scan-type all|deps|secrets|patterns|config]
+Output: JSON with validation findings
+This script verifies:
+1. Dependencies - Supply chain security (OWASP A03)
+2. Secrets - No hardcoded credentials (OWASP A04)
+3. Code Patterns - Dangerous patterns identified (OWASP A05)
+4. Configuration - Security settings validated (OWASP A02)
+"""
+import subprocess
+import json
+import os
+import sys
+import re
+import argparse
+from pathlib import Path
+from typing import Dict, List, Any
+from datetime import datetime
+# Fix Windows console encoding for Unicode output
+try:
+    sys.stdout.reconfigure(encoding='utf-8', errors='replace')
+    sys.stderr.reconfigure(encoding='utf-8', errors='replace')
+except AttributeError:
+    pass  # Python < 3.7
+# ============================================================================
+#  CONFIGURATION
+# ============================================================================
+SECRET_PATTERNS = [
+    # API Keys & Tokens
+    (r'api[_-]?key\s*[=:]\s*["\'][^"\']{10,}["\']', "API Key", "high"),
+    (r'token\s*[=:]\s*["\'][^"\']{10,}["\']', "Token", "high"),
+    (r'bearer\s+[a-zA-Z0-9\-_.]+', "Bearer Token", "critical"),
+    # Cloud Credentials
+    (r'AKIA[0-9A-Z]{16}', "AWS Access Key", "critical"),
+    (r'aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*["\'][^"\']+["\']', "AWS Secret", "critical"),
+    (r'AZURE[_-]?[A-Z_]+\s*[=:]\s*["\'][^"\']+["\']', "Azure Credential", "critical"),
+    (r'GOOGLE[_-]?[A-Z_]+\s*[=:]\s*["\'][^"\']+["\']', "GCP Credential", "critical"),
+    # Database & Connections
+    (r'password\s*[=:]\s*["\'][^"\']{4,}["\']', "Password", "high"),
+    (r'(mongodb|postgres|mysql|redis):\/\/[^\s"\']+', "Database Connection String", "critical"),
+    # Private Keys
+    (r'-----BEGIN\s+(RSA|PRIVATE|EC)\s+KEY-----', "Private Key", "critical"),
+    (r'ssh-rsa\s+[A-Za-z0-9+/]+', "SSH Key", "critical"),
+    # JWT
+    (r'eyJ[A-Za-z0-9-_]+\.eyJ[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+', "JWT Token", "high"),
+]
+DANGEROUS_PATTERNS = [
+    # Injection risks
+    (r'eval\s*\(', "eval() usage", "critical", "Code Injection risk"),
+    (r'exec\s*\(', "exec() usage", "critical", "Code Injection risk"),
+    (r'new\s+Function\s*\(', "Function constructor", "high", "Code Injection risk"),
+    (r'child_process\.exec\s*\(', "child_process.exec", "high", "Command Injection risk"),
+    (r'subprocess\.call\s*\([^)]*shell\s*=\s*True', "subprocess with shell=True", "high", "Command Injection risk"),
+    # XSS risks
+    (r'dangerouslySetInnerHTML', "dangerouslySetInnerHTML", "high", "XSS risk"),
+    (r'\.innerHTML\s*=', "innerHTML assignment", "medium", "XSS risk"),
+    (r'document\.write\s*\(', "document.write", "medium", "XSS risk"),
+    # SQL Injection indicators
+    (r'["\'][^"\']*\+\s*[a-zA-Z_]+\s*\+\s*["\'].*(?:SELECT|INSERT|UPDATE|DELETE)', "SQL String Concat", "critical", "SQL Injection risk"),
+    (r'f"[^"]*(?:SELECT|INSERT|UPDATE|DELETE)[^"]*\{', "SQL f-string", "critical", "SQL Injection risk"),
+    # Insecure configurations
+    (r'verify\s*=\s*False', "SSL Verify Disabled", "high", "MITM risk"),
+    (r'--insecure', "Insecure flag", "medium", "Security disabled"),
+    (r'disable[_-]?ssl', "SSL Disabled", "high", "MITM risk"),
+    # Unsafe deserialization
+    (r'pickle\.loads?\s*\(', "pickle usage", "high", "Deserialization risk"),
+    (r'yaml\.load\s*\([^)]*\)(?!\s*,\s*Loader)', "Unsafe YAML load", "high", "Deserialization risk"),
+]
+SKIP_DIRS = {'node_modules', '.git', 'dist', 'build', '__pycache__', '.venv', 'venv', '.next'}
+CODE_EXTENSIONS = {'.js', '.ts', '.jsx', '.tsx', '.py', '.go', '.java', '.rb', '.php'}
+CONFIG_EXTENSIONS = {'.json', '.yaml', '.yml', '.toml', '.env', '.env.local', '.env.development'}
+# ============================================================================
+#  SCANNING FUNCTIONS
+# ============================================================================
+def scan_dependencies(project_path: str) -> Dict[str, Any]:
+    """
+    Validate supply chain security (OWASP A03).
+    Checks: npm audit, lock file presence, dependency age.
+    """
+    results = {"tool": "dependency_scanner", "findings": [], "status": "[OK] Secure"}
+    # Check for lock files
+    lock_files = {
+        "npm": ["package-lock.json", "npm-shrinkwrap.json"],
+        "yarn": ["yarn.lock"],
+        "pnpm": ["pnpm-lock.yaml"],
+        "pip": ["requirements.txt", "Pipfile.lock", "poetry.lock"],
+    }
+    found_locks = []
+    missing_locks = []
+    for manager, files in lock_files.items():
+        pkg_file = "package.json" if manager in ["npm", "yarn", "pnpm"] else "setup.py"
+        pkg_path = Path(project_path) / pkg_file
+        if pkg_path.exists() or (manager == "pip" and (Path(project_path) / "requirements.txt").exists()):
+            has_lock = any((Path(project_path) / f).exists() for f in files)
+            if has_lock:
+                found_locks.append(manager)
+            else:
+                missing_locks.append(manager)
+                results["findings"].append({
+                    "type": "Missing Lock File",
+                    "severity": "high",
+                    "message": f"{manager}: No lock file found. Supply chain integrity at risk."
+                })
+    # Run npm audit if applicable
+    if (Path(project_path) / "package.json").exists():
+        try:
+            result = subprocess.run(
+                ["npm", "audit", "--json"],
+                cwd=project_path,
+                capture_output=True,
+                text=True,
+                timeout=60
+            )
+            try:
+                audit_data = json.loads(result.stdout)
+                vulnerabilities = audit_data.get("vulnerabilities", {})
+                severity_count = {"critical": 0, "high": 0, "moderate": 0, "low": 0}
+                for vuln in vulnerabilities.values():
+                    sev = vuln.get("severity", "low").lower()
+                    if sev in severity_count:
+                        severity_count[sev] += 1
+                if severity_count["critical"] > 0:
+                    results["status"] = "[!!] Critical vulnerabilities"
+                    results["findings"].append({
+                        "type": "npm audit",
+                        "severity": "critical",
+                        "message": f"{severity_count['critical']} critical vulnerabilities in dependencies"
+                    })
+                elif severity_count["high"] > 0:
+                    results["status"] = "[!] High vulnerabilities"
+                    results["findings"].append({
+                        "type": "npm audit",
+                        "severity": "high",
+                        "message": f"{severity_count['high']} high severity vulnerabilities"
+                    })
+                results["npm_audit"] = severity_count
+            except json.JSONDecodeError:
+                pass
+        except (FileNotFoundError, subprocess.TimeoutExpired):
+            pass
+    if not results["findings"]:
+        results["status"] = "[OK] Supply chain checks passed"
+    return results
+def scan_secrets(project_path: str) -> Dict[str, Any]:
+    """
+    Validate no hardcoded secrets (OWASP A04).
+    Checks: API keys, tokens, passwords, cloud credentials.
+    """
+    results = {
+        "tool": "secret_scanner",
+        "findings": [],
+        "status": "[OK] No secrets detected",
+        "scanned_files": 0,
+        "by_severity": {"critical": 0, "high": 0, "medium": 0}
+    }
+    for root, dirs, files in os.walk(project_path):
+        dirs[:] = [d for d in dirs if d not in SKIP_DIRS]
+        for file in files:
+            ext = Path(file).suffix.lower()
+            if ext not in CODE_EXTENSIONS and ext not in CONFIG_EXTENSIONS:
+                continue
+            filepath = Path(root) / file
+            results["scanned_files"] += 1
+            try:
+                with open(filepath, 'r', encoding='utf-8', errors='ignore') as f:
+                    content = f.read()
+                    for pattern, secret_type, severity in SECRET_PATTERNS:
+                        matches = re.findall(pattern, content, re.IGNORECASE)
+                        if matches:
+                            results["findings"].append({
+                                "file": str(filepath.relative_to(project_path)),
+                                "type": secret_type,
+                                "severity": severity,
+                                "count": len(matches)
+                            })
+                            results["by_severity"][severity] += len(matches)
+            except Exception:
+                pass
+    if results["by_severity"]["critical"] > 0:
+        results["status"] = "[!!] CRITICAL: Secrets exposed!"
+    elif results["by_severity"]["high"] > 0:
+        results["status"] = "[!] HIGH: Secrets found"
+    elif sum(results["by_severity"].values()) > 0:
+        results["status"] = "[?] Potential secrets detected"
+    # Limit findings for output
+    results["findings"] = results["findings"][:15]
+    return results
+def scan_code_patterns(project_path: str) -> Dict[str, Any]:
+    """
+    Validate dangerous code patterns (OWASP A05).
+    Checks: Injection risks, XSS, unsafe deserialization.
+    """
+    results = {
+        "tool": "pattern_scanner",
+        "findings": [],
+        "status": "[OK] No dangerous patterns",
+        "scanned_files": 0,
+        "by_category": {}
+    }
+    for root, dirs, files in os.walk(project_path):
+        dirs[:] = [d for d in dirs if d not in SKIP_DIRS]
+        for file in files:
+            ext = Path(file).suffix.lower()
+            if ext not in CODE_EXTENSIONS:
+                continue
+            filepath = Path(root) / file
+            results["scanned_files"] += 1
+            try:
+                with open(filepath, 'r', encoding='utf-8', errors='ignore') as f:
+                    lines = f.readlines()
+                    for line_num, line in enumerate(lines, 1):
+                        for pattern, name, severity, category in DANGEROUS_PATTERNS:
+                            if re.search(pattern, line, re.IGNORECASE):
+                                results["findings"].append({
+                                    "file": str(filepath.relative_to(project_path)),
+                                    "line": line_num,
+                                    "pattern": name,
+                                    "severity": severity,
+                                    "category": category,
+                                    "snippet": line.strip()[:80]
+                                })
+                                results["by_category"][category] = results["by_category"].get(category, 0) + 1
+            except Exception:
+                pass
+    critical_count = sum(1 for f in results["findings"] if f["severity"] == "critical")
+    high_count = sum(1 for f in results["findings"] if f["severity"] == "high")
+    if critical_count > 0:
+        results["status"] = f"[!!] CRITICAL: {critical_count} dangerous patterns"
+    elif high_count > 0:
+        results["status"] = f"[!] HIGH: {high_count} risky patterns"
+    elif results["findings"]:
+        results["status"] = "[?] Some patterns need review"
+    # Limit findings
+    results["findings"] = results["findings"][:20]
+    return results
+def scan_configuration(project_path: str) -> Dict[str, Any]:
+    """
+    Validate security configuration (OWASP A02).
+    Checks: Security headers, CORS, debug modes.
+    """
+    results = {
+        "tool": "config_scanner",
+        "findings": [],
+        "status": "[OK] Configuration secure",
+        "checks": {}
+    }
+    # Check common config files for issues
+    config_issues = [
+        (r'"DEBUG"\s*:\s*true', "Debug mode enabled", "high"),
+        (r'debug\s*=\s*True', "Debug mode enabled", "high"),
+        (r'NODE_ENV.*development', "Development mode in config", "medium"),
+        (r'"CORS_ALLOW_ALL".*true', "CORS allow all origins", "high"),
+        (r'"Access-Control-Allow-Origin".*\*', "CORS wildcard", "high"),
+        (r'allowCredentials.*true.*origin.*\*', "Dangerous CORS combo", "critical"),
+    ]
+    for root, dirs, files in os.walk(project_path):
+        dirs[:] = [d for d in dirs if d not in SKIP_DIRS]
+        for file in files:
+            ext = Path(file).suffix.lower()
+            if ext not in CONFIG_EXTENSIONS and file not in ['next.config.js', 'webpack.config.js', '.eslintrc.js']:
+                continue
+            filepath = Path(root) / file
+            try:
+                with open(filepath, 'r', encoding='utf-8', errors='ignore') as f:
+                    content = f.read()
+                    for pattern, issue, severity in config_issues:
+                        if re.search(pattern, content, re.IGNORECASE):
+                            results["findings"].append({
+                                "file": str(filepath.relative_to(project_path)),
+                                "issue": issue,
+                                "severity": severity
+                            })
+            except Exception:
+                pass
+    # Check for security header configurations
+    header_files = ["next.config.js", "next.config.mjs", "middleware.ts", "nginx.conf"]
+    for hf in header_files:
+        hf_path = Path(project_path) / hf
+        if hf_path.exists():
+            results["checks"]["security_headers_config"] = True
+            break
+    else:
+        results["checks"]["security_headers_config"] = False
+        results["findings"].append({
+            "issue": "No security headers configuration found",
+            "severity": "medium",
+            "recommendation": "Configure CSP, HSTS, X-Frame-Options headers"
+        })
+    if any(f["severity"] == "critical" for f in results["findings"]):
+        results["status"] = "[!!] CRITICAL: Configuration issues"
+    elif any(f["severity"] == "high" for f in results["findings"]):
+        results["status"] = "[!] HIGH: Configuration review needed"
+    elif results["findings"]:
+        results["status"] = "[?] Minor configuration issues"
+    return results
+# ============================================================================
+#  MAIN
+# ============================================================================
+def run_full_scan(project_path: str, scan_type: str = "all") -> Dict[str, Any]:
+    """Execute security validation scans."""
+    report = {
+        "project": project_path,
+        "timestamp": datetime.now().isoformat(),
+        "scan_type": scan_type,
+        "scans": {},
+        "summary": {
+            "total_findings": 0,
+            "critical": 0,
+            "high": 0,
+            "overall_status": "[OK] SECURE"
+        }
+    }
+    scanners = {
+        "deps": ("dependencies", scan_dependencies),
+        "secrets": ("secrets", scan_secrets),
+        "patterns": ("code_patterns", scan_code_patterns),
+        "config": ("configuration", scan_configuration),
+    }
+    for key, (name, scanner) in scanners.items():
+        if scan_type == "all" or scan_type == key:
+            result = scanner(project_path)
+            report["scans"][name] = result
+            findings_count = len(result.get("findings", []))
+            report["summary"]["total_findings"] += findings_count
+            for finding in result.get("findings", []):
+                sev = finding.get("severity", "low")
+                if sev == "critical":
+                    report["summary"]["critical"] += 1
+                elif sev == "high":
+                    report["summary"]["high"] += 1
+    # Determine overall status
+    if report["summary"]["critical"] > 0:
+        report["summary"]["overall_status"] = "[!!] CRITICAL ISSUES FOUND"
+    elif report["summary"]["high"] > 0:
+        report["summary"]["overall_status"] = "[!] HIGH RISK ISSUES"
+    elif report["summary"]["total_findings"] > 0:
+        report["summary"]["overall_status"] = "[?] REVIEW RECOMMENDED"
+    return report
+def main():
+    parser = argparse.ArgumentParser(
+        description="Validate security principles from vulnerability-scanner skill"
+    )
+    parser.add_argument("project_path", nargs="?", default=".", help="Project directory to scan")
+    parser.add_argument("--scan-type", choices=["all", "deps", "secrets", "patterns", "config"],
+                        default="all", help="Type of scan to run")
+    parser.add_argument("--output", choices=["json", "summary"], default="json",
+                        help="Output format")
+    args = parser.parse_args()
+    if not os.path.isdir(args.project_path):
+        print(json.dumps({"error": f"Directory not found: {args.project_path}"}))
+        sys.exit(1)
+    result = run_full_scan(args.project_path, args.scan_type)
+    if args.output == "summary":
+        print(f"\n{'='*60}")
+        print(f"Security Scan: {result['project']}")
+        print(f"{'='*60}")
+        print(f"Status: {result['summary']['overall_status']}")
+        print(f"Total Findings: {result['summary']['total_findings']}")
+        print(f"  Critical: {result['summary']['critical']}")
+        print(f"  High: {result['summary']['high']}")
+        print(f"{'='*60}\n")
+        for scan_name, scan_result in result['scans'].items():
+            print(f"\n{scan_name.upper()}: {scan_result['status']}")
+            for finding in scan_result.get('findings', [])[:5]:
+                print(f"  - {finding}")
+    else:
+        print(json.dumps(result, indent=2))
+if __name__ == "__main__":
+    main()

package/.agent/skills/webapp-testing/SKILL.md ADDED Viewed

@@ -0,0 +1,187 @@
+---
+name: webapp-testing
+description: Web application testing principles. E2E, Playwright, deep audit strategies.
+allowed-tools: Read, Write, Edit, Glob, Grep, Bash
+---
+# Web App Testing
+> Discover and test everything. Leave no route untested.
+## 🔧 Runtime Scripts
+**Execute these for automated browser testing:**
+| Script | Purpose | Usage |
+|--------|---------|-------|
+| `scripts/playwright_runner.py` | Basic browser test | `python scripts/playwright_runner.py https://example.com` |
+| | With screenshot | `python scripts/playwright_runner.py <url> --screenshot` |
+| | Accessibility check | `python scripts/playwright_runner.py <url> --a11y` |
+**Requires:** `pip install playwright && playwright install chromium`
+---
+## 1. Deep Audit Approach
+### Discovery First
+| Target | How to Find |
+|--------|-------------|
+| Routes | Scan app/, pages/, router files |
+| API endpoints | Grep for HTTP methods |
+| Components | Find component directories |
+| Features | Read documentation |
+### Systematic Testing
+1. **Map** - List all routes/APIs
+2. **Scan** - Verify they respond
+3. **Test** - Cover critical paths
+---
+## 2. Testing Pyramid for Web
+```
+        /\          E2E (Few)
+       /  \         Critical user flows
+      /----\
+     /      \       Integration (Some)
+    /--------\      API, data flow
+   /          \
+  /------------\    Component (Many)
+                    Individual UI pieces
+```
+---
+## 3. E2E Test Principles
+### What to Test
+| Priority | Tests |
+|----------|-------|
+| 1 | Happy path user flows |
+| 2 | Authentication flows |
+| 3 | Critical business actions |
+| 4 | Error handling |
+### E2E Best Practices
+| Practice | Why |
+|----------|-----|
+| Use data-testid | Stable selectors |
+| Wait for elements | Avoid flaky tests |
+| Clean state | Independent tests |
+| Avoid implementation details | Test user behavior |
+---
+## 4. Playwright Principles
+### Core Concepts
+| Concept | Use |
+|---------|-----|
+| Page Object Model | Encapsulate page logic |
+| Fixtures | Reusable test setup |
+| Assertions | Built-in auto-wait |
+| Trace Viewer | Debug failures |
+### Configuration
+| Setting | Recommendation |
+|---------|----------------|
+| Retries | 2 on CI |
+| Trace | on-first-retry |
+| Screenshots | on-failure |
+| Video | retain-on-failure |
+---
+## 5. Visual Testing
+### When to Use
+| Scenario | Value |
+|----------|-------|
+| Design system | High |
+| Marketing pages | High |
+| Component library | Medium |
+| Dynamic content | Lower |
+### Strategy
+- Baseline screenshots
+- Compare on changes
+- Review visual diffs
+- Update intentional changes
+---
+## 6. API Testing Principles
+### Coverage Areas
+| Area | Tests |
+|------|-------|
+| Status codes | 200, 400, 404, 500 |
+| Response shape | Matches schema |
+| Error messages | User-friendly |
+| Edge cases | Empty, large, special chars |
+---
+## 7. Test Organization
+### File Structure
+```
+tests/
+├── e2e/           # Full user flows
+├── integration/   # API, data
+├── component/     # UI units
+└── fixtures/      # Shared data
+```
+### Naming Convention
+| Pattern | Example |
+|---------|---------|
+| Feature-based | `login.spec.ts` |
+| Descriptive | `user-can-checkout.spec.ts` |
+---
+## 8. CI Integration
+### Pipeline Steps
+1. Install dependencies
+2. Install browsers
+3. Run tests
+4. Upload artifacts (traces, screenshots)
+### Parallelization
+| Strategy | Use |
+|----------|-----|
+| Per file | Playwright default |
+| Sharding | Large suites |
+| Workers | Multiple browsers |
+---
+## 9. Anti-Patterns
+| ❌ Don't | ✅ Do |
+|----------|-------|
+| Test implementation | Test behavior |
+| Hardcode waits | Use auto-wait |
+| Skip cleanup | Isolate tests |
+| Ignore flaky tests | Fix root cause |
+---
+> **Remember:** E2E tests are expensive. Use them for critical paths only.