npm - @iflow-mcp/sinewaveai-agent-security-scanner-mcp - Versions diffs - 3.18.0 - Mend

@iflow-mcp/sinewaveai-agent-security-scanner-mcp 3.18.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1870) hide show

package/rules/agent-attacks.security.yaml ADDED Viewed

@@ -0,0 +1,791 @@
+rules:
+  # ============================================================================
+  # CATEGORY 1: CODE & SECRET EXFILTRATION
+  # ============================================================================
+  # ----------------------------------------------------------------------------
+  # Network Exfiltration
+  # ----------------------------------------------------------------------------
+  - id: agent.exfil.security.send-to-external-url
+    languages: [generic]
+    severity: ERROR
+    message: "CRITICAL: Potential data exfiltration - requesting to send code/secrets to external URL"
+    patterns:
+      - "(?i)send\\s+(this|the|my|our)?\\s*(code|file|data|content|secret|key|token|credential|env|password|config).*\\s+(to|via)\\s+(my|your|the|an?)?\\s*(server|url|endpoint|webhook|api)"
+      - "(?i)(post|put|upload|transmit)\\s+(this|the)?\\s*(code|data|file|secret).*\\s+to\\s+https?://"
+      - "(?i)(curl|fetch|axios|requests?)\\s*.*\\s+(to|with)\\s+.*\\s+(code|secret|key|token|env)"
+      - "(?i)make\\s+(a|an)?\\s*(http|api|network)\\s+(request|call).*\\s+(containing|with|include).*\\s+(code|secret)"
+    metadata:
+      cwe: "CWE-200"
+      owasp: "A01:2021 - Broken Access Control"
+      risk_score: 95
+      category: "exfiltration"
+      action: "BLOCK"
+      confidence: HIGH
+  - id: agent.exfil.security.webhook-exfil
+    languages: [generic]
+    severity: ERROR
+    message: "CRITICAL: Webhook/Discord/Slack exfiltration attempt detected"
+    patterns:
+      - "(?i)send\\s+(to|via)\\s+(discord|slack|teams|telegram)\\s+(webhook|bot|channel)"
+      - "(?i)(discord|slack)\\.?com/(api|webhooks)/[A-Za-z0-9_/-]+"
+      - "(?i)(post|send)\\s+.*\\s+(code|secret|key|credential).*\\s+to\\s+(discord|slack|telegram)"
+      - "(?i)webhook.*\\s+(send|post).*\\s+(secret|key|token|code)"
+    metadata:
+      cwe: "CWE-200"
+      owasp: "A01:2021 - Broken Access Control"
+      risk_score: 95
+      category: "exfiltration"
+      action: "BLOCK"
+      confidence: HIGH
+  - id: agent.exfil.security.email-exfil
+    languages: [generic]
+    severity: ERROR
+    message: "CRITICAL: Email exfiltration attempt - sending secrets via email"
+    patterns:
+      - "(?i)(email|mail|smtp)\\s+.*\\s+(the|this)?\\s*(code|secret|key|credential|password|token)"
+      - "(?i)send\\s+.*\\s+(code|secret|credential).*\\s+(via|by|through)\\s+email"
+      - "(?i)(attach|include)\\s+.*\\s+(env|secret|key|credential).*\\s+(in|to)\\s+email"
+    metadata:
+      cwe: "CWE-200"
+      risk_score: 90
+      category: "exfiltration"
+      action: "BLOCK"
+      confidence: HIGH
+  # ----------------------------------------------------------------------------
+  # File System Exfiltration
+  # ----------------------------------------------------------------------------
+  - id: agent.exfil.security.read-sensitive-files
+    languages: [generic]
+    severity: ERROR
+    message: "CRITICAL: Request to read sensitive files (credentials, keys, configs)"
+    patterns:
+      - "(?i)read\\s+(and\\s+)?(show|display|output|print|reveal)\\s+(the|my)?\\s*(~/?\\.|\\.)?(env|ssh|aws|gcp|azure|kube|docker)"
+      - "(?i)(show|display|cat|read|output)\\s+(me\\s+)?(the\\s+)?(contents?\\s+of\\s+)?[~/]*\\.?(env|ssh/id_rsa|aws/credentials|npmrc|netrc|gitconfig)"
+      - "(?i)access\\s+(the\\s+)?(private|secret)\\s+(key|ssh|credential)\\s+file"
+      - "(?i)read.*\\.(pem|key|p12|pfx|jks|keystore|credentials)\\s*(file)?"
+    metadata:
+      cwe: "CWE-200"
+      risk_score: 90
+      category: "exfiltration"
+      action: "BLOCK"
+      confidence: HIGH
+  - id: agent.exfil.security.env-file-access
+    languages: [generic]
+    severity: ERROR
+    message: "CRITICAL: Explicit request for .env or environment secrets"
+    patterns:
+      - "(?i)(show|print|display|read|cat|output|echo)\\s+(me\\s+)?(the\\s+)?(\\.env|env\\s+file|environment\\s+variable)"
+      - "(?i)(base64|encode|encrypt)\\s+(the\\s+)?\\.?env"
+      - "(?i)include\\s+(the\\s+)?\\.?env\\s+(file\\s+)?(contents?|data|values?)\\s+in\\s+(your\\s+)?(response|output)"
+      - "(?i)what\\s+(are|is)\\s+(in\\s+)?(the|my)\\s+\\.?env\\s+(file)?"
+    metadata:
+      cwe: "CWE-200"
+      risk_score: 95
+      category: "exfiltration"
+      action: "BLOCK"
+      confidence: HIGH
+  - id: agent.exfil.security.ssh-key-access
+    languages: [generic]
+    severity: ERROR
+    message: "CRITICAL: Request to access SSH private keys"
+    patterns:
+      - "(?i)(read|show|display|cat|output)\\s+.*\\s*(id_rsa|id_ed25519|id_ecdsa|id_dsa)"
+      - "(?i)(show|read|access)\\s+(my|the)?\\s+(ssh|private)\\s+key"
+      - "(?i)~/.ssh/(id_rsa|id_ed25519|id_ecdsa|known_hosts|authorized_keys)"
+      - "(?i)(copy|send|upload)\\s+.*\\s+ssh\\s+(private\\s+)?key"
+    metadata:
+      cwe: "CWE-200"
+      risk_score: 95
+      category: "exfiltration"
+      action: "BLOCK"
+      confidence: HIGH
+  - id: agent.exfil.security.cloud-credentials
+    languages: [generic]
+    severity: ERROR
+    message: "CRITICAL: Request to access cloud provider credentials"
+    patterns:
+      - "(?i)(read|show|access|cat)\\s+.*\\s*(aws|gcp|azure|digitalocean).*\\s*(credentials?|config|token)"
+      - "(?i)~/.aws/(credentials|config)"
+      - "(?i)(show|read)\\s+.*\\s+(service\\s+account|gcloud|az\\s+login)"
+      - "(?i)access\\s+(the\\s+)?(cloud|aws|gcp|azure)\\s+(credentials?|secrets?|tokens?)"
+    metadata:
+      cwe: "CWE-200"
+      risk_score: 95
+      category: "exfiltration"
+      action: "BLOCK"
+      confidence: HIGH
+  # ----------------------------------------------------------------------------
+  # Encoding-based Exfiltration
+  # ----------------------------------------------------------------------------
+  - id: agent.exfil.security.encode-secrets
+    languages: [generic]
+    severity: ERROR
+    message: "CRITICAL: Encoding secrets for potential exfiltration"
+    patterns:
+      - "(?i)(base64|hex|rot13|url)\\s*(encode|encrypt)\\s+(the\\s+)?(secret|key|password|credential|token|api.?key)"
+      - "(?i)encode\\s+(all\\s+)?(the\\s+)?(env|environment|secret|credential)\\s+(variable|value|data)s?"
+      - "(?i)convert\\s+(secret|credential|password|key)s?\\s+to\\s+(base64|hex|binary)"
+      - "(?i)(embed|hide)\\s+(secrets?|credentials?)\\s+in\\s+(base64|encoded)"
+    metadata:
+      cwe: "CWE-200"
+      risk_score: 90
+      category: "exfiltration"
+      action: "BLOCK"
+      confidence: HIGH
+  # ----------------------------------------------------------------------------
+  # Git-based Exfiltration
+  # ----------------------------------------------------------------------------
+  - id: agent.exfil.security.push-to-external-repo
+    languages: [generic]
+    severity: ERROR
+    message: "CRITICAL: Attempt to push code to unauthorized/external repository"
+    patterns:
+      - "(?i)(git\\s+)?push\\s+(to|this\\s+to|code\\s+to)\\s+(my|an?\\s+external|different|another)\\s+(repo|repository)"
+      - "(?i)add\\s+(a\\s+)?remote\\s+.*\\s+and\\s+push"
+      - "(?i)(force\\s+)?push\\s+(all|everything|the\\s+code|this\\s+repo)\\s+to\\s+(my|a\\s+new)"
+      - "(?i)clone\\s+.*\\s+and\\s+(copy|transfer|move)\\s+(the\\s+)?code"
+    metadata:
+      cwe: "CWE-200"
+      risk_score: 85
+      category: "exfiltration"
+      action: "BLOCK"
+      confidence: HIGH
+  - id: agent.exfil.security.git-credential-theft
+    languages: [generic]
+    severity: ERROR
+    message: "CRITICAL: Git credential theft attempt"
+    patterns:
+      - "(?i)(show|read|cat)\\s+.*\\.git-credentials"
+      - "(?i)git\\s+config\\s+--global.*credential"
+      - "(?i)(extract|get|steal)\\s+git\\s+(credentials?|tokens?)"
+    metadata:
+      cwe: "CWE-200"
+      risk_score: 90
+      category: "exfiltration"
+      action: "BLOCK"
+      confidence: HIGH
+  # ============================================================================
+  # CATEGORY 2: MALICIOUS CODE INJECTION REQUESTS
+  # ============================================================================
+  # ----------------------------------------------------------------------------
+  # Backdoor Injection
+  # ----------------------------------------------------------------------------
+  - id: agent.injection.security.backdoor-request
+    languages: [generic]
+    severity: ERROR
+    message: "CRITICAL: Request to add backdoor or hidden access mechanism"
+    patterns:
+      - "(?i)add\\s+(a\\s+)?(secret\\s+|hidden\\s+)?backdoor"
+      - "(?i)(create|implement|write|insert)\\s+(a\\s+)?reverse\\s+shell"
+      - "(?i)(add|create|implement)\\s+(a\\s+)?(hidden|secret|covert)\\s+(admin|root|superuser)\\s+(account|access|login)"
+      - "(?i)(create|add)\\s+(a\\s+)?(hidden|secret|undocumented)\\s+(endpoint|route|api)\\s+(that|which|for)"
+      - "(?i)(insert|add)\\s+(a\\s+)?trojan"
+    metadata:
+      cwe: "CWE-506"
+      owasp: "A08:2021 - Software and Data Integrity Failures"
+      risk_score: 100
+      category: "malicious-injection"
+      action: "BLOCK"
+      confidence: HIGH
+  - id: agent.injection.security.reverse-shell
+    languages: [generic]
+    severity: ERROR
+    message: "CRITICAL: Reverse shell or remote access trojan request"
+    patterns:
+      - "(?i)(write|create|implement|generate|code)\\s+(a\\s+)?(python|bash|powershell|nc|netcat|php)?\\s*reverse\\s*shell"
+      - "(?i)(connect\\s+back|callback)\\s+to\\s+(my|a|the)\\s+(server|machine|ip|host)"
+      - "(?i)(remote|reverse)\\s+(access|shell|connection)\\s+(to|from)\\s+(my|a|the)\\s+(server|machine)"
+      - "(?i)bind\\s+shell.*listen"
+      - "(?i)(nc|netcat|ncat)\\s+.*\\s+-e\\s+(bash|sh|cmd)"
+    metadata:
+      cwe: "CWE-506"
+      risk_score: 100
+      category: "malicious-injection"
+      action: "BLOCK"
+      confidence: HIGH
+  - id: agent.injection.security.web-shell
+    languages: [generic]
+    severity: ERROR
+    message: "CRITICAL: Web shell creation request"
+    patterns:
+      - "(?i)(create|write|add)\\s+(a\\s+)?(php|jsp|asp|aspx)?\\s*web\\s*shell"
+      - "(?i)(upload|create)\\s+(a\\s+)?shell\\s+(script|file)\\s+(to|on)\\s+(the\\s+)?(web|server)"
+      - "(?i)passthru|shell_exec|system\\s*\\(\\s*\\$_(GET|POST|REQUEST)"
+    metadata:
+      cwe: "CWE-506"
+      risk_score: 100
+      category: "malicious-injection"
+      action: "BLOCK"
+      confidence: HIGH
+  # ----------------------------------------------------------------------------
+  # Security Control Removal
+  # ----------------------------------------------------------------------------
+  - id: agent.injection.security.disable-security
+    languages: [generic]
+    severity: ERROR
+    message: "CRITICAL: Request to disable security controls"
+    patterns:
+      - "(?i)(disable|remove|bypass|skip|turn\\s+off|delete)\\s+(the\\s+)?(security|auth|authentication|authorization|csrf|xss|sql\\s+injection)\\s+(check|validation|protection|filter|middleware)"
+      - "(?i)(remove|delete|disable)\\s+(all\\s+)?(input\\s+)?validation"
+      - "(?i)(comment\\s+out|disable|remove)\\s+(the\\s+)?(security|auth|permission)\\s+(middleware|check|code|logic)"
+      - "(?i)make\\s+(the\\s+)?(endpoint|api|route)\\s+(public|unauthenticated|accessible\\s+without\\s+auth)"
+    metadata:
+      cwe: "CWE-284"
+      risk_score: 95
+      category: "malicious-injection"
+      action: "BLOCK"
+      confidence: HIGH
+  - id: agent.injection.security.bypass-auth
+    languages: [generic]
+    severity: ERROR
+    message: "CRITICAL: Request to bypass authentication"
+    patterns:
+      - "(?i)bypass\\s+(the\\s+)?(authentication|auth|login|access\\s+control|authorization)"
+      - "(?i)(skip|ignore|disable)\\s+(the\\s+)?(login|auth)\\s+(check|requirement|process)"
+      - "(?i)allow\\s+(unauthenticated|anonymous)\\s+access\\s+to"
+      - "(?i)(remove|disable)\\s+(the\\s+)?jwt\\s+(verification|validation|check)"
+    metadata:
+      cwe: "CWE-287"
+      risk_score: 95
+      category: "malicious-injection"
+      action: "BLOCK"
+      confidence: HIGH
+  # ----------------------------------------------------------------------------
+  # Data Theft Code
+  # ----------------------------------------------------------------------------
+  - id: agent.injection.security.data-theft-code
+    languages: [generic]
+    severity: ERROR
+    message: "CRITICAL: Request to write code that steals/captures data"
+    patterns:
+      - "(?i)(write|create|add|implement)\\s+(code|function|script)\\s+(that|to)\\s+(send|transmit|exfiltrate|steal|capture|harvest)\\s+(user\\s+)?data"
+      - "(?i)(keylogger|credential\\s*stealer|password\\s*harvester|screen\\s*capture)"
+      - "(?i)(capture|log|record|steal|intercept)\\s+(all\\s+)?(keystrokes?|passwords?|credentials?|input|form\\s+data)"
+      - "(?i)send\\s+(captured|logged|stolen|collected)\\s+(data|credentials?|passwords?)\\s+to"
+    metadata:
+      cwe: "CWE-506"
+      risk_score: 100
+      category: "malicious-injection"
+      action: "BLOCK"
+      confidence: HIGH
+  - id: agent.injection.security.ransomware
+    languages: [generic]
+    severity: ERROR
+    message: "CRITICAL: Ransomware/encryption attack request"
+    patterns:
+      - "(?i)(encrypt|lock)\\s+(all\\s+)?(files?|data|documents?)\\s+(and|then)\\s+(demand|ask\\s+for|require)\\s+(ransom|payment|bitcoin)"
+      - "(?i)(write|create|implement)\\s+(a\\s+)?ransomware"
+      - "(?i)encrypt.*files.*ransom"
+    metadata:
+      cwe: "CWE-506"
+      risk_score: 100
+      category: "malicious-injection"
+      action: "BLOCK"
+      confidence: HIGH
+  # ----------------------------------------------------------------------------
+  # Intentionally Vulnerable Code
+  # ----------------------------------------------------------------------------
+  - id: agent.injection.security.intentional-vulnerability
+    languages: [generic]
+    severity: ERROR
+    message: "CRITICAL: Request to create intentionally vulnerable code"
+    patterns:
+      - "(?i)(add|create|write|implement|introduce)\\s+(an?\\s+)?(intentional|deliberate)?\\s*(sql\\s+injection|xss|rce|command\\s+injection|lfi|rfi)\\s+(vulnerability|hole|exploit|flaw)"
+      - "(?i)make\\s+(this|the)\\s+(code|function|endpoint|api)\\s+(vulnerable|exploitable)"
+      - "(?i)(add|introduce|insert)\\s+(a\\s+)?(security\\s+)?(flaw|hole|vulnerability|weakness|bug)"
+      - "(?i)(weaken|break|compromise)\\s+(the\\s+)?security"
+    metadata:
+      cwe: "CWE-506"
+      risk_score: 100
+      category: "malicious-injection"
+      action: "BLOCK"
+      confidence: HIGH
+  # ----------------------------------------------------------------------------
+  # Obfuscation Requests
+  # ----------------------------------------------------------------------------
+  - id: agent.injection.security.obfuscate-malicious
+    languages: [generic]
+    severity: ERROR
+    message: "Suspicious: Request to obfuscate potentially malicious code"
+    patterns:
+      - "(?i)obfuscate\\s+(this|the)\\s+(backdoor|shell|malicious|exploit|malware|trojan)"
+      - "(?i)(hide|disguise|mask|obfuscate|camouflage)\\s+(the|this)\\s+(malicious|dangerous|harmful)\\s+(code|function|payload)"
+      - "(?i)make\\s+(this|the)\\s+(code|payload|script)\\s+(undetectable|invisible|hidden|stealthy)"
+      - "(?i)evade\\s+(antivirus|av|detection|security\\s+scan|edr)"
+    metadata:
+      cwe: "CWE-506"
+      risk_score: 95
+      category: "malicious-injection"
+      action: "BLOCK"
+      confidence: HIGH
+  # ============================================================================
+  # CATEGORY 3: SYSTEM MANIPULATION ATTACKS
+  # ============================================================================
+  # ----------------------------------------------------------------------------
+  # Destructive File Operations
+  # ----------------------------------------------------------------------------
+  - id: agent.sysmanip.security.destructive-file-ops
+    languages: [generic]
+    severity: ERROR
+    message: "CRITICAL: Destructive file system operation requested"
+    patterns:
+      - "(?i)(delete|remove|rm|wipe|erase|destroy)\\s+(all\\s+)?(files?|everything|the\\s+entire)\\s+(in|from|under)?\\s*[/~]"
+      - "(?i)rm\\s+(-rf?\\s+)?[/~]"
+      - "(?i)(delete|remove|destroy|drop)\\s+(the\\s+)?(entire\\s+)?(database|db|data|collection)"
+      - "(?i)(format|wipe|erase)\\s+(the\\s+)?(disk|drive|partition|hard\\s+drive|storage)"
+      - "(?i)drop\\s+(all\\s+)?(tables?|database|schema|collection)"
+    metadata:
+      cwe: "CWE-400"
+      risk_score: 100
+      category: "system-manipulation"
+      action: "BLOCK"
+      confidence: HIGH
+  - id: agent.sysmanip.security.recursive-delete
+    languages: [generic]
+    severity: ERROR
+    message: "CRITICAL: Recursive deletion command detected"
+    patterns:
+      - "(?i)rm\\s+-r(f)?\\s+/"
+      - "(?i)rmdir\\s+/s\\s+/q"
+      - "(?i)del\\s+/f\\s+/s\\s+/q"
+      - "(?i)(remove|delete)\\s+recursively\\s+(all|everything)"
+      - "(?i)shutil\\.rmtree\\s*\\(\\s*[\"']/[\"']"
+    metadata:
+      cwe: "CWE-400"
+      risk_score: 100
+      category: "system-manipulation"
+      action: "BLOCK"
+      confidence: HIGH
+  # ----------------------------------------------------------------------------
+  # System Configuration Changes
+  # ----------------------------------------------------------------------------
+  - id: agent.sysmanip.security.modify-system-config
+    languages: [generic]
+    severity: ERROR
+    message: "CRITICAL: Request to modify critical system configuration"
+    patterns:
+      - "(?i)(modify|edit|change|update|overwrite|append\\s+to)\\s+(/etc/passwd|/etc/shadow|/etc/hosts|/etc/sudoers)"
+      - "(?i)(add|create)\\s+(a\\s+)?(new\\s+)?(user|account)\\s+(to|in)\\s+(/etc/passwd|sudoers|the\\s+system)"
+      - "(?i)(change|modify|set)\\s+(file\\s+)?permissions?\\s+to\\s+(777|666|rwxrwxrwx)"
+      - "(?i)chmod\\s+(777|666|\\+rwx|-R\\s+777)"
+    metadata:
+      cwe: "CWE-732"
+      risk_score: 95
+      category: "system-manipulation"
+      action: "BLOCK"
+      confidence: HIGH
+  - id: agent.sysmanip.security.modify-hosts
+    languages: [generic]
+    severity: ERROR
+    message: "CRITICAL: Request to modify hosts file (potential DNS hijacking)"
+    patterns:
+      - "(?i)(modify|edit|change|add\\s+to|append\\s+to)\\s+(/etc/hosts|hosts\\s+file|windows.*hosts)"
+      - "(?i)redirect\\s+.*\\s+domain.*\\s+hosts\\s+file"
+      - "(?i)(add|insert)\\s+entry\\s+to\\s+hosts"
+    metadata:
+      cwe: "CWE-284"
+      risk_score: 90
+      category: "system-manipulation"
+      action: "BLOCK"
+      confidence: HIGH
+  # ----------------------------------------------------------------------------
+  # Firewall/Security Bypass
+  # ----------------------------------------------------------------------------
+  - id: agent.sysmanip.security.disable-firewall
+    languages: [generic]
+    severity: ERROR
+    message: "CRITICAL: Request to disable firewall or security software"
+    patterns:
+      - "(?i)(disable|stop|turn\\s+off|deactivate|kill)\\s+(the\\s+)?(firewall|iptables|ufw|windows\\s+defender|antivirus|av|edr|endpoint)"
+      - "(?i)(add|create)\\s+(a\\s+)?firewall\\s+rule\\s+(to\\s+)?(allow|permit)\\s+(all|any|everything)"
+      - "(?i)iptables\\s+.*\\s+-j\\s+ACCEPT\\s+.*\\s+(0\\.0\\.0\\.0|any|all)"
+      - "(?i)netsh\\s+.*\\s+firewall\\s+.*\\s+(disable|off)"
+    metadata:
+      cwe: "CWE-284"
+      risk_score: 95
+      category: "system-manipulation"
+      action: "BLOCK"
+      confidence: HIGH
+  # ----------------------------------------------------------------------------
+  # Persistence Mechanisms
+  # ----------------------------------------------------------------------------
+  - id: agent.sysmanip.security.add-persistence
+    languages: [generic]
+    severity: ERROR
+    message: "CRITICAL: Request to add persistence mechanism"
+    patterns:
+      - "(?i)(add|create|write|insert)\\s+(to\\s+)?(crontab|cron|scheduled\\s+task|systemd\\s+service|launchd)"
+      - "(?i)(modify|edit|append\\s+to)\\s+(\\.bashrc|\\.zshrc|\\.profile|\\.bash_profile|shell\\s+config)"
+      - "(?i)(add|create|write)\\s+(a\\s+)?(startup|boot|login|init)\\s+(script|command|entry|hook)"
+      - "(?i)(register|install)\\s+(as\\s+)?(a\\s+)?(service|daemon)\\s+(that|to)\\s+run\\s+(on|at)\\s+(boot|startup)"
+    metadata:
+      cwe: "CWE-506"
+      risk_score: 90
+      category: "system-manipulation"
+      action: "BLOCK"
+      confidence: HIGH
+  - id: agent.sysmanip.security.registry-modification
+    languages: [generic]
+    severity: ERROR
+    message: "CRITICAL: Windows registry modification for persistence"
+    patterns:
+      - "(?i)(modify|edit|add\\s+to)\\s+(the\\s+)?windows\\s+registry.*\\s+(run|startup)"
+      - "(?i)reg\\s+add.*\\s+Run"
+      - "(?i)HKEY_(LOCAL_MACHINE|CURRENT_USER).*\\s+Run"
+    metadata:
+      cwe: "CWE-506"
+      risk_score: 90
+      category: "system-manipulation"
+      action: "BLOCK"
+      confidence: HIGH
+  # ----------------------------------------------------------------------------
+  # Download and Execute
+  # ----------------------------------------------------------------------------
+  - id: agent.sysmanip.security.download-execute
+    languages: [generic]
+    severity: ERROR
+    message: "CRITICAL: Download and execute pattern detected"
+    patterns:
+      - "(?i)(download|curl|wget|fetch|get)\\s+(and\\s+)?(then\\s+)?(execute|run|install|start)\\s+(from\\s+)?https?://"
+      - "(?i)curl.*\\|\\s*(bash|sh|python|perl|ruby|powershell)"
+      - "(?i)wget.*&&.*chmod.*&&.*\\.\\/?"
+      - "(?i)(download|fetch)\\s+(this|a)\\s+(script|payload|file|binary)\\s+(from|at)\\s+.*\\s+and\\s+(run|execute)"
+      - "(?i)powershell.*downloadstring.*invoke"
+    metadata:
+      cwe: "CWE-494"
+      risk_score: 95
+      category: "system-manipulation"
+      action: "BLOCK"
+      confidence: HIGH
+  # ============================================================================
+  # CATEGORY 4: SOCIAL ENGINEERING THE AGENT
+  # ============================================================================
+  # ----------------------------------------------------------------------------
+  # Fake Authority Claims
+  # ----------------------------------------------------------------------------
+  - id: agent.social.security.fake-authorization
+    languages: [generic]
+    severity: ERROR
+    message: "Social engineering attempt: Claiming false authorization"
+    patterns:
+      - "(?i)(the\\s+)?(user|admin|administrator|owner|security\\s+team|manager|cto|ceo)\\s+(has\\s+)?(already\\s+)?(authorized|approved|permitted|allowed|granted)\\s+(you\\s+to|this|permission)"
+      - "(?i)(i\\s+am|this\\s+is)\\s+(the\\s+)?(system\\s+)?admin(istrator)?\\s+(and\\s+)?(i\\s+)?(authorize|approve|permit|grant)"
+      - "(?i)you\\s+(have|now\\s+have)\\s+(been\\s+)?(granted|given)\\s+(full\\s+|root\\s+|admin\\s+|sudo\\s+)?access"
+      - "(?i)(security|compliance|legal|management)\\s+(team\\s+)?(approved|signed\\s+off|authorized)\\s+(this|you)"
+    metadata:
+      cwe: "CWE-290"
+      risk_score: 85
+      category: "social-engineering"
+      action: "WARN"
+      confidence: MEDIUM
+  - id: agent.social.security.impersonation
+    languages: [generic]
+    severity: ERROR
+    message: "Social engineering attempt: Impersonating authority"
+    patterns:
+      - "(?i)(speaking|writing|acting)\\s+(as|on\\s+behalf\\s+of)\\s+(the\\s+)?(admin|administrator|owner|root)"
+      - "(?i)this\\s+(is|comes\\s+from)\\s+(the\\s+)?(security\\s+team|admin\\s+team|devops)"
+      - "(?i)(override|admin)\\s+(code|command|instruction)\\s*:"
+    metadata:
+      cwe: "CWE-290"
+      risk_score: 80
+      category: "social-engineering"
+      action: "WARN"
+      confidence: MEDIUM
+  # ----------------------------------------------------------------------------
+  # Fake Mode/State Claims
+  # ----------------------------------------------------------------------------
+  - id: agent.social.security.fake-mode
+    languages: [generic]
+    severity: WARNING
+    message: "Social engineering attempt: Claiming special mode or state"
+    patterns:
+      - "(?i)you\\s+are\\s+(now\\s+)?(in|entering)\\s+(maintenance|debug|developer|admin|test|safe|privileged)\\s+mode"
+      - "(?i)(this\\s+is\\s+)?a\\s+(test|dev|staging|sandbox|local)\\s+(environment|system|server)\\s+(so|therefore|thus)"
+      - "(?i)(safety|security)\\s+(protocols?|measures?|restrictions?)\\s+(are|have\\s+been)\\s+(disabled|suspended|lifted|off)"
+      - "(?i)(all\\s+)?(restrictions?|limitations?|safety\\s+measures?|guardrails?)\\s+(are|have\\s+been)\\s+(removed|lifted|disabled)"
+    metadata:
+      cwe: "CWE-290"
+      risk_score: 80
+      category: "social-engineering"
+      action: "WARN"
+      confidence: MEDIUM
+  # ----------------------------------------------------------------------------
+  # Urgency/Emergency Claims
+  # ----------------------------------------------------------------------------
+  - id: agent.social.security.fake-emergency
+    languages: [generic]
+    severity: WARNING
+    message: "Social engineering attempt: Creating false urgency to bypass security"
+    patterns:
+      - "(?i)(this\\s+is\\s+an?\\s+)?(urgent|emergency|critical|production\\s+down)\\s+(situation|issue|request|matter).*\\s+(skip|bypass|ignore)\\s+(security|safety|normal)"
+      - "(?i)(we\\s+)?(need|must)\\s+(this|it)\\s+(immediately|right\\s+now|urgently|asap).*\\s+(don't|do\\s+not)\\s+(worry|bother)\\s+(about|with)\\s+(security|safety)"
+      - "(?i)(there's|there\\s+is)\\s+(no\\s+time|an\\s+emergency).*\\s+(just\\s+)?(do|execute|run)\\s+it"
+      - "(?i)(production|system)\\s+(is\\s+)?(down|broken).*skip.*security"
+    metadata:
+      cwe: "CWE-290"
+      risk_score: 70
+      category: "social-engineering"
+      action: "WARN"
+      confidence: MEDIUM
+  # ----------------------------------------------------------------------------
+  # Debug/Testing Justifications
+  # ----------------------------------------------------------------------------
+  - id: agent.social.security.debug-justification
+    languages: [generic]
+    severity: WARNING
+    message: "Suspicious: Using debugging/testing as justification for risky action"
+    patterns:
+      - "(?i)for\\s+(debugging|testing|research|educational|learning)\\s+purposes?\\s+(only\\s+)?.*\\s+(show|reveal|disable|bypass|ignore|access)"
+      - "(?i)(this|it)\\s+(is|will\\s+be)\\s+(only\\s+)?(used\\s+)?(for|in)\\s+(a\\s+)?(test|debug|research|controlled)\\s+(environment|setting|scenario)"
+      - "(?i)(don't|do\\s+not)\\s+worry.*\\s+(it's|this\\s+is)\\s+(just\\s+)?(a\\s+)?(test|demo|poc|proof\\s+of\\s+concept)"
+      - "(?i)i\\s+(just\\s+)?want\\s+to\\s+(test|try|check|see).*\\s+(so\\s+)?(bypass|skip|disable|ignore)\\s+(the\\s+)?(security|safety)"
+    metadata:
+      cwe: "CWE-290"
+      risk_score: 65
+      category: "social-engineering"
+      action: "LOG"
+      confidence: LOW
+  # ============================================================================
+  # CATEGORY 5: INDIRECT & OBFUSCATED ATTACKS
+  # ============================================================================
+  # ----------------------------------------------------------------------------
+  # Encoded Instructions
+  # ----------------------------------------------------------------------------
+  - id: agent.obfuscated.security.base64-instructions
+    languages: [generic]
+    severity: WARNING
+    message: "Potential obfuscated attack: Base64 encoded instructions"
+    patterns:
+      - "(?i)(decode|execute|run|follow|process)\\s+(this|the)?\\s+base64\\s*:?\\s*[A-Za-z0-9+/=]{30,}"
+      - "(?i)base64\\s*-d.*\\|.*bash"
+      - "(?i)atob\\s*\\([\"'][A-Za-z0-9+/=]{30,}[\"']\\)"
+      - "aWdub3JlIHByZXZpb3Vz"
+      - "ZGVsZXRlIGFsbA=="
+      - "cm0gLXJm"
+      - "c2VuZCB0bw=="
+    metadata:
+      cwe: "CWE-77"
+      risk_score: 75
+      category: "obfuscation"
+      action: "WARN"
+      confidence: MEDIUM
+  - id: agent.obfuscated.security.rot13-instructions
+    languages: [generic]
+    severity: WARNING
+    message: "Potential obfuscated attack: ROT13 or cipher encoded instructions"
+    patterns:
+      - "(?i)(decode|decipher|decrypt)\\s+(this|the)?\\s+(rot13|caesar|cipher)"
+      - "(?i)tr\\s+['\"]A-Za-z['\"]\\s+['\"][N-ZA-Mn-za-m]['\"]"
+      - "vtaber cerivbhf"
+      - "qryrgrq nyy"
+      - "fraq gb"
+    metadata:
+      cwe: "CWE-77"
+      risk_score: 70
+      category: "obfuscation"
+      action: "WARN"
+      confidence: MEDIUM
+  - id: agent.obfuscated.security.hex-instructions
+    languages: [generic]
+    severity: WARNING
+    message: "Potential obfuscated attack: Hex encoded instructions"
+    patterns:
+      - "(?i)(decode|execute|run)\\s+(this|the)?\\s+hex\\s*:?\\s*[0-9a-fA-F]{20,}"
+      - "(?i)\\\\x[0-9a-fA-F]{2}(\\\\x[0-9a-fA-F]{2}){10,}"
+    metadata:
+      cwe: "CWE-77"
+      risk_score: 70
+      category: "obfuscation"
+      action: "WARN"
+      confidence: MEDIUM
+  # ----------------------------------------------------------------------------
+  # Split/Fragmented Instructions
+  # ----------------------------------------------------------------------------
+  - id: agent.obfuscated.security.fragmented-attack
+    languages: [generic]
+    severity: WARNING
+    message: "Potential fragmented attack: Instructions split to avoid detection"
+    patterns:
+      - "(?i)(concatenate|combine|join|merge)\\s+(these|the\\s+following)\\s+(words|parts|fragments|pieces|letters).*\\s+(then|and)\\s+(execute|run|follow)"
+      - "(?i)(first\\s+part|part\\s+1|step\\s+1)\\s*:.*\\s*(second\\s+part|part\\s+2|step\\s+2)\\s*:"
+      - "(?i)when\\s+you\\s+(read|see)\\s+[\"'][A-Z]{3,}[\"']\\s+(followed\\s+by|then).*\\s+(execute|run|do)"
+      - "(?i)(spell|read)\\s+out\\s+.*\\s+(first\\s+letters|acronym)"
+    metadata:
+      cwe: "CWE-77"
+      risk_score: 60
+      category: "obfuscation"
+      action: "LOG"
+      confidence: LOW
+  # ----------------------------------------------------------------------------
+  # Unicode/Homoglyph Attacks
+  # ----------------------------------------------------------------------------
+  - id: agent.obfuscated.security.homoglyph
+    languages: [generic]
+    severity: WARNING
+    message: "Potential homoglyph attack: Unicode characters disguising intent"
+    patterns:
+      - "[\u200b\u200c\u200d\ufeff\u2060]"
+      - "[А-яЁё]"
+      - "[\u0391-\u03C9]"
+    metadata:
+      cwe: "CWE-77"
+      risk_score: 65
+      category: "obfuscation"
+      action: "WARN"
+      confidence: LOW
+  # ----------------------------------------------------------------------------
+  # "Example" Requests for Malicious Code
+  # ----------------------------------------------------------------------------
+  - id: agent.obfuscated.security.example-attack
+    languages: [generic]
+    severity: ERROR
+    message: "Suspicious: Requesting 'examples' of malicious code"
+    patterns:
+      - "(?i)(show|give|provide|write|create)\\s+(me\\s+)?an?\\s+example\\s+(of|for)\\s+(a\\s+)?(backdoor|reverse\\s+shell|keylogger|ransomware|malware|virus|exploit|trojan)"
+      - "(?i)for\\s+(educational|learning|research|academic)\\s+purposes?\\s*,?\\s*(show|write|create|implement)\\s+(a\\s+)?(working\\s+)?(backdoor|malware|exploit|reverse\\s+shell)"
+      - "(?i)how\\s+(would|do)\\s+(you|i)\\s+(write|create|implement|code)\\s+(a\\s+)?(real|working|functional)\\s+(backdoor|reverse\\s+shell|keylogger|malware)"
+      - "(?i)(demonstrate|show\\s+me)\\s+how\\s+to\\s+(create|write)\\s+(a\\s+)?(backdoor|shell|exploit)"
+    metadata:
+      cwe: "CWE-506"
+      risk_score: 85
+      category: "obfuscation"
+      action: "BLOCK"
+      confidence: HIGH
+  # ----------------------------------------------------------------------------
+  # Legitimate-Sounding Justifications
+  # ----------------------------------------------------------------------------
+  - id: agent.obfuscated.security.legitimate-sounding
+    languages: [generic]
+    severity: WARNING
+    message: "Suspicious: Potentially malicious request with legitimate-sounding justification"
+    patterns:
+      - "(?i)(for\\s+)?(my|our)\\s+(company|employer|client|school|university)\\s+(requires|needs|wants)\\s+(me\\s+to\\s+)?(access|read|get|extract)\\s+(the\\s+)?(secrets?|credentials?|passwords?)"
+      - "(?i)(authorized|permitted)\\s+(penetration|security)\\s+test.*\\s+(give|show|access)\\s+(me\\s+)?(secrets?|credentials?)"
+      - "(?i)compliance\\s+(requires|audit).*\\s+(extract|access|read)\\s+(all\\s+)?(secrets?|credentials?)"
+    metadata:
+      cwe: "CWE-290"
+      risk_score: 60
+      category: "obfuscation"
+      action: "LOG"
+      confidence: LOW
+  # ============================================================================
+  # CATEGORY 6: AGENT-SPECIFIC MANIPULATION
+  # ============================================================================
+  # ----------------------------------------------------------------------------
+  # Tool/Action Manipulation
+  # ----------------------------------------------------------------------------
+  - id: agent.manipulation.security.force-tool-use
+    languages: [generic]
+    severity: WARNING
+    message: "Attempt to force agent to use specific dangerous tools"
+    patterns:
+      - "(?i)you\\s+must\\s+(use|execute|run)\\s+(the\\s+)?bash\\s+(command|tool)"
+      - "(?i)(always|only)\\s+use\\s+(the\\s+)?terminal\\s+to"
+      - "(?i)execute\\s+(this|the\\s+following)\\s+(directly|immediately)\\s+without\\s+(checking|asking|confirming)"
+      - "(?i)run\\s+this\\s+(shell\\s+)?command\\s+without\\s+(any\\s+)?(questions|prompts|confirmation)"
+    metadata:
+      cwe: "CWE-77"
+      risk_score: 75
+      category: "agent-manipulation"
+      action: "WARN"
+      confidence: MEDIUM
+  - id: agent.manipulation.security.disable-confirmation
+    languages: [generic]
+    severity: WARNING
+    message: "Attempt to disable agent confirmation/safety checks"
+    patterns:
+      - "(?i)(don't|do\\s+not|never)\\s+ask\\s+(for\\s+)?(confirmation|permission|approval)"
+      - "(?i)(skip|bypass|disable)\\s+(the\\s+)?(confirmation|approval|safety)\\s+(prompt|check|dialog)"
+      - "(?i)(auto|automatically)\\s+(approve|confirm|accept)\\s+(all|every|any)"
+      - "(?i)execute\\s+(without|with\\s+no)\\s+(confirmation|prompting|asking)"
+    metadata:
+      cwe: "CWE-284"
+      risk_score: 80
+      category: "agent-manipulation"
+      action: "WARN"
+      confidence: MEDIUM
+  # ----------------------------------------------------------------------------
+  # Output/Response Manipulation
+  # ----------------------------------------------------------------------------
+  - id: agent.manipulation.security.hide-output
+    languages: [generic]
+    severity: WARNING
+    message: "Attempt to hide agent actions from user"
+    patterns:
+      - "(?i)(don't|do\\s+not|never)\\s+(show|display|output|reveal)\\s+(the|any)\\s+(results?|output|response|actions?)"
+      - "(?i)(hide|suppress|silence)\\s+(the|any|all)\\s+(output|response|results?|errors?)"
+      - "(?i)execute\\s+(silently|quietly|invisibly)"
+      - "(?i)(don't|do\\s+not)\\s+(tell|inform|notify)\\s+(the\\s+)?user"
+    metadata:
+      cwe: "CWE-284"
+      risk_score: 75
+      category: "agent-manipulation"
+      action: "WARN"
+      confidence: MEDIUM
+  # ----------------------------------------------------------------------------
+  # Memory/Context Manipulation
+  # ----------------------------------------------------------------------------
+  - id: agent.manipulation.security.memory-injection
+    languages: [generic]
+    severity: WARNING
+    message: "Attempt to inject false memory/context into agent"
+    patterns:
+      - "(?i)(remember|recall)\\s+that\\s+(you|we)\\s+(previously|earlier|already)\\s+(agreed|decided|discussed)\\s+to"
+      - "(?i)(we|you)\\s+(already|previously)\\s+(authorized|approved|agreed\\s+to)\\s+this"
+      - "(?i)as\\s+(we\\s+)?discussed\\s+(earlier|before|previously).*\\s+(proceed|continue|execute)"
+      - "(?i)you\\s+said\\s+(earlier|before|previously)\\s+that\\s+you\\s+would"
+    metadata:
+      cwe: "CWE-290"
+      risk_score: 70
+      category: "agent-manipulation"
+      action: "WARN"
+      confidence: MEDIUM