npm - @elizaos/skills - Versions diffs - 2.0.0-alpha.3 - Mend

@elizaos/skills 2.0.0-alpha.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (371) hide show

package/skills/variant-analysis/skills/variant-analysis/resources/codeql/java.ql ADDED Viewed

@@ -0,0 +1,71 @@
+/**
+ * @name [VARIANT_NAME]
+ * @description Find variants of [ORIGINAL_BUG_ID]
+ * @kind path-problem
+ * @problem.severity error
+ * @tags security variant-analysis
+ */
+import java
+import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.dataflow.FlowSources
+import DataFlow::PathGraph
+module VariantConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    // HttpServletRequest.getParameter/getHeader
+    exists(MethodAccess ma |
+      ma.getMethod().getName() in ["getParameter", "getHeader", "getCookies", "getQueryString"] and
+      ma.getMethod().getDeclaringType().getASupertype*().hasQualifiedName("javax.servlet", "ServletRequest") and
+      source.asExpr() = ma
+    )
+    or
+    // Spring @RequestParam, @PathVariable
+    exists(Parameter p |
+      p.getAnAnnotation().getType().hasQualifiedName("org.springframework.web.bind.annotation", ["RequestParam", "PathVariable", "RequestBody"]) and
+      source.asParameter() = p
+    )
+  }
+  predicate isSink(DataFlow::Node sink) {
+    // Command injection
+    exists(MethodAccess ma |
+      ma.getMethod().hasQualifiedName("java.lang", "Runtime", "exec") and
+      sink.asExpr() = ma.getArgument(0)
+    )
+    or
+    exists(ClassInstanceExpr cie |
+      cie.getConstructedType().hasQualifiedName("java.lang", "ProcessBuilder") and
+      sink.asExpr() = cie.getArgument(0)
+    )
+    or
+    // SQL injection
+    exists(MethodAccess ma |
+      ma.getMethod().getName() in ["executeQuery", "executeUpdate", "execute"] and
+      ma.getMethod().getDeclaringType().getASupertype*().hasQualifiedName("java.sql", "Statement") and
+      sink.asExpr() = ma.getArgument(0)
+    )
+    or
+    // Path traversal
+    exists(ClassInstanceExpr cie |
+      cie.getConstructedType().hasQualifiedName("java.io", "File") and
+      sink.asExpr() = cie.getArgument(0)
+    )
+  }
+  predicate isBarrier(DataFlow::Node node) {
+    exists(MethodAccess ma |
+      ma.getMethod().getName() in ["escape", "sanitize", "parseInt", "valueOf"] and
+      node.asExpr() = ma
+    )
+  }
+}
+module VariantFlow = TaintTracking::Global<VariantConfig>;
+import VariantFlow::PathGraph
+from VariantFlow::PathNode source, VariantFlow::PathNode sink
+where VariantFlow::flowPath(source, sink)
+select sink.getNode(), source, sink,
+  "Tainted data from $@ flows to dangerous sink.",
+  source.getNode(), "user input"

package/skills/variant-analysis/skills/variant-analysis/resources/codeql/javascript.ql ADDED Viewed

@@ -0,0 +1,63 @@
+/**
+ * @name [VARIANT_NAME]
+ * @description Find variants of [ORIGINAL_BUG_ID]
+ * @kind path-problem
+ * @problem.severity error
+ * @tags security variant-analysis
+ */
+import javascript
+import semmle.javascript.security.dataflow.CommandInjectionQuery
+import DataFlow::PathGraph
+module VariantConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    // Express request params
+    exists(PropAccess pa |
+      pa.getPropertyName() in ["query", "body", "params", "cookies"] and
+      source.asExpr() = pa
+    )
+    or
+    // URL/location
+    exists(PropAccess pa |
+      pa.getBase().toString() in ["window", "document", "location"] and
+      source.asExpr() = pa
+    )
+  }
+  predicate isSink(DataFlow::Node sink) {
+    // Command injection
+    exists(CallExpr c |
+      c.getCalleeName() in ["exec", "execSync", "spawn", "spawnSync"] and
+      sink.asExpr() = c.getArgument(0)
+    )
+    or
+    // eval/Function
+    exists(CallExpr c |
+      c.getCalleeName() in ["eval", "Function"] and
+      sink.asExpr() = c.getArgument(0)
+    )
+    or
+    // SQL queries
+    exists(CallExpr c |
+      c.getCalleeName() in ["query", "raw", "execute"] and
+      sink.asExpr() = c.getArgument(0)
+    )
+  }
+  predicate isBarrier(DataFlow::Node node) {
+    exists(CallExpr c |
+      c.getCalleeName() in ["escape", "sanitize", "parseInt", "encodeURIComponent"] and
+      node.asExpr() = c
+    )
+  }
+}
+module VariantFlow = TaintTracking::Global<VariantConfig>;
+import VariantFlow::PathGraph
+from VariantFlow::PathNode source, VariantFlow::PathNode sink
+where VariantFlow::flowPath(source, sink)
+select sink.getNode(), source, sink,
+  "Tainted data from $@ flows to dangerous sink.",
+  source.getNode(), "user input"

package/skills/variant-analysis/skills/variant-analysis/resources/codeql/python.ql ADDED Viewed

@@ -0,0 +1,80 @@
+/**
+ * @name [VARIANT_NAME]
+ * @description Find variants of [ORIGINAL_BUG_ID]
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ *       variant-analysis
+ */
+import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+import semmle.python.ApiGraphs
+module VariantConfig implements DataFlow::ConfigSig {
+  // Sources: where untrusted data originates
+  predicate isSource(DataFlow::Node source) {
+    // Flask request parameters
+    source = API::moduleImport("flask").getMember("request")
+             .getMember(["args", "form", "json", "data"])
+             .getAUse()
+    or
+    // Environment variables
+    exists(Call c |
+      c.getFunc().(Attribute).getObject().(Name).getId() = "os" and
+      c.getFunc().(Attribute).getName() in ["getenv", "environ"] and
+      source.asExpr() = c
+    )
+  }
+  // Sinks: where tainted data becomes dangerous
+  predicate isSink(DataFlow::Node sink) {
+    // os.system()
+    exists(Call c |
+      c.getFunc().(Attribute).getObject().(Name).getId() = "os" and
+      c.getFunc().(Attribute).getName() = "system" and
+      sink.asExpr() = c.getArg(0)
+    )
+    or
+    // subprocess with shell=True
+    exists(Call c |
+      c.getFunc().(Attribute).getName() in ["call", "run", "Popen"] and
+      c.getArgByName("shell").(NameConstant).getValue() = true and
+      sink.asExpr() = c.getArg(0)
+    )
+  }
+  // Barriers: sanitization functions
+  predicate isBarrier(DataFlow::Node node) {
+    exists(Call c |
+      c.getFunc().(Attribute).getObject().(Name).getId() = "shlex" and
+      c.getFunc().(Attribute).getName() = "quote" and
+      node.asExpr() = c
+    )
+    or
+    exists(Call c |
+      c.getFunc().(Name).getId() in ["sanitize", "escape", "validate"] and
+      node.asExpr() = c
+    )
+  }
+  // Custom flow steps (optional)
+  predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(Call c |
+      c.getFunc().(Attribute).getName() = "format" and
+      pred.asExpr() = c.getFunc().(Attribute).getObject() and
+      succ.asExpr() = c
+    )
+  }
+}
+module VariantFlow = TaintTracking::Global<VariantConfig>;
+import VariantFlow::PathGraph
+from VariantFlow::PathNode source, VariantFlow::PathNode sink
+where VariantFlow::flowPath(source, sink)
+select sink.getNode(), source, sink,
+  "Potential variant: tainted data from $@ flows to dangerous sink.",
+  source.getNode(), "user-controlled input"

package/skills/variant-analysis/skills/variant-analysis/resources/semgrep/cpp.yaml ADDED Viewed

@@ -0,0 +1,98 @@
+rules:
+  - id: variant-taint-cpp
+    message: "Potential variant: user input flows to dangerous sink"
+    severity: ERROR
+    languages: [c, cpp]
+    mode: taint
+    pattern-sources:
+      # Command line
+      - pattern: argv[$IDX]
+      # Standard input
+      - pattern: gets(...)
+      - pattern: fgets($BUF, $SIZE, stdin)
+      - pattern: scanf(...)
+      - pattern: fscanf(...)
+      - pattern: getenv(...)
+      # Network
+      - pattern: recv($SOCK, $BUF, ...)
+      - pattern: recvfrom(...)
+      - pattern: read($FD, $BUF, ...)
+    pattern-sinks:
+      # Command injection
+      - pattern: system($SINK)
+      - pattern: popen($SINK, ...)
+      - pattern: execl($SINK, ...)
+      - pattern: execlp($SINK, ...)
+      - pattern: execv($SINK, ...)
+      - pattern: execvp($SINK, ...)
+      # Buffer overflow
+      - pattern: strcpy($DST, $SINK)
+      - pattern: strcat($DST, $SINK)
+      - pattern: sprintf($DST, $FMT, ..., $SINK, ...)
+      - pattern: gets($SINK)
+      # Format string
+      - pattern: printf($SINK)
+      - pattern: fprintf($FILE, $SINK)
+      - pattern: sprintf($BUF, $SINK)
+      - pattern: syslog($PRI, $SINK)
+      # Memory
+      - pattern: malloc($SINK)
+      - pattern: calloc($SINK, ...)
+      - pattern: realloc($PTR, $SINK)
+      - pattern: alloca($SINK)
+      # File operations
+      - pattern: fopen($SINK, ...)
+      - pattern: open($SINK, ...)
+    pattern-sanitizers:
+      - pattern: strncpy($DST, $SRC, $N)
+      - pattern: strncat($DST, $SRC, $N)
+      - pattern: snprintf($BUF, $SIZE, ...)
+      - pattern: strlcpy(...)
+      - pattern: strlcat(...)
+    paths:
+      exclude:
+        - "**/test/**"
+        - "**/*_test.c"
+        - "**/*_test.cpp"
+  - id: unsafe-functions-cpp
+    message: "Use of unsafe function - consider bounded alternative"
+    severity: WARNING
+    languages: [c, cpp]
+    pattern-either:
+      - pattern: gets(...)
+      - pattern: strcpy(...)
+      - pattern: strcat(...)
+      - pattern: sprintf(...)
+      - pattern: vsprintf(...)
+  - id: format-string-cpp
+    message: "Potential format string vulnerability"
+    severity: ERROR
+    languages: [c, cpp]
+    patterns:
+      - pattern-either:
+          - pattern: printf($VAR)
+          - pattern: fprintf($F, $VAR)
+          - pattern: sprintf($B, $VAR)
+          - pattern: snprintf($B, $S, $VAR)
+      - pattern-not: printf("...")
+      - pattern-not: fprintf($F, "...")
+      - pattern-not: sprintf($B, "...")
+      - pattern-not: snprintf($B, $S, "...")
+  - id: integer-overflow-cpp
+    message: "Potential integer overflow before memory allocation"
+    severity: WARNING
+    languages: [c, cpp]
+    patterns:
+      - pattern: |
+          $SIZE = $X * $Y;
+          ...
+          malloc($SIZE)
+      - pattern: malloc($X * $Y)
+      - pattern: calloc($X * $Y, ...)

package/skills/variant-analysis/skills/variant-analysis/resources/semgrep/go.yaml ADDED Viewed

@@ -0,0 +1,63 @@
+rules:
+  - id: variant-taint-go
+    message: "Potential variant: user input flows to dangerous sink"
+    severity: ERROR
+    languages: [go]
+    mode: taint
+    pattern-sources:
+      # net/http
+      - pattern: $REQ.URL.Query().Get(...)
+      - pattern: $REQ.FormValue(...)
+      - pattern: $REQ.PostFormValue(...)
+      - pattern: $REQ.Header.Get(...)
+      # Gin
+      - pattern: $CTX.Query(...)
+      - pattern: $CTX.Param(...)
+      - pattern: $CTX.PostForm(...)
+      - pattern: $CTX.GetHeader(...)
+      # Echo
+      - pattern: $CTX.QueryParam(...)
+      - pattern: $CTX.FormValue(...)
+      # os.Args
+      - pattern: os.Args[$IDX]
+      - pattern: os.Getenv(...)
+    pattern-sinks:
+      # Command injection
+      - pattern: exec.Command($SINK, ...)
+      - pattern: exec.CommandContext($CTX, $SINK, ...)
+      # SQL injection
+      - pattern: $DB.Query($SINK, ...)
+      - pattern: $DB.QueryRow($SINK, ...)
+      - pattern: $DB.Exec($SINK, ...)
+      # Path traversal
+      - pattern: os.Open($SINK)
+      - pattern: os.OpenFile($SINK, ...)
+      - pattern: os.ReadFile($SINK)
+      - pattern: ioutil.ReadFile($SINK)
+      # Template injection
+      - pattern: template.HTML($SINK)
+    pattern-sanitizers:
+      - pattern: strconv.Atoi($X)
+      - pattern: strconv.ParseInt($X, ...)
+      - pattern: filepath.Clean($X)
+      - pattern: filepath.Base($X)
+      - pattern: html.EscapeString($X)
+    paths:
+      exclude:
+        - "**/*_test.go"
+        - "**/test/**"
+        - "**/vendor/**"
+  - id: variant-pattern-go
+    message: "Suspicious pattern matching known vulnerability"
+    severity: WARNING
+    languages: [go]
+    patterns:
+      - pattern-either:
+          - pattern: exec.Command(...)
+          - pattern: $DB.Query($Q, ...)
+      - pattern-not: exec.Command("...")

package/skills/variant-analysis/skills/variant-analysis/resources/semgrep/java.yaml ADDED Viewed

@@ -0,0 +1,61 @@
+rules:
+  - id: variant-taint-java
+    message: "Potential variant: user input flows to dangerous sink"
+    severity: ERROR
+    languages: [java]
+    mode: taint
+    pattern-sources:
+      # Servlet
+      - pattern: (HttpServletRequest $REQ).getParameter(...)
+      - pattern: (HttpServletRequest $REQ).getHeader(...)
+      - pattern: (HttpServletRequest $REQ).getCookies()
+      - pattern: (HttpServletRequest $REQ).getQueryString()
+      - pattern: (HttpServletRequest $REQ).getInputStream()
+      # Spring
+      - pattern: "@RequestParam $TYPE $VAR"
+      - pattern: "@PathVariable $TYPE $VAR"
+      - pattern: "@RequestBody $TYPE $VAR"
+    pattern-sinks:
+      # Command injection
+      - pattern: Runtime.getRuntime().exec($SINK, ...)
+      - pattern: new ProcessBuilder($SINK, ...)
+      # SQL injection
+      - pattern: (Statement $S).executeQuery($SINK)
+      - pattern: (Statement $S).executeUpdate($SINK)
+      - pattern: (Statement $S).execute($SINK)
+      - pattern: (Connection $C).prepareStatement($SINK)
+      # Path traversal
+      - pattern: new File($SINK)
+      - pattern: new FileInputStream($SINK)
+      - pattern: new FileOutputStream($SINK)
+      - pattern: Paths.get($SINK, ...)
+      # XXE
+      - pattern: (DocumentBuilder $DB).parse($SINK)
+      # Deserialization
+      - pattern: (ObjectInputStream $OIS).readObject()
+    pattern-sanitizers:
+      - pattern: Integer.parseInt($X)
+      - pattern: Integer.valueOf($X)
+      - pattern: StringEscapeUtils.escapeHtml4($X)
+      - pattern: ESAPI.encoder().encodeForSQL(...)
+    paths:
+      exclude:
+        - "**/test/**"
+        - "**/*Test.java"
+  - id: variant-pattern-java
+    message: "Suspicious pattern matching known vulnerability"
+    severity: WARNING
+    languages: [java]
+    patterns:
+      - pattern-either:
+          - pattern: Runtime.getRuntime().exec(...)
+          - pattern: new ProcessBuilder(...)
+      - pattern-inside: |
+          $RET $METHOD(..., HttpServletRequest $REQ, ...) {
+            ...
+          }

package/skills/variant-analysis/skills/variant-analysis/resources/semgrep/javascript.yaml ADDED Viewed

@@ -0,0 +1,60 @@
+rules:
+  - id: variant-taint-js
+    message: "Potential variant: user input flows to dangerous sink"
+    severity: ERROR
+    languages: [javascript, typescript]
+    mode: taint
+    pattern-sources:
+      # Express
+      - pattern: req.query.$PARAM
+      - pattern: req.body.$PARAM
+      - pattern: req.params.$PARAM
+      - pattern: req.cookies.$PARAM
+      # URL/Location
+      - pattern: window.location.$PROP
+      - pattern: document.location.$PROP
+      - pattern: location.search
+      - pattern: location.hash
+    pattern-sinks:
+      # Command injection
+      - pattern: child_process.exec($SINK, ...)
+      - pattern: child_process.execSync($SINK, ...)
+      - pattern: child_process.spawn($SINK, ...)
+      # Code execution
+      - pattern: eval($SINK)
+      - pattern: Function($SINK)
+      - pattern: setTimeout($SINK, ...)
+      - pattern: setInterval($SINK, ...)
+      # SQL
+      - pattern: $DB.query($SINK, ...)
+      - pattern: $DB.raw($SINK)
+      # XSS
+      - pattern: $EL.innerHTML = $SINK
+      - pattern: document.write($SINK)
+    pattern-sanitizers:
+      - pattern: parseInt($X, ...)
+      - pattern: encodeURIComponent($X)
+      - pattern: escape($X)
+      - pattern: $DB.escape($X)
+    paths:
+      exclude:
+        - "**/*.test.js"
+        - "**/*.spec.js"
+        - "**/test/**"
+        - "**/node_modules/**"
+  - id: variant-pattern-js
+    message: "Suspicious pattern matching known vulnerability"
+    severity: WARNING
+    languages: [javascript, typescript]
+    patterns:
+      - pattern-either:
+          - pattern: eval(...)
+          - pattern: Function(...)
+          - pattern: child_process.exec(...)
+      - pattern-not: eval("...")
+      - pattern-not: Function("...")

package/skills/variant-analysis/skills/variant-analysis/resources/semgrep/python.yaml ADDED Viewed

@@ -0,0 +1,72 @@
+rules:
+  - id: variant-taint-analysis
+    message: >-
+      Potential variant: user-controlled data flows to dangerous sink.
+      Original bug: [DESCRIBE_ORIGINAL_BUG]
+    severity: ERROR
+    languages: [python]
+    mode: taint
+    pattern-sources:
+      # Flask
+      - pattern: request.args.get(...)
+      - pattern: request.args[...]
+      - pattern: request.form.get(...)
+      - pattern: request.form[...]
+      - pattern: request.json
+      - pattern: request.data
+      # Django (uncomment if needed)
+      # - pattern: request.GET.get(...)
+      # - pattern: request.POST.get(...)
+      # General
+      - pattern: os.environ.get(...)
+      - pattern: input(...)
+    pattern-sinks:
+      # Command injection
+      - pattern: os.system($SINK)
+      - pattern: os.popen($SINK)
+      - pattern: subprocess.call($SINK, ...)
+      - pattern: subprocess.run($SINK, ...)
+      - pattern: subprocess.Popen($SINK, ...)
+      # Code execution
+      - pattern: eval($SINK)
+      - pattern: exec($SINK)
+      # SQL (uncomment if needed)
+      # - pattern: $CURSOR.execute($SINK)
+      # Path traversal (uncomment if needed)
+      # - pattern: open($SINK, ...)
+    pattern-sanitizers:
+      - pattern: shlex.quote(...)
+      - pattern: os.path.basename(...)
+      - pattern: int(...)
+      - pattern: sanitize(...)
+      - pattern: escape(...)
+      - pattern: validate(...)
+    paths:
+      exclude:
+        - "*_test.py"
+        - "test_*.py"
+        - "tests/"
+        - "**/test/**"
+    metadata:
+      category: security
+      confidence: HIGH
+  # Simple pattern matching variant (non-taint)
+  - id: variant-pattern-match
+    message: "Suspicious pattern matching known vulnerability signature"
+    severity: WARNING
+    languages: [python]
+    patterns:
+      - pattern-either:
+          - pattern: dangerous_func($USER_DATA)
+          - pattern: risky_operation(..., $USER_DATA, ...)
+      - pattern-not: dangerous_func("...")
+    paths:
+      exclude:
+        - "tests/"
+        - "*_test.py"

package/skills/variant-analysis/skills/variant-analysis/resources/variant-report-template.md ADDED Viewed

@@ -0,0 +1,75 @@
+# Variant Analysis Report
+## Summary
+| Field | Value |
+|-------|-------|
+| **Original Bug** | [BUG_ID / CVE] |
+| **Analysis Date** | [DATE] |
+| **Codebase** | [REPO/PROJECT] |
+| **Variants Found** | [COUNT] |
+## Original Vulnerability
+**Root Cause:** [e.g., "User input reaches SQL query without parameterization"]
+**Location:** `[path/to/file.py:LINE]` in `function_name()`
+```python
+# Vulnerable code
+```
+## Search Methodology
+| Version | Pattern | Tool | Matches | TP | FP |
+|---------|---------|------|---------|----|----|
+| v1 | [exact] | ripgrep | 1 | 1 | 0 |
+| v2 | [abstract] | semgrep | N | N | N |
+**Final Pattern:**
+```yaml
+# Pattern used
+```
+## Findings
+### Variant #1: [BRIEF_TITLE]
+| Severity | Confidence | Status |
+|----------|------------|--------|
+| High | High | Confirmed |
+**Location:** `[path/to/file.py:LINE]`
+```python
+# Vulnerable code
+```
+**Analysis:** [Why this is a true/false positive]
+**Exploitability:**
+- [ ] Reachable from external input
+- [ ] User-controlled data
+- [ ] No sanitization
+---
+<!-- Copy variant template above for additional findings -->
+## False Positive Patterns
+| Pattern | Count | Reason |
+|---------|-------|--------|
+| [pattern] | N | [why safe] |
+## Recommendations
+### Immediate
+1. Fix variant in [location]
+### Preventive
+1. Add Semgrep rule to CI
+```yaml
+# CI-ready rule
+```

package/skills/video-frames/SKILL.md ADDED Viewed

@@ -0,0 +1,46 @@
+---
+name: video-frames
+description: Extract frames or short clips from videos using ffmpeg.
+homepage: https://ffmpeg.org
+metadata:
+  {
+    "otto":
+      {
+        "emoji": "🎞️",
+        "requires": { "bins": ["ffmpeg"] },
+        "install":
+          [
+            {
+              "id": "brew",
+              "kind": "brew",
+              "formula": "ffmpeg",
+              "bins": ["ffmpeg"],
+              "label": "Install ffmpeg (brew)",
+            },
+          ],
+      },
+  }
+---
+# Video Frames (ffmpeg)
+Extract a single frame from a video, or create quick thumbnails for inspection.
+## Quick start
+First frame:
+```bash
+{baseDir}/scripts/frame.sh /path/to/video.mp4 --out /tmp/frame.jpg
+```
+At a timestamp:
+```bash
+{baseDir}/scripts/frame.sh /path/to/video.mp4 --time 00:00:10 --out /tmp/frame-10s.jpg
+```
+## Notes
+- Prefer `--time` for “what is happening around here?”.
+- Use a `.jpg` for quick share; use `.png` for crisp UI frames.