@musashishao/agent-kit 1.6.1 → 1.6.2

package/.agent/skills/ai-security-guardrails/scripts/prompt_injection_scanner.py

@@ -0,0 +1,230 @@
+#!/usr/bin/env python3
+"""
+Skill: ai-security-guardrails
+Script: prompt_injection_scanner.py
+Purpose: Scan code for prompt injection vulnerabilities and AI security issues
+Usage: python prompt_injection_scanner.py <project_path> [--output json|summary]
+Output: JSON with security findings
+
+This script checks for:
+1. Unsafe prompt construction (string concatenation)
+2. Missing input sanitization
+3. Direct output rendering
+4. Insecure tool/function patterns
+"""
+import os
+import sys
+import re
+import json
+import argparse
+from pathlib import Path
+from typing import Dict, List, Any
+from datetime import datetime
+
+# Fix console encoding
+try:
+    sys.stdout.reconfigure(encoding='utf-8', errors='replace')
+    sys.stderr.reconfigure(encoding='utf-8', errors='replace')
+except AttributeError:
+    pass
+
+# ============================================================================
+#  CONFIGURATION
+# ============================================================================
+
+SKIP_DIRS = {'node_modules', '.git', 'dist', 'build', '__pycache__', '.venv', 'venv', '.next'}
+CODE_EXTENSIONS = {'.js', '.ts', '.jsx', '.tsx', '.py', '.go'}
+
+# Vulnerability patterns
+INJECTION_PATTERNS = [
+    # Unsafe prompt construction
+    (r'`[^`]*\$\{[^}]*user[^}]*\}[^`]*`.*(?:openai|anthropic|llm|prompt)',
+     "Template literal with user input in prompt", "high", "LLM01"),
+    (r'f"[^"]*\{[^}]*user[^}]*\}[^"]*".*(?:prompt|message|content)',
+     "F-string with user input in prompt", "high", "LLM01"),
+    (r'prompt\s*[+=]\s*user',
+     "String concatenation in prompt", "high", "LLM01"),
+    (r'messages\.(?:push|append)\s*\([^)]*user',
+     "Direct user input in messages array", "medium", "LLM01"),
+    
+    # Missing sanitization
+    (r'(?:req|request)\.(?:body|query|params)\.[a-zA-Z]+\s*(?:\)|,)',
+     "Direct request input usage (check for sanitization)", "medium", "LLM01"),
+    
+    # Insecure output handling
+    (r'dangerouslySetInnerHTML.*(?:response|completion|output)',
+     "LLM output in dangerouslySetInnerHTML", "critical", "LLM02"),
+    (r'innerHTML\s*=.*(?:response|completion|output)',
+     "LLM output in innerHTML", "critical", "LLM02"),
+    (r'eval\s*\(.*(?:response|completion|output)',
+     "Eval on LLM output", "critical", "LLM02"),
+    (r'exec\s*\(.*(?:response|completion|output)',
+     "Exec on LLM output", "critical", "LLM02"),
+    
+    # Function/tool calling risks
+    (r'function[_-]?call.*(?:execute|run|eval)',
+     "Dynamic function execution from LLM", "high", "LLM07"),
+    (r'tool[_-]?use.*(?:shell|exec|system)',
+     "Shell execution in tool", "critical", "LLM07"),
+    
+    # Sensitive data in prompts
+    (r'(?:api[_-]?key|password|secret|token)\s*.*(?:prompt|message)',
+     "Potential secret in prompt construction", "high", "LLM06"),
+    (r'(?:system[_-]?prompt|instructions).*(?:include|contain).*(?:key|password)',
+     "Secret reference in system prompt", "high", "LLM06"),
+]
+
+# Good patterns (reduce false positives)
+SAFE_PATTERNS = [
+    r'sanitize',
+    r'validate',
+    r'escape',
+    r'filter',
+    r'clean',
+]
+
+
+# ============================================================================
+#  SCANNING FUNCTIONS
+# ============================================================================
+
+def is_likely_safe(line: str) -> bool:
+    """Check if line contains safety measures."""
+    return any(re.search(pattern, line, re.IGNORECASE) for pattern in SAFE_PATTERNS)
+
+
+def scan_file(filepath: Path, project_path: Path) -> List[Dict[str, Any]]:
+    """Scan a single file for injection vulnerabilities."""
+    findings = []
+    
+    try:
+        with open(filepath, 'r', encoding='utf-8', errors='ignore') as f:
+            lines = f.readlines()
+            
+            for line_num, line in enumerate(lines, 1):
+                # Skip comments
+                stripped = line.strip()
+                if stripped.startswith('//') or stripped.startswith('#') or stripped.startswith('*'):
+                    continue
+                
+                for pattern, desc, severity, owasp in INJECTION_PATTERNS:
+                    if re.search(pattern, line, re.IGNORECASE):
+                        # Check for nearby safety measures
+                        context_start = max(0, line_num - 3)
+                        context_end = min(len(lines), line_num + 2)
+                        context = ''.join(lines[context_start:context_end])
+                        
+                        if is_likely_safe(context):
+                            severity = "low"  # Downgrade if safety measures nearby
+                        
+                        findings.append({
+                            "file": str(filepath.relative_to(project_path)),
+                            "line": line_num,
+                            "issue": desc,
+                            "severity": severity,
+                            "owasp": owasp,
+                            "snippet": line.strip()[:100]
+                        })
+    except Exception as e:
+        pass
+    
+    return findings
+
+
+def scan_project(project_path: str) -> Dict[str, Any]:
+    """Scan entire project for AI security vulnerabilities."""
+    results = {
+        "project": project_path,
+        "timestamp": datetime.now().isoformat(),
+        "findings": [],
+        "summary": {
+            "total": 0,
+            "critical": 0,
+            "high": 0,
+            "medium": 0,
+            "low": 0,
+            "by_owasp": {}
+        }
+    }
+    
+    project = Path(project_path)
+    
+    for root, dirs, files in os.walk(project):
+        dirs[:] = [d for d in dirs if d not in SKIP_DIRS]
+        
+        for file in files:
+            ext = Path(file).suffix.lower()
+            if ext not in CODE_EXTENSIONS:
+                continue
+            
+            filepath = Path(root) / file
+            file_findings = scan_file(filepath, project)
+            results["findings"].extend(file_findings)
+    
+    # Calculate summary
+    for finding in results["findings"]:
+        results["summary"]["total"] += 1
+        results["summary"][finding["severity"]] += 1
+        
+        owasp = finding["owasp"]
+        results["summary"]["by_owasp"][owasp] = results["summary"]["by_owasp"].get(owasp, 0) + 1
+    
+    # Determine status
+    if results["summary"]["critical"] > 0:
+        results["status"] = "[!!] CRITICAL: AI Security vulnerabilities found"
+    elif results["summary"]["high"] > 0:
+        results["status"] = "[!] HIGH: Security issues need attention"
+    elif results["summary"]["medium"] > 0:
+        results["status"] = "[?] REVIEW: Potential issues found"
+    else:
+        results["status"] = "[OK] No major AI security issues detected"
+    
+    return results
+
+
+# ============================================================================
+#  MAIN
+# ============================================================================
+
+def main():
+    parser = argparse.ArgumentParser(
+        description="Scan for AI/LLM security vulnerabilities (OWASP LLM Top 10)"
+    )
+    parser.add_argument("project_path", nargs="?", default=".", help="Project directory to scan")
+    parser.add_argument("--output", choices=["json", "summary"], default="json",
+                        help="Output format")
+    
+    args = parser.parse_args()
+    
+    if not os.path.isdir(args.project_path):
+        print(json.dumps({"error": f"Directory not found: {args.project_path}"}))
+        sys.exit(1)
+    
+    results = scan_project(args.project_path)
+    
+    if args.output == "summary":
+        print(f"\n{'='*60}")
+        print(f"AI Security Scan: {results['project']}")
+        print(f"{'='*60}")
+        print(f"Status: {results['status']}")
+        print(f"\nFindings by Severity:")
+        print(f"  Critical: {results['summary']['critical']}")
+        print(f"  High:     {results['summary']['high']}")
+        print(f"  Medium:   {results['summary']['medium']}")
+        print(f"  Low:      {results['summary']['low']}")
+        print(f"\nFindings by OWASP Category:")
+        for owasp, count in sorted(results['summary']['by_owasp'].items()):
+            print(f"  {owasp}: {count}")
+        print(f"{'='*60}\n")
+        
+        if results['findings']:
+            print("Top Issues:")
+            for finding in results['findings'][:10]:
+                print(f"  [{finding['severity'].upper()}] {finding['file']}:{finding['line']}")
+                print(f"    {finding['issue']}")
+    else:
+        print(json.dumps(results, indent=2))
+
+
+if __name__ == "__main__":
+    main()

package/.agent/skills/compliance-for-ai/SKILL.md

@@ -0,0 +1,411 @@
+---
+name: compliance-for-ai
+description: GDPR/CCPA requirements for AI systems, SOC2 controls for AI, AI Act (EU) compliance checklist, audit trail requirements, model governance framework.
+allowed-tools: Read, Glob, Grep
+skills:
+  - ai-security-guardrails
+  - privacy-preserving-dev
+---
+
+# Compliance for AI
+
+> Navigate the regulatory landscape for AI systems. Compliance by design.
+
+---
+
+## 1. Regulatory Overview
+
+### Key Regulations
+
+| Regulation | Scope | AI Focus |
+|------------|-------|----------|
+| **GDPR** | EU data protection | Automated decision-making, profiling |
+| **CCPA/CPRA** | California privacy | AI inference controls |
+| **EU AI Act** | AI-specific regulation | Risk-based classification |
+| **SOC2** | Trust services | AI system controls |
+| **HIPAA** | Healthcare (US) | AI in medical decisions |
+| **NIST AI RMF** | US AI risk management | Voluntary framework |
+
+---
+
+## 2. GDPR for AI Systems
+
+### Key Requirements
+
+| Article | Requirement | AI Application |
+|---------|-------------|----------------|
+| **Art. 13-14** | Transparency | Disclose AI is used |
+| **Art. 15** | Right to Access | Explain AI decisions |
+| **Art. 22** | Automated Decision-Making | Human override option |
+| **Art. 17** | Right to Erasure | Remove from training data |
+| **Art. 25** | Privacy by Design | Build privacy into AI |
+
+### Automated Decision-Making (Art. 22)
+
+```
+When AI makes decisions with "legal or similarly significant effects":
+├── User must be informed about automated processing
+├── User can request human review
+├── Meaningful information about logic must be provided
+└── Suitable safeguards must exist
+```
+
+### Implementation Checklist
+
+- [ ] Disclosure that AI is used
+- [ ] "Meaningful information" about AI logic provided
+- [ ] Human review mechanism for significant decisions
+- [ ] Opt-out option for automated processing
+- [ ] Data minimization in AI training
+- [ ] Right to erasure includes training data
+- [ ] DPIA (Data Protection Impact Assessment) completed
+
+---
+
+## 3. EU AI Act Compliance
+
+### Risk Classification
+
+| Risk Level | Examples | Requirements |
+|------------|----------|--------------|
+| **Unacceptable** | Social scoring, manipulation | Prohibited |
+| **High Risk** | HR AI, credit scoring, healthcare | Strict controls |
+| **Limited Risk** | Chatbots, emotion recognition | Transparency |
+| **Minimal Risk** | Spam filters, games | None |
+
+### High-Risk AI Requirements
+
+```
+High-Risk AI Systems Must Have:
+├── Risk Management System
+│   ├── Identify foreseeable risks
+│   ├── Estimate risks
+│   ├── Adopt mitigation measures
+│   └── Monitor post-deployment
+├── Data Governance
+│   ├── Training data quality
+│   ├── Bias examination
+│   └── Data minimization
+├── Technical Documentation
+│   ├── System description
+│   ├── Design specifications
+│   └── Monitoring capabilities
+├── Record-Keeping
+│   ├── Logs must be automatic
+│   ├── Traceability ensured
+│   └── Retention periods set
+├── Human Oversight
+│   ├── Ability to override
+│   ├── Ability to stop
+│   └── Awareness of automation bias
+└── Accuracy & Robustness
+    ├── Performance metrics defined
+    ├── Cybersecurity measures
+    └── Resilience to errors
+```
+
+### Limited Risk Requirements
+
+| Requirement | Implementation |
+|-------------|----------------|
+| **Transparency** | "This is an AI assistant" disclosure |
+| **Emotion recognition** | Inform when detecting emotions |
+| **Deep fakes** | Label generated content |
+
+---
+
+## 4. SOC2 Controls for AI
+
+### Trust Service Criteria
+
+| Category | AI-Specific Controls |
+|----------|---------------------|
+| **Security** | Model access controls, API auth |
+| **Availability** | Model redundancy, fallback |
+| **Processing Integrity** | Output validation, hallucination detection |
+| **Confidentiality** | Training data protection, prompt security |
+| **Privacy** | PII in prompts/outputs, data minimization |
+
+### Control Examples
+
+```yaml
+# Example SOC2 control mapping
+controls:
+  - id: CC6.1
+    title: Logical Access Controls
+    ai_implementation:
+      - API key management
+      - Model access by role
+      - Audit logging of AI usage
+      
+  - id: CC7.2
+    title: System Monitoring
+    ai_implementation:
+      - LLM response monitoring
+      - Hallucination detection alerts
+      - Token usage tracking
+      
+  - id: PI1.4
+    title: Personal Information Handling
+    ai_implementation:
+      - PII redaction in prompts
+      - Output scanning for PII
+      - Training data audit
+```
+
+---
+
+## 5. Audit Trail Requirements
+
+### What to Log
+
+| Event | Required Data |
+|-------|---------------|
+| **AI Request** | Timestamp, user, input hash, model |
+| **AI Response** | Output hash, latency, tokens, cost |
+| **Human Override** | Who, when, original vs new decision |
+| **Model Change** | Version, deployment, rollback |
+| **Access** | Who accessed what, when |
+
+### Log Format
+
+```json
+{
+  "event_type": "ai_decision",
+  "timestamp": "2025-01-25T10:30:00Z",
+  "trace_id": "abc123",
+  "user_id": "usr_xxx",
+  "model": "gpt-4",
+  "model_version": "0613",
+  "input_hash": "sha256:abc...",
+  "output_hash": "sha256:def...",
+  "decision_type": "credit_assessment",
+  "confidence_score": 0.85,
+  "human_reviewable": true,
+  "metadata": {
+    "tokens_used": 1500,
+    "latency_ms": 1200
+  }
+}
+```
+
+### Retention Requirements
+
+| Regulation | Minimum Retention |
+|------------|-------------------|
+| GDPR | "No longer than necessary" + justify |
+| SOC2 | 1 year minimum |
+| HIPAA | 6 years |
+| Financial | 7 years (typically) |
+
+---
+
+## 6. Model Governance Framework
+
+### Lifecycle Governance
+
+```
+┌─────────────────────────────────────────────────────────────┐
+│                    MODEL LIFECYCLE                           │
+├──────────────────┬──────────────────┬───────────────────────┤
+│   DEVELOPMENT    │    DEPLOYMENT    │    OPERATIONS         │
+├──────────────────┼──────────────────┼───────────────────────┤
+│ • Data sourcing  │ • Model registry │ • Performance monitor │
+│ • Bias testing   │ • A/B testing    │ • Drift detection     │
+│ • Documentation  │ • Canary deploy  │ • Incident response   │
+│ • Review board   │ • Rollback plan  │ • Retraining triggers │
+└──────────────────┴──────────────────┴───────────────────────┘
+```
+
+### Model Card Template
+
+```markdown
+# Model Card: [Model Name]
+
+## Model Details
+- **Developer:** [Team/Organization]
+- **Version:** [v1.2.3]
+- **Type:** [Classification/Generation/etc.]
+- **License:** [Commercial/Open Source]
+
+## Intended Use
+- **Primary Use:** [What it's for]
+- **Out-of-Scope:** [What it's NOT for]
+- **Users:** [Who should use it]
+
+## Training Data
+- **Sources:** [Where data came from]
+- **Size:** [Dataset size]
+- **Preprocessing:** [How data was cleaned]
+- **Bias Mitigation:** [Steps taken]
+
+## Evaluation
+- **Metrics:** [Accuracy, F1, etc.]
+- **Datasets:** [Test datasets used]
+- **Bias Testing:** [Results]
+
+## Limitations
+- **Known Issues:** [Documented problems]
+- **Failure Modes:** [When it fails]
+- **Update Plan:** [How often updated]
+
+## Ethical Considerations
+- **Potential Harms:** [Possible negative impacts]
+- **Mitigations:** [Steps to reduce harm]
+```
+
+---
+
+## 7. Consent Management for AI
+
+### Consent Types
+
+| Processing Activity | Consent Required? |
+|--------------------|-------------------|
+| AI-assisted recommendations | Legitimate interest (usually) |
+| AI profiling for decisions | Yes (GDPR Art. 22) |
+| Training on user data | Yes |
+| Selling AI inference | Yes |
+
+### Implementation
+
+```typescript
+interface AIConsentRecord {
+  userId: string;
+  consents: {
+    aiAssistance: boolean;      // Using AI in service
+    aiDecisions: boolean;       // AI making decisions
+    aiTraining: boolean;        // Data used for training
+    profileBuilding: boolean;   // AI profiling
+  };
+  version: string;              // Consent form version
+  collectedAt: Date;
+  method: 'explicit' | 'banner' | 'contract';
+}
+
+// Check before AI processing
+async function canProcessWithAI(userId: string, purpose: string): Promise<boolean> {
+  const consent = await getConsentRecord(userId);
+  
+  switch (purpose) {
+    case 'recommendation':
+      return consent.consents.aiAssistance;
+    case 'automated_decision':
+      return consent.consents.aiDecisions;
+    case 'training':
+      return consent.consents.aiTraining;
+    default:
+      return false;
+  }
+}
+```
+
+---
+
+## 8. CCPA/CPRA for AI
+
+### Consumer Rights
+
+| Right | AI Application |
+|-------|----------------|
+| **Know** | Disclose AI categories of use |
+| **Delete** | Remove from training data |
+| **Opt-Out** | Stop using data for AI training |
+| **Non-Discrimination** | Same service without AI consent |
+
+### Profiling Disclosure
+
+```text
+NOTICE: We use automated decision-making technology for:
+- Personalized recommendations
+- Risk assessment
+- Content moderation
+
+You have the right to:
+- Opt-out of profiling-based decisions
+- Request human review of significant decisions
+- Know the logic involved in automated decisions
+```
+
+---
+
+## 9. Compliance Checklist
+
+### Pre-Deployment
+
+- [ ] Regulatory classification determined
+- [ ] DPIA/Risk assessment completed
+- [ ] Model card documented
+- [ ] Bias testing performed
+- [ ] Human oversight mechanism ready
+- [ ] Consent flows implemented
+- [ ] Disclosure text approved
+
+### Operations
+
+- [ ] Audit logging enabled
+- [ ] Retention policies configured
+- [ ] Incident response plan ready
+- [ ] Regular bias monitoring
+- [ ] Quarterly compliance review
+- [ ] Annual third-party audit
+
+### Documentation
+
+- [ ] System architecture documented
+- [ ] Data flow diagrams current
+- [ ] Training data provenance recorded
+- [ ] Change log maintained
+- [ ] Compliance evidence collected
+
+---
+
+## 10. Vendor Assessment
+
+### Third-Party AI Checklist
+
+| Category | Questions |
+|----------|-----------|
+| **Data Processing** | Where is data processed? Subprocessors? |
+| **Model Training** | Is our data used for training? |
+| **Security** | SOC2 certified? ISO 27001? |
+| **Compliance** | GDPR DPA signed? AI Act ready? |
+| **Transparency** | Model cards available? |
+
+### DPA Requirements for AI
+
+```markdown
+## Data Processing Agreement Addendum: AI Services
+
+1. **Data Use**
+   - Data will NOT be used for model training without explicit consent
+   - Data will NOT be shared with other customers
+   - Data will be processed only in approved regions
+
+2. **Model Governance**
+   - Vendor will provide model versioning
+   - Vendor will notify of significant model changes
+   - Vendor will provide performance metrics
+
+3. **Audit Rights**
+   - Customer may request compliance evidence
+   - Vendor will cooperate with regulatory audits
+   - Annual SOC2 report will be provided
+```
+
+---
+
+## 11. Anti-Patterns
+
+| ❌ Don't | ✅ Do |
+|----------|-------|
+| Deploy without risk assessment | Complete DPIA before launch |
+| Hide AI usage from users | Transparent disclosure |
+| Train on all user data | Explicit consent for training |
+| Log everything forever | Defined retention with justification |
+| Ignore jurisdiction differences | Map requirements by region |
+| One-time compliance | Continuous monitoring |
+
+---
+
+> **Remember:** Compliance is not a checkbox—it's an ongoing commitment to ethical AI development.