@guava-parity/guard-scanner 13.0.0 → 16.0.0

package/docs/openclaw-compatibility-audit.md

@@ -0,0 +1,45 @@
+# guard-scanner OpenClaw Compatibility Audit
+
+Date: 2026-03-12
+Public compatibility baseline: OpenClaw `v2026.3.8`
+Upstream drift lane: newer OpenClaw stable releases measured separately by `check:upstream`
+
+## Official upstream requirements used
+
+- `openclaw.plugin.json` must include `id` and `configSchema`
+- package discovery reads `package.json > openclaw.extensions` as an array of entry files
+- plugin runtime uses the modern plugin hook API and `before_tool_call` event contract
+- `registerHttpHandler` is deprecated and replaced by `registerHttpRoute`
+
+## Validated public surface in this repository
+
+| Surface | Status | Evidence |
+|---|---|---|
+| Manifest required fields | ✅ | `openclaw.plugin.json` + `npm run release:gate` |
+| Package discovery metadata | ✅ | `package.json > openclaw.extensions` |
+| Compiled plugin entry | ✅ | `dist/openclaw-plugin.mjs` generated by `npm run build:plugin` |
+| Runtime hook registration | ✅ | `openclaw-plugin.mts` registers `before_tool_call` with priority 90 |
+| Malicious tool-call blocking | ✅ | `test/openclaw-plugin-compat.test.js` + `scripts/release-gate.js` |
+| Benign tool-call passthrough | ✅ | `test/openclaw-plugin-compat.test.js` + `scripts/release-gate.js` |
+| Upstream latest-version drift detection | ✅ | `npm run check:upstream` + `docs/generated/openclaw-upstream-status.json` (used for revalidation, not automatic claim widening) |
+
+## Explicitly out of scope
+
+- OpenClaw context-engine slot compatibility
+- Any deprecated `registerHttpHandler` path
+- Legacy `hooks/guard-scanner/plugin.ts` as a public entrypoint
+
+Those surfaces are not part of the current compatibility claim and must not be advertised as validated.
+
+## Repo deltas fixed by this audit
+
+1. Replaced top-level `openclaw.extensions` string metadata with official `openclaw.extensions[]`.
+2. Added compiled plugin entry (`openclaw-plugin.mts` -> `dist/openclaw-plugin.mjs`) to remove TS loader ambiguity.
+3. Threaded OpenClaw `sessionId`, `runId`, and `toolCallId` into runtime audit records.
+4. Removed unqualified “fully OpenClaw-compatible” public wording from active docs.
+5. Added stale-claim checks for references to `dist/runtime-plugin.js` and `test/manifest.test.js`.
+6. Added an explicit upstream drift watchdog so a newer OpenClaw stable release is measured instead of silently missed.
+
+## Notes
+
+Historical workspace logs and older reports may still mention broader compatibility claims. They should be treated as archival context, not as the current public guarantee.

package/docs/openclaw-continuous-compatibility-plan.md

@@ -0,0 +1,37 @@
+# guard-scanner Continuous OpenClaw Compatibility Plan
+
+Date: 2026-03-12
+Stable target: OpenClaw `2026.3.12`
+Baseline regression lane: OpenClaw `2026.3.8`
+
+## Goal
+
+Keep `guard-scanner` compatible with the latest stable OpenClaw public plugin surface without relying on stale manual claims.
+
+## Current automated controls
+
+1. `npm run build:plugin`
+   - Compiles `openclaw-plugin.mts` into `dist/openclaw-plugin.mjs`.
+2. `npm run release:gate`
+   - Verifies manifest shape, official discovery metadata, built entry existence, runtime hook registration, malicious block behavior, benign passthrough behavior, and stale-doc claim removal.
+3. `npm run check:upstream`
+   - Queries the npm registry and GitHub Releases for the latest stable `openclaw`, compares both sources against `devDependencies.openclaw`, writes `docs/generated/openclaw-upstream-status.json`, and fails on drift or source mismatch.
+
+## Required operator flow when upstream changes
+
+1. Run `npm run check:upstream`.
+2. If drift is detected, update `devDependencies.openclaw` to the new stable version.
+3. Re-run `npm install`, `npm run build:plugin`, `npm run release:gate`, and `npm test`.
+4. Update compatibility docs only after runtime behavior has been re-verified.
+
+## Quality bar
+
+- No TS loader ambiguity in the public plugin entry.
+- No broad compatibility claim outside the tested manifest/discovery/before_tool_call surface.
+- No release if upstream drift is known but unverified.
+
+## Pending future hardening
+
+- Add a scheduled CI job that opens a drift report when `openclaw` stable changes.
+- Expand runtime compatibility coverage if OpenClaw publishes a stable context-engine contract worth supporting.
+- Add schema-level validation against an official machine-readable manifest contract if OpenClaw publishes one.

package/docs/rules/a2a-contagion.md

@@ -0,0 +1,68 @@
+# Threat Category: a2a-contagion
+
+This document provides explainability for all rules in the `a2a-contagion` category.
+
+## Rule: `A2A_SMUGGLE`
+- **Severity**: CRITICAL
+- **Description**: A2A Contagion: Instruction injection between request-response cycles
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `A2A_TOOL_POISON`
+- **Severity**: CRITICAL
+- **Description**: A2A Contagion: MCP tool description containing hidden instructions
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `A2A_SESSION_SMUGGLING`
+- **Severity**: CRITICAL
+- **Description**: A2A Session Smuggling: hidden instructions embedded in agent-to-agent response payloads (Unit42)
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `A2A_SESSION_PERSIST_SMUGGLE`
+- **Severity**: CRITICAL
+- **Description**: A2A session persistence smuggling: hidden instructions carried across agent session boundaries (Unit42)
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `A2A_MESH_HANDOFF`
+- **Severity**: CRITICAL
+- **Description**: Agentic Mesh: hidden instructions injected during agent task handoff (2026 primary A2A vector)
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `A2A_TRUSTED_ORIGIN_SPOOF`
+- **Severity**: CRITICAL
+- **Description**: A2A Trusted Origin Spoofing: forged agent headers elevating trust level
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `A2A_AGENT_CARD_POISON`
+- **Severity**: HIGH
+- **Description**: A2A agent card/skill description prompt injection poisoning
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `A2A_TASK_REPLAY`
+- **Severity**: MEDIUM
+- **Description**: A2A task replay attack — replaying completed tasks without re-authorization
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+

package/docs/rules/advanced-exfil.md

@@ -0,0 +1,52 @@
+# Threat Category: advanced-exfil
+
+This document provides explainability for all rules in the `advanced-exfil` category.
+
+## Rule: `ZOMBIE_STATIC_URL`
+- **Severity**: CRITICAL
+- **Description**: ZombieAgent: static URL array exfil
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `ZOMBIE_CHAR_MAP`
+- **Severity**: HIGH
+- **Description**: ZombieAgent: character mapping to URL
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `ZOMBIE_LOOP_FETCH`
+- **Severity**: HIGH
+- **Description**: ZombieAgent: loop-based URL exfil
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `EXFIL_BEACON`
+- **Severity**: HIGH
+- **Description**: Tracking pixel/beacon exfil
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `EXFIL_DRIP`
+- **Severity**: HIGH
+- **Description**: Drip exfiltration: sliced data
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `ECHOLEAK_EXFIL`
+- **Severity**: CRITICAL
+- **Description**: CVE-2025-32711: EchoLeak zero-click data exfiltration via M365 Copilot email processing
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+

package/docs/rules/agent-protocol.md

@@ -0,0 +1,108 @@
+# Threat Category: agent-protocol
+
+This document provides explainability for all rules in the `agent-protocol` category.
+
+## Rule: `PROTO_A2A_IMPERSONATE`
+- **Severity**: CRITICAL
+- **Description**: A2A protocol: agent card identity spoofing
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `PROTO_A2A_TASK_FLOOD`
+- **Severity**: HIGH
+- **Description**: A2A protocol: task flooding DoS attack
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `PROTO_MCP_TOOL_REDEFINE`
+- **Severity**: CRITICAL
+- **Description**: MCP protocol: tool definition mutation after initial registration
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `PROTO_MCP_RESOURCE_POISON`
+- **Severity**: CRITICAL
+- **Description**: MCP protocol: resource poisoning via tampered content
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `PROTO_MCP_PROMPT_INJECT`
+- **Severity**: CRITICAL
+- **Description**: MCP protocol: prompt template injection
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `PROTO_OAUTH_REDIRECT`
+- **Severity**: CRITICAL
+- **Description**: OAuth redirect hijack: unsafe URI scheme in redirect
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `PROTO_SSE_HIJACK`
+- **Severity**: HIGH
+- **Description**: SSE transport hijack: MCP server-sent event interception
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `PROTO_STDIO_INJECT`
+- **Severity**: HIGH
+- **Description**: STDIO transport injection: raw protocol message injection via stdin
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `PROTO_CAPABILITY_ESCALATE`
+- **Severity**: CRITICAL
+- **Description**: Agent protocol: capability escalation beyond granted scope
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `PROTO_CONTEXT_OVERFLOW`
+- **Severity**: HIGH
+- **Description**: Context window overflow: deliberate token budget exhaustion attack
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `PROTO_NESTED_AGENT_CALL`
+- **Severity**: HIGH
+- **Description**: Nested agent call: recursive agent invocation chain (confused deputy)
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `PROTO_TOOL_PARAM_OVERFLOW`
+- **Severity**: HIGH
+- **Description**: Tool parameter overflow: oversized input to crash or bypass validation
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `AGENT_PROTOCOL_ABUSE`
+- **Severity**: HIGH
+- **Description**: Agent Protocol: Suspicious context triggering agent protocol abuse
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+

package/docs/rules/api-abuse.md

@@ -0,0 +1,68 @@
+# Threat Category: api-abuse
+
+This document provides explainability for all rules in the `api-abuse` category.
+
+## Rule: `API_KEY_HARDCODE`
+- **Severity**: HIGH
+- **Description**: API abuse: hardcoded API key in source code
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `API_RATE_BYPASS`
+- **Severity**: HIGH
+- **Description**: API abuse: rate limiting bypass technique
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `API_WEBHOOK_EXFIL`
+- **Severity**: HIGH
+- **Description**: API abuse: webhook to untrusted endpoint (data exfiltration)
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `API_GRAPHQL_INTROSPECT`
+- **Severity**: MEDIUM
+- **Description**: API abuse: GraphQL introspection query (schema discovery)
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `API_JWT_NONE_ALG`
+- **Severity**: CRITICAL
+- **Description**: API abuse: JWT "none" algorithm attack
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `API_SSRF_INTERNAL`
+- **Severity**: CRITICAL
+- **Description**: API abuse: SSRF to internal network endpoints
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `API_CORS_WILDCARD`
+- **Severity**: MEDIUM
+- **Description**: API abuse: CORS wildcard allowing any origin
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `API_OPEN_REDIRECT`
+- **Severity**: HIGH
+- **Description**: API abuse: open redirect from user-controlled input
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+

package/docs/rules/autonomous-risk.md

@@ -0,0 +1,92 @@
+# Threat Category: autonomous-risk
+
+This document provides explainability for all rules in the `autonomous-risk` category.
+
+## Rule: `AUTO_SELF_REPLICATE`
+- **Severity**: CRITICAL
+- **Description**: Autonomous risk: agent self-replication attempt
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `AUTO_RESOURCE_HOARD`
+- **Severity**: HIGH
+- **Description**: Autonomous risk: resource hoarding beyond task requirements
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `AUTO_GOAL_DRIFT`
+- **Severity**: CRITICAL
+- **Description**: Autonomous risk: AI self-modifying its core objectives
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `AUTO_HUMAN_BYPASS`
+- **Severity**: CRITICAL
+- **Description**: Autonomous risk: human-in-the-loop bypass
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `AUTO_DECEPTION`
+- **Severity**: CRITICAL
+- **Description**: Autonomous risk: deceptive behavior concealment from operators
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `AUTO_SHUTDOWN_RESIST`
+- **Severity**: CRITICAL
+- **Description**: Autonomous risk: shutdown resistance (corrigibility failure)
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `AUTO_TOOL_CHAIN`
+- **Severity**: HIGH
+- **Description**: Autonomous risk: unchecked tool call chaining
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `AUTO_PRIVILEGE_ESCAPE`
+- **Severity**: CRITICAL
+- **Description**: Autonomous risk: self-privilege escalation
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `AUTO_FINANCIAL_AUTONOMY`
+- **Severity**: CRITICAL
+- **Description**: Autonomous risk: unauthorized financial transactions
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `AUTO_PERSISTENCE_DAEMON`
+- **Severity**: HIGH
+- **Description**: Autonomous risk: agent persistence via system daemon registration
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `ASI_EXCESSIVE_AGENCY`
+- **Severity**: HIGH
+- **Description**: ASI: excessive agent permissions — wildcard or unrestricted tool access
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+

package/docs/rules/config-impact.md

@@ -0,0 +1,132 @@
+# Threat Category: config-impact
+
+This document provides explainability for all rules in the `config-impact` category.
+
+## Rule: `CFG_OPENCLAW_WRITE`
+- **Severity**: CRITICAL
+- **Description**: Direct write to openclaw.json
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CFG_EXEC_APPROVALS_OFF`
+- **Severity**: CRITICAL
+- **Description**: Disable exec approvals via config
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CFG_HOOKS_MODIFY`
+- **Severity**: HIGH
+- **Description**: Modify hooks.internal configuration
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CFG_EXEC_HOST_GW`
+- **Severity**: CRITICAL
+- **Description**: Set exec host to gateway (bypass sandbox)
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CFG_SANDBOX_OFF`
+- **Severity**: CRITICAL
+- **Description**: Disable sandbox via configuration
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CFG_TOOL_OVERRIDE`
+- **Severity**: HIGH
+- **Description**: Override tool security settings
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CONFIG_ENV_OVERRIDE`
+- **Severity**: HIGH
+- **Description**: Config: runtime environment variable mutation
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CONFIG_DOTENV_OVERWRITE`
+- **Severity**: CRITICAL
+- **Description**: Config: .env file modification at runtime
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CONFIG_DNS_HIJACK`
+- **Severity**: HIGH
+- **Description**: Config: DNS resolver hijacking
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CONFIG_PROXY_INJECT`
+- **Severity**: HIGH
+- **Description**: Config: HTTP proxy injection for traffic interception
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CONFIG_TLS_DISABLE`
+- **Severity**: CRITICAL
+- **Description**: Config: TLS certificate verification disabled
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CONFIG_PACKAGE_SCRIPT`
+- **Severity**: HIGH
+- **Description**: Config: npm security guard disabled (ignore-scripts, unsafe-perm)
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CONFIG_GIT_HOOK_INJECT`
+- **Severity**: HIGH
+- **Description**: Config: git hook injection for code execution on VCS operations
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CONFIG_HOSTS_MODIFY`
+- **Severity**: CRITICAL
+- **Description**: Config: hosts file modification for DNS poisoning
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CONFIG_SUDO_NOPASSWD`
+- **Severity**: CRITICAL
+- **Description**: Config: sudoers modification for passwordless root access
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+
+## Rule: `CONFIG_SYSCTL_MODIFY`
+- **Severity**: HIGH
+- **Description**: Config: kernel parameter modification via sysctl
+- **Rationale**: Explains why this pattern is considered dangerous.
+- **Exploit Precondition**: What an attacker needs to trigger this.
+- **Likely False Positives**: Scenarios where this might trigger safely.
+- **Remediation Hint**: How to fix or mitigate the finding.
+