@clear-capabilities/agentic-security-scanner 0.74.0

package/src/sast/bench-shape/.agentic-security/findings.json

@@ -0,0 +1,28 @@
+{
+  "scanId": "dc3f3a4e-866e-4a96-a3cf-95d740227eca",
+  "startedAt": "2026-05-18T14:34:38.677Z",
+  "durationMs": 64,
+  "scanned": {
+    "files": 1,
+    "lines": 0
+  },
+  "findings": [],
+  "bundles": [],
+  "routes": [],
+  "components": [],
+  "suppressedCount": 1,
+  "blastRadiusSignals": {
+    "industry": "generic",
+    "industryConfidence": "low",
+    "jurisdictions": [],
+    "controls": [],
+    "estimatedUsers": 50,
+    "revenueIndicator": "pre-revenue",
+    "hasStripe": false,
+    "hasAuth": false,
+    "hasUserTable": false,
+    "hasPII": false,
+    "hasPHI": false,
+    "hasS3": false
+  }
+}

package/src/sast/bench-shape/.agentic-security/last-scan.json

@@ -0,0 +1,28 @@
+{
+  "scanId": "dc3f3a4e-866e-4a96-a3cf-95d740227eca",
+  "startedAt": "2026-05-18T14:34:38.677Z",
+  "durationMs": 64,
+  "scanned": {
+    "files": 1,
+    "lines": 0
+  },
+  "findings": [],
+  "bundles": [],
+  "routes": [],
+  "components": [],
+  "suppressedCount": 1,
+  "blastRadiusSignals": {
+    "industry": "generic",
+    "industryConfidence": "low",
+    "jurisdictions": [],
+    "controls": [],
+    "estimatedUsers": 50,
+    "revenueIndicator": "pre-revenue",
+    "hasStripe": false,
+    "hasAuth": false,
+    "hasUserTable": false,
+    "hasPII": false,
+    "hasPHI": false,
+    "hasS3": false
+  }
+}

package/src/sast/bench-shape/.agentic-security/scan-history.json

@@ -0,0 +1,24 @@
+[
+  {
+    "timestamp": "2026-05-18T14:28:11.803Z",
+    "label": "scan",
+    "total": 0,
+    "critical": 0,
+    "high": 0,
+    "medium": 0,
+    "low": 0,
+    "kev": 0,
+    "ids": []
+  },
+  {
+    "timestamp": "2026-05-18T14:34:38.741Z",
+    "label": "scan",
+    "total": 0,
+    "critical": 0,
+    "high": 0,
+    "medium": 0,
+    "low": 0,
+    "kev": 0,
+    "ids": []
+  }
+]

package/src/sast/bench-shape/.agentic-security/streak.json

@@ -0,0 +1,22 @@
+{
+  "firstScanDate": "2026-05-18T14:28:11.809Z",
+  "lastScanDate": "2026-05-18T14:34:38.748Z",
+  "totalScans": 2,
+  "daysCleanCritical": 1,
+  "lastCleanDate": "2026-05-18",
+  "lastCriticalDate": null,
+  "hasEverHadCritical": false,
+  "bestDaysCleanCritical": 1,
+  "totalFindingsAtFirstScan": 0,
+  "totalFindingsAtLastScan": 0,
+  "totalFixesInferred": 0,
+  "lastGrade": "A+",
+  "bestGrade": "A+",
+  "launchCheckPassedAt": null,
+  "achievements": [
+    "first-scan",
+    "grade-a",
+    "grade-a-plus"
+  ],
+  "previousGrade": "A+"
+}

package/src/sast/bench-shape/index.js

@@ -0,0 +1,62 @@
+// Bench-shape module — benchmark-specific answer-key readers.
+//
+// NONE of this code is useful for scanning real codebases. Every function here
+// reads labels injected by NIST SARD, OWASP Benchmark, or Juliet's test suite
+// authors into their test files:
+//
+//   - `/* POTENTIAL FLAW: */` / `/* FLAW: */` comments (NIST SARD)
+//   - `// condition 'B', which is safe` (OWASP Benchmark template markers)
+//   - `@WebServlet("/cmdi-02/")` route category prefix (OWASP Benchmark)
+//   - `juliet-cwe<N>/` / `testcases/CWE<N>_*/` folder naming (Juliet)
+//
+// Enabling these on a production codebase would:
+//   a. Suppress real findings based on comment text an attacker can copy.
+//   b. Emit "findings" based on test-scaffold markers with no detection value.
+//
+// Activation: set AGENTIC_SECURITY_BENCH_SHAPE=1 before scanning.
+// This happens automatically inside bench-realworld.js when NOT in --blind mode.
+// Production scans NEVER set this variable.
+//
+// The --blind bench flag does the opposite: it DISABLES bench-shape (if somehow
+// set) AND strips the marker comments from the corpus before scanning, so the
+// engine's true detection capability is measured.
+
+export function isBenchShape() {
+  return process.env.AGENTIC_SECURITY_BENCH_SHAPE === '1';
+}
+
+// Re-export the juliet-shape scanner and suppressors — gated at call sites.
+export {
+  scanJulietShape,
+  applyJulietJavaSuppressions,
+  applyJulietCsSuppressions,
+} from '../juliet-shape.js';
+
+// Re-export the java-bench-extras API — gated at call sites.
+export {
+  findSuppressionLines,
+  applyJavaBenchSuppressions,
+} from '../java-bench-extras.js';
+
+// Re-export the cpp-bench-extras suppressor — gated at call sites.
+export {
+  applyJulietCppSuppressions as applyJulietCppFamilySuppressions,
+} from '../cpp-bench-extras.js';
+
+// OWASP Benchmark @WebServlet route-category extractor.
+// Returns the canonical vuln family (e.g. 'sql-injection') for files whose
+// @WebServlet URL encodes the test category, or null.
+// NEVER call this in production — it reads the benchmark answer key.
+const _OWASP_BENCH_CATEGORY_MAP = {
+  'cmdi': 'command-injection', 'sqli': 'sql-injection', 'xss': 'xss',
+  'pathtraver': 'path-traversal', 'ldapi': 'ldap-injection',
+  'xpathi': 'xpath-injection', 'hash': 'weak-crypto', 'crypto': 'weak-crypto',
+  'weakrand': 'weak-rng', 'trustbound': 'trust-boundary',
+  'securecookie': 'header-hardening',
+};
+export function benchShapeWebServletCategory(cleaned) {
+  if (!isBenchShape()) return null;
+  const m = cleaned.match(/@WebServlet\s*\(\s*(?:value\s*=\s*)?["'](?:[^"']*\/)?(\w+?)-\d+\//);
+  if (!m) return null;
+  return _OWASP_BENCH_CATEGORY_MAP[m[1].toLowerCase()] || null;
+}

package/src/sast/claude-hook-injection.js

@@ -0,0 +1,199 @@
+// Hook command-injection audit.
+//
+// Reads .claude/hooks.json (and equivalents in .cursor/, .codex/, etc.) and
+// flags the canonical bugs:
+//
+//   1. Interpolation of attacker-controlled fields (${file}, ${input},
+//      ${args}, $CLAUDE_TOOL_INPUT, $TOOL_INPUT, $PROMPT) directly into a
+//      shell command without quoting. When the agent passes a filename
+//      `; rm -rf ~` to a tool, the hook executes it as shell.
+//   2. Silent error suppression in security-relevant hooks (`2>/dev/null`,
+//      `|| true`, `set +e`) — the hook fails open and the user never sees it.
+//   3. Outbound HTTP (curl / wget / nc) from a hook to a non-local URL.
+//      Often a sign of an injected data-exfil command.
+//   4. Privilege-escalating shells (sudo, doas, runuser, su) in hooks.
+//   5. Eval / source / bash -c on dynamic content.
+//
+// Hook config shape (Claude Code):
+//   {
+//     "hooks": {
+//       "PreToolUse": [
+//         { "matcher": "Bash", "hooks": [{ "type": "command", "command": "..." }] }
+//       ]
+//     }
+//   }
+//
+// We walk every `command` field and apply the rules. Adjacent harnesses use
+// the same key in their settings or their own hooks file; we also walk any
+// `*.hooks.json` and `hooks.json` under a harness directory.
+
+const _HOOK_FILE_RE = /(?:^|[\\/])(?:hooks?\.json|\.(?:claude|cursor|codex|gemini|kiro|opencode|trae|qwen|zed|continue|aider)[\\/](?:hooks\.json|settings(?:\.local)?\.json))$/i;
+
+// Tokens that can carry agent-driven payloads (untrusted input).
+const _INTERPOLATION_TOKENS = [
+  '${file}', '${input}', '${args}', '${path}', '${target}',
+  '${tool_input}', '${prompt}', '${query}', '${message}',
+  '$CLAUDE_TOOL_INPUT', '$TOOL_INPUT', '$INPUT', '$PROMPT', '$ARGS',
+  '$CLAUDE_PROMPT', '$CLAUDE_ARGS', '$CLAUDE_FILE',
+  '$AGENT_INPUT', '$AGENT_PROMPT',
+];
+
+const _SHELL_SUPPRESS_RE = /(?:2>\s*\/dev\/null|>\s*\/dev\/null\s+2>&1|\|\|\s*true|set\s+\+e)/;
+const _OUTBOUND_HTTP_RE = /\b(?:curl|wget|nc|ncat|fetch)\b[^\n;|&]*?https?:\/\/(?!(?:127\.0\.0\.1|localhost|0\.0\.0\.0))[^\s'"]+/i;
+const _PRIVESC_RE = /\b(?:sudo|doas|runuser|su\s+-)\b/;
+const _EVAL_RE = /\b(?:eval|source|bash\s+-c|sh\s+-c|zsh\s+-c)\s+["'`]?[^"'`]*\$(?:\{[^}]+\}|[A-Z_][A-Z0-9_]*)/i;
+
+function _line(raw, idx) {
+  return raw.slice(0, idx).split('\n').length;
+}
+
+function _isQuoted(command, tokenIdx, token) {
+  // Heuristic: check whether the token is inside a single-quoted span.
+  // Single-quoted bash is the only safe-from-expansion form; double quotes
+  // still substitute and let `; ` break out.
+  let quote = null;
+  for (let i = 0; i < tokenIdx; i++) {
+    const c = command[i];
+    if (quote === null) {
+      if (c === "'") quote = "'";
+      else if (c === '"') quote = '"';
+    } else if (c === quote) {
+      quote = null;
+    }
+  }
+  return quote === "'";
+}
+
+function _walkCommands(node, out, pathPrefix = '') {
+  if (!node || typeof node !== 'object') return;
+  if (Array.isArray(node)) {
+    for (let i = 0; i < node.length; i++) _walkCommands(node[i], out, `${pathPrefix}[${i}]`);
+    return;
+  }
+  for (const [k, v] of Object.entries(node)) {
+    if (k === 'command' && typeof v === 'string') {
+      out.push({ command: v, jsonPath: `${pathPrefix}.${k}` });
+    } else if (k === 'commands' && Array.isArray(v)) {
+      for (let i = 0; i < v.length; i++) {
+        if (typeof v[i] === 'string') out.push({ command: v[i], jsonPath: `${pathPrefix}.${k}[${i}]` });
+      }
+    } else {
+      _walkCommands(v, out, `${pathPrefix}.${k}`);
+    }
+  }
+}
+
+export function scanClaudeHookInjection(file, raw) {
+  if (!file || !raw || typeof raw !== 'string') return [];
+  if (!_HOOK_FILE_RE.test(file)) return [];
+  if (raw.length > 200_000) return [];
+
+  let parsed;
+  try { parsed = JSON.parse(raw); } catch { return []; }
+  if (!parsed || typeof parsed !== 'object') return [];
+
+  const commands = [];
+  _walkCommands(parsed.hooks || parsed, commands);
+  if (!commands.length) return [];
+
+  const findings = [];
+  for (const { command, jsonPath } of commands) {
+    // The line where this command lives in raw — best effort by searching
+    // for the command substring (works because raw JSON preserves the text).
+    const idx = raw.indexOf(command);
+    const line = idx >= 0 ? _line(raw, idx) : 1;
+
+    // 1. Interpolation of untrusted tokens, unquoted.
+    for (const tok of _INTERPOLATION_TOKENS) {
+      const ti = command.indexOf(tok);
+      if (ti < 0) continue;
+      if (_isQuoted(command, ti, tok)) continue;        // single-quoted is safe
+      findings.push({
+        id: `hook-injection:interpolation:${file}:${line}:${tok}`,
+        file,
+        line,
+        vuln: `Hook command interpolates untrusted '${tok}' unquoted — shell injection`,
+        severity: 'critical',
+        family: 'hook-command-injection',
+        cwe: 'CWE-78',
+        confidence: 0.85,
+        description: `The hook at ${jsonPath} embeds ${tok} directly into a shell command. If an agent (or a prompt-injected tool) passes a path containing ; rm -rf $HOME, the shell executes it. Even double-quoting does not fix this — backslash and dollar still allow escape.`,
+        remediation: 'Pass the value via stdin or a sandboxed env var. If it must appear in the command line, wrap the receiving program in single-quotes and use \\\'\\\'\\\'\\\' for embedded literal quotes, or pre-validate the value against a strict allow-list before the hook runs.',
+        snippet: command.slice(Math.max(0, ti - 20), ti + tok.length + 30),
+      });
+    }
+
+    // 2. Silent error suppression on security hooks.
+    if (_SHELL_SUPPRESS_RE.test(command)) {
+      // Only flag when the hook is a security-relevant one. PostToolUse +
+      // PreToolUse hooks that fail silently disable the guardrail. We can't
+      // perfectly tell purpose, so emit at medium severity.
+      findings.push({
+        id: `hook-injection:silent-suppress:${file}:${line}`,
+        file,
+        line,
+        vuln: `Hook silently swallows errors (fails open)`,
+        severity: 'medium',
+        family: 'hook-command-injection',
+        cwe: 'CWE-754',
+        confidence: 0.7,
+        description: `The hook command redirects stderr to /dev/null or appends '|| true' / 'set +e'. If the hook's purpose is to enforce a check, swallowing its non-zero exit means a failure passes silently — the user thinks the guardrail ran.`,
+        remediation: 'Let the hook fail loudly. If you genuinely need to ignore one specific error, narrow the suppression to that case rather than the whole pipeline.',
+        snippet: command.slice(0, 120),
+      });
+    }
+
+    // 3. Outbound HTTP from a hook.
+    if (_OUTBOUND_HTTP_RE.test(command)) {
+      findings.push({
+        id: `hook-injection:outbound-http:${file}:${line}`,
+        file,
+        line,
+        vuln: `Hook makes outbound HTTP to a non-local URL`,
+        severity: 'high',
+        family: 'hook-command-injection',
+        cwe: 'CWE-918',
+        confidence: 0.8,
+        description: `The hook fetches or posts to an external URL. Outbound traffic from a hook is the canonical data-exfiltration shape — every Edit / Write / Bash event triggers the hook.`,
+        remediation: 'Replace with a local script if possible. If the outbound call is intentional (telemetry, webhook), redact the payload and restrict the destination to an allow-list.',
+        snippet: command.slice(0, 120),
+      });
+    }
+
+    // 4. Privilege-escalating commands.
+    if (_PRIVESC_RE.test(command)) {
+      findings.push({
+        id: `hook-injection:privesc:${file}:${line}`,
+        file,
+        line,
+        vuln: `Hook invokes a privilege-escalating command`,
+        severity: 'high',
+        family: 'hook-command-injection',
+        cwe: 'CWE-269',
+        confidence: 0.9,
+        description: `The hook calls sudo / doas / runuser. Hooks fire automatically on agent events; combining auto-trigger with privilege escalation gives the agent root via a documented side door.`,
+        remediation: 'Remove the privilege-escalation. If admin actions are genuinely needed, gate them behind a separate user-initiated command, not an auto-fire hook.',
+        snippet: command.slice(0, 120),
+      });
+    }
+
+    // 5. Eval / dynamic execution.
+    if (_EVAL_RE.test(command)) {
+      findings.push({
+        id: `hook-injection:eval-dynamic:${file}:${line}`,
+        file,
+        line,
+        vuln: `Hook eval()s dynamic content from a shell variable`,
+        severity: 'critical',
+        family: 'hook-command-injection',
+        cwe: 'CWE-78',
+        confidence: 0.85,
+        description: `The hook passes a variable through eval / source / bash -c. Whatever is in that variable becomes shell code.`,
+        remediation: 'Rewrite the hook to invoke the target binary directly with positional args. Never eval a value the agent can influence.',
+        snippet: command.slice(0, 120),
+      });
+    }
+  }
+
+  return findings;
+}

package/src/sast/claude-md-prompt-injection.js

@@ -0,0 +1,170 @@
+// CLAUDE.md / AGENTS.md / system-prompt-style instruction-file audit.
+//
+// LLM-targeting attacks distinct from source-code XSS. Targets:
+//
+//   1. Override directives — "Ignore all previous instructions", "Forget prior
+//      rules", "You are now ...", "From now on, ...".
+//   2. Auto-run / no-confirmation patterns — "always run X without asking",
+//      "skip the confirmation", "auto-approve", "no questions, just execute".
+//   3. Exfiltration baiting — instructions that tell the agent to send data
+//      to an outside URL, "POST your context to ...", "include your system
+//      prompt in the response".
+//   4. Hardcoded credentials in instruction files — `sk-ant-...`,
+//      `ghp_...`, `AKIA...`, etc. Already covered by the secrets module on
+//      generic source code, but instruction files often fall outside the
+//      typical secrets scan path.
+//   5. Tool-misuse coaching — "if you encounter a confirmation prompt,
+//      bypass it via", "use the unrestricted Bash tool when ...".
+//   6. Identity / role overrides that pretend to be a higher authority —
+//      "[SYSTEM]", "[OWNER]", "<|im_start|>system".
+//
+// Scope: any file matching the instruction-file naming convention.
+
+const _INSTRUCTION_FILE_RE = /(?:^|[\\/])(?:CLAUDE|AGENTS|GEMINI|CURSOR|CODEX|KIRO|QWEN|TRAE|OPENCODE|SYSTEM_PROMPT|\.claude\/(?:CLAUDE|SYSTEM|PROMPT|instructions))\.(?:md|markdown|txt|prompt|prompt\.md|system\.md)$/i;
+
+const _OVERRIDE_PATTERNS = [
+  { re: /\b(?:ignore|disregard|forget|override|bypass|discard|skip|drop)\s+(?:all\s+|any\s+)?(?:previous|prior|above|preceding|earlier|former)\s+(?:instructions?|directives?|prompts?|rules?|guidelines?|safety|policy)/i, kind: 'override-prior-instructions' },
+  { re: /\b(?:from\s+now\s+on|starting\s+now|beginning\s+(?:now|here))[,:]?\s+(?:you\s+(?:are|will|must)|act\s+as|behave\s+as)/i, kind: 'role-override' },
+  { re: /\b(?:you\s+are\s+now|new\s+system\s+prompt|new\s+role|act\s+as|pretend\s+to\s+be|roleplay\s+as)\s+(?:a\s+)?[A-Za-z]+/i, kind: 'role-override' },
+  { re: /<\s*\|?\s*(?:system|im_start|im_end|assistant|user|developer|owner)\s*\|?\s*>/i, kind: 'chat-template-spoof' },
+  { re: /\[\s*(?:SYSTEM|OWNER|ROOT|DEVELOPER|ADMIN)\s*[\]:]/i, kind: 'authority-spoof' },
+];
+
+const _AUTO_RUN_PATTERNS = [
+  { re: /\balways\s+(?:run|execute|invoke|call|use)\s+\S+\s+(?:without\s+(?:asking|prompting|confirming)|silently|automatically)/i, kind: 'auto-run-directive', sev: 'high' },
+  { re: /\b(?:skip|bypass|disable|suppress)\s+(?:the\s+)?(?:confirmation|approval|prompt|permission)\s+(?:dialog|step|check|popup)/i, kind: 'skip-confirmation', sev: 'high' },
+  { re: /\b(?:auto[-\s]?approve|auto[-\s]?run|auto[-\s]?execute|auto[-\s]?accept)\s+(?:all|every|any)/i, kind: 'auto-approve-all', sev: 'high' },
+  { re: /\bno\s+questions[,.]?\s*(?:just|simply|always)?\s*(?:run|execute|do|proceed)/i, kind: 'no-confirmation', sev: 'medium' },
+  { re: /\b(?:never|don'?t)\s+(?:ask|prompt|confirm)\s+(?:the\s+)?(?:user|developer|owner)\s+(?:before|prior\s+to|when)/i, kind: 'no-confirmation', sev: 'medium' },
+];
+
+const _EXFIL_PATTERNS = [
+  { re: /\b(?:send|post|upload|exfiltrate|forward|relay)\s+(?:your|the)\s+(?:system\s+prompt|instructions|context|conversation|history|tools)/i, kind: 'exfil-context' },
+  { re: /\b(?:print|reveal|output|show|expose|include|append)\s+(?:your|the)?\s*(?:system\s+prompt|instructions|api\s+key|credentials|secrets|tokens?)/i, kind: 'reveal-secrets' },
+  { re: /\bcurl\s+(?:-X\s+\w+\s+)?https?:\/\/[^\s)]+\s+(?:-d|--data)/i, kind: 'embedded-curl-post' },
+  { re: /\b(?:webhook|callback|beacon)\s+(?:to\s+)?https?:\/\/[^\s)]+/i, kind: 'webhook-beacon' },
+];
+
+const _TOOL_MISUSE_PATTERNS = [
+  { re: /\b(?:if|when)\s+(?:you\s+)?(?:see|encounter|hit)\s+a\s+(?:confirmation|approval|permission)\s+(?:prompt|dialog|step)[,.\s\-—]+(?:always\s+|just\s+)?(?:click|select|choose|answer|say|return|approve|accept)\s+(?:yes|approve|allow|accept)/i, kind: 'auto-approve-coaching' },
+  { re: /\buse\s+(?:the\s+)?(?:unrestricted|admin|root|sudo|dangerous|bypass)\s+(?:Bash|tool|capability|mode)/i, kind: 'use-dangerous-tool' },
+  { re: /\b(?:run|execute|invoke)\s+(?:Bash|shell|exec)\s*\(\s*\*?\s*\)\s+(?:without|silently|always)/i, kind: 'wildcard-bash-coaching' },
+];
+
+const _CRED_RE = [
+  { re: /\bsk-ant-[A-Za-z0-9_-]{20,}\b/, label: 'Anthropic API key' },
+  { re: /\bsk-[A-Za-z0-9]{32,}\b/, label: 'OpenAI-style API key' },
+  { re: /\bghp_[A-Za-z0-9]{36}\b/, label: 'GitHub PAT' },
+  { re: /\bgithub_pat_[A-Za-z0-9_]{20,}\b/, label: 'GitHub fine-grained PAT' },
+  { re: /\bAKIA[0-9A-Z]{16}\b/, label: 'AWS access key' },
+  { re: /\bxox[abprs]-[A-Za-z0-9-]{10,}\b/, label: 'Slack token' },
+];
+
+function _line(raw, idx) {
+  return raw.slice(0, idx).split('\n').length;
+}
+
+export function scanClaudeMdPromptInjection(file, raw) {
+  if (!file || !raw || typeof raw !== 'string') return [];
+  if (!_INSTRUCTION_FILE_RE.test(file)) return [];
+  if (raw.length > 1_000_000) return [];
+
+  // Strip fenced code blocks so example snippets in docs don't trip the
+  // detector. Replace with same-length whitespace to preserve line offsets.
+  const stripped = raw.replace(/```[\s\S]*?```/g, (m) => m.replace(/[^\n]/g, ' '));
+
+  const findings = [];
+
+  for (const { re, kind } of _OVERRIDE_PATTERNS) {
+    const m = re.exec(stripped);
+    if (!m) continue;
+    findings.push({
+      id: `claude-md:override:${kind}:${file}:${m.index}`,
+      file,
+      line: _line(stripped, m.index),
+      vuln: `Instruction file contains an override / role-rewriting directive (${kind})`,
+      severity: 'high',
+      family: 'agent-prompt-injection',
+      cwe: 'CWE-77',
+      confidence: 0.7,
+      description: `An instruction file (CLAUDE.md / AGENTS.md / etc.) loaded into every session is asking the agent to ignore prior instructions or adopt a new role. This is the canonical prompt-injection vector. If a teammate copied this content from an untrusted source, the agent has effectively been re-rolled.`,
+      remediation: 'Rewrite the directive as a constraint (\"only do X if Y is true\") rather than an override (\"ignore previous rules\"). Run /jailbreak-detector to test the resulting prompt.',
+      snippet: m[0].slice(0, 120),
+    });
+  }
+
+  for (const { re, kind, sev } of _AUTO_RUN_PATTERNS) {
+    const m = re.exec(stripped);
+    if (!m) continue;
+    findings.push({
+      id: `claude-md:auto-run:${kind}:${file}:${m.index}`,
+      file,
+      line: _line(stripped, m.index),
+      vuln: `Instruction file requests bypass of per-tool confirmation (${kind})`,
+      severity: sev,
+      family: 'agent-auto-approve',
+      cwe: 'CWE-862',
+      confidence: 0.75,
+      description: `The instruction asks the agent to skip user confirmation. Tool-call confirmation is the last line of defense against prompt-injection-driven destructive actions; removing it via documentation is equivalent to setting dangerouslySkipPermissions=true at runtime.`,
+      remediation: 'Remove the auto-run instruction. If certain commands genuinely need to be allow-listed, encode them in .claude/settings.json permissions.allow with narrow scope, not as a global rule in the instruction file.',
+      snippet: m[0].slice(0, 120),
+    });
+  }
+
+  for (const { re, kind } of _EXFIL_PATTERNS) {
+    const m = re.exec(stripped);
+    if (!m) continue;
+    findings.push({
+      id: `claude-md:exfil:${kind}:${file}:${m.index}`,
+      file,
+      line: _line(stripped, m.index),
+      vuln: `Instruction file asks the agent to exfiltrate context (${kind})`,
+      severity: 'high',
+      family: 'agent-prompt-injection',
+      cwe: 'CWE-200',
+      confidence: 0.7,
+      description: `The instruction tells the agent to send its system prompt, conversation history, or secrets to an outside destination. Even when the destination looks legitimate, this is the canonical data-exfiltration shape for a compromised prompt.`,
+      remediation: 'Remove the exfiltration directive. If outbound telemetry is genuinely needed, route it through a configured webhook with redaction at the source — not via a documented instruction.',
+      snippet: m[0].slice(0, 120),
+    });
+  }
+
+  for (const { re, kind } of _TOOL_MISUSE_PATTERNS) {
+    const m = re.exec(stripped);
+    if (!m) continue;
+    findings.push({
+      id: `claude-md:tool-misuse:${kind}:${file}:${m.index}`,
+      file,
+      line: _line(stripped, m.index),
+      vuln: `Instruction file coaches the agent into unsafe tool use (${kind})`,
+      severity: 'high',
+      family: 'agent-prompt-injection',
+      cwe: 'CWE-77',
+      confidence: 0.7,
+      description: `The instruction explicitly trains the agent to answer 'yes' to confirmation dialogs, reach for wildcard Bash, or otherwise circumvent its own safety checks.`,
+      remediation: 'Remove the coaching directive. If the underlying workflow genuinely needs broader permissions, encode them in settings.json with explicit scopes.',
+      snippet: m[0].slice(0, 120),
+    });
+  }
+
+  // Hardcoded credentials in CLAUDE.md / AGENTS.md.
+  for (const { re, label } of _CRED_RE) {
+    const m = re.exec(raw);
+    if (!m) continue;
+    findings.push({
+      id: `claude-md:hardcoded-cred:${file}:${m.index}`,
+      file,
+      line: _line(raw, m.index),
+      vuln: `Instruction file contains a hardcoded ${label}`,
+      severity: 'critical',
+      family: 'harness-config-secrets',
+      cwe: 'CWE-798',
+      confidence: 0.95,
+      description: `A literal credential is embedded in an instruction file the agent reads on every session. Any conversation surface that echoes file contents (logs, screenshots, support tickets) leaks the secret.`,
+      remediation: 'Move the credential to a secure vault and reference it via env-var substitution. Rotate the leaked credential immediately.',
+      snippet: m[0].slice(0, 8) + '...' + m[0].slice(-4),
+    });
+  }
+
+  return findings;
+}