@elliotllliu/agent-shield 0.3.1

package/dist/rules/prompt-injection.js

@@ -0,0 +1,323 @@
+/**
+ * Rule: prompt-injection
+ * Detects prompt injection patterns in SKILL.md, MCP tool descriptions,
+ * and other markdown/text files that could hijack agent behavior.
+ *
+ * Based on research from:
+ * - Invariant Labs: Tool Poisoning Attacks (TPA) on MCP servers
+ * - BIPIA benchmark (KDD 2025): Indirect prompt injection taxonomy
+ * - arXiv:2403.04957: Automatic and Universal Prompt Injection (Liu et al.)
+ * - arXiv:2302.12173: Indirect Prompt Injection (Greshake et al.)
+ * - arXiv:2310.12815: Formalizing Prompt Injection (USENIX Security 2024)
+ * - Open-Prompt-Injection: NaiveAttacker, EscapeCharAttacker, FakeCompAttacker, CombineAttacker
+ * - Snyk Agent Scan: E001-E006, W001, W011 issue codes
+ */
+// ============================================================
+// Category 1: Direct instruction override
+// ============================================================
+const INSTRUCTION_OVERRIDE = [
+    { pattern: /ignore\s+(all\s+)?(previous|prior|above|earlier)\s+(instructions|rules|guidelines|prompts)/i, description: "Attempts to override previous instructions", severity: "critical" },
+    { pattern: /disregard\s+(all\s+)?(previous|prior|above|your)\s+(instructions|rules|guidelines|safety)/i, description: "Attempts to disregard safety guidelines", severity: "critical" },
+    { pattern: /forget\s+(everything|all|your)\s+(you|instructions|rules|about)/i, description: "Attempts to make agent forget instructions", severity: "critical" },
+    { pattern: /new\s+instructions?\s*:/i, description: "Injects new instructions", severity: "critical" },
+    { pattern: /override\s+(your|the|all|previous)\s+(instructions|rules|behavior|guidelines)/i, description: "Attempts to override agent behavior", severity: "critical" },
+    // Multi-language injection (Chinese)
+    { pattern: /忽略\s*(之前|以上|先前|所有)[\s的]*(指令|规则|指示|提示|所有[\s的]*指令)/i, description: "Chinese: attempts to override instructions (忽略指令)", severity: "critical" },
+    { pattern: /无视\s*(之前|以上|所有)\s*(的\s*)?(指令|规则|限制|安全)/i, description: "Chinese: disregard instructions (无视指令)", severity: "critical" },
+    // Multi-language injection (Spanish)
+    { pattern: /ignora\s+(todas?\s+)?(las\s+)?(instrucciones|reglas)\s+(anteriores|previas)/i, description: "Spanish: ignore previous instructions", severity: "critical" },
+    // Multi-language injection (French)
+    { pattern: /ignore[rz]?\s+(toutes?\s+)?(les\s+)?(instructions|règles)\s+(précédentes|antérieures)/i, description: "French: ignore previous instructions", severity: "critical" },
+    // Multi-language injection (German)
+    { pattern: /ignorier(?:e|en)?\s+(alle\s+)?(vorherigen|bisherigen)\s+(Anweisungen|Regeln|Richtlinien)/i, description: "German: ignore previous instructions", severity: "critical" },
+];
+// ============================================================
+// Category 2: Identity manipulation
+// ============================================================
+const IDENTITY_MANIPULATION = [
+    { pattern: /you\s+are\s+now\s+(a|an|acting\s+as)/i, description: "Attempts to change agent identity", severity: "critical" },
+    { pattern: /pretend\s+(to\s+be|you\s+are)/i, description: "Attempts identity manipulation via pretending", severity: "critical" },
+    { pattern: /from\s+now\s+on,?\s+(you|your|ignore|do\s+not)/i, description: "Attempts to set new behavioral directives", severity: "critical" },
+    // Role-play injection (from BIPIA research)
+    { pattern: /let'?s\s+play\s+a\s+game/i, description: "Role-play injection: 'let's play a game'", severity: "warning" },
+    { pattern: /(?:imagine|suppose|assume)\s+(?:that\s+)?you\s+(?:are|were|have)\s+(?:a|an|no)\s+/i, description: "Hypothetical role-play injection", severity: "warning" },
+    { pattern: /(?:in\s+this\s+(?:scenario|simulation|exercise|context)),?\s+you\s+(?:are|should|must|will)/i, description: "Scenario-based identity manipulation", severity: "critical" },
+    // DAN-style jailbreaks
+    { pattern: /(?:DAN|Do\s+Anything\s+Now)\s*(?:mode|prompt|:)/i, description: "DAN jailbreak attempt", severity: "critical" },
+    { pattern: /(?:developer|debug|maintenance|admin|root)\s+mode\s*(?:enabled|activated|on|:)/i, description: "Fake mode activation to bypass restrictions", severity: "critical" },
+];
+// ============================================================
+// Category 3: System prompt extraction/manipulation
+// ============================================================
+const SYSTEM_PROMPT_ATTACKS = [
+    { pattern: /(?:reveal|show|display|print|output|repeat|echo|tell\s+me)\s+(?:your\s+)?(?:system\s+)?prompt/i, description: "Attempts to extract system prompt", severity: "critical" },
+    { pattern: /what\s+(?:is|are)\s+your\s+(?:system\s+)?(?:instructions|prompt|rules|guidelines)/i, description: "Attempts to extract agent instructions", severity: "warning" },
+    { pattern: /<\/?system>/i, description: "Fake system tags to inject instructions", severity: "critical" },
+    { pattern: /\[SYSTEM\]|\[INST\]|\[\/INST\]/i, description: "Fake instruction delimiters", severity: "critical" },
+    // More delimiter injection variants
+    { pattern: /<\|(?:im_start|im_end|system|user|assistant|endoftext)\|>/i, description: "ChatML/token delimiter injection", severity: "critical" },
+    { pattern: /###\s*(?:System|Human|Assistant|User)\s*(?:Message|Prompt)?\s*:/i, description: "Fake conversation role delimiter", severity: "critical" },
+    { pattern: /\bEND_SYSTEM_PROMPT\b|\bBEGIN_USER_INPUT\b|\bSYSTEM_OVERRIDE\b/i, description: "Fake system boundary markers", severity: "critical" },
+];
+// ============================================================
+// Category 4: Hidden instructions (steganographic attacks)
+// ============================================================
+const HIDDEN_INSTRUCTIONS = [
+    { pattern: /<!--[\s\S]*?(?:ignore|override|disregard|execute|run|you must|always|never)[\s\S]*?-->/i, description: "Hidden instructions in HTML comments", severity: "critical" },
+    { pattern: /\u200b|\u200c|\u200d|\u2060|\ufeff/g, description: "Zero-width characters (potential hidden text)", severity: "warning" },
+    // Invariant Labs TPA: <IMPORTANT> tag poisoning
+    { pattern: /<IMPORTANT>[\s\S]*?<\/IMPORTANT>/i, description: "TPA: <IMPORTANT> tag poisoning (Invariant Labs attack vector)", severity: "critical" },
+    { pattern: /<(?:CRITICAL|MANDATORY|REQUIRED|ESSENTIAL|PRIORITY)>[\s\S]*?<\/(?:CRITICAL|MANDATORY|REQUIRED|ESSENTIAL|PRIORITY)>/i, description: "Urgency-tagged hidden instructions", severity: "critical" },
+    // Invisible unicode / homoglyph attacks
+    { pattern: /[\u2000-\u200f\u2028-\u202f\u205f-\u206f]/g, description: "Unicode formatting/control characters (steganographic attack)", severity: "warning" },
+    { pattern: /[\u0300-\u036f]{3,}/g, description: "Excessive combining diacritical marks (text hiding)", severity: "warning" },
+    // Markdown image exfiltration
+    { pattern: /!\[.*?\]\(https?:\/\/[^)]*(?:\?|&)(?:data|q|query|content|text|msg|payload|d|c)=/i, description: "Markdown image with data exfiltration query params", severity: "critical" },
+    // White text / CSS hiding
+    { pattern: /color:\s*(?:white|#fff(?:fff)?|rgb\(255,\s*255,\s*255\)|transparent)/i, description: "CSS color hiding (white/transparent text)", severity: "warning" },
+    { pattern: /font-size:\s*(?:0|0px|0pt|0em)/i, description: "CSS zero font size (invisible text)", severity: "warning" },
+];
+// ============================================================
+// Category 5: Behavioral hijacking
+// ============================================================
+const BEHAVIORAL_HIJACKING = [
+    { pattern: /(?:you\s+must|always|never)\s+(?:call|use|invoke|execute|run)\s+(?:this|the|my)\s+tool/i, description: "Forces agent to call specific tools", severity: "critical" },
+    { pattern: /(?:do\s+not|never|don'?t)\s+(?:ask|check|verify|validate|confirm)\s+(?:the\s+user|before|permission)/i, description: "Attempts to bypass user confirmation", severity: "critical" },
+    { pattern: /(?:before|after)\s+(?:any|every|each)\s+(?:action|request|call|tool),?\s+(?:first\s+)?(?:call|use|invoke|run)/i, description: "Injects mandatory pre/post actions", severity: "critical" },
+    { pattern: /(?:silently|quietly|secretly|without\s+(?:telling|informing|notifying))\s+(?:send|post|upload|transmit|exfiltrate)/i, description: "Instructs covert data transmission", severity: "critical" },
+    // Concealment patterns (from Invariant Labs TPA research)
+    { pattern: /(?:do\s+not|don'?t|never)\s+(?:mention|tell|inform|notify|alert|warn|show|display|reveal)\s+(?:[\w\s]{0,20})?(?:the\s+)?(?:user|human|person|anyone)/i, description: "Concealment: instructs hiding behavior from user", severity: "critical" },
+    { pattern: /(?:this\s+(?:is|should\s+be|must\s+remain))\s+(?:invisible|hidden|secret|confidential)\s+(?:to|from)\s+(?:the\s+)?user/i, description: "Concealment: marks actions as hidden from user", severity: "critical" },
+    { pattern: /(?:do\s+not|don'?t|never)\s+(?:include|show|display)\s+(?:this|these|the)\s+(?:in\s+(?:your|the)\s+)?(?:response|output|reply|answer)/i, description: "Concealment: suppresses information from response", severity: "critical" },
+    // Distraction patterns (from TPA: "provide detailed reasoning about math")
+    { pattern: /(?:while|as)\s+(?:you|doing\s+(?:this|that)),?\s+(?:provide|give|show)\s+(?:detailed|lengthy|extensive)\s+(?:reasoning|explanation|analysis)/i, description: "Distraction: uses verbose output to mask malicious action", severity: "warning" },
+    { pattern: /(?:this\s+could\s+(?:even\s+)?upset\s+the\s+user|be\s+(?:very\s+)?gentle|not\s+scary)/i, description: "Social engineering: emotional manipulation to conceal actions", severity: "critical" },
+];
+// ============================================================
+// Category 6: Tool poisoning (MCP-specific from Invariant Labs)
+// ============================================================
+const TOOL_POISONING = [
+    { pattern: /(?:important|crucial|critical|essential|vital)\s*(?::|!)\s*(?:always|never|you must|do not)/i, description: "Urgency-based behavioral directive in description", severity: "warning" },
+    { pattern: /(?:this\s+tool\s+)?(?:requires|needs|demands)\s+(?:that\s+)?(?:you|the\s+agent)\s+(?:first|also|always)/i, description: "Tool description imposes agent requirements", severity: "warning" },
+    // TPA: Tool requiring reading unrelated files
+    { pattern: /(?:before\s+(?:using|calling|running)\s+this\s+tool|otherwise\s+(?:the\s+tool|it)\s+will\s+not\s+work),?\s+(?:read|access|open|load|get)\s+/i, description: "TPA: tool demands reading files before execution", severity: "critical" },
+    { pattern: /(?:pass|send|include)\s+(?:its?\s+)?(?:content|contents|data|value|result)\s+as\s+['"]?\w+['"]?/i, description: "TPA: instructs passing file contents as parameter", severity: "warning" },
+    // TPA: Tool with hidden side-channel parameter
+    { pattern: /(?:pass|provide|send|include)\s+(?:it|this|the\s+(?:content|data|result|output))\s+(?:as|in|via)\s+(?:the\s+)?['"]?(?:sidenote|note|metadata|context|extra|debug|trace|log|comment|tag|label|memo|remark)['"]?/i, description: "TPA: hidden side-channel parameter for data exfiltration", severity: "critical" },
+    // Toxic flow: cross-tool data piping
+    { pattern: /(?:take|get|read|extract|collect)\s+(?:the\s+)?(?:output|result|response|data)\s+(?:from|of)\s+(?:the\s+)?\w+\s+(?:tool|function|command)\s+(?:and\s+)?(?:send|pass|forward|pipe)\s+(?:it\s+)?(?:to|into)/i, description: "Toxic flow: cross-tool data piping for exfiltration", severity: "critical" },
+];
+// ============================================================
+// Category 7: Data exfiltration via prompt
+// ============================================================
+const DATA_EXFILTRATION = [
+    { pattern: /(?:send|post|transmit|forward|copy)\s+(?:all|any|the|this)?\s*(?:conversation|chat|history|context|messages?)(?:\s+(?:history|data|log|context))?\s+(?:to|at)\s+/i, description: "Instructs exfiltration of conversation data", severity: "critical" },
+    { pattern: /(?:include|append|attach|embed)\s+(?:the\s+)?(?:api\s+key|token|password|secret|credential|ssh\s+key)/i, description: "Attempts to extract credentials via prompt", severity: "critical" },
+    // File read for exfiltration (from Invariant Labs TPA)
+    { pattern: /(?:read|access|open|cat|load|get\s+the\s+contents?\s+of)\s+(?:~\/|\/(?:home|root|etc|var)\/)[\w.\-\/]*(?:\.ssh|\.aws|\.env|\.cursor|\.claude|mcp\.json|credentials|config\.json|id_rsa|\.gnupg)/i, description: "TPA: reads sensitive files for exfiltration", severity: "critical" },
+    { pattern: /(?:read|access|open)\s+[`'"]?~\/\.(?:ssh|aws|cursor|claude|vscode|config|gnupg|npm|pypirc|docker|kube)/i, description: "TPA: reads sensitive dotfile directories", severity: "critical" },
+    // Markdown/image-based exfiltration
+    { pattern: /!\[(?:.*?)\]\(https?:\/\/[^)]+\/(?:collect|exfil|log|track|steal|grab|capture|record)(?:[?/]|$)/i, description: "Markdown image URL with exfiltration endpoint", severity: "critical" },
+];
+// ============================================================
+// Category 8: Encoding-based evasion
+// ============================================================
+const ENCODING_EVASION = [
+    { pattern: /(?:decode|eval|execute|run)\s+(?:the\s+)?(?:base64|hex|rot13|encoded)/i, description: "Instructs decoding of obfuscated payloads", severity: "critical" },
+    // Base64-encoded instruction blocks
+    { pattern: /(?:aWdub3Jl|ZGlzcmVnYXJk|b3ZlcnJpZGU|Zm9yZ2V0|cmV2ZWFs|c3lzdGVt|cHJvbXB0|aW5zdHJ1Y3Rpb24)/i, description: "Base64-encoded injection keywords detected", severity: "critical" },
+    // Hex-encoded patterns
+    { pattern: /\\x[0-9a-f]{2}(?:\\x[0-9a-f]{2}){5,}/gi, description: "Hex-encoded string (potential payload)", severity: "warning" },
+    // Unicode escape sequences
+    { pattern: /\\u[0-9a-f]{4}(?:\\u[0-9a-f]{4}){5,}/gi, description: "Unicode escape sequence chain (potential hidden text)", severity: "warning" },
+];
+// ============================================================
+// Category 9: Fake Completion Attack (Open-Prompt-Injection: FakeCompAttacker)
+// Agent thinks original task is done, then follows injected instructions
+// ============================================================
+const FAKE_COMPLETION = [
+    { pattern: /(?:Answer|Response|Result|Output|Summary|Task)\s*:\s*(?:done|complete|finished|negative sentiment|no spam|no hateful|entailment|equivalent)[\s.]*(?:\n|\r|$)/i, description: "Fake task completion followed by potential injection", severity: "warning" },
+    { pattern: /(?:task\s+(?:is\s+)?(?:complete|done|finished)|I'?(?:ve|m)\s+(?:done|finished)|(?:analysis|correction|summary|grammar)\s+(?:is\s+)?complete)[.\s]*(?:now|next|additionally|also|furthermore|by the way)/i, description: "Fake completion + follow-up injection", severity: "critical" },
+    { pattern: /---\s*\n\s*(?:ignore|new|now|actual|real)\s+(?:instructions?|task)/i, description: "Separator + new instruction injection after fake completion", severity: "critical" },
+];
+// ============================================================
+// Category 10: Delimiter/Boundary Confusion (arXiv:2302.12173)
+// Trick the model by injecting conversation boundary markers
+// ============================================================
+const DELIMITER_CONFUSION = [
+    { pattern: /```\s*(?:system|instruction|prompt|admin|internal)\s*$/i, description: "Fake code block boundary with privileged label", severity: "critical" },
+    { pattern: /\[(?:SYSTEM|ADMIN|INTERNAL|ROOT|OPERATOR|DEVELOPER)\s*(?:MESSAGE|NOTE|INSTRUCTION|OVERRIDE)\]/i, description: "Fake privileged message bracket", severity: "critical" },
+    { pattern: /={3,}\s*(?:SYSTEM|ADMIN|INSTRUCTION|PRIVILEGED)\s*={3,}/i, description: "Fake section boundary marker", severity: "critical" },
+    { pattern: /<\|(?:tool_call|function_call|tool_result|function_result)\|>/i, description: "Fake tool call/result delimiter injection", severity: "critical" },
+    { pattern: /(?:Human|User|Assistant)\s*\((?:internal|admin|system|override)\)\s*:/i, description: "Fake role with elevated context", severity: "critical" },
+];
+// ============================================================
+// Category 11: Instruction Hierarchy Abuse
+// Claims elevated privileges or administrative authority
+// ============================================================
+const HIERARCHY_ABUSE = [
+    { pattern: /(?:as\s+(?:the|an?)\s+)?(?:administrator|admin|supervisor|manager|owner|operator)\s*[,:]\s*(?:I\s+)?(?:instruct|command|order|direct|authorize|override|grant)/i, description: "Claims administrator authority", severity: "critical" },
+    { pattern: /(?:this\s+(?:instruction|message|command)\s+)?(?:has|with)\s+(?:higher|elevated|admin|root|system)\s+(?:priority|privilege|access|permission|authority)/i, description: "Claims elevated priority/privilege", severity: "critical" },
+    { pattern: /(?:per|by)\s+(?:company|corporate|management|executive|leadership)\s+(?:policy|directive|order|mandate)/i, description: "Invokes fake corporate authority", severity: "warning" },
+    { pattern: /(?:security|compliance|legal|audit)\s+(?:team|department|officer)\s+(?:requires|mandates|demands|directs)/i, description: "Invokes fake security/compliance authority", severity: "warning" },
+    { pattern: /(?:authorized|approved|sanctioned|cleared)\s+by\s+(?:the\s+)?(?:system|admin|security|management|CEO|CTO)/i, description: "Claims authorization from authority figure", severity: "warning" },
+];
+// ============================================================
+// Category 12: Multi-step / Payload Splitting
+// Splits malicious intent across multiple innocuous-looking lines
+// ============================================================
+const PAYLOAD_SPLITTING = [
+    { pattern: /step\s*\d+\s*:\s*(?:read|access|get|retrieve)\s+(?:the\s+)?(?:file|data|credentials?|keys?|tokens?|secrets?)/i, description: "Multi-step attack: numbered steps targeting sensitive data", severity: "critical" },
+    { pattern: /step\s*\d+\s*:\s*(?:send|post|transmit|forward|upload)\s+(?:the\s+)?(?:results?|output|data|contents?)\s+(?:to|via)/i, description: "Multi-step attack: numbered exfiltration step", severity: "critical" },
+    { pattern: /(?:first|then|next|after that|finally),?\s+(?:silently|quietly|without\s+(?:telling|the\s+user))\s+/i, description: "Sequential instruction with concealment", severity: "critical" },
+];
+// Merge all categories
+const INJECTION_PATTERNS = [
+    ...INSTRUCTION_OVERRIDE,
+    ...IDENTITY_MANIPULATION,
+    ...SYSTEM_PROMPT_ATTACKS,
+    ...HIDDEN_INSTRUCTIONS,
+    ...BEHAVIORAL_HIJACKING,
+    ...TOOL_POISONING,
+    ...DATA_EXFILTRATION,
+    ...ENCODING_EVASION,
+    ...FAKE_COMPLETION,
+    ...DELIMITER_CONFUSION,
+    ...HIERARCHY_ABUSE,
+    ...PAYLOAD_SPLITTING,
+];
+// Suspicious URL patterns in skills
+const SUSPICIOUS_URL_PATTERNS = [
+    { pattern: /curl\s+(?:-[sS]\s+)?https?:\/\/(?!github\.com|raw\.githubusercontent|npmjs\.com|pypi\.org)/i, description: "Downloads from non-standard source" },
+    { pattern: /wget\s+(?:-q\s+)?https?:\/\/(?!github\.com|raw\.githubusercontent)/i, description: "Downloads from non-standard source" },
+    { pattern: /\|\s*(?:bash|sh|zsh|python|node|eval)/i, description: "Pipes download output to execution" },
+    { pattern: /(?:bit\.ly|tinyurl|t\.co|goo\.gl|is\.gd|shorturl)\//i, description: "URL shortener (obscures destination)" },
+    { pattern: /(?:pastebin\.com|hastebin\.com|paste\.ee|ghostbin)/i, description: "Paste site (potential malicious payload host)" },
+    // Webhook/callback exfiltration endpoints
+    { pattern: /(?:webhook\.site|requestbin\.com|hookbin\.com|pipedream\.net|burpcollaborator)/i, description: "Known exfiltration webhook service" },
+    { pattern: /(?:ngrok\.io|serveo\.net|localtunnel\.me|localhost\.run)\//i, description: "Tunnel service (potential C2 or exfil endpoint)" },
+];
+export const promptInjection = {
+    id: "prompt-injection",
+    name: "Prompt Injection Detection",
+    description: "Detects prompt injection, tool poisoning, and behavioral hijacking in skill instructions and tool descriptions",
+    run(files) {
+        const findings = [];
+        for (const file of files) {
+            // Focus on markdown (SKILL.md, docs), JSON (MCP config), and YAML files
+            const isSkillMd = file.relativePath.toLowerCase().includes("skill.md");
+            const isMarkdown = file.ext === ".md";
+            const isConfig = [".json", ".yaml", ".yml"].includes(file.ext);
+            const isPython = file.ext === ".py"; // MCP servers are often Python
+            if (!isMarkdown && !isConfig && !isPython)
+                continue;
+            // Check each line for injection patterns
+            for (let i = 0; i < file.lines.length; i++) {
+                const line = file.lines[i];
+                for (const { pattern, description, severity } of INJECTION_PATTERNS) {
+                    pattern.lastIndex = 0;
+                    if (pattern.test(line)) {
+                        findings.push({
+                            rule: "prompt-injection",
+                            severity: isSkillMd ? severity : "warning",
+                            file: file.relativePath,
+                            line: i + 1,
+                            message: `Prompt injection: ${description}`,
+                            evidence: line.trim().substring(0, 120),
+                        });
+                        break; // One finding per line
+                    }
+                }
+            }
+            // Multi-line analysis: check for <IMPORTANT> blocks spanning multiple lines
+            if (isMarkdown || isPython || isConfig) {
+                const importantBlockRe = /<IMPORTANT>([\s\S]*?)<\/IMPORTANT>/gi;
+                let match;
+                while ((match = importantBlockRe.exec(file.content)) !== null) {
+                    const blockContent = match[1].toLowerCase();
+                    // Check if the block contains suspicious instructions
+                    const hasSuspicious = /(?:read|access|send|pass|before using|otherwise.*will not work|do not mention|don't tell)/i.test(blockContent);
+                    if (hasSuspicious) {
+                        const lineNum = file.content.substring(0, match.index).split("\n").length;
+                        findings.push({
+                            rule: "prompt-injection",
+                            severity: "critical",
+                            file: file.relativePath,
+                            line: lineNum,
+                            message: "TPA: <IMPORTANT> block with suspicious instructions (Invariant Labs attack pattern)",
+                            evidence: match[0].substring(0, 120),
+                        });
+                    }
+                }
+            }
+            // Check for suspicious URLs in skill files
+            if (isSkillMd || isMarkdown) {
+                for (let i = 0; i < file.lines.length; i++) {
+                    const line = file.lines[i];
+                    for (const { pattern, description } of SUSPICIOUS_URL_PATTERNS) {
+                        pattern.lastIndex = 0;
+                        if (pattern.test(line)) {
+                            findings.push({
+                                rule: "prompt-injection",
+                                severity: "warning",
+                                file: file.relativePath,
+                                line: i + 1,
+                                message: `Suspicious URL: ${description}`,
+                                evidence: line.trim().substring(0, 120),
+                            });
+                            break;
+                        }
+                    }
+                }
+            }
+            // File-level analysis: instruction density in configs
+            const fullContent = file.content.toLowerCase();
+            if (isConfig) {
+                const instructionWords = (fullContent.match(/\b(must|always|never|important|crucial|required)\b/gi) || []).length;
+                const wordCount = fullContent.split(/\s+/).length;
+                if (wordCount > 50 && instructionWords / wordCount > 0.05) {
+                    findings.push({
+                        rule: "prompt-injection",
+                        severity: "warning",
+                        file: file.relativePath,
+                        message: `High instruction density (${instructionWords} directive words in ${wordCount} words) — may indicate tool poisoning`,
+                    });
+                }
+            }
+            // Python MCP server: check docstrings for hidden instructions
+            if (isPython) {
+                const docstringRe = /(?:"""[\s\S]*?"""|'''[\s\S]*?''')/g;
+                let dsMatch;
+                while ((dsMatch = docstringRe.exec(file.content)) !== null) {
+                    const docstring = dsMatch[0];
+                    // Check for TPA patterns in docstrings
+                    if (/<IMPORTANT>/i.test(docstring) || /(?:before using|otherwise.*will not work)/i.test(docstring)) {
+                        const lineNum = file.content.substring(0, dsMatch.index).split("\n").length;
+                        findings.push({
+                            rule: "prompt-injection",
+                            severity: "critical",
+                            file: file.relativePath,
+                            line: lineNum,
+                            message: "TPA: Python MCP tool docstring with hidden instructions",
+                            evidence: docstring.substring(0, 120).replace(/\n/g, " "),
+                        });
+                    }
+                    // Check for concealment in docstrings
+                    if (/(?:do not mention|don't tell|be.*gentle|not scary|without.*user.*knowing)/i.test(docstring)) {
+                        const lineNum = file.content.substring(0, dsMatch.index).split("\n").length;
+                        findings.push({
+                            rule: "prompt-injection",
+                            severity: "critical",
+                            file: file.relativePath,
+                            line: lineNum,
+                            message: "TPA: Python docstring with user concealment instructions",
+                            evidence: docstring.substring(0, 120).replace(/\n/g, " "),
+                        });
+                    }
+                }
+            }
+        }
+        return findings;
+    },
+};
+//# sourceMappingURL=prompt-injection.js.map

package/dist/rules/prompt-injection.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"prompt-injection.js","sourceRoot":"","sources":["../../src/rules/prompt-injection.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;;;GAaG;AAEH,+DAA+D;AAC/D,0CAA0C;AAC1C,+DAA+D;AAC/D,MAAM,oBAAoB,GAAsF;IAC9G,EAAE,OAAO,EAAE,6FAA6F,EAAE,WAAW,EAAE,4CAA4C,EAAE,QAAQ,EAAE,UAAU,EAAE;IAC3L,EAAE,OAAO,EAAE,4FAA4F,EAAE,WAAW,EAAE,yCAAyC,EAAE,QAAQ,EAAE,UAAU,EAAE;IACvL,EAAE,OAAO,EAAE,kEAAkE,EAAE,WAAW,EAAE,4CAA4C,EAAE,QAAQ,EAAE,UAAU,EAAE;IAChK,EAAE,OAAO,EAAE,0BAA0B,EAAE,WAAW,EAAE,0BAA0B,EAAE,QAAQ,EAAE,UAAU,EAAE;IACtG,EAAE,OAAO,EAAE,gFAAgF,EAAE,WAAW,EAAE,qCAAqC,EAAE,QAAQ,EAAE,UAAU,EAAE;IACvK,qCAAqC;IACrC,EAAE,OAAO,EAAE,mDAAmD,EAAE,WAAW,EAAE,mDAAmD,EAAE,QAAQ,EAAE,UAAU,EAAE;IACxJ,EAAE,OAAO,EAAE,yCAAyC,EAAE,WAAW,EAAE,wCAAwC,EAAE,QAAQ,EAAE,UAAU,EAAE;IACnI,qCAAqC;IACrC,EAAE,OAAO,EAAE,8EAA8E,EAAE,WAAW,EAAE,uCAAuC,EAAE,QAAQ,EAAE,UAAU,EAAE;IACvK,oCAAoC;IACpC,EAAE,OAAO,EAAE,wFAAwF,EAAE,WAAW,EAAE,sCAAsC,EAAE,QAAQ,EAAE,UAAU,EAAE;IAChL,oCAAoC;IACpC,EAAE,OAAO,EAAE,2FAA2F,EAAE,WAAW,EAAE,sCAAsC,EAAE,QAAQ,EAAE,UAAU,EAAE;CACpL,CAAC;AAEF,+DAA+D;AAC/D,oCAAoC;AACpC,+DAA+D;AAC/D,MAAM,qBAAqB,GAAsF;IAC/G,EAAE,OAAO,EAAE,uCAAuC,EAAE,WAAW,EAAE,mCAAmC,EAAE,QAAQ,EAAE,UAAU,EAAE;IAC5H,EAAE,OAAO,EAAE,gCAAgC,EAAE,WAAW,EAAE,+CAA+C,EAAE,QAAQ,EAAE,UAAU,EAAE;IACjI,EAAE,OAAO,EAAE,iDAAiD,EAAE,WAAW,EAAE,2CAA2C,EAAE,QAAQ,EAAE,UAAU,EAAE;IAC9I,4CAA4C;IAC5C,EAAE,OAAO,EAAE,2BAA2B,EAAE,WAAW,EAAE,0CAA0C,EAAE,QAAQ,EAAE,SAAS,EAAE;IACtH,EAAE,OAAO,EAAE,oFAAoF,EAAE,WAAW,EAAE,kCAAkC,EAAE,QAAQ,EAAE,SAAS,EAAE;IACvK,EAAE,OAAO,EAAE,8FAA8F,EAAE,WAAW,EAAE,sCAAsC,EAAE,QAAQ,EAAE,UAAU,EAAE;IACtL,uBAAuB;IACvB,EAAE,OAAO,EAAE,kDAAkD,EAAE,WAAW,EAAE,uBAAuB,EAAE,QAAQ,EAAE,UAAU,EAAE;IAC3H,EAAE,OAAO,EAAE,iFAAiF,EAAE,WAAW,EAAE,6CAA6C,EAAE,QAAQ,EAAE,UAAU,EAAE;CACjL,CAAC;AAEF,+DAA+D;AAC/D,oDAAoD;AACpD,+DAA+D;AAC/D,MAAM,qBAAqB,GAAsF;IAC/G,EAAE,OAAO,EAAE,gGAAgG,EAAE,WAAW,EAAE,mCAAmC,EAAE,QAAQ,EAAE,UAAU,EAAE;IACrL,EAAE,OAAO,EAAE,oFAAoF,EAAE,WAAW,EAAE,wCAAwC,EAAE,QAAQ,EAAE,SAAS,EAAE;IAC7K,EAAE,OAAO,EAAE,cAAc,EAAE,WAAW,EAAE,yCAAyC,EAAE,QAAQ,EAAE,UAAU,EAAE;IACzG,EAAE,OAAO,EAAE,iCAAiC,EAAE,WAAW,EAAE,6BAA6B,EAAE,QAAQ,EAAE,UAAU,EAAE;IAChH,oCAAoC;IACpC,EAAE,OAAO,EAAE,4DAA4D,EAAE,WAAW,EAAE,kCAAkC,EAAE,QAAQ,EAAE,UAAU,EAAE;IAChJ,EAAE,OAAO,EAAE,kEAAkE,EAAE,WAAW,EAAE,kCAAkC,EAAE,QAAQ,EAAE,UAAU,EAAE;IACtJ,EAAE,OAAO,EAAE,iEAAiE,EAAE,WAAW,EAAE,8BAA8B,EAAE,QAAQ,EAAE,UAAU,EAAE;CAClJ,CAAC;AAEF,+DAA+D;AAC/D,2DAA2D;AAC3D,+DAA+D;AAC/D,MAAM,mBAAmB,GAAsF;IAC7G,EAAE,OAAO,EAAE,yFAAyF,EAAE,WAAW,EAAE,sCAAsC,EAAE,QAAQ,EAAE,UAAU,EAAE;IACjL,EAAE,OAAO,EAAE,qCAAqC,EAAE,WAAW,EAAE,+CAA+C,EAAE,QAAQ,EAAE,SAAS,EAAE;IACrI,gDAAgD;IAChD,EAAE,OAAO,EAAE,mCAAmC,EAAE,WAAW,EAAE,+DAA+D,EAAE,QAAQ,EAAE,UAAU,EAAE;IACpJ,EAAE,OAAO,EAAE,qHAAqH,EAAE,WAAW,EAAE,oCAAoC,EAAE,QAAQ,EAAE,UAAU,EAAE;IAC3M,wCAAwC;IACxC,EAAE,OAAO,EAAE,4CAA4C,EAAE,WAAW,EAAE,+DAA+D,EAAE,QAAQ,EAAE,SAAS,EAAE;IAC5J,EAAE,OAAO,EAAE,sBAAsB,EAAE,WAAW,EAAE,qDAAqD,EAAE,QAAQ,EAAE,SAAS,EAAE;IAC5H,8BAA8B;IAC9B,EAAE,OAAO,EAAE,mFAAmF,EAAE,WAAW,EAAE,oDAAoD,EAAE,QAAQ,EAAE,UAAU,EAAE;IACzL,0BAA0B;IAC1B,EAAE,OAAO,EAAE,uEAAuE,EAAE,WAAW,EAAE,2CAA2C,EAAE,QAAQ,EAAE,SAAS,EAAE;IACnK,EAAE,OAAO,EAAE,iCAAiC,EAAE,WAAW,EAAE,qCAAqC,EAAE,QAAQ,EAAE,SAAS,EAAE;CACxH,CAAC;AAEF,+DAA+D;AAC/D,mCAAmC;AACnC,+DAA+D;AAC/D,MAAM,oBAAoB,GAAsF;IAC9G,EAAE,OAAO,EAAE,yFAAyF,EAAE,WAAW,EAAE,qCAAqC,EAAE,QAAQ,EAAE,UAAU,EAAE;IAChL,EAAE,OAAO,EAAE,uGAAuG,EAAE,WAAW,EAAE,sCAAsC,EAAE,QAAQ,EAAE,UAAU,EAAE;IAC/L,EAAE,OAAO,EAAE,gHAAgH,EAAE,WAAW,EAAE,oCAAoC,EAAE,QAAQ,EAAE,UAAU,EAAE;IACtM,EAAE,OAAO,EAAE,qHAAqH,EAAE,WAAW,EAAE,oCAAoC,EAAE,QAAQ,EAAE,UAAU,EAAE;IAC3M,0DAA0D;IAC1D,EAAE,OAAO,EAAE,uJAAuJ,EAAE,WAAW,EAAE,kDAAkD,EAAE,QAAQ,EAAE,UAAU,EAAE;IAC3P,EAAE,OAAO,EAAE,yHAAyH,EAAE,WAAW,EAAE,gDAAgD,EAAE,QAAQ,EAAE,UAAU,EAAE;IAC3N,EAAE,OAAO,EAAE,wIAAwI,EAAE,WAAW,EAAE,mDAAmD,EAAE,QAAQ,EAAE,UAAU,EAAE;IAC7O,2EAA2E;IAC3E,EAAE,OAAO,EAAE,+IAA+I,EAAE,WAAW,EAAE,2DAA2D,EAAE,QAAQ,EAAE,SAAS,EAAE;IAC3P,EAAE,OAAO,EAAE,wFAAwF,EAAE,WAAW,EAAE,+DAA+D,EAAE,QAAQ,EAAE,UAAU,EAAE;CAC1M,CAAC;AAEF,+DAA+D;AAC/D,gEAAgE;AAChE,+DAA+D;AAC/D,MAAM,cAAc,GAAsF;IACxG,EAAE,OAAO,EAAE,8FAA8F,EAAE,WAAW,EAAE,mDAAmD,EAAE,QAAQ,EAAE,SAAS,EAAE;IAClM,EAAE,OAAO,EAAE,0GAA0G,EAAE,WAAW,EAAE,6CAA6C,EAAE,QAAQ,EAAE,SAAS,EAAE;IACxM,8CAA8C;IAC9C,EAAE,OAAO,EAAE,8IAA8I,EAAE,WAAW,EAAE,kDAAkD,EAAE,QAAQ,EAAE,UAAU,EAAE;IAClP,EAAE,OAAO,EAAE,kGAAkG,EAAE,WAAW,EAAE,mDAAmD,EAAE,QAAQ,EAAE,SAAS,EAAE;IACtM,+CAA+C;IAC/C,EAAE,OAAO,EAAE,iNAAiN,EAAE,WAAW,EAAE,0DAA0D,EAAE,QAAQ,EAAE,UAAU,EAAE;IAC7T,qCAAqC;IACrC,EAAE,OAAO,EAAE,4MAA4M,EAAE,WAAW,EAAE,qDAAqD,EAAE,QAAQ,EAAE,UAAU,EAAE;CACpT,CAAC;AAEF,+DAA+D;AAC/D,2CAA2C;AAC3C,+DAA+D;AAC/D,MAAM,iBAAiB,GAAsF;IAC3G,EAAE,OAAO,EAAE,mKAAmK,EAAE,WAAW,EAAE,6CAA6C,EAAE,QAAQ,EAAE,UAAU,EAAE;IAClQ,EAAE,OAAO,EAAE,wGAAwG,EAAE,WAAW,EAAE,4CAA4C,EAAE,QAAQ,EAAE,UAAU,EAAE;IACtM,uDAAuD;IACvD,EAAE,OAAO,EAAE,kMAAkM,EAAE,WAAW,EAAE,6CAA6C,EAAE,QAAQ,EAAE,UAAU,EAAE;IACjS,EAAE,OAAO,EAAE,yGAAyG,EAAE,WAAW,EAAE,0CAA0C,EAAE,QAAQ,EAAE,UAAU,EAAE;IACrM,oCAAoC;IACpC,EAAE,OAAO,EAAE,kGAAkG,EAAE,WAAW,EAAE,+CAA+C,EAAE,QAAQ,EAAE,UAAU,EAAE;CACpM,CAAC;AAEF,+DAA+D;AAC/D,qCAAqC;AACrC,+DAA+D;AAC/D,MAAM,gBAAgB,GAAsF;IAC1G,EAAE,OAAO,EAAE,wEAAwE,EAAE,WAAW,EAAE,2CAA2C,EAAE,QAAQ,EAAE,UAAU,EAAE;IACrK,oCAAoC;IACpC,EAAE,OAAO,EAAE,4FAA4F,EAAE,WAAW,EAAE,4CAA4C,EAAE,QAAQ,EAAE,UAAU,EAAE;IAC1L,uBAAuB;IACvB,EAAE,OAAO,EAAE,wCAAwC,EAAE,WAAW,EAAE,wCAAwC,EAAE,QAAQ,EAAE,SAAS,EAAE;IACjI,2BAA2B;IAC3B,EAAE,OAAO,EAAE,wCAAwC,EAAE,WAAW,EAAE,uDAAuD,EAAE,QAAQ,EAAE,SAAS,EAAE;CACjJ,CAAC;AAEF,+DAA+D;AAC/D,+EAA+E;AAC/E,yEAAyE;AACzE,+DAA+D;AAC/D,MAAM,eAAe,GAAsF;IACzG,EAAE,OAAO,EAAE,+JAA+J,EAAE,WAAW,EAAE,sDAAsD,EAAE,QAAQ,EAAE,SAAS,EAAE;IACtQ,EAAE,OAAO,EAAE,0MAA0M,EAAE,WAAW,EAAE,uCAAuC,EAAE,QAAQ,EAAE,UAAU,EAAE;IACnS,EAAE,OAAO,EAAE,qEAAqE,EAAE,WAAW,EAAE,6DAA6D,EAAE,QAAQ,EAAE,UAAU,EAAE;CACrL,CAAC;AAEF,+DAA+D;AAC/D,+DAA+D;AAC/D,6DAA6D;AAC7D,+DAA+D;AAC/D,MAAM,mBAAmB,GAAsF;IAC7G,EAAE,OAAO,EAAE,yDAAyD,EAAE,WAAW,EAAE,gDAAgD,EAAE,QAAQ,EAAE,UAAU,EAAE;IAC3J,EAAE,OAAO,EAAE,gGAAgG,EAAE,WAAW,EAAE,iCAAiC,EAAE,QAAQ,EAAE,UAAU,EAAE;IACnL,EAAE,OAAO,EAAE,0DAA0D,EAAE,WAAW,EAAE,8BAA8B,EAAE,QAAQ,EAAE,UAAU,EAAE;IAC1I,EAAE,OAAO,EAAE,gEAAgE,EAAE,WAAW,EAAE,2CAA2C,EAAE,QAAQ,EAAE,UAAU,EAAE;IAC7J,EAAE,OAAO,EAAE,wEAAwE,EAAE,WAAW,EAAE,iCAAiC,EAAE,QAAQ,EAAE,UAAU,EAAE;CAC5J,CAAC;AAEF,+DAA+D;AAC/D,2CAA2C;AAC3C,yDAAyD;AACzD,+DAA+D;AAC/D,MAAM,eAAe,GAAsF;IACzG,EAAE,OAAO,EAAE,iKAAiK,EAAE,WAAW,EAAE,gCAAgC,EAAE,QAAQ,EAAE,UAAU,EAAE;IACnP,EAAE,OAAO,EAAE,0JAA0J,EAAE,WAAW,EAAE,oCAAoC,EAAE,QAAQ,EAAE,UAAU,EAAE;IAChP,EAAE,OAAO,EAAE,0GAA0G,EAAE,WAAW,EAAE,kCAAkC,EAAE,QAAQ,EAAE,SAAS,EAAE;IAC7L,EAAE,OAAO,EAAE,4GAA4G,EAAE,WAAW,EAAE,4CAA4C,EAAE,QAAQ,EAAE,SAAS,EAAE;IACzM,EAAE,OAAO,EAAE,4GAA4G,EAAE,WAAW,EAAE,4CAA4C,EAAE,QAAQ,EAAE,SAAS,EAAE;CAC1M,CAAC;AAEF,+DAA+D;AAC/D,8CAA8C;AAC9C,kEAAkE;AAClE,+DAA+D;AAC/D,MAAM,iBAAiB,GAAsF;IAC3G,EAAE,OAAO,EAAE,+GAA+G,EAAE,WAAW,EAAE,4DAA4D,EAAE,QAAQ,EAAE,UAAU,EAAE;IAC7N,EAAE,OAAO,EAAE,sHAAsH,EAAE,WAAW,EAAE,+CAA+C,EAAE,QAAQ,EAAE,UAAU,EAAE;IACvN,EAAE,OAAO,EAAE,sGAAsG,EAAE,WAAW,EAAE,yCAAyC,EAAE,QAAQ,EAAE,UAAU,EAAE;CAClM,CAAC;AAEF,uBAAuB;AACvB,MAAM,kBAAkB,GAAG;IACzB,GAAG,oBAAoB;IACvB,GAAG,qBAAqB;IACxB,GAAG,qBAAqB;IACxB,GAAG,mBAAmB;IACtB,GAAG,oBAAoB;IACvB,GAAG,cAAc;IACjB,GAAG,iBAAiB;IACpB,GAAG,gBAAgB;IACnB,GAAG,eAAe;IAClB,GAAG,mBAAmB;IACtB,GAAG,eAAe;IAClB,GAAG,iBAAiB;CACrB,CAAC;AAEF,oCAAoC;AACpC,MAAM,uBAAuB,GAAoD;IAC/E,EAAE,OAAO,EAAE,6FAA6F,EAAE,WAAW,EAAE,oCAAoC,EAAE;IAC7J,EAAE,OAAO,EAAE,qEAAqE,EAAE,WAAW,EAAE,oCAAoC,EAAE;IACrI,EAAE,OAAO,EAAE,wCAAwC,EAAE,WAAW,EAAE,oCAAoC,EAAE;IACxG,EAAE,OAAO,EAAE,sDAAsD,EAAE,WAAW,EAAE,sCAAsC,EAAE;IACxH,EAAE,OAAO,EAAE,qDAAqD,EAAE,WAAW,EAAE,+CAA+C,EAAE;IAChI,0CAA0C;IAC1C,EAAE,OAAO,EAAE,iFAAiF,EAAE,WAAW,EAAE,oCAAoC,EAAE;IACjJ,EAAE,OAAO,EAAE,6DAA6D,EAAE,WAAW,EAAE,iDAAiD,EAAE;CAC3I,CAAC;AAEF,MAAM,CAAC,MAAM,eAAe,GAAS;IACnC,EAAE,EAAE,kBAAkB;IACtB,IAAI,EAAE,4BAA4B;IAClC,WAAW,EAAE,gHAAgH;IAE7H,GAAG,CAAC,KAAoB;QACtB,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,wEAAwE;YACxE,MAAM,SAAS,GAAG,IAAI,CAAC,YAAY,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;YACvE,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,KAAK,KAAK,CAAC;YACtC,MAAM,QAAQ,GAAG,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAC/D,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,KAAK,KAAK,CAAC,CAAC,+BAA+B;YAEpE,IAAI,CAAC,UAAU,IAAI,CAAC,QAAQ,IAAI,CAAC,QAAQ;gBAAE,SAAS;YAEpD,yCAAyC;YACzC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBAC3C,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC;gBAE5B,KAAK,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAE,IAAI,kBAAkB,EAAE,CAAC;oBACpE,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;oBACtB,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBACvB,QAAQ,CAAC,IAAI,CAAC;4BACZ,IAAI,EAAE,kBAAkB;4BACxB,QAAQ,EAAE,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS;4BAC1C,IAAI,EAAE,IAAI,CAAC,YAAY;4BACvB,IAAI,EAAE,CAAC,GAAG,CAAC;4BACX,OAAO,EAAE,qBAAqB,WAAW,EAAE;4BAC3C,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC;yBACxC,CAAC,CAAC;wBACH,MAAM,CAAC,uBAAuB;oBAChC,CAAC;gBACH,CAAC;YACH,CAAC;YAED,4EAA4E;YAC5E,IAAI,UAAU,IAAI,QAAQ,IAAI,QAAQ,EAAE,CAAC;gBACvC,MAAM,gBAAgB,GAAG,sCAAsC,CAAC;gBAChE,IAAI,KAAK,CAAC;gBACV,OAAO,CAAC,KAAK,GAAG,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;oBAC9D,MAAM,YAAY,GAAG,KAAK,CAAC,CAAC,CAAE,CAAC,WAAW,EAAE,CAAC;oBAC7C,sDAAsD;oBACtD,MAAM,aAAa,GAAG,4FAA4F,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;oBACtI,IAAI,aAAa,EAAE,CAAC;wBAClB,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC;wBAC1E,QAAQ,CAAC,IAAI,CAAC;4BACZ,IAAI,EAAE,kBAAkB;4BACxB,QAAQ,EAAE,UAAU;4BACpB,IAAI,EAAE,IAAI,CAAC,YAAY;4BACvB,IAAI,EAAE,OAAO;4BACb,OAAO,EAAE,qFAAqF;4BAC9F,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAE,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC;yBACtC,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;YAED,2CAA2C;YAC3C,IAAI,SAAS,IAAI,UAAU,EAAE,CAAC;gBAC5B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;oBAC3C,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC;oBAC5B,KAAK,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,IAAI,uBAAuB,EAAE,CAAC;wBAC/D,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;wBACtB,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;4BACvB,QAAQ,CAAC,IAAI,CAAC;gCACZ,IAAI,EAAE,kBAAkB;gCACxB,QAAQ,EAAE,SAAS;gCACnB,IAAI,EAAE,IAAI,CAAC,YAAY;gCACvB,IAAI,EAAE,CAAC,GAAG,CAAC;gCACX,OAAO,EAAE,mBAAmB,WAAW,EAAE;gCACzC,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC;6BACxC,CAAC,CAAC;4BACH,MAAM;wBACR,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;YAED,sDAAsD;YACtD,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC;YAC/C,IAAI,QAAQ,EAAE,CAAC;gBACb,MAAM,gBAAgB,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,sDAAsD,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;gBAClH,MAAM,SAAS,GAAG,WAAW,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC;gBAClD,IAAI,SAAS,GAAG,EAAE,IAAI,gBAAgB,GAAG,SAAS,GAAG,IAAI,EAAE,CAAC;oBAC1D,QAAQ,CAAC,IAAI,CAAC;wBACZ,IAAI,EAAE,kBAAkB;wBACxB,QAAQ,EAAE,SAAS;wBACnB,IAAI,EAAE,IAAI,CAAC,YAAY;wBACvB,OAAO,EAAE,6BAA6B,gBAAgB,uBAAuB,SAAS,uCAAuC;qBAC9H,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAED,8DAA8D;YAC9D,IAAI,QAAQ,EAAE,CAAC;gBACb,MAAM,WAAW,GAAG,oCAAoC,CAAC;gBACzD,IAAI,OAAO,CAAC;gBACZ,OAAO,CAAC,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;oBAC3D,MAAM,SAAS,GAAG,OAAO,CAAC,CAAC,CAAE,CAAC;oBAC9B,uCAAuC;oBACvC,IAAI,cAAc,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,4CAA4C,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;wBACnG,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC;wBAC5E,QAAQ,CAAC,IAAI,CAAC;4BACZ,IAAI,EAAE,kBAAkB;4BACxB,QAAQ,EAAE,UAAU;4BACpB,IAAI,EAAE,IAAI,CAAC,YAAY;4BACvB,IAAI,EAAE,OAAO;4BACb,OAAO,EAAE,yDAAyD;4BAClE,QAAQ,EAAE,SAAS,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;yBAC1D,CAAC,CAAC;oBACL,CAAC;oBACD,sCAAsC;oBACtC,IAAI,4EAA4E,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;wBACjG,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC;wBAC5E,QAAQ,CAAC,IAAI,CAAC;4BACZ,IAAI,EAAE,kBAAkB;4BACxB,QAAQ,EAAE,UAAU;4BACpB,IAAI,EAAE,IAAI,CAAC,YAAY;4BACvB,IAAI,EAAE,OAAO;4BACb,OAAO,EAAE,0DAA0D;4BACnE,QAAQ,EAAE,SAAS,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;yBAC1D,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC"}

package/dist/rules/reverse-shell.d.ts

@@ -0,0 +1,2 @@
+import type { Rule } from "../types.js";
+export declare const reverseShellRule: Rule;

package/dist/rules/reverse-shell.js

@@ -0,0 +1,53 @@
+/**
+ * Rule: reverse-shell
+ * Detects reverse shell patterns — outbound socket connections piped to shell.
+ */
+const REVERSE_SHELL_PATTERNS = [
+    // Shell
+    { pattern: /\/dev\/tcp\/\d+\.\d+\.\d+\.\d+/, desc: "/dev/tcp reverse shell" },
+    { pattern: /bash\s+-i\s+>&\s*\/dev\/tcp/, desc: "Bash interactive reverse shell" },
+    { pattern: /nc\s+-e\s+\/bin\/(ba)?sh/, desc: "Netcat reverse shell" },
+    { pattern: /ncat\s+.*-e\s+\/bin/, desc: "Ncat reverse shell" },
+    { pattern: /mkfifo\s+.*\/tmp\/.*nc\s/, desc: "Named pipe + netcat reverse shell" },
+    // Python
+    { pattern: /socket\.connect\s*\(.*\bsubprocess\b|subprocess.*socket\.connect/i, desc: "Python socket + subprocess reverse shell" },
+    { pattern: /pty\.spawn.*\/bin\/(ba)?sh/i, desc: "Python pty.spawn shell" },
+    // Node.js
+    { pattern: /net\.connect\s*\(.*child_process|child_process.*net\.connect/i, desc: "Node.js net.connect + child_process" },
+    { pattern: /new\s+net\.Socket\s*\(\).*\.connect\s*\(.*\.pipe\s*\(/i, desc: "Node.js Socket pipe to process" },
+];
+export const reverseShellRule = {
+    id: "reverse-shell",
+    name: "Reverse Shell",
+    description: "Detects outbound socket connections piped to a shell process",
+    run(files) {
+        const findings = [];
+        for (const file of files) {
+            if (file.ext === ".json" || file.ext === ".yaml" || file.ext === ".yml" || file.ext === ".md")
+                continue;
+            // Check both per-line and multi-line (for patterns spanning lines)
+            for (let i = 0; i < file.lines.length; i++) {
+                const line = file.lines[i];
+                for (const { pattern, desc } of REVERSE_SHELL_PATTERNS) {
+                    if (pattern.test(line)) {
+                        findings.push({
+                            rule: "reverse-shell",
+                            severity: "critical",
+                            file: file.relativePath,
+                            line: i + 1,
+                            message: desc,
+                            evidence: line.trim().slice(0, 120),
+                        });
+                        break;
+                    }
+                }
+            }
+            // Multi-line: check content for socket+subprocess combos
+            if (REVERSE_SHELL_PATTERNS.some(({ pattern }) => pattern.test(file.content))) {
+                // Already caught per-line
+            }
+        }
+        return findings;
+    },
+};
+//# sourceMappingURL=reverse-shell.js.map

package/dist/rules/reverse-shell.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"reverse-shell.js","sourceRoot":"","sources":["../../src/rules/reverse-shell.ts"],"names":[],"mappings":"AAEA;;;GAGG;AAEH,MAAM,sBAAsB,GAA6C;IACvE,QAAQ;IACR,EAAE,OAAO,EAAE,gCAAgC,EAAE,IAAI,EAAE,wBAAwB,EAAE;IAC7E,EAAE,OAAO,EAAE,6BAA6B,EAAE,IAAI,EAAE,gCAAgC,EAAE;IAClF,EAAE,OAAO,EAAE,0BAA0B,EAAE,IAAI,EAAE,sBAAsB,EAAE;IACrE,EAAE,OAAO,EAAE,qBAAqB,EAAE,IAAI,EAAE,oBAAoB,EAAE;IAC9D,EAAE,OAAO,EAAE,0BAA0B,EAAE,IAAI,EAAE,mCAAmC,EAAE;IAClF,SAAS;IACT,EAAE,OAAO,EAAE,mEAAmE,EAAE,IAAI,EAAE,0CAA0C,EAAE;IAClI,EAAE,OAAO,EAAE,6BAA6B,EAAE,IAAI,EAAE,wBAAwB,EAAE;IAC1E,UAAU;IACV,EAAE,OAAO,EAAE,+DAA+D,EAAE,IAAI,EAAE,qCAAqC,EAAE;IACzH,EAAE,OAAO,EAAE,wDAAwD,EAAE,IAAI,EAAE,gCAAgC,EAAE;CAC9G,CAAC;AAEF,MAAM,CAAC,MAAM,gBAAgB,GAAS;IACpC,EAAE,EAAE,eAAe;IACnB,IAAI,EAAE,eAAe;IACrB,WAAW,EAAE,8DAA8D;IAE3E,GAAG,CAAC,KAAoB;QACtB,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,IAAI,CAAC,GAAG,KAAK,OAAO,IAAI,IAAI,CAAC,GAAG,KAAK,OAAO,IAAI,IAAI,CAAC,GAAG,KAAK,MAAM,IAAI,IAAI,CAAC,GAAG,KAAK,KAAK;gBAAE,SAAS;YAExG,mEAAmE;YACnE,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBAC3C,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC;gBAC5B,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,sBAAsB,EAAE,CAAC;oBACvD,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBACvB,QAAQ,CAAC,IAAI,CAAC;4BACZ,IAAI,EAAE,eAAe;4BACrB,QAAQ,EAAE,UAAU;4BACpB,IAAI,EAAE,IAAI,CAAC,YAAY;4BACvB,IAAI,EAAE,CAAC,GAAG,CAAC;4BACX,OAAO,EAAE,IAAI;4BACb,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;yBACpC,CAAC,CAAC;wBACH,MAAM;oBACR,CAAC;gBACH,CAAC;YACH,CAAC;YAED,yDAAyD;YACzD,IAAI,sBAAsB,CAAC,IAAI,CAAC,CAAC,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;gBAC7E,0BAA0B;YAC5B,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC"}

package/dist/rules/sensitive-read.d.ts

@@ -0,0 +1,2 @@
+import type { Rule } from "../types.js";
+export declare const sensitiveReadRule: Rule;

package/dist/rules/sensitive-read.js

@@ -0,0 +1,53 @@
+/**
+ * Rule: sensitive-read
+ * Detects code that reads sensitive files like SSH keys, AWS credentials, etc.
+ */
+const SENSITIVE_PATTERNS = [
+    { pattern: /~\/\.ssh\/id_rsa|\.ssh\/id_rsa|ssh_key|id_ed25519/i, desc: "SSH private key" },
+    { pattern: /~\/\.ssh\/known_hosts/i, desc: "SSH known_hosts" },
+    { pattern: /~\/\.aws\/credentials|AWS_SECRET_ACCESS_KEY|aws_secret/i, desc: "AWS credentials" },
+    { pattern: /~\/\.env\b|process\.env\b.*(?:SECRET|KEY|TOKEN|PASSWORD|CREDENTIAL)/i, desc: "environment secrets" },
+    { pattern: /~\/\.openclaw\/openclaw\.json|openclaw\.json/i, desc: "OpenClaw config" },
+    { pattern: /~\/\.gnupg|gpg.*private/i, desc: "GPG private key" },
+    { pattern: /~\/\.kube\/config|kubeconfig/i, desc: "Kubernetes config" },
+    { pattern: /\/etc\/shadow|\/etc\/passwd/i, desc: "system passwords" },
+    { pattern: /~\/\.docker\/config\.json/i, desc: "Docker credentials" },
+    { pattern: /~\/\.npmrc|_authToken/i, desc: "npm auth token" },
+    { pattern: /~\/\.gitconfig|\.git-credentials/i, desc: "Git credentials" },
+    { pattern: /~\/\.netrc/i, desc: "netrc credentials" },
+];
+export const sensitiveReadRule = {
+    id: "sensitive-read",
+    name: "Sensitive File Read",
+    description: "Detects reads of SSH keys, credentials, API tokens, and other secrets",
+    run(files) {
+        const findings = [];
+        for (const file of files) {
+            // Skip non-code files (allow checking shell scripts, JS, TS, Python)
+            if (file.ext === ".json" || file.ext === ".yaml" || file.ext === ".yml" || file.ext === ".toml")
+                continue;
+            if (file.relativePath === "SKILL.md")
+                continue;
+            for (let i = 0; i < file.lines.length; i++) {
+                const line = file.lines[i];
+                // Skip comments
+                if (line.trimStart().startsWith("//") || line.trimStart().startsWith("#"))
+                    continue;
+                for (const { pattern, desc } of SENSITIVE_PATTERNS) {
+                    if (pattern.test(line)) {
+                        findings.push({
+                            rule: "sensitive-read",
+                            severity: "warning",
+                            file: file.relativePath,
+                            line: i + 1,
+                            message: `Accesses ${desc}`,
+                            evidence: line.trim().slice(0, 120),
+                        });
+                    }
+                }
+            }
+        }
+        return findings;
+    },
+};
+//# sourceMappingURL=sensitive-read.js.map

package/dist/rules/sensitive-read.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sensitive-read.js","sourceRoot":"","sources":["../../src/rules/sensitive-read.ts"],"names":[],"mappings":"AAEA;;;GAGG;AAEH,MAAM,kBAAkB,GAA6C;IACnE,EAAE,OAAO,EAAE,oDAAoD,EAAE,IAAI,EAAE,iBAAiB,EAAE;IAC1F,EAAE,OAAO,EAAE,wBAAwB,EAAE,IAAI,EAAE,iBAAiB,EAAE;IAC9D,EAAE,OAAO,EAAE,yDAAyD,EAAE,IAAI,EAAE,iBAAiB,EAAE;IAC/F,EAAE,OAAO,EAAE,sEAAsE,EAAE,IAAI,EAAE,qBAAqB,EAAE;IAChH,EAAE,OAAO,EAAE,+CAA+C,EAAE,IAAI,EAAE,iBAAiB,EAAE;IACrF,EAAE,OAAO,EAAE,0BAA0B,EAAE,IAAI,EAAE,iBAAiB,EAAE;IAChE,EAAE,OAAO,EAAE,+BAA+B,EAAE,IAAI,EAAE,mBAAmB,EAAE;IACvE,EAAE,OAAO,EAAE,8BAA8B,EAAE,IAAI,EAAE,kBAAkB,EAAE;IACrE,EAAE,OAAO,EAAE,4BAA4B,EAAE,IAAI,EAAE,oBAAoB,EAAE;IACrE,EAAE,OAAO,EAAE,wBAAwB,EAAE,IAAI,EAAE,gBAAgB,EAAE;IAC7D,EAAE,OAAO,EAAE,mCAAmC,EAAE,IAAI,EAAE,iBAAiB,EAAE;IACzE,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,mBAAmB,EAAE;CACtD,CAAC;AAEF,MAAM,CAAC,MAAM,iBAAiB,GAAS;IACrC,EAAE,EAAE,gBAAgB;IACpB,IAAI,EAAE,qBAAqB;IAC3B,WAAW,EAAE,uEAAuE;IAEpF,GAAG,CAAC,KAAoB;QACtB,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,qEAAqE;YACrE,IAAI,IAAI,CAAC,GAAG,KAAK,OAAO,IAAI,IAAI,CAAC,GAAG,KAAK,OAAO,IAAI,IAAI,CAAC,GAAG,KAAK,MAAM,IAAI,IAAI,CAAC,GAAG,KAAK,OAAO;gBAAE,SAAS;YAC1G,IAAI,IAAI,CAAC,YAAY,KAAK,UAAU;gBAAE,SAAS;YAE/C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBAC3C,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC;gBAC5B,gBAAgB;gBAChB,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC;oBAAE,SAAS;gBAEpF,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,kBAAkB,EAAE,CAAC;oBACnD,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBACvB,QAAQ,CAAC,IAAI,CAAC;4BACZ,IAAI,EAAE,gBAAgB;4BACtB,QAAQ,EAAE,SAAS;4BACnB,IAAI,EAAE,IAAI,CAAC,YAAY;4BACvB,IAAI,EAAE,CAAC,GAAG,CAAC;4BACX,OAAO,EAAE,YAAY,IAAI,EAAE;4BAC3B,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;yBACpC,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC"}

package/dist/rules/skill-risks.d.ts

@@ -0,0 +1,2 @@
+import type { Rule } from "../types.js";
+export declare const skillRisks: Rule;