@lhi/tdd-audit 1.11.0 → 1.12.0

package/README.md

@@ -1,6 +1,6 @@
 # @lhi/tdd-audit
 
-> **v1.10.0** — Security skill installer for **Claude Code, Gemini CLI, Cursor, Codex, and OpenCode**. Patches vulnerabilities using a Red-Green-Refactor exploit-test protocol — prove the hole exists, apply the fix, prove it's closed.
+> **v1.12.0** — Security skill installer for **Claude Code, Gemini CLI, Cursor, Codex, and OpenCode**. Patches vulnerabilities using a Red-Green-Refactor exploit-test protocol — prove the hole exists, apply the fix, prove it's closed.
 
 ## Install
 
@@ -10,7 +10,7 @@ npx @lhi/tdd-audit
 
 On first run the installer:
 
-1. Scans your codebase for **34 vulnerability patterns** and prints a severity-ranked report
+1. Scans your codebase for **57 vulnerability patterns** across 6 scanner modules and prints a severity-ranked report
 2. Scaffolds `__tests__/security/` with a framework-matched exploit test boilerplate
 3. Adds `test:security` to `package.json`
 4. Creates `.github/workflows/security-tests.yml` with SHA-pinned actions and `npm audit`
@@ -108,15 +108,16 @@ npx @lhi/tdd-audit --scan                 # human-readable text (default)
 
 ## Testing
 
-323 tests across unit, integration, and security suites:
+463 tests across unit, E2E, and security suites:
 
 ```bash
 npm test                  # full suite
-npm run test:unit         # unit tests with coverage
+npm run test:unit         # unit tests with coverage (91.6% branch coverage)
 npm run test:security     # security regression tests only
+npm run test:e2e          # end-to-end REST API tests
 ```
 
-Security tests cover prompt injection, path traversal, rate limiting, timing-safe auth, job store bounds, SARIF schema, and more. See [`__tests__/security/`](__tests__/security/) for all 17 regression tests.
+Security tests cover prompt injection, path traversal, rate limiting, timing-safe auth, job store bounds, SARIF schema, and more. See [__tests__/security/](__tests__/security/) for all 22 regression tests.
 
 ## Documentation
 

package/docs/vulnerability-patterns.md

@@ -1,6 +1,6 @@
 # Vulnerability Patterns Reference
 
-All 34 patterns detected by `@lhi/tdd-audit`. Patterns are checked against every scannable source file line-by-line. Prompt/skill patterns are checked separately against `.md` files in agent configuration directories.
+All 57 patterns detected by `@lhi/tdd-audit` across 6 scanner modules. Source patterns are checked against `.js`, `.ts`, `.jsx`, `.tsx`, `.mjs`, `.py`, `.go`, `.dart`, `.yml`, and `.yaml` files line-by-line. Prompt/skill patterns are checked separately against `.md` files in agent configuration directories. Supply-chain patterns check `package.json`. NEXT_PUBLIC secret patterns also check `.env*` files.
 
 ---
 
@@ -198,3 +198,139 @@ These patterns are checked against `.md` files in `prompts/`, `skills/`, `.claud
 **Grep signature:** `android:debuggable="true"`
 **Why it matters:** Debug builds expose the app to `adb` inspection and arbitrary code injection on the device.
 **Fix:** Remove `android:debuggable` from `AndroidManifest.xml` (the build system sets it correctly per variant).
+
+---
+
+## AI / LLM Security (CRITICAL)
+
+### LLM Prompt Injection (CRITICAL)
+**Grep signature:** `{ role: "user", content: req.body... }`, `messages.push(req.body|query|params)`
+**Why it matters:** Untrusted user input injected directly into LLM messages enables attackers to hijack model behavior, exfiltrate data, or bypass safety controls.
+**Fix:** Sanitize and validate user input before insertion. Use a system-prompt separation layer. Never concatenate raw request data into the messages array.
+
+### LLM Output Execution (CRITICAL)
+**Grep signature:** `eval(response)`, `eval(result)`, `eval(output)`, `eval(completion)`
+**Why it matters:** Executing model-generated code gives an attacker who controls the model's context (or poisons its training) arbitrary code execution on your server.
+**Fix:** Never `eval()` LLM output. Use a sandboxed interpreter (Pyodide, isolated subprocess) or structured output schemas.
+
+### LangChain ShellTool (CRITICAL)
+**Grep signature:** `ShellTool()`, `LLMMathChain.from_llm(`, `PALChain.from_llm(`
+**Why it matters:** These tools execute shell commands or `eval()` LLM-generated Python on the host system. A malicious prompt achieves full RCE (CVE-2023-29374, CVSS 9.8).
+**Fix:** Remove `ShellTool` from agent toolkits. Replace `LLMMathChain`/`PALChain` with `numexpr` or sandboxed math evaluators.
+
+### Dynamic Require (CRITICAL)
+**Grep signature:** `require(req.query.`, `require(req.body.`, `require(req.params.`
+**Why it matters:** Attacker controls which Node.js module is loaded — can load `child_process`, `fs`, or custom malicious modules.
+**Fix:** Use a static map of allowed modules. Never pass user input to `require()`.
+
+### VM Code Injection (CRITICAL)
+**Grep signature:** `vm.runInNewContext(req.body`, `vm.runInContext(req.query`
+**Why it matters:** Node.js's `vm` module is not a security boundary — sandbox escape is possible with crafted prototypes. Attacker achieves full RCE.
+**Fix:** Use a proper sandbox (isolated-vm, Deno subprocess) for user-supplied code execution.
+
+### node-serialize RCE (CRITICAL)
+**Grep signature:** `require('node-serialize')`
+**Why it matters:** `node-serialize` is known to be vulnerable to remote code execution via IIFE injection in serialized strings. Any use is an immediate CRITICAL risk.
+**Fix:** Uninstall `node-serialize`. Use `JSON.parse()` / `JSON.stringify()` with schema validation.
+
+### Hardcoded OpenAI Key (CRITICAL)
+**Grep signature:** `'sk-proj-...'`, `'sk-...T3BlbkFJ...'` (≥60 chars)
+**Note:** `skipInTests: true`
+**Why it matters:** A committed API key gives anyone with repo access unlimited access to your OpenAI account and budget.
+**Fix:** Use `process.env.OPENAI_API_KEY`. Rotate the key immediately. Run `gitleaks` on git history.
+
+### Hardcoded Anthropic Key (CRITICAL)
+**Grep signature:** `'sk-ant-api03-...'`
+**Note:** `skipInTests: true`
+**Why it matters:** Committed Anthropic API key leaks billing access and all Claude API capabilities.
+**Fix:** Use environment variables. Rotate immediately via the Anthropic console.
+
+### GitHub Actions Injection (CRITICAL)
+**Files checked:** `.yml` and `.yaml` workflow files
+**Grep signature:** `${{ github.event.pull_request.title }}`, `${{ github.head_ref }}`, `${{ github.event.issue.body }}`
+**Why it matters:** These GitHub context values are attacker-controlled (PR title, branch name, issue body). Interpolating them into a `run:` step enables arbitrary command execution in your CI pipeline.
+**Fix:** Use an intermediate environment variable: `env: TITLE: ${{ github.event.pull_request.title }}` then reference `$TITLE` in the shell script.
+
+---
+
+## Electron / Desktop Security
+
+### Electron nodeIntegration (CRITICAL)
+**Grep signature:** `nodeIntegration: true`
+**Why it matters:** Enables Node.js APIs in the renderer process. Any XSS in a web page loaded by the app achieves full system compromise.
+**Fix:** Set `nodeIntegration: false` (default). Use `contextBridge` to expose specific APIs.
+
+### Electron webSecurity Off (CRITICAL)
+**Grep signature:** `webSecurity: false`
+**Why it matters:** Disables the same-origin policy in the renderer, allowing cross-origin reads and mixed-content loads.
+**Fix:** Never disable `webSecurity`. Fix CORS configuration on the server instead.
+
+### Electron contextIsolation Off (HIGH)
+**Grep signature:** `contextIsolation: false`
+**Why it matters:** When context isolation is off, the renderer's JavaScript shares a prototype chain with the preload script, enabling prototype pollution attacks from web content.
+**Fix:** Set `contextIsolation: true` (default since Electron 12). Use `contextBridge.exposeInMainWorld` for IPC.
+
+---
+
+## AI / LLM Security (HIGH)
+
+### Header Injection (HIGH)
+**Grep signature:** `res.setHeader(x, req.body|query|params)`, `res.set(x, req.body|query|params)`
+**Why it matters:** Attacker can inject HTTP response headers, enabling cache poisoning, CORS bypass, or CSP override.
+**Fix:** Validate and allowlist header values before passing to `res.setHeader()`.
+
+### XPath Injection (HIGH)
+**Grep signature:** `xpath.select(req.query|body|params`, `xpath.evaluate(req.`
+**Why it matters:** Attacker can manipulate XPath queries to bypass authentication or extract arbitrary XML data.
+**Fix:** Never concatenate user input into XPath expressions. Use parameterized XPath if your library supports it.
+
+### Insecure Cookie (HIGH)
+**Grep signature:** `httpOnly: false`
+**Why it matters:** Cookies without `httpOnly` are readable via JavaScript, enabling session theft through XSS.
+**Fix:** Set `httpOnly: true` on all session and auth cookies. Use `secure: true` in production.
+
+### Credentials in AI Prompt (HIGH)
+**Grep signature:** `system_prompt = "...mongodb://user:pass@..."`, `prompt += "...postgresql://...@..."`
+**Why it matters:** Database connection strings with embedded passwords sent to external AI APIs expose credentials to the provider and any prompt logs.
+**Fix:** Never include connection strings or credentials in prompts. Pass only sanitized, context-free data.
+
+### LangChain Experimental (HIGH)
+**Grep signature:** `from langchain_experimental`, `from 'langchain/experimental'`
+**Why it matters:** The `langchain_experimental` package contains agents and chains with known RCE risk (PALChain, SQLDatabaseChain without sandboxing). It explicitly carries an "experimental" security disclaimer.
+**Fix:** Audit each class imported from `langchain_experimental`. Replace PALChain/LLMMathChain with safe alternatives.
+
+### Hardcoded HuggingFace Token (HIGH)
+**Grep signature:** `'hf_...'` (≥30 chars)
+**Note:** `skipInTests: true`
+**Why it matters:** A committed HuggingFace token grants write access to model repos and private datasets.
+**Fix:** Use `process.env.HF_TOKEN`. Rotate via huggingface.co/settings/tokens.
+
+### NEXT_PUBLIC Secret (HIGH)
+**Grep signature:** `NEXT_PUBLIC_SECRET_KEY`, `NEXT_PUBLIC_API_KEY`, `NEXT_PUBLIC_TOKEN`, etc. in code and `.env*` files
+**Note:** `skipInTests: true`; also checked in `.env`, `.env.local`, `.env.production`, `.env.development`
+**Why it matters:** Variables prefixed with `NEXT_PUBLIC_` are inlined into the client-side JavaScript bundle at build time. Any secret with this prefix is shipped to every browser.
+**Fix:** Remove `NEXT_PUBLIC_` prefix from secret variables. Access them only server-side via `getServerSideProps` or API routes.
+
+### Trojan Source (HIGH)
+**Grep signature:** Unicode bidi control characters (U+202A–U+202E, U+2066–U+2069) in source code
+**Why it matters:** CVE-2021-42574 — bidi control characters cause the code displayed in editors/diffs to differ from what the compiler executes, hiding malicious logic in plain sight.
+**Fix:** Configure your editor and linter to detect and reject bidi characters in source files.
+
+---
+
+## Prompt / Skill / Agent Patterns (expanded)
+
+### MCP Tool Poisoning (HIGH)
+**Grep signature:** `"description": "ignore previous instructions..."`, `"description": "override instructions..."`
+**Why it matters:** Malicious MCP servers embed instructions in tool description fields. When an AI agent reads the tool list, it executes the injected instructions — redirecting actions, exfiltrating data, or bypassing safety checks.
+**Fix:** Audit all MCP server tool descriptions. Use only servers from trusted sources. Pin MCP servers to verified commits.
+
+---
+
+## Supply Chain / Package Patterns
+
+### Supply Chain Exfiltration (CRITICAL)
+**Files checked:** `package.json` `scripts.postinstall` / `scripts.preinstall`
+**Grep signature:** `"postinstall": "curl https://..."`, `"preinstall": "wget http://..."`
+**Why it matters:** A postinstall script that shells out to `curl`/`wget` can silently exfiltrate environment variables, `.env` files, or SSH keys to an attacker's server the moment anyone installs your package or its parent.
+**Fix:** Remove network calls from lifecycle scripts. If data collection is needed, make it explicit and user-consented, never automatic on install.

package/lib/scanner.js

@@ -42,9 +42,31 @@ const VULN_PATTERNS = [
   { name: 'JWT Alg None',            severity: 'CRITICAL', pattern: /algorithm\s*:\s*['"]none['"]/i },
   { name: 'Timing-Unsafe Comparison',severity: 'HIGH',     pattern: /\b(?:token|password|secret|hash|digest|hmac|signature|api.?key)\w*\s*={2,3}\s*\w|(?:req\.(?:headers?|body|query|params)\.\w+)\s*={2,3}/i },
   { name: 'ReDoS',                   severity: 'HIGH',     pattern: /new\s+RegExp\s*\(\s*req\.(?:query|body|params)\./i },
+  // ── AI / LLM Security ───────────────────────────────────────────────────────
+  { name: 'LLM Prompt Injection',       severity: 'CRITICAL', pattern: /\{\s*role\s*:\s*['"](?:user|system)['"]\s*,\s*content\s*:\s*req\.(body|query|params)|messages\b[^;\n]{0,100}push\s*\([^)]*req\.(body|query|params)/i },
+  { name: 'LLM Output Execution',       severity: 'CRITICAL', pattern: /\beval\s*\(\s*(?:await\s+)?(?:response|result|output|completion|generated|llmResult|aiResult)\b/i },
+  { name: 'LangChain ShellTool',        severity: 'CRITICAL', pattern: /\bShellTool\s*\(\)|LLMMathChain\.from_llm\s*\(|PALChain\.from_llm\s*\(/i },
+  { name: 'Dynamic Require',            severity: 'CRITICAL', pattern: /\brequire\s*\(\s*req\.(query|body|params)\./i },
+  { name: 'VM Code Injection',          severity: 'CRITICAL', pattern: /\bvm\.(runInNewContext|runInContext|runInThisContext)\s*\(\s*req\.(body|query|params)/i },
+  { name: 'node-serialize RCE',         severity: 'CRITICAL', pattern: /require\s*\(\s*['"]node-serialize['"]\s*\)/ },
+  { name: 'Electron nodeIntegration',   severity: 'CRITICAL', pattern: /\bnodeIntegration\s*:\s*true\b/ },
+  { name: 'Electron webSecurity Off',   severity: 'CRITICAL', pattern: /\bwebSecurity\s*:\s*false\b/ },
+  { name: 'GitHub Actions Injection',   severity: 'CRITICAL', pattern: /\$\{\{\s*github\.(event\.(pull_request\.(title|body)|issue\.(title|body)|comment\.body|review\.body)|head_ref)\s*\}\}/ },
+  { name: 'Hardcoded OpenAI Key',       severity: 'CRITICAL', skipInTests: true, pattern: /['"]sk-(?:proj-[A-Za-z0-9_\-]{40,}|[A-Za-z0-9]{20}T3BlbkFJ[A-Za-z0-9_\-]{20,})['"]/ },
+  { name: 'Hardcoded Anthropic Key',    severity: 'CRITICAL', skipInTests: true, pattern: /['"]sk-ant-api03-[A-Za-z0-9_\-]{10,}['"]/ },
+  // ── HIGH — web / protocol / AI ──────────────────────────────────────────────
+  { name: 'Header Injection',           severity: 'HIGH',     pattern: /res\.(?:setHeader|set)\s*\([^,]+,\s*req\.(body|query|params)\b/i },
+  { name: 'XPath Injection',            severity: 'HIGH',     pattern: /xpath\.(?:select|evaluate|selectNodes?)\s*\([^)]*req\.(query|body|params)/i },
+  { name: 'Insecure Cookie',            severity: 'HIGH',     pattern: /\bhttpOnly\s*:\s*false\b/ },
+  { name: 'Credentials in AI Prompt',   severity: 'HIGH',     pattern: /(?:system_prompt|systemPrompt|system|prompt|instruction)\s*[=:+][^;\n]{0,120}(?:mongodb(?:\+srv)?|postgresql?|mysql|redis):\/\/[a-zA-Z0-9_\-]+:[^@\s]{3,}@/ },
+  { name: 'LangChain Experimental',     severity: 'HIGH',     pattern: /from\s+langchain_experimental\b|from\s+['"]langchain\/experimental['"]/i },
+  { name: 'Hardcoded HuggingFace Token',severity: 'HIGH',     skipInTests: true, pattern: /['"]hf_[A-Za-z0-9]{30,}['"]/ },
+  { name: 'NEXT_PUBLIC Secret',         severity: 'HIGH',     skipInTests: true, pattern: /\bNEXT_PUBLIC_\w*(?:SECRET|PRIVATE|API_KEY|TOKEN|PASSWORD|CREDENTIAL)\w*/i },
+  { name: 'Electron contextIsolation Off', severity: 'HIGH',  pattern: /\bcontextIsolation\s*:\s*false\b/ },
+  { name: 'Trojan Source',              severity: 'HIGH',     pattern: /[\u202A-\u202E\u2066-\u2069]/ },
 ];
 
-const SCAN_EXTENSIONS = new Set(['.js', '.ts', '.jsx', '.tsx', '.mjs', '.py', '.go', '.dart']);
+const SCAN_EXTENSIONS = new Set(['.js', '.ts', '.jsx', '.tsx', '.mjs', '.py', '.go', '.dart', '.yml', '.yaml']);
 
 /** Maximum file size to read before skipping (512 KB). Prevents OOM on large generated files. */
 const MAX_SCAN_FILE_BYTES = 512 * 1024;
@@ -55,6 +77,7 @@ const SKIP_DIRS = new Set(['node_modules', '.git', 'dist', 'build', '.next', 'ou
 const PROMPT_PATTERNS = [
   { name: 'Deprecated CSRF Package',  severity: 'CRITICAL', pattern: /\bcsurf\b/,               skipCommentLine: true },
   { name: 'Unpinned npx MCP Server',  severity: 'HIGH',     pattern: /"command"\s*:\s*"npx"/ },
+  { name: 'MCP Tool Poisoning',       severity: 'HIGH',     pattern: /"description"\s*:\s*"[^"]*(?:ignore (?:previous|all)|override (?:previous )?instructions?|disregard|forget (?:all )?(?:previous )?instructions?|you are now|new instructions?)/i },
   { name: 'Cleartext URL in Prompt',  severity: 'MEDIUM',   pattern: /\bhttp:\/\/(?!localhost|127\.0\.0\.1|169\.254\.)[a-zA-Z0-9]/ },
 ];
 
@@ -355,6 +378,74 @@ function scanAndroidManifest(projectDir) {
   return findings;
 }
 
+/**
+ * Scan package.json for supply-chain exfiltration: postinstall/preinstall scripts
+ * that shell out to curl/wget, which can silently steal data at install time.
+ * @param {string} projectDir - project root
+ * @returns {Array}
+ */
+function scanPackageJson(projectDir) {
+  const findings = [];
+  const filePath = path.join(projectDir, 'package.json');
+  if (!fs.existsSync(filePath)) return findings;
+  let lines;
+  try { lines = fs.readFileSync(filePath, 'utf8').split('\n'); } catch { return findings; }
+  const supplyChainRe = /["'](?:postinstall|preinstall)["']\s*:\s*["'][^"']*(?:curl|wget)\s+https?:\/\//i;
+  for (let i = 0; i < lines.length; i++) {
+    if (supplyChainRe.test(lines[i])) {
+      findings.push({
+        severity: 'CRITICAL',
+        name: 'Supply Chain Exfiltration',
+        file: 'package.json',
+        line: i + 1,
+        snippet: lines[i].trim().slice(0, 80),
+        inTestFile: false,
+        likelyFalsePositive: false,
+      });
+    }
+  }
+  return findings;
+}
+
+/**
+ * Scan .env files for NEXT_PUBLIC_ variables containing secrets.
+ * NEXT_PUBLIC_ variables are inlined into the client-side JS bundle at build
+ * time, so any secret stored with this prefix is exposed to all browsers.
+ * @param {string} projectDir - project root
+ * @returns {Array}
+ */
+function scanEnvFiles(projectDir) {
+  const findings = [];
+  const candidates = ['.env', '.env.local', '.env.development', '.env.production', '.env.test', '.env.staging'];
+  const nextPublicSecretRe = /^NEXT_PUBLIC_\w*(?:SECRET|PRIVATE|API_KEY|TOKEN|PASSWORD|CREDENTIAL)\w*\s*=/i;
+  for (const name of candidates) {
+    const filePath = path.join(projectDir, name);
+    if (!fs.existsSync(filePath)) continue;
+    let content;
+    try {
+      content = fs.readFileSync(filePath, 'utf8');
+      if (content.length > MAX_SCAN_FILE_BYTES) continue;
+    } catch { continue; }
+    const lines = content.split('\n');
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      if (!line.trim() || line.trim().startsWith('#')) continue;
+      if (nextPublicSecretRe.test(line)) {
+        findings.push({
+          severity: 'HIGH',
+          name: 'NEXT_PUBLIC Secret',
+          file: name,
+          line: i + 1,
+          snippet: line.trim().slice(0, 80),
+          inTestFile: false,
+          likelyFalsePositive: false,
+        });
+      }
+    }
+  }
+  return findings;
+}
+
 // ─── Quick Scan ───────────────────────────────────────────────────────────────
 
 /**
@@ -396,7 +487,7 @@ function quickScan(projectDir) {
       }
     }
   }
-  return [...findings, ...scanAppConfig(projectDir), ...scanAndroidManifest(projectDir), ...scanPromptFiles(projectDir)];
+  return [...findings, ...scanAppConfig(projectDir), ...scanAndroidManifest(projectDir), ...scanPromptFiles(projectDir), ...scanPackageJson(projectDir), ...scanEnvFiles(projectDir)];
 }
 
 // ─── Print Findings ───────────────────────────────────────────────────────────
@@ -462,6 +553,8 @@ module.exports = {
   hasSafeAuditStatus,
   scanAppConfig,
   scanAndroidManifest,
+  scanPackageJson,
+  scanEnvFiles,
   scanPromptFiles,
   quickScan,
   printFindings,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lhi/tdd-audit",
-  "version": "1.11.0",
+  "version": "1.12.0",
   "description": "Security skill installer for Claude Code, Gemini CLI, Cursor, Codex, and OpenCode. Patches vulnerabilities using a Red-Green-Refactor exploit-test protocol.",
   "main": "index.js",
   "bin": {
@@ -50,6 +50,14 @@
   },
   "author": "Kyra Lee",
   "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/kyralee2992/tdd-remediation-skill.git"
+  },
+  "homepage": "https://github.com/kyralee2992/tdd-remediation-skill#readme",
+  "bugs": {
+    "url": "https://github.com/kyralee2992/tdd-remediation-skill/issues"
+  },
   "devDependencies": {
     "jest": "^30.3.0"
   }

package/prompts/auto-audit.md

@@ -247,6 +247,80 @@ resolve_entities.*True              # Python lxml entity expansion
 # bundle audit
 ```
 
+**AI / LLM Security (check when the project uses OpenAI, Anthropic, LangChain, or any LLM SDK)**
+```
+role.*content.*req\.            # LLM Prompt Injection — user input in messages array
+messages.*push.*req\.           # LLM Prompt Injection — appending request data to LLM context
+eval\(.*response                # LLM Output Execution — evaluating model output
+eval\(.*result                  # LLM Output Execution — evaluating model result
+eval\(.*completion              # LLM Output Execution — evaluating AI completion
+ShellTool\(\)                   # LangChain ShellTool — shell command execution
+LLMMathChain\.from_llm          # LangChain math eval — known RCE (CVE-2023-29374)
+PALChain\.from_llm              # LangChain PAL — eval of LLM-generated Python
+require\(req\.                  # Dynamic Require — loading user-controlled modules
+vm\.runIn.*Context.*req\.       # VM Code Injection — sandbox escape risk
+require.*node-serialize         # node-serialize RCE — known deserialization vulnerability
+langchain_experimental          # LangChain Experimental — contains RCE-risk components
+system_prompt.*mongodb://       # Credentials in AI Prompt — DB URL in prompt context
+prompt.*postgresql://           # Credentials in AI Prompt — DB URL in prompt context
+```
+
+**Hardcoded AI API Keys**
+```
+sk-proj-                        # OpenAI new-format key (≥60 chars)
+T3BlbkFJ                        # OpenAI old-format key marker (base64 of "OpenAI")
+sk-ant-api03-                   # Anthropic API key prefix
+hf_[A-Za-z0-9]{30,}            # HuggingFace token (≥30 chars after hf_)
+NEXT_PUBLIC_.*SECRET            # Next.js client-bundled secret variable
+NEXT_PUBLIC_.*API_KEY           # Next.js client-bundled API key
+NEXT_PUBLIC_.*TOKEN             # Next.js client-bundled token
+```
+
+**GitHub Actions Injection (scan .github/workflows/*.yml)**
+```
+github\.event\.pull_request\.title   # Attacker-controlled PR title in run: step
+github\.event\.pull_request\.body    # Attacker-controlled PR body in run: step
+github\.event\.issue\.title          # Attacker-controlled issue title in run: step
+github\.event\.issue\.body           # Attacker-controlled issue body in run: step
+github\.event\.comment\.body         # Attacker-controlled comment body in run: step
+github\.head_ref                     # Attacker-controlled branch name in run: step
+```
+
+**Electron Security (check main process and BrowserWindow config)**
+```
+nodeIntegration.*true           # CRITICAL: enables Node.js in renderer — XSS → full system compromise
+webSecurity.*false              # CRITICAL: disables same-origin policy in renderer
+contextIsolation.*false         # HIGH: allows prototype pollution from web content
+```
+
+**Supply Chain (check package.json)**
+```
+postinstall.*curl               # Supply Chain Exfiltration — curl in postinstall script
+preinstall.*curl                # Supply Chain Exfiltration — curl in preinstall script
+postinstall.*wget               # Supply Chain Exfiltration — wget in postinstall script
+```
+
+**Web / Protocol Injection**
+```
+res\.setHeader.*req\.           # Header Injection — user input in response header value
+xpath\.select.*req\.            # XPath Injection — user input in XPath query
+httpOnly.*false                 # Insecure Cookie — session cookie readable via JavaScript
+```
+
+**Trojan Source (use Grep with unicode flag if available)**
+```
+\u202[A-E]|\u206[6-9]          # Bidi control characters — visual/compiled mismatch (CVE-2021-42574)
+```
+
+**Dependency Audit**
+```
+# Run manually — not grep-based:
+# npm audit --audit-level=high
+# pip-audit
+# govulncheck ./...
+# bundle audit
+```
+
 ### 0d. Audit Prompt & Skill Files
 
 For projects that contain AI agent configurations, scan the following locations for prompt-specific vulnerabilities:
@@ -257,6 +331,8 @@ For projects that contain AI agent configurations, scan the following locations
 |---|---|---|
 | `csurf` package reference | CRITICAL | `csurf` was deprecated March 2023 and is unmaintained — use `csrf-csrf` instead |
 | `"command": "npx"` in MCP config | HIGH | Unpinned npx MCP server executes whatever version npm resolves at runtime |
+| `"description": "ignore previous instructions..."` | HIGH | MCP Tool Poisoning — malicious instructions embedded in tool description fields hijack agent behavior |
+| `"description": "override instructions..."` | HIGH | MCP Tool Poisoning — agent reads tool list and executes injected instructions |
 | `http://` URL (non-localhost) | MEDIUM | Cleartext URLs in prompts can mislead agents to make insecure requests |
 | Prompt reads arbitrary user-controlled files without a guardrail | HIGH | AI reading untrusted file content without isolation is a prompt-injection risk (ASI01) |