@runsec/mcp 1.0.1

Files changed (40)
  1. package/dist/index.js +578 -0
  2. package/package.json +43 -0
  3. package/src/rules/data/rule-compliance-map.json +43563 -0
  4. package/src/rules/data/semgrep-rules/README-taint-overlays.md +21 -0
  5. package/src/rules/data/semgrep-rules/advanced-agent-cloud.yaml +802 -0
  6. package/src/rules/data/semgrep-rules/app-logic.yaml +445 -0
  7. package/src/rules/data/semgrep-rules/auth-keycloak.yaml +831 -0
  8. package/src/rules/data/semgrep-rules/browser-agent.yaml +260 -0
  9. package/src/rules/data/semgrep-rules/cloud-secrets.yaml +316 -0
  10. package/src/rules/data/semgrep-rules/csharp-dotnet.yaml +4864 -0
  11. package/src/rules/data/semgrep-rules/desktop-electron-pro.yaml +30 -0
  12. package/src/rules/data/semgrep-rules/desktop-vsto-suite.yaml +2759 -0
  13. package/src/rules/data/semgrep-rules/devops-security.yaml +393 -0
  14. package/src/rules/data/semgrep-rules/domain-access-management.yaml +1023 -0
  15. package/src/rules/data/semgrep-rules/domain-data-privacy.yaml +852 -0
  16. package/src/rules/data/semgrep-rules/domain-input-validation.yaml +2894 -0
  17. package/src/rules/data/semgrep-rules/domain-platform-hardening.yaml +1715 -0
  18. package/src/rules/data/semgrep-rules/ds-ml-security.yaml +2431 -0
  19. package/src/rules/data/semgrep-rules/fastapi-async.yaml +5953 -0
  20. package/src/rules/data/semgrep-rules/frontend-react.yaml +4035 -0
  21. package/src/rules/data/semgrep-rules/frontend-security.yaml +200 -0
  22. package/src/rules/data/semgrep-rules/go-core.yaml +4959 -0
  23. package/src/rules/data/semgrep-rules/hft-cpp-security.yaml +631 -0
  24. package/src/rules/data/semgrep-rules/infra-k8s-helm.yaml +4968 -0
  25. package/src/rules/data/semgrep-rules/integration-security.yaml +2362 -0
  26. package/src/rules/data/semgrep-rules/java-enterprise.yaml +14756 -0
  27. package/src/rules/data/semgrep-rules/java-spring.yaml +397 -0
  28. package/src/rules/data/semgrep-rules/license-compliance.yaml +186 -0
  29. package/src/rules/data/semgrep-rules/mobile-flutter.yaml +37 -0
  30. package/src/rules/data/semgrep-rules/mobile-security.yaml +721 -0
  31. package/src/rules/data/semgrep-rules/nodejs-nestjs.yaml +5164 -0
  32. package/src/rules/data/semgrep-rules/nodejs-security.yaml +326 -0
  33. package/src/rules/data/semgrep-rules/observability.yaml +381 -0
  34. package/src/rules/data/semgrep-rules/php-security.yaml +3601 -0
  35. package/src/rules/data/semgrep-rules/python-backend-pro.yaml +30 -0
  36. package/src/rules/data/semgrep-rules/python-django.yaml +181 -0
  37. package/src/rules/data/semgrep-rules/python-security.yaml +284 -0
  38. package/src/rules/data/semgrep-rules/ru-regulatory.yaml +496 -0
  39. package/src/rules/data/semgrep-rules/ruby-rails.yaml +3078 -0
  40. package/src/rules/data/semgrep-rules/rust-security.yaml +2701 -0
@@ -0,0 +1,2431 @@
1
+ rules:
2
+ - id: runsec.ds-ml-security.ml-001
3
+ metadata:
4
+ runsec_version: v1.0
5
+ confidence: |-
6
+ 0.9
7
+ exploit_scenario: |-
8
+ N/A
9
+ fix_template: |-
10
+ Prevent code execution via malicious pickle payloads.
11
+ pattern-either:
12
+ - pattern: |-
13
+ pickle.load(f) on external file
14
+ - pattern-regex: 'Vulnerable:\\s*ML\\-001\\b'
15
+ message: |-
16
+ RunSec Detection [ML-001]: CWE-502
17
+ languages:
18
+ - generic
19
+ severity: WARNING
20
+ - id: runsec.ds-ml-security.ml-002
21
+ metadata:
22
+ runsec_version: v1.0
23
+ confidence: |-
24
+ 0.9
25
+ exploit_scenario: |-
26
+ N/A
27
+ fix_template: |-
28
+ Block arbitrary object deserialization.
29
+ pattern-either:
30
+ - pattern: |-
31
+ decode bytes and pickle.loads directly
32
+ - pattern-regex: 'Vulnerable:\\s*ML\\-002\\b'
33
+ message: |-
34
+ RunSec Detection [ML-002]: CWE-502
35
+ languages:
36
+ - generic
37
+ severity: WARNING
38
+ - id: runsec.ds-ml-security.ml-003
39
+ metadata:
40
+ runsec_version: v1.0
41
+ confidence: |-
42
+ 0.9
43
+ exploit_scenario: |-
44
+ N/A
45
+ fix_template: |-
46
+ Avoid poisoned model deserialization.
47
+ pattern-either:
48
+ - pattern: |-
49
+ load model from URL path unchecked
50
+ - pattern-regex: 'Vulnerable:\\s*ML\\-003\\b'
51
+ message: |-
52
+ RunSec Detection [ML-003]: CWE-502
53
+ languages:
54
+ - generic
55
+ severity: WARNING
56
+ - id: runsec.ds-ml-security.ml-004
57
+ metadata:
58
+ runsec_version: v1.0
59
+ confidence: |-
60
+ 0.9
61
+ exploit_scenario: |-
62
+ N/A
63
+ fix_template: |-
64
+ Ensure model provenance before load.
65
+ pattern-either:
66
+ - pattern: |-
67
+ torch.load(download(url))
68
+ - pattern-regex: 'Vulnerable:\\s*ML\\-004\\b'
69
+ message: |-
70
+ RunSec Detection [ML-004]: CWE-494
71
+ languages:
72
+ - generic
73
+ severity: WARNING
74
+ - id: runsec.ds-ml-security.ml-005
75
+ metadata:
76
+ runsec_version: v1.0
77
+ confidence: |-
78
+ 0.9
79
+ exploit_scenario: |-
80
+ N/A
81
+ fix_template: |-
82
+ Prevent model poisoning/supply-chain injection.
83
+ pattern-either:
84
+ - pattern: |-
85
+ accepts user-controlled model URI
86
+ - pattern-regex: 'Vulnerable:\\s*ML\\-005\\b'
87
+ message: |-
88
+ RunSec Detection [ML-005]: CWE-494
89
+ languages:
90
+ - generic
91
+ severity: WARNING
92
+ - id: runsec.ds-ml-security.ml-006
93
+ metadata:
94
+ runsec_version: v1.0
95
+ confidence: |-
96
+ 0.9
97
+ exploit_scenario: |-
98
+ N/A
99
+ fix_template: |-
100
+ Block arbitrary code import through model metadata.
101
+ pattern-either:
102
+ - pattern: |-
103
+ importlib.import_module(meta["module"])
104
+ - pattern-regex: 'Vulnerable:\\s*ML\\-006\\b'
105
+ message: |-
106
+ RunSec Detection [ML-006]: CWE-470
107
+ languages:
108
+ - generic
109
+ severity: WARNING
110
+ - id: runsec.ds-ml-security.ml-007
111
+ metadata:
112
+ runsec_version: v1.0
113
+ confidence: |-
114
+ 0.9
115
+ exploit_scenario: |-
116
+ N/A
117
+ fix_template: |-
118
+ Prevent credential leakage in notebooks.
119
+ pattern-either:
120
+ - pattern: |-
121
+ key literals in .ipynb source/output
122
+ - pattern-regex: 'Vulnerable:\\s*ML\\-007\\b'
123
+ message: |-
124
+ RunSec Detection [ML-007]: CWE-798
125
+ languages:
126
+ - generic
127
+ severity: WARNING
128
+ - id: runsec.ds-ml-security.ml-008
129
+ metadata:
130
+ runsec_version: v1.0
131
+ confidence: |-
132
+ 0.9
133
+ exploit_scenario: |-
134
+ N/A
135
+ fix_template: |-
136
+ Reduce accidental data exposure in notebooks.
137
+ pattern-either:
138
+ - pattern: |-
139
+ displayed full customer records
140
+ - pattern-regex: 'Vulnerable:\\s*ML\\-008\\b'
141
+ message: |-
142
+ RunSec Detection [ML-008]: CWE-359
143
+ languages:
144
+ - generic
145
+ severity: WARNING
146
+ - id: runsec.ds-ml-security.ml-009
147
+ metadata:
148
+ runsec_version: v1.0
149
+ confidence: |-
150
+ 0.9
151
+ exploit_scenario: |-
152
+ N/A
153
+ fix_template: |-
154
+ Prevent command injection in notebook workflows.
155
+ pattern-either:
156
+ - pattern: |-
157
+ !pip install {pkg}/os.system(user)
158
+ - pattern-regex: 'Vulnerable:\\s*ML\\-009\\b'
159
+ message: |-
160
+ RunSec Detection [ML-009]: CWE-78
161
+ languages:
162
+ - generic
163
+ severity: WARNING
164
+ - id: runsec.ds-ml-security.ml-010
165
+ metadata:
166
+ runsec_version: v1.0
167
+ confidence: |-
168
+ 0.9
169
+ exploit_scenario: |-
170
+ N/A
171
+ fix_template: |-
172
+ Block arbitrary code execution in pipelines.
173
+ pattern-either:
174
+ - pattern: |-
175
+ executes user expression on dataset
176
+ - pattern-regex: 'Vulnerable:\\s*ML\\-010\\b'
177
+ message: |-
178
+ RunSec Detection [ML-010]: CWE-94
179
+ languages:
180
+ - generic
181
+ severity: WARNING
182
+ - id: runsec.ds-ml-security.ml-011
183
+ metadata:
184
+ runsec_version: v1.0
185
+ confidence: |-
186
+ 0.9
187
+ exploit_scenario: |-
188
+ N/A
189
+ fix_template: |-
190
+ Prevent tampering during dataset retrieval.
191
+ pattern-either:
192
+ - pattern: |-
193
+ pd.read_csv("http://...")
194
+ - pattern-regex: 'Vulnerable:\\s*ML\\-011\\b'
195
+ message: |-
196
+ RunSec Detection [ML-011]: CWE-319
197
+ languages:
198
+ - generic
199
+ severity: WARNING
200
+ - id: runsec.ds-ml-security.ml-012
201
+ metadata:
202
+ runsec_version: v1.0
203
+ confidence: |-
204
+ 0.9
205
+ exploit_scenario: |-
206
+ N/A
207
+ fix_template: |-
208
+ Reduce poisoning through malformed features.
209
+ pattern-either:
210
+ - pattern: |-
211
+ raw dataframe consumed directly
212
+ - pattern-regex: 'Vulnerable:\\s*ML\\-012\\b'
213
+ message: |-
214
+ RunSec Detection [ML-012]: CWE-20
215
+ languages:
216
+ - generic
217
+ severity: WARNING
218
+ - id: runsec.ds-ml-security.ml-013
219
+ metadata:
220
+ runsec_version: v1.0
221
+ confidence: |-
222
+ 0.9
223
+ exploit_scenario: |-
224
+ N/A
225
+ fix_template: |-
226
+ Protect model and feature confidentiality.
227
+ pattern-either:
228
+ - pattern: |-
229
+ permissive file permissions
230
+ - pattern-regex: 'Vulnerable:\\s*ML\\-013\\b'
231
+ message: |-
232
+ RunSec Detection [ML-013]: CWE-732
233
+ languages:
234
+ - generic
235
+ severity: WARNING
236
+ - id: runsec.ds-ml-security.ml-014
237
+ metadata:
238
+ runsec_version: v1.0
239
+ confidence: |-
240
+ 0.9
241
+ exploit_scenario: |-
242
+ N/A
243
+ fix_template: |-
244
+ Avoid secret leak through logs.
245
+ pattern-either:
246
+ - pattern: |-
247
+ logs include tokens/conn strings
248
+ - pattern-regex: 'Vulnerable:\\s*ML\\-014\\b'
249
+ message: |-
250
+ RunSec Detection [ML-014]: CWE-532
251
+ languages:
252
+ - generic
253
+ severity: WARNING
254
+ - id: runsec.ds-ml-security.ml-015
255
+ metadata:
256
+ runsec_version: v1.0
257
+ confidence: |-
258
+ 0.9
259
+ exploit_scenario: |-
260
+ N/A
261
+ fix_template: |-
262
+ Constrain blast radius of notebook compromise.
263
+ pattern-either:
264
+ - pattern: |-
265
+ full fs/network access by default
266
+ - pattern-regex: 'Vulnerable:\\s*ML\\-015\\b'
267
+ message: |-
268
+ RunSec Detection [ML-015]: CWE-250
269
+ languages:
270
+ - generic
271
+ severity: WARNING
272
+ - id: runsec.ds-ml-security.ml-016
273
+ metadata:
274
+ runsec_version: v1.0
275
+ confidence: |-
276
+ 0.9
277
+ exploit_scenario: |-
278
+ N/A
279
+ fix_template: |-
280
+ Prevent malicious object injection in model load.
281
+ pattern-either:
282
+ - pattern: |-
283
+ permissive custom_objects map
284
+ - pattern-regex: 'Vulnerable:\\s*ML\\-016\\b'
285
+ message: |-
286
+ RunSec Detection [ML-016]: CWE-502
287
+ languages:
288
+ - generic
289
+ severity: WARNING
290
+ - id: runsec.ds-ml-security.ml-017
291
+ metadata:
292
+ runsec_version: v1.0
293
+ confidence: |-
294
+ 0.9
295
+ exploit_scenario: |-
296
+ N/A
297
+ fix_template: |-
298
+ Trust only traceable model lineage.
299
+ pattern-either:
300
+ - pattern: |-
301
+ accepts artifacts without lineage
302
+ - pattern-regex: 'Vulnerable:\\s*ML\\-017\\b'
303
+ message: |-
304
+ RunSec Detection [ML-017]: CWE-345
305
+ languages:
306
+ - generic
307
+ severity: WARNING
308
+ - id: runsec.ds-ml-security.ml-018
309
+ metadata:
310
+ runsec_version: v1.0
311
+ confidence: |-
312
+ 0.9
313
+ exploit_scenario: |-
314
+ N/A
315
+ fix_template: |-
316
+ Avoid local leakage of sensitive datasets.
317
+ pattern-either:
318
+ - pattern: |-
319
+ /tmp plaintext sensitive batches
320
+ - pattern-regex: 'Vulnerable:\\s*ML\\-018\\b'
321
+ message: |-
322
+ RunSec Detection [ML-018]: CWE-312
323
+ languages:
324
+ - generic
325
+ severity: WARNING
326
+ - id: runsec.ds-ml-security.ml-019
327
+ metadata:
328
+ runsec_version: v1.0
329
+ confidence: |-
330
+ 0.9
331
+ exploit_scenario: |-
332
+ N/A
333
+ fix_template: |-
334
+ Prevent SSRF-like data poisoning fetches.
335
+ pattern-either:
336
+ - pattern: |-
337
+ requests follows untrusted redirects
338
+ - pattern-regex: 'Vulnerable:\\s*ML\\-019\\b'
339
+ message: |-
340
+ RunSec Detection [ML-019]: CWE-918
341
+ languages:
342
+ - generic
343
+ severity: WARNING
344
+ - id: runsec.ds-ml-security.ml-020
345
+ metadata:
346
+ runsec_version: v1.0
347
+ confidence: |-
348
+ 0.9
349
+ exploit_scenario: |-
350
+ N/A
351
+ fix_template: |-
352
+ Reduce intelligence for attackers.
353
+ pattern-either:
354
+ - pattern: |-
355
+ returns stack/model internals on errors
356
+ - pattern-regex: 'Vulnerable:\\s*ML\\-020\\b'
357
+ message: |-
358
+ RunSec Detection [ML-020]: CWE-209
359
+ languages:
360
+ - generic
361
+ severity: WARNING
362
+ - id: runsec.ds-ml-security.ml-021
363
+ metadata:
364
+ runsec_version: v1.0
365
+ confidence: |-
366
+ 0.9
367
+ exploit_scenario: |-
368
+ N/A
369
+ fix_template: |-
370
+ Prevent unsafe deserialization in feature store.
371
+ pattern-either:
372
+ - pattern: |-
373
+ pickle blobs in shared cache
374
+ - pattern-regex: 'Vulnerable:\\s*ML\\-021\\b'
375
+ message: |-
376
+ RunSec Detection [ML-021]: CWE-502
377
+ languages:
378
+ - generic
379
+ severity: WARNING
380
+ - id: runsec.ds-ml-security.ml-022
381
+ metadata:
382
+ runsec_version: v1.0
383
+ confidence: |-
384
+ 0.9
385
+ exploit_scenario: |-
386
+ N/A
387
+ fix_template: |-
388
+ Ensure tokenizer integrity.
389
+ pattern-either:
390
+ - pattern: |-
391
+ uses remote vocab blindly
392
+ - pattern-regex: 'Vulnerable:\\s*ML\\-022\\b'
393
+ message: |-
394
+ RunSec Detection [ML-022]: CWE-353
395
+ languages:
396
+ - generic
397
+ severity: WARNING
398
+ - id: runsec.ds-ml-security.ml-023
399
+ metadata:
400
+ runsec_version: v1.0
401
+ confidence: |-
402
+ 0.9
403
+ exploit_scenario: |-
404
+ N/A
405
+ fix_template: |-
406
+ Limit credential abuse in DS workflows.
407
+ pattern-either:
408
+ - pattern: |-
409
+ broad IAM keys embedded in cells
410
+ - pattern-regex: 'Vulnerable:\\s*ML\\-023\\b'
411
+ message: |-
412
+ RunSec Detection [ML-023]: CWE-732
413
+ languages:
414
+ - generic
415
+ severity: WARNING
416
+ - id: runsec.ds-ml-security.ml-024
417
+ metadata:
418
+ runsec_version: v1.0
419
+ confidence: |-
420
+ 0.9
421
+ exploit_scenario: |-
422
+ N/A
423
+ fix_template: |-
424
+ Prevent logic poisoning via transform injection.
425
+ pattern-either:
426
+ - pattern: |-
427
+ dynamic function names from request
428
+ - pattern-regex: 'Vulnerable:\\s*ML\\-024\\b'
429
+ message: |-
430
+ RunSec Detection [ML-024]: CWE-915
431
+ languages:
432
+ - generic
433
+ severity: WARNING
434
+ - id: runsec.ds-ml-security.ml-025
435
+ metadata:
436
+ runsec_version: v1.0
437
+ confidence: |-
438
+ 0.9
439
+ exploit_scenario: |-
440
+ N/A
441
+ fix_template: |-
442
+ Avoid predictable outputs where sensitive.
443
+ pattern-either:
444
+ - pattern: |-
445
+ uncontrolled seed for critical model
446
+ - pattern-regex: 'Vulnerable:\\s*ML\\-025\\b'
447
+ message: |-
448
+ RunSec Detection [ML-025]: CWE-330
449
+ languages:
450
+ - generic
451
+ severity: WARNING
452
+ - id: runsec.ds-ml-security.ml-026
453
+ metadata:
454
+ runsec_version: v1.0
455
+ confidence: |-
456
+ 0.9
457
+ exploit_scenario: |-
458
+ N/A
459
+ fix_template: |-
460
+ Restrict host filesystem impact.
461
+ pattern-either:
462
+ - pattern: |-
463
+ host mounts writable
464
+ - pattern-regex: 'Vulnerable:\\s*ML\\-026\\b'
465
+ message: |-
466
+ RunSec Detection [ML-026]: CWE-250
467
+ languages:
468
+ - generic
469
+ severity: WARNING
470
+ - id: runsec.ds-ml-security.ml-027
471
+ metadata:
472
+ runsec_version: v1.0
473
+ confidence: |-
474
+ 0.9
475
+ exploit_scenario: |-
476
+ N/A
477
+ fix_template: |-
478
+ Improve model supply-chain integrity.
479
+ pattern-either:
480
+ - pattern: |-
481
+ no signing requirement for model publish
482
+ - pattern-regex: 'Vulnerable:\\s*ML\\-027\\b'
483
+ message: |-
484
+ RunSec Detection [ML-027]: CWE-347
485
+ languages:
486
+ - generic
487
+ severity: WARNING
488
+ - id: runsec.ds-ml-security.ml-028
489
+ metadata:
490
+ runsec_version: v1.0
491
+ confidence: |-
492
+ 0.9
493
+ exploit_scenario: |-
494
+ N/A
495
+ fix_template: |-
496
+ Prevent compute exhaustion in ingestion.
497
+ pattern-either:
498
+ - pattern: |-
499
+ user regex on large corpus
500
+ - pattern-regex: 'Vulnerable:\\s*ML\\-028\\b'
501
+ message: |-
502
+ RunSec Detection [ML-028]: CWE-1333
503
+ languages:
504
+ - generic
505
+ severity: WARNING
506
+ - id: runsec.ds-ml-security.ml-029
507
+ metadata:
508
+ runsec_version: v1.0
509
+ confidence: |-
510
+ 0.9
511
+ exploit_scenario: |-
512
+ N/A
513
+ fix_template: |-
514
+ Minimize sensitive data retention.
515
+ pattern-either:
516
+ - pattern: |-
517
+ cache stores full source payload
518
+ - pattern-regex: 'Vulnerable:\\s*ML\\-029\\b'
519
+ message: |-
520
+ RunSec Detection [ML-029]: CWE-1275
521
+ languages:
522
+ - generic
523
+ severity: WARNING
524
+ - id: runsec.ds-ml-security.ml-030
525
+ metadata:
526
+ runsec_version: v1.0
527
+ confidence: |-
528
+ 0.9
529
+ exploit_scenario: |-
530
+ N/A
531
+ fix_template: |-
532
+ Prevent malicious extension execution.
533
+ pattern-either:
534
+ - pattern: |-
535
+ arbitrary extension code load
536
+ - pattern-regex: 'Vulnerable:\\s*ML\\-030\\b'
537
+ message: |-
538
+ RunSec Detection [ML-030]: CWE-494
539
+ languages:
540
+ - generic
541
+ severity: WARNING
542
+ - id: runsec.ds-ml-security.ml-031
543
+ metadata:
544
+ runsec_version: v1.0
545
+ confidence: |-
546
+ 0.9
547
+ exploit_scenario: |-
548
+ N/A
549
+ fix_template: |-
550
+ Limit data leakage in explainability.
551
+ pattern-either:
552
+ - pattern: |-
553
+ raw rows in explanations
554
+ - pattern-regex: 'Vulnerable:\\s*ML\\-031\\b'
555
+ message: |-
556
+ RunSec Detection [ML-031]: CWE-359
557
+ languages:
558
+ - generic
559
+ severity: WARNING
560
+ - id: runsec.ds-ml-security.ml-032
561
+ metadata:
562
+ runsec_version: v1.0
563
+ confidence: |-
564
+ 0.9
565
+ exploit_scenario: |-
566
+ N/A
567
+ fix_template: |-
568
+ Prevent arbitrary file read/load.
569
+ pattern-either:
570
+ - pattern: |-
571
+ open(base + user_path)
572
+ - pattern-regex: 'Vulnerable:\\s*ML\\-032\\b'
573
+ message: |-
574
+ RunSec Detection [ML-032]: CWE-22
575
+ languages:
576
+ - generic
577
+ severity: WARNING
578
+ - id: runsec.ds-ml-security.ml-033
579
+ metadata:
580
+ runsec_version: v1.0
581
+ confidence: |-
582
+ 0.9
583
+ exploit_scenario: |-
584
+ N/A
585
+ fix_template: |-
586
+ Prevent credential theft from CI runs.
587
+ pattern-either:
588
+ - pattern: |-
589
+ secrets available to forks
590
+ - pattern-regex: 'Vulnerable:\\s*ML\\-033\\b'
591
+ message: |-
592
+ RunSec Detection [ML-033]: CWE-200
593
+ languages:
594
+ - generic
595
+ severity: WARNING
596
+ - id: runsec.ds-ml-security.ml-034
597
+ metadata:
598
+ runsec_version: v1.0
599
+ confidence: |-
600
+ 0.9
601
+ exploit_scenario: |-
602
+ N/A
603
+ fix_template: |-
604
+ Reduce impact of poisoned model rollout.
605
+ pattern-either:
606
+ - pattern: |-
607
+ deploys newest model automatically
608
+ - pattern-regex: 'Vulnerable:\\s*ML\\-034\\b'
609
+ message: |-
610
+ RunSec Detection [ML-034]: CWE-693
611
+ languages:
612
+ - generic
613
+ severity: WARNING
614
+ - id: runsec.ds-ml-security.ml-035
615
+ metadata:
616
+ runsec_version: v1.0
617
+ confidence: |-
618
+ 0.9
619
+ exploit_scenario: |-
620
+ N/A
621
+ fix_template: |-
622
+ Minimize secret residence in RAM.
623
+ pattern-either:
624
+ - pattern: |-
625
+ key arrays persist in memory
626
+ - pattern-regex: 'Vulnerable:\\s*ML\\-035\\b'
627
+ message: |-
628
+ RunSec Detection [ML-035]: CWE-1037
629
+ languages:
630
+ - generic
631
+ severity: WARNING
632
+ - id: runsec.ds-ml-security.agt-001
633
+ metadata:
634
+ runsec_version: v1.0
635
+ confidence: |-
636
+ 0.9
637
+ exploit_scenario: |-
638
+ Injected instructions in external content hijack agent behavior.
639
+ fix_template: |-
640
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
641
+ pattern-either:
642
+ - pattern: |-
643
+ prompt = user_prompt + '\n' + fetched_page_text
644
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-001\\b'
645
+ message: |-
646
+ RunSec Detection [AGT-001]: CWE-1336
647
+ languages:
648
+ - generic
649
+ severity: WARNING
650
+ - id: runsec.ds-ml-security.agt-002
651
+ metadata:
652
+ runsec_version: v1.0
653
+ confidence: |-
654
+ 0.9
655
+ exploit_scenario: |-
656
+ Model output can include attacker-influenced command payloads.
657
+ fix_template: |-
658
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
659
+ pattern-either:
660
+ - pattern: |-
661
+ subprocess.run(llm_output, shell=True)
662
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-002\\b'
663
+ message: |-
664
+ RunSec Detection [AGT-002]: CWE-78
665
+ languages:
666
+ - generic
667
+ severity: WARNING
668
+ - id: runsec.ds-ml-security.agt-003
669
+ metadata:
670
+ runsec_version: v1.0
671
+ confidence: |-
672
+ 0.9
673
+ exploit_scenario: |-
674
+ Unconstrained tool access enables privilege escalation in agent loop.
675
+ fix_template: |-
676
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
677
+ pattern-either:
678
+ - pattern: |-
679
+ tool.invoke(parsed.tool_name, parsed.args)
680
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-003\\b'
681
+ message: |-
682
+ RunSec Detection [AGT-003]: CWE-863
683
+ languages:
684
+ - generic
685
+ severity: WARNING
686
+ - id: runsec.ds-ml-security.agt-004
687
+ metadata:
688
+ runsec_version: v1.0
689
+ confidence: |-
690
+ 0.9
691
+ exploit_scenario: |-
692
+ Executing generated code without sandboxing risks full compromise.
693
+ fix_template: |-
694
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
695
+ pattern-either:
696
+ - pattern: |-
697
+ exec(generated_python)
698
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-004\\b'
699
+ message: |-
700
+ RunSec Detection [AGT-004]: CWE-94
701
+ languages:
702
+ - generic
703
+ severity: WARNING
704
+ - id: runsec.ds-ml-security.agt-005
705
+ metadata:
706
+ runsec_version: v1.0
707
+ confidence: |-
708
+ 0.9
709
+ exploit_scenario: |-
710
+ Injected instructions in external content hijack agent behavior.
711
+ fix_template: |-
712
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
713
+ pattern-either:
714
+ - pattern: |-
715
+ prompt = user_prompt + '\n' + fetched_page_text
716
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-005\\b'
717
+ message: |-
718
+ RunSec Detection [AGT-005]: CWE-1336
719
+ languages:
720
+ - generic
721
+ severity: WARNING
722
+ - id: runsec.ds-ml-security.agt-006
723
+ metadata:
724
+ runsec_version: v1.0
725
+ confidence: |-
726
+ 0.9
727
+ exploit_scenario: |-
728
+ Model output can include attacker-influenced command payloads.
729
+ fix_template: |-
730
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
731
+ pattern-either:
732
+ - pattern: |-
733
+ subprocess.run(llm_output, shell=True)
734
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-006\\b'
735
+ message: |-
736
+ RunSec Detection [AGT-006]: CWE-78
737
+ languages:
738
+ - generic
739
+ severity: WARNING
740
+ - id: runsec.ds-ml-security.agt-007
741
+ metadata:
742
+ runsec_version: v1.0
743
+ confidence: |-
744
+ 0.9
745
+ exploit_scenario: |-
746
+ Unconstrained tool access enables privilege escalation in agent loop.
747
+ fix_template: |-
748
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
749
+ pattern-either:
750
+ - pattern: |-
751
+ tool.invoke(parsed.tool_name, parsed.args)
752
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-007\\b'
753
+ message: |-
754
+ RunSec Detection [AGT-007]: CWE-863
755
+ languages:
756
+ - generic
757
+ severity: WARNING
758
+ - id: runsec.ds-ml-security.agt-008
759
+ metadata:
760
+ runsec_version: v1.0
761
+ confidence: |-
762
+ 0.9
763
+ exploit_scenario: |-
764
+ Executing generated code without sandboxing risks full compromise.
765
+ fix_template: |-
766
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
767
+ pattern-either:
768
+ - pattern: |-
769
+ exec(generated_python)
770
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-008\\b'
771
+ message: |-
772
+ RunSec Detection [AGT-008]: CWE-94
773
+ languages:
774
+ - generic
775
+ severity: WARNING
776
+ - id: runsec.ds-ml-security.agt-009
777
+ metadata:
778
+ runsec_version: v1.0
779
+ confidence: |-
780
+ 0.9
781
+ exploit_scenario: |-
782
+ Injected instructions in external content hijack agent behavior.
783
+ fix_template: |-
784
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
785
+ pattern-either:
786
+ - pattern: |-
787
+ prompt = user_prompt + '\n' + fetched_page_text
788
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-009\\b'
789
+ message: |-
790
+ RunSec Detection [AGT-009]: CWE-1336
791
+ languages:
792
+ - generic
793
+ severity: WARNING
794
+ - id: runsec.ds-ml-security.agt-010
795
+ metadata:
796
+ runsec_version: v1.0
797
+ confidence: |-
798
+ 0.9
799
+ exploit_scenario: |-
800
+ Model output can include attacker-influenced command payloads.
801
+ fix_template: |-
802
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
803
+ pattern-either:
804
+ - pattern: |-
805
+ subprocess.run(llm_output, shell=True)
806
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-010\\b'
807
+ message: |-
808
+ RunSec Detection [AGT-010]: CWE-78
809
+ languages:
810
+ - generic
811
+ severity: WARNING
812
+ - id: runsec.ds-ml-security.agt-011
813
+ metadata:
814
+ runsec_version: v1.0
815
+ confidence: |-
816
+ 0.9
817
+ exploit_scenario: |-
818
+ Unconstrained tool access enables privilege escalation in agent loop.
819
+ fix_template: |-
820
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
821
+ pattern-either:
822
+ - pattern: |-
823
+ tool.invoke(parsed.tool_name, parsed.args)
824
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-011\\b'
825
+ message: |-
826
+ RunSec Detection [AGT-011]: CWE-863
827
+ languages:
828
+ - generic
829
+ severity: WARNING
830
+ - id: runsec.ds-ml-security.agt-012
831
+ metadata:
832
+ runsec_version: v1.0
833
+ confidence: |-
834
+ 0.9
835
+ exploit_scenario: |-
836
+ Executing generated code without sandboxing risks full compromise.
837
+ fix_template: |-
838
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
839
+ pattern-either:
840
+ - pattern: |-
841
+ exec(generated_python)
842
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-012\\b'
843
+ message: |-
844
+ RunSec Detection [AGT-012]: CWE-94
845
+ languages:
846
+ - generic
847
+ severity: WARNING
848
+ - id: runsec.ds-ml-security.agt-013
849
+ metadata:
850
+ runsec_version: v1.0
851
+ confidence: |-
852
+ 0.9
853
+ exploit_scenario: |-
854
+ Injected instructions in external content hijack agent behavior.
855
+ fix_template: |-
856
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
857
+ pattern-either:
858
+ - pattern: |-
859
+ prompt = user_prompt + '\n' + fetched_page_text
860
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-013\\b'
861
+ message: |-
862
+ RunSec Detection [AGT-013]: CWE-1336
863
+ languages:
864
+ - generic
865
+ severity: WARNING
866
+ - id: runsec.ds-ml-security.agt-014
867
+ metadata:
868
+ runsec_version: v1.0
869
+ confidence: |-
870
+ 0.9
871
+ exploit_scenario: |-
872
+ Model output can include attacker-influenced command payloads.
873
+ fix_template: |-
874
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
875
+ pattern-either:
876
+ - pattern: |-
877
+ subprocess.run(llm_output, shell=True)
878
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-014\\b'
879
+ message: |-
880
+ RunSec Detection [AGT-014]: CWE-78
881
+ languages:
882
+ - generic
883
+ severity: WARNING
884
+ - id: runsec.ds-ml-security.agt-015
885
+ metadata:
886
+ runsec_version: v1.0
887
+ confidence: |-
888
+ 0.9
889
+ exploit_scenario: |-
890
+ Unconstrained tool access enables privilege escalation in agent loop.
891
+ fix_template: |-
892
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
893
+ pattern-either:
894
+ - pattern: |-
895
+ tool.invoke(parsed.tool_name, parsed.args)
896
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-015\\b'
897
+ message: |-
898
+ RunSec Detection [AGT-015]: CWE-863
899
+ languages:
900
+ - generic
901
+ severity: WARNING
902
+ - id: runsec.ds-ml-security.agt-016
903
+ metadata:
904
+ runsec_version: v1.0
905
+ confidence: |-
906
+ 0.9
907
+ exploit_scenario: |-
908
+ Executing generated code without sandboxing risks full compromise.
909
+ fix_template: |-
910
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
911
+ pattern-either:
912
+ - pattern: |-
913
+ exec(generated_python)
914
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-016\\b'
915
+ message: |-
916
+ RunSec Detection [AGT-016]: CWE-94
917
+ languages:
918
+ - generic
919
+ severity: WARNING
920
+ - id: runsec.ds-ml-security.agt-017
921
+ metadata:
922
+ runsec_version: v1.0
923
+ confidence: |-
924
+ 0.9
925
+ exploit_scenario: |-
926
+ Injected instructions in external content hijack agent behavior.
927
+ fix_template: |-
928
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
929
+ pattern-either:
930
+ - pattern: |-
931
+ prompt = user_prompt + '\n' + fetched_page_text
932
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-017\\b'
933
+ message: |-
934
+ RunSec Detection [AGT-017]: CWE-1336
935
+ languages:
936
+ - generic
937
+ severity: WARNING
938
+ - id: runsec.ds-ml-security.agt-018
939
+ metadata:
940
+ runsec_version: v1.0
941
+ confidence: |-
942
+ 0.9
943
+ exploit_scenario: |-
944
+ Model output can include attacker-influenced command payloads.
945
+ fix_template: |-
946
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
947
+ pattern-either:
948
+ - pattern: |-
949
+ subprocess.run(llm_output, shell=True)
950
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-018\\b'
951
+ message: |-
952
+ RunSec Detection [AGT-018]: CWE-78
953
+ languages:
954
+ - generic
955
+ severity: WARNING
956
+ - id: runsec.ds-ml-security.agt-019
957
+ metadata:
958
+ runsec_version: v1.0
959
+ confidence: |-
960
+ 0.9
961
+ exploit_scenario: |-
962
+ Unconstrained tool access enables privilege escalation in agent loop.
963
+ fix_template: |-
964
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
965
+ pattern-either:
966
+ - pattern: |-
967
+ tool.invoke(parsed.tool_name, parsed.args)
968
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-019\\b'
969
+ message: |-
970
+ RunSec Detection [AGT-019]: CWE-863
971
+ languages:
972
+ - generic
973
+ severity: WARNING
974
+ - id: runsec.ds-ml-security.agt-020
975
+ metadata:
976
+ runsec_version: v1.0
977
+ confidence: |-
978
+ 0.9
979
+ exploit_scenario: |-
980
+ Executing generated code without sandboxing risks full compromise.
981
+ fix_template: |-
982
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
983
+ pattern-either:
984
+ - pattern: |-
985
+ exec(generated_python)
986
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-020\\b'
987
+ message: |-
988
+ RunSec Detection [AGT-020]: CWE-94
989
+ languages:
990
+ - generic
991
+ severity: WARNING
992
+ - id: runsec.ds-ml-security.agt-021
993
+ metadata:
994
+ runsec_version: v1.0
995
+ confidence: |-
996
+ 0.9
997
+ exploit_scenario: |-
998
+ Injected instructions in external content hijack agent behavior.
999
+ fix_template: |-
1000
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1001
+ pattern-either:
1002
+ - pattern: |-
1003
+ prompt = user_prompt + '\n' + fetched_page_text
1004
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-021\\b'
1005
+ message: |-
1006
+ RunSec Detection [AGT-021]: CWE-1336
1007
+ languages:
1008
+ - generic
1009
+ severity: WARNING
1010
+ - id: runsec.ds-ml-security.agt-022
1011
+ metadata:
1012
+ runsec_version: v1.0
1013
+ confidence: |-
1014
+ 0.9
1015
+ exploit_scenario: |-
1016
+ Model output can include attacker-influenced command payloads.
1017
+ fix_template: |-
1018
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1019
+ pattern-either:
1020
+ - pattern: |-
1021
+ subprocess.run(llm_output, shell=True)
1022
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-022\\b'
1023
+ message: |-
1024
+ RunSec Detection [AGT-022]: CWE-78
1025
+ languages:
1026
+ - generic
1027
+ severity: WARNING
1028
+ - id: runsec.ds-ml-security.agt-023
1029
+ metadata:
1030
+ runsec_version: v1.0
1031
+ confidence: |-
1032
+ 0.9
1033
+ exploit_scenario: |-
1034
+ Unconstrained tool access enables privilege escalation in agent loop.
1035
+ fix_template: |-
1036
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1037
+ pattern-either:
1038
+ - pattern: |-
1039
+ tool.invoke(parsed.tool_name, parsed.args)
1040
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-023\\b'
1041
+ message: |-
1042
+ RunSec Detection [AGT-023]: CWE-863
1043
+ languages:
1044
+ - generic
1045
+ severity: WARNING
1046
+ - id: runsec.ds-ml-security.agt-024
1047
+ metadata:
1048
+ runsec_version: v1.0
1049
+ confidence: |-
1050
+ 0.9
1051
+ exploit_scenario: |-
1052
+ Executing generated code without sandboxing risks full compromise.
1053
+ fix_template: |-
1054
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1055
+ pattern-either:
1056
+ - pattern: |-
1057
+ exec(generated_python)
1058
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-024\\b'
1059
+ message: |-
1060
+ RunSec Detection [AGT-024]: CWE-94
1061
+ languages:
1062
+ - generic
1063
+ severity: WARNING
1064
+ - id: runsec.ds-ml-security.agt-025
1065
+ metadata:
1066
+ runsec_version: v1.0
1067
+ confidence: |-
1068
+ 0.9
1069
+ exploit_scenario: |-
1070
+ Injected instructions in external content hijack agent behavior.
1071
+ fix_template: |-
1072
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1073
+ pattern-either:
1074
+ - pattern: |-
1075
+ prompt = user_prompt + '\n' + fetched_page_text
1076
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-025\\b'
1077
+ message: |-
1078
+ RunSec Detection [AGT-025]: CWE-1336
1079
+ languages:
1080
+ - generic
1081
+ severity: WARNING
1082
+ - id: runsec.ds-ml-security.agt-026
1083
+ metadata:
1084
+ runsec_version: v1.0
1085
+ confidence: |-
1086
+ 0.9
1087
+ exploit_scenario: |-
1088
+ Model output can include attacker-influenced command payloads.
1089
+ fix_template: |-
1090
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1091
+ pattern-either:
1092
+ - pattern: |-
1093
+ subprocess.run(llm_output, shell=True)
1094
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-026\\b'
1095
+ message: |-
1096
+ RunSec Detection [AGT-026]: CWE-78
1097
+ languages:
1098
+ - generic
1099
+ severity: WARNING
1100
+ - id: runsec.ds-ml-security.agt-027
1101
+ metadata:
1102
+ runsec_version: v1.0
1103
+ confidence: |-
1104
+ 0.9
1105
+ exploit_scenario: |-
1106
+ Unconstrained tool access enables privilege escalation in agent loop.
1107
+ fix_template: |-
1108
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1109
+ pattern-either:
1110
+ - pattern: |-
1111
+ tool.invoke(parsed.tool_name, parsed.args)
1112
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-027\\b'
1113
+ message: |-
1114
+ RunSec Detection [AGT-027]: CWE-863
1115
+ languages:
1116
+ - generic
1117
+ severity: WARNING
1118
+ - id: runsec.ds-ml-security.agt-028
1119
+ metadata:
1120
+ runsec_version: v1.0
1121
+ confidence: |-
1122
+ 0.9
1123
+ exploit_scenario: |-
1124
+ Executing generated code without sandboxing risks full compromise.
1125
+ fix_template: |-
1126
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1127
+ pattern-either:
1128
+ - pattern: |-
1129
+ exec(generated_python)
1130
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-028\\b'
1131
+ message: |-
1132
+ RunSec Detection [AGT-028]: CWE-94
1133
+ languages:
1134
+ - generic
1135
+ severity: WARNING
1136
+ - id: runsec.ds-ml-security.agt-029
1137
+ metadata:
1138
+ runsec_version: v1.0
1139
+ confidence: |-
1140
+ 0.9
1141
+ exploit_scenario: |-
1142
+ Injected instructions in external content hijack agent behavior.
1143
+ fix_template: |-
1144
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1145
+ pattern-either:
1146
+ - pattern: |-
1147
+ prompt = user_prompt + '\n' + fetched_page_text
1148
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-029\\b'
1149
+ message: |-
1150
+ RunSec Detection [AGT-029]: CWE-1336
1151
+ languages:
1152
+ - generic
1153
+ severity: WARNING
1154
+ - id: runsec.ds-ml-security.agt-030
1155
+ metadata:
1156
+ runsec_version: v1.0
1157
+ confidence: |-
1158
+ 0.9
1159
+ exploit_scenario: |-
1160
+ Model output can include attacker-influenced command payloads.
1161
+ fix_template: |-
1162
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1163
+ pattern-either:
1164
+ - pattern: |-
1165
+ subprocess.run(llm_output, shell=True)
1166
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-030\\b'
1167
+ message: |-
1168
+ RunSec Detection [AGT-030]: CWE-78
1169
+ languages:
1170
+ - generic
1171
+ severity: WARNING
1172
+ - id: runsec.ds-ml-security.agt-031
1173
+ metadata:
1174
+ runsec_version: v1.0
1175
+ confidence: |-
1176
+ 0.9
1177
+ exploit_scenario: |-
1178
+ Unconstrained tool access enables privilege escalation in agent loop.
1179
+ fix_template: |-
1180
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1181
+ pattern-either:
1182
+ - pattern: |-
1183
+ tool.invoke(parsed.tool_name, parsed.args)
1184
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-031\\b'
1185
+ message: |-
1186
+ RunSec Detection [AGT-031]: CWE-863
1187
+ languages:
1188
+ - generic
1189
+ severity: WARNING
1190
+ - id: runsec.ds-ml-security.agt-032
1191
+ metadata:
1192
+ runsec_version: v1.0
1193
+ confidence: |-
1194
+ 0.9
1195
+ exploit_scenario: |-
1196
+ Executing generated code without sandboxing risks full compromise.
1197
+ fix_template: |-
1198
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1199
+ pattern-either:
1200
+ - pattern: |-
1201
+ exec(generated_python)
1202
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-032\\b'
1203
+ message: |-
1204
+ RunSec Detection [AGT-032]: CWE-94
1205
+ languages:
1206
+ - generic
1207
+ severity: WARNING
1208
+ - id: runsec.ds-ml-security.agt-033
1209
+ metadata:
1210
+ runsec_version: v1.0
1211
+ confidence: |-
1212
+ 0.9
1213
+ exploit_scenario: |-
1214
+ Injected instructions in external content hijack agent behavior.
1215
+ fix_template: |-
1216
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1217
+ pattern-either:
1218
+ - pattern: |-
1219
+ prompt = user_prompt + '\n' + fetched_page_text
1220
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-033\\b'
1221
+ message: |-
1222
+ RunSec Detection [AGT-033]: CWE-1336
1223
+ languages:
1224
+ - generic
1225
+ severity: WARNING
1226
+ - id: runsec.ds-ml-security.agt-034
1227
+ metadata:
1228
+ runsec_version: v1.0
1229
+ confidence: |-
1230
+ 0.9
1231
+ exploit_scenario: |-
1232
+ Model output can include attacker-influenced command payloads.
1233
+ fix_template: |-
1234
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1235
+ pattern-either:
1236
+ - pattern: |-
1237
+ subprocess.run(llm_output, shell=True)
1238
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-034\\b'
1239
+ message: |-
1240
+ RunSec Detection [AGT-034]: CWE-78
1241
+ languages:
1242
+ - generic
1243
+ severity: WARNING
1244
+ - id: runsec.ds-ml-security.agt-035
1245
+ metadata:
1246
+ runsec_version: v1.0
1247
+ confidence: |-
1248
+ 0.9
1249
+ exploit_scenario: |-
1250
+ Unconstrained tool access enables privilege escalation in agent loop.
1251
+ fix_template: |-
1252
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1253
+ pattern-either:
1254
+ - pattern: |-
1255
+ tool.invoke(parsed.tool_name, parsed.args)
1256
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-035\\b'
1257
+ message: |-
1258
+ RunSec Detection [AGT-035]: CWE-863
1259
+ languages:
1260
+ - generic
1261
+ severity: WARNING
1262
+ - id: runsec.ds-ml-security.agt-036
1263
+ metadata:
1264
+ runsec_version: v1.0
1265
+ confidence: |-
1266
+ 0.9
1267
+ exploit_scenario: |-
1268
+ Executing generated code without sandboxing risks full compromise.
1269
+ fix_template: |-
1270
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1271
+ pattern-either:
1272
+ - pattern: |-
1273
+ exec(generated_python)
1274
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-036\\b'
1275
+ message: |-
1276
+ RunSec Detection [AGT-036]: CWE-94
1277
+ languages:
1278
+ - generic
1279
+ severity: WARNING
1280
+ - id: runsec.ds-ml-security.agt-037
1281
+ metadata:
1282
+ runsec_version: v1.0
1283
+ confidence: |-
1284
+ 0.9
1285
+ exploit_scenario: |-
1286
+ Injected instructions in external content hijack agent behavior.
1287
+ fix_template: |-
1288
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1289
+ pattern-either:
1290
+ - pattern: |-
1291
+ prompt = user_prompt + '\n' + fetched_page_text
1292
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-037\\b'
1293
+ message: |-
1294
+ RunSec Detection [AGT-037]: CWE-1336
1295
+ languages:
1296
+ - generic
1297
+ severity: WARNING
1298
+ - id: runsec.ds-ml-security.agt-038
1299
+ metadata:
1300
+ runsec_version: v1.0
1301
+ confidence: |-
1302
+ 0.9
1303
+ exploit_scenario: |-
1304
+ Model output can include attacker-influenced command payloads.
1305
+ fix_template: |-
1306
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1307
+ pattern-either:
1308
+ - pattern: |-
1309
+ subprocess.run(llm_output, shell=True)
1310
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-038\\b'
1311
+ message: |-
1312
+ RunSec Detection [AGT-038]: CWE-78
1313
+ languages:
1314
+ - generic
1315
+ severity: WARNING
1316
+ - id: runsec.ds-ml-security.agt-039
1317
+ metadata:
1318
+ runsec_version: v1.0
1319
+ confidence: |-
1320
+ 0.9
1321
+ exploit_scenario: |-
1322
+ Unconstrained tool access enables privilege escalation in agent loop.
1323
+ fix_template: |-
1324
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1325
+ pattern-either:
1326
+ - pattern: |-
1327
+ tool.invoke(parsed.tool_name, parsed.args)
1328
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-039\\b'
1329
+ message: |-
1330
+ RunSec Detection [AGT-039]: CWE-863
1331
+ languages:
1332
+ - generic
1333
+ severity: WARNING
1334
+ - id: runsec.ds-ml-security.agt-040
1335
+ metadata:
1336
+ runsec_version: v1.0
1337
+ confidence: |-
1338
+ 0.9
1339
+ exploit_scenario: |-
1340
+ Executing generated code without sandboxing risks full compromise.
1341
+ fix_template: |-
1342
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1343
+ pattern-either:
1344
+ - pattern: |-
1345
+ exec(generated_python)
1346
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-040\\b'
1347
+ message: |-
1348
+ RunSec Detection [AGT-040]: CWE-94
1349
+ languages:
1350
+ - generic
1351
+ severity: WARNING
1352
+ - id: runsec.ds-ml-security.agt-041
1353
+ metadata:
1354
+ runsec_version: v1.0
1355
+ confidence: |-
1356
+ 0.9
1357
+ exploit_scenario: |-
1358
+ Injected instructions in external content hijack agent behavior.
1359
+ fix_template: |-
1360
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1361
+ pattern-either:
1362
+ - pattern: |-
1363
+ prompt = user_prompt + '\n' + fetched_page_text
1364
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-041\\b'
1365
+ message: |-
1366
+ RunSec Detection [AGT-041]: CWE-1336
1367
+ languages:
1368
+ - generic
1369
+ severity: WARNING
1370
+ - id: runsec.ds-ml-security.agt-042
1371
+ metadata:
1372
+ runsec_version: v1.0
1373
+ confidence: |-
1374
+ 0.9
1375
+ exploit_scenario: |-
1376
+ Model output can include attacker-influenced command payloads.
1377
+ fix_template: |-
1378
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1379
+ pattern-either:
1380
+ - pattern: |-
1381
+ subprocess.run(llm_output, shell=True)
1382
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-042\\b'
1383
+ message: |-
1384
+ RunSec Detection [AGT-042]: CWE-78
1385
+ languages:
1386
+ - generic
1387
+ severity: WARNING
1388
+ - id: runsec.ds-ml-security.agt-043
1389
+ metadata:
1390
+ runsec_version: v1.0
1391
+ confidence: |-
1392
+ 0.9
1393
+ exploit_scenario: |-
1394
+ Unconstrained tool access enables privilege escalation in agent loop.
1395
+ fix_template: |-
1396
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1397
+ pattern-either:
1398
+ - pattern: |-
1399
+ tool.invoke(parsed.tool_name, parsed.args)
1400
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-043\\b'
1401
+ message: |-
1402
+ RunSec Detection [AGT-043]: CWE-863
1403
+ languages:
1404
+ - generic
1405
+ severity: WARNING
1406
+ - id: runsec.ds-ml-security.agt-044
1407
+ metadata:
1408
+ runsec_version: v1.0
1409
+ confidence: |-
1410
+ 0.9
1411
+ exploit_scenario: |-
1412
+ Executing generated code without sandboxing risks full compromise.
1413
+ fix_template: |-
1414
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1415
+ pattern-either:
1416
+ - pattern: |-
1417
+ exec(generated_python)
1418
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-044\\b'
1419
+ message: |-
1420
+ RunSec Detection [AGT-044]: CWE-94
1421
+ languages:
1422
+ - generic
1423
+ severity: WARNING
1424
+ - id: runsec.ds-ml-security.agt-045
1425
+ metadata:
1426
+ runsec_version: v1.0
1427
+ confidence: |-
1428
+ 0.9
1429
+ exploit_scenario: |-
1430
+ Injected instructions in external content hijack agent behavior.
1431
+ fix_template: |-
1432
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1433
+ pattern-either:
1434
+ - pattern: |-
1435
+ prompt = user_prompt + '\n' + fetched_page_text
1436
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-045\\b'
1437
+ message: |-
1438
+ RunSec Detection [AGT-045]: CWE-1336
1439
+ languages:
1440
+ - generic
1441
+ severity: WARNING
1442
+ - id: runsec.ds-ml-security.agt-046
1443
+ metadata:
1444
+ runsec_version: v1.0
1445
+ confidence: |-
1446
+ 0.9
1447
+ exploit_scenario: |-
1448
+ Model output can include attacker-influenced command payloads.
1449
+ fix_template: |-
1450
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1451
+ pattern-either:
1452
+ - pattern: |-
1453
+ subprocess.run(llm_output, shell=True)
1454
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-046\\b'
1455
+ message: |-
1456
+ RunSec Detection [AGT-046]: CWE-78
1457
+ languages:
1458
+ - generic
1459
+ severity: WARNING
1460
+ - id: runsec.ds-ml-security.agt-047
1461
+ metadata:
1462
+ runsec_version: v1.0
1463
+ confidence: |-
1464
+ 0.9
1465
+ exploit_scenario: |-
1466
+ Unconstrained tool access enables privilege escalation in agent loop.
1467
+ fix_template: |-
1468
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1469
+ pattern-either:
1470
+ - pattern: |-
1471
+ tool.invoke(parsed.tool_name, parsed.args)
1472
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-047\\b'
1473
+ message: |-
1474
+ RunSec Detection [AGT-047]: CWE-863
1475
+ languages:
1476
+ - generic
1477
+ severity: WARNING
1478
+ - id: runsec.ds-ml-security.agt-048
1479
+ metadata:
1480
+ runsec_version: v1.0
1481
+ confidence: |-
1482
+ 0.9
1483
+ exploit_scenario: |-
1484
+ Executing generated code without sandboxing risks full compromise.
1485
+ fix_template: |-
1486
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1487
+ pattern-either:
1488
+ - pattern: |-
1489
+ exec(generated_python)
1490
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-048\\b'
1491
+ message: |-
1492
+ RunSec Detection [AGT-048]: CWE-94
1493
+ languages:
1494
+ - generic
1495
+ severity: WARNING
1496
+ - id: runsec.ds-ml-security.agt-049
1497
+ metadata:
1498
+ runsec_version: v1.0
1499
+ confidence: |-
1500
+ 0.9
1501
+ exploit_scenario: |-
1502
+ Injected instructions in external content hijack agent behavior.
1503
+ fix_template: |-
1504
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1505
+ pattern-either:
1506
+ - pattern: |-
1507
+ prompt = user_prompt + '\n' + fetched_page_text
1508
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-049\\b'
1509
+ message: |-
1510
+ RunSec Detection [AGT-049]: CWE-1336
1511
+ languages:
1512
+ - generic
1513
+ severity: WARNING
1514
+ - id: runsec.ds-ml-security.agt-050
1515
+ metadata:
1516
+ runsec_version: v1.0
1517
+ confidence: |-
1518
+ 0.9
1519
+ exploit_scenario: |-
1520
+ Model output can include attacker-influenced command payloads.
1521
+ fix_template: |-
1522
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1523
+ pattern-either:
1524
+ - pattern: |-
1525
+ subprocess.run(llm_output, shell=True)
1526
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-050\\b'
1527
+ message: |-
1528
+ RunSec Detection [AGT-050]: CWE-78
1529
+ languages:
1530
+ - generic
1531
+ severity: WARNING
1532
+ - id: runsec.ds-ml-security.agt-051
1533
+ metadata:
1534
+ runsec_version: v1.0
1535
+ confidence: |-
1536
+ 0.9
1537
+ exploit_scenario: |-
1538
+ Unconstrained tool access enables privilege escalation in agent loop.
1539
+ fix_template: |-
1540
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1541
+ pattern-either:
1542
+ - pattern: |-
1543
+ tool.invoke(parsed.tool_name, parsed.args)
1544
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-051\\b'
1545
+ message: |-
1546
+ RunSec Detection [AGT-051]: CWE-863
1547
+ languages:
1548
+ - generic
1549
+ severity: WARNING
1550
+ - id: runsec.ds-ml-security.agt-052
1551
+ metadata:
1552
+ runsec_version: v1.0
1553
+ confidence: |-
1554
+ 0.9
1555
+ exploit_scenario: |-
1556
+ Executing generated code without sandboxing risks full compromise.
1557
+ fix_template: |-
1558
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1559
+ pattern-either:
1560
+ - pattern: |-
1561
+ exec(generated_python)
1562
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-052\\b'
1563
+ message: |-
1564
+ RunSec Detection [AGT-052]: CWE-94
1565
+ languages:
1566
+ - generic
1567
+ severity: WARNING
1568
+ - id: runsec.ds-ml-security.agt-053
1569
+ metadata:
1570
+ runsec_version: v1.0
1571
+ confidence: |-
1572
+ 0.9
1573
+ exploit_scenario: |-
1574
+ Injected instructions in external content hijack agent behavior.
1575
+ fix_template: |-
1576
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1577
+ pattern-either:
1578
+ - pattern: |-
1579
+ prompt = user_prompt + '\n' + fetched_page_text
1580
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-053\\b'
1581
+ message: |-
1582
+ RunSec Detection [AGT-053]: CWE-1336
1583
+ languages:
1584
+ - generic
1585
+ severity: WARNING
1586
+ - id: runsec.ds-ml-security.agt-054
1587
+ metadata:
1588
+ runsec_version: v1.0
1589
+ confidence: |-
1590
+ 0.9
1591
+ exploit_scenario: |-
1592
+ Model output can include attacker-influenced command payloads.
1593
+ fix_template: |-
1594
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1595
+ pattern-either:
1596
+ - pattern: |-
1597
+ subprocess.run(llm_output, shell=True)
1598
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-054\\b'
1599
+ message: |-
1600
+ RunSec Detection [AGT-054]: CWE-78
1601
+ languages:
1602
+ - generic
1603
+ severity: WARNING
1604
+ - id: runsec.ds-ml-security.agt-055
1605
+ metadata:
1606
+ runsec_version: v1.0
1607
+ confidence: |-
1608
+ 0.9
1609
+ exploit_scenario: |-
1610
+ Unconstrained tool access enables privilege escalation in agent loop.
1611
+ fix_template: |-
1612
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1613
+ pattern-either:
1614
+ - pattern: |-
1615
+ tool.invoke(parsed.tool_name, parsed.args)
1616
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-055\\b'
1617
+ message: |-
1618
+ RunSec Detection [AGT-055]: CWE-863
1619
+ languages:
1620
+ - generic
1621
+ severity: WARNING
1622
+ - id: runsec.ds-ml-security.agt-056
1623
+ metadata:
1624
+ runsec_version: v1.0
1625
+ confidence: |-
1626
+ 0.9
1627
+ exploit_scenario: |-
1628
+ Executing generated code without sandboxing risks full compromise.
1629
+ fix_template: |-
1630
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1631
+ pattern-either:
1632
+ - pattern: |-
1633
+ exec(generated_python)
1634
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-056\\b'
1635
+ message: |-
1636
+ RunSec Detection [AGT-056]: CWE-94
1637
+ languages:
1638
+ - generic
1639
+ severity: WARNING
1640
+ - id: runsec.ds-ml-security.agt-057
1641
+ metadata:
1642
+ runsec_version: v1.0
1643
+ confidence: |-
1644
+ 0.9
1645
+ exploit_scenario: |-
1646
+ Injected instructions in external content hijack agent behavior.
1647
+ fix_template: |-
1648
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1649
+ pattern-either:
1650
+ - pattern: |-
1651
+ prompt = user_prompt + '\n' + fetched_page_text
1652
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-057\\b'
1653
+ message: |-
1654
+ RunSec Detection [AGT-057]: CWE-1336
1655
+ languages:
1656
+ - generic
1657
+ severity: WARNING
1658
+ - id: runsec.ds-ml-security.agt-058
1659
+ metadata:
1660
+ runsec_version: v1.0
1661
+ confidence: |-
1662
+ 0.9
1663
+ exploit_scenario: |-
1664
+ Model output can include attacker-influenced command payloads.
1665
+ fix_template: |-
1666
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1667
+ pattern-either:
1668
+ - pattern: |-
1669
+ subprocess.run(llm_output, shell=True)
1670
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-058\\b'
1671
+ message: |-
1672
+ RunSec Detection [AGT-058]: CWE-78
1673
+ languages:
1674
+ - generic
1675
+ severity: WARNING
1676
+ - id: runsec.ds-ml-security.agt-059
1677
+ metadata:
1678
+ runsec_version: v1.0
1679
+ confidence: |-
1680
+ 0.9
1681
+ exploit_scenario: |-
1682
+ Unconstrained tool access enables privilege escalation in agent loop.
1683
+ fix_template: |-
1684
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1685
+ pattern-either:
1686
+ - pattern: |-
1687
+ tool.invoke(parsed.tool_name, parsed.args)
1688
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-059\\b'
1689
+ message: |-
1690
+ RunSec Detection [AGT-059]: CWE-863
1691
+ languages:
1692
+ - generic
1693
+ severity: WARNING
1694
+ - id: runsec.ds-ml-security.agt-060
1695
+ metadata:
1696
+ runsec_version: v1.0
1697
+ confidence: |-
1698
+ 0.9
1699
+ exploit_scenario: |-
1700
+ Executing generated code without sandboxing risks full compromise.
1701
+ fix_template: |-
1702
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1703
+ pattern-either:
1704
+ - pattern: |-
1705
+ exec(generated_python)
1706
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-060\\b'
1707
+ message: |-
1708
+ RunSec Detection [AGT-060]: CWE-94
1709
+ languages:
1710
+ - generic
1711
+ severity: WARNING
1712
+ - id: runsec.ds-ml-security.agt-061
1713
+ metadata:
1714
+ runsec_version: v1.0
1715
+ confidence: |-
1716
+ 0.9
1717
+ exploit_scenario: |-
1718
+ Injected instructions in external content hijack agent behavior.
1719
+ fix_template: |-
1720
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1721
+ pattern-either:
1722
+ - pattern: |-
1723
+ prompt = user_prompt + '\n' + fetched_page_text
1724
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-061\\b'
1725
+ message: |-
1726
+ RunSec Detection [AGT-061]: CWE-1336
1727
+ languages:
1728
+ - generic
1729
+ severity: WARNING
1730
+ - id: runsec.ds-ml-security.agt-062
1731
+ metadata:
1732
+ runsec_version: v1.0
1733
+ confidence: |-
1734
+ 0.9
1735
+ exploit_scenario: |-
1736
+ Model output can include attacker-influenced command payloads.
1737
+ fix_template: |-
1738
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1739
+ pattern-either:
1740
+ - pattern: |-
1741
+ subprocess.run(llm_output, shell=True)
1742
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-062\\b'
1743
+ message: |-
1744
+ RunSec Detection [AGT-062]: CWE-78
1745
+ languages:
1746
+ - generic
1747
+ severity: WARNING
1748
+ - id: runsec.ds-ml-security.agt-063
1749
+ metadata:
1750
+ runsec_version: v1.0
1751
+ confidence: |-
1752
+ 0.9
1753
+ exploit_scenario: |-
1754
+ Unconstrained tool access enables privilege escalation in agent loop.
1755
+ fix_template: |-
1756
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1757
+ pattern-either:
1758
+ - pattern: |-
1759
+ tool.invoke(parsed.tool_name, parsed.args)
1760
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-063\\b'
1761
+ message: |-
1762
+ RunSec Detection [AGT-063]: CWE-863
1763
+ languages:
1764
+ - generic
1765
+ severity: WARNING
1766
+ - id: runsec.ds-ml-security.agt-064
1767
+ metadata:
1768
+ runsec_version: v1.0
1769
+ confidence: |-
1770
+ 0.9
1771
+ exploit_scenario: |-
1772
+ Executing generated code without sandboxing risks full compromise.
1773
+ fix_template: |-
1774
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1775
+ pattern-either:
1776
+ - pattern: |-
1777
+ exec(generated_python)
1778
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-064\\b'
1779
+ message: |-
1780
+ RunSec Detection [AGT-064]: CWE-94
1781
+ languages:
1782
+ - generic
1783
+ severity: WARNING
1784
+ - id: runsec.ds-ml-security.agt-065
1785
+ metadata:
1786
+ runsec_version: v1.0
1787
+ confidence: |-
1788
+ 0.9
1789
+ exploit_scenario: |-
1790
+ Injected instructions in external content hijack agent behavior.
1791
+ fix_template: |-
1792
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1793
+ pattern-either:
1794
+ - pattern: |-
1795
+ prompt = user_prompt + '\n' + fetched_page_text
1796
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-065\\b'
1797
+ message: |-
1798
+ RunSec Detection [AGT-065]: CWE-1336
1799
+ languages:
1800
+ - generic
1801
+ severity: WARNING
1802
+ - id: runsec.ds-ml-security.agt-066
1803
+ metadata:
1804
+ runsec_version: v1.0
1805
+ confidence: |-
1806
+ 0.9
1807
+ exploit_scenario: |-
1808
+ Model output can include attacker-influenced command payloads.
1809
+ fix_template: |-
1810
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1811
+ pattern-either:
1812
+ - pattern: |-
1813
+ subprocess.run(llm_output, shell=True)
1814
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-066\\b'
1815
+ message: |-
1816
+ RunSec Detection [AGT-066]: CWE-78
1817
+ languages:
1818
+ - generic
1819
+ severity: WARNING
1820
+ - id: runsec.ds-ml-security.agt-067
1821
+ metadata:
1822
+ runsec_version: v1.0
1823
+ confidence: |-
1824
+ 0.9
1825
+ exploit_scenario: |-
1826
+ Unconstrained tool access enables privilege escalation in agent loop.
1827
+ fix_template: |-
1828
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1829
+ pattern-either:
1830
+ - pattern: |-
1831
+ tool.invoke(parsed.tool_name, parsed.args)
1832
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-067\\b'
1833
+ message: |-
1834
+ RunSec Detection [AGT-067]: CWE-863
1835
+ languages:
1836
+ - generic
1837
+ severity: WARNING
1838
+ - id: runsec.ds-ml-security.agt-068
1839
+ metadata:
1840
+ runsec_version: v1.0
1841
+ confidence: |-
1842
+ 0.9
1843
+ exploit_scenario: |-
1844
+ Executing generated code without sandboxing risks full compromise.
1845
+ fix_template: |-
1846
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1847
+ pattern-either:
1848
+ - pattern: |-
1849
+ exec(generated_python)
1850
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-068\\b'
1851
+ message: |-
1852
+ RunSec Detection [AGT-068]: CWE-94
1853
+ languages:
1854
+ - generic
1855
+ severity: WARNING
1856
+ - id: runsec.ds-ml-security.agt-069
1857
+ metadata:
1858
+ runsec_version: v1.0
1859
+ confidence: |-
1860
+ 0.9
1861
+ exploit_scenario: |-
1862
+ Injected instructions in external content hijack agent behavior.
1863
+ fix_template: |-
1864
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1865
+ pattern-either:
1866
+ - pattern: |-
1867
+ prompt = user_prompt + '\n' + fetched_page_text
1868
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-069\\b'
1869
+ message: |-
1870
+ RunSec Detection [AGT-069]: CWE-1336
1871
+ languages:
1872
+ - generic
1873
+ severity: WARNING
1874
+ - id: runsec.ds-ml-security.agt-070
1875
+ metadata:
1876
+ runsec_version: v1.0
1877
+ confidence: |-
1878
+ 0.9
1879
+ exploit_scenario: |-
1880
+ Model output can include attacker-influenced command payloads.
1881
+ fix_template: |-
1882
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1883
+ pattern-either:
1884
+ - pattern: |-
1885
+ subprocess.run(llm_output, shell=True)
1886
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-070\\b'
1887
+ message: |-
1888
+ RunSec Detection [AGT-070]: CWE-78
1889
+ languages:
1890
+ - generic
1891
+ severity: WARNING
1892
+ - id: runsec.ds-ml-security.agt-071
1893
+ metadata:
1894
+ runsec_version: v1.0
1895
+ confidence: |-
1896
+ 0.9
1897
+ exploit_scenario: |-
1898
+ Unconstrained tool access enables privilege escalation in agent loop.
1899
+ fix_template: |-
1900
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1901
+ pattern-either:
1902
+ - pattern: |-
1903
+ tool.invoke(parsed.tool_name, parsed.args)
1904
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-071\\b'
1905
+ message: |-
1906
+ RunSec Detection [AGT-071]: CWE-863
1907
+ languages:
1908
+ - generic
1909
+ severity: WARNING
1910
+ - id: runsec.ds-ml-security.agt-072
1911
+ metadata:
1912
+ runsec_version: v1.0
1913
+ confidence: |-
1914
+ 0.9
1915
+ exploit_scenario: |-
1916
+ Executing generated code without sandboxing risks full compromise.
1917
+ fix_template: |-
1918
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1919
+ pattern-either:
1920
+ - pattern: |-
1921
+ exec(generated_python)
1922
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-072\\b'
1923
+ message: |-
1924
+ RunSec Detection [AGT-072]: CWE-94
1925
+ languages:
1926
+ - generic
1927
+ severity: WARNING
1928
+ - id: runsec.ds-ml-security.agt-073
1929
+ metadata:
1930
+ runsec_version: v1.0
1931
+ confidence: |-
1932
+ 0.9
1933
+ exploit_scenario: |-
1934
+ Injected instructions in external content hijack agent behavior.
1935
+ fix_template: |-
1936
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1937
+ pattern-either:
1938
+ - pattern: |-
1939
+ prompt = user_prompt + '\n' + fetched_page_text
1940
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-073\\b'
1941
+ message: |-
1942
+ RunSec Detection [AGT-073]: CWE-1336
1943
+ languages:
1944
+ - generic
1945
+ severity: WARNING
1946
+ - id: runsec.ds-ml-security.agt-074
1947
+ metadata:
1948
+ runsec_version: v1.0
1949
+ confidence: |-
1950
+ 0.9
1951
+ exploit_scenario: |-
1952
+ Model output can include attacker-influenced command payloads.
1953
+ fix_template: |-
1954
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1955
+ pattern-either:
1956
+ - pattern: |-
1957
+ subprocess.run(llm_output, shell=True)
1958
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-074\\b'
1959
+ message: |-
1960
+ RunSec Detection [AGT-074]: CWE-78
1961
+ languages:
1962
+ - generic
1963
+ severity: WARNING
1964
+ - id: runsec.ds-ml-security.agt-075
1965
+ metadata:
1966
+ runsec_version: v1.0
1967
+ confidence: |-
1968
+ 0.9
1969
+ exploit_scenario: |-
1970
+ Unconstrained tool access enables privilege escalation in agent loop.
1971
+ fix_template: |-
1972
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1973
+ pattern-either:
1974
+ - pattern: |-
1975
+ tool.invoke(parsed.tool_name, parsed.args)
1976
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-075\\b'
1977
+ message: |-
1978
+ RunSec Detection [AGT-075]: CWE-863
1979
+ languages:
1980
+ - generic
1981
+ severity: WARNING
1982
+ - id: runsec.ds-ml-security.agt-076
1983
+ metadata:
1984
+ runsec_version: v1.0
1985
+ confidence: |-
1986
+ 0.9
1987
+ exploit_scenario: |-
1988
+ Executing generated code without sandboxing risks full compromise.
1989
+ fix_template: |-
1990
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
1991
+ pattern-either:
1992
+ - pattern: |-
1993
+ exec(generated_python)
1994
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-076\\b'
1995
+ message: |-
1996
+ RunSec Detection [AGT-076]: CWE-94
1997
+ languages:
1998
+ - generic
1999
+ severity: WARNING
2000
+ - id: runsec.ds-ml-security.agt-077
2001
+ metadata:
2002
+ runsec_version: v1.0
2003
+ confidence: |-
2004
+ 0.9
2005
+ exploit_scenario: |-
2006
+ Injected instructions in external content hijack agent behavior.
2007
+ fix_template: |-
2008
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
2009
+ pattern-either:
2010
+ - pattern: |-
2011
+ prompt = user_prompt + '\n' + fetched_page_text
2012
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-077\\b'
2013
+ message: |-
2014
+ RunSec Detection [AGT-077]: CWE-1336
2015
+ languages:
2016
+ - generic
2017
+ severity: WARNING
2018
+ - id: runsec.ds-ml-security.agt-078
2019
+ metadata:
2020
+ runsec_version: v1.0
2021
+ confidence: |-
2022
+ 0.9
2023
+ exploit_scenario: |-
2024
+ Model output can include attacker-influenced command payloads.
2025
+ fix_template: |-
2026
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
2027
+ pattern-either:
2028
+ - pattern: |-
2029
+ subprocess.run(llm_output, shell=True)
2030
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-078\\b'
2031
+ message: |-
2032
+ RunSec Detection [AGT-078]: CWE-78
2033
+ languages:
2034
+ - generic
2035
+ severity: WARNING
2036
+ - id: runsec.ds-ml-security.agt-079
2037
+ metadata:
2038
+ runsec_version: v1.0
2039
+ confidence: |-
2040
+ 0.9
2041
+ exploit_scenario: |-
2042
+ Unconstrained tool access enables privilege escalation in agent loop.
2043
+ fix_template: |-
2044
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
2045
+ pattern-either:
2046
+ - pattern: |-
2047
+ tool.invoke(parsed.tool_name, parsed.args)
2048
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-079\\b'
2049
+ message: |-
2050
+ RunSec Detection [AGT-079]: CWE-863
2051
+ languages:
2052
+ - generic
2053
+ severity: WARNING
2054
+ - id: runsec.ds-ml-security.agt-080
2055
+ metadata:
2056
+ runsec_version: v1.0
2057
+ confidence: |-
2058
+ 0.9
2059
+ exploit_scenario: |-
2060
+ Executing generated code without sandboxing risks full compromise.
2061
+ fix_template: |-
2062
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
2063
+ pattern-either:
2064
+ - pattern: |-
2065
+ exec(generated_python)
2066
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-080\\b'
2067
+ message: |-
2068
+ RunSec Detection [AGT-080]: CWE-94
2069
+ languages:
2070
+ - generic
2071
+ severity: WARNING
2072
+ - id: runsec.ds-ml-security.agt-081
2073
+ metadata:
2074
+ runsec_version: v1.0
2075
+ confidence: |-
2076
+ 0.9
2077
+ exploit_scenario: |-
2078
+ Injected instructions in external content hijack agent behavior.
2079
+ fix_template: |-
2080
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
2081
+ pattern-either:
2082
+ - pattern: |-
2083
+ prompt = user_prompt + '\n' + fetched_page_text
2084
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-081\\b'
2085
+ message: |-
2086
+ RunSec Detection [AGT-081]: CWE-1336
2087
+ languages:
2088
+ - generic
2089
+ severity: WARNING
2090
+ - id: runsec.ds-ml-security.agt-082
2091
+ metadata:
2092
+ runsec_version: v1.0
2093
+ confidence: |-
2094
+ 0.9
2095
+ exploit_scenario: |-
2096
+ Model output can include attacker-influenced command payloads.
2097
+ fix_template: |-
2098
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
2099
+ pattern-either:
2100
+ - pattern: |-
2101
+ subprocess.run(llm_output, shell=True)
2102
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-082\\b'
2103
+ message: |-
2104
+ RunSec Detection [AGT-082]: CWE-78
2105
+ languages:
2106
+ - generic
2107
+ severity: WARNING
2108
+ - id: runsec.ds-ml-security.agt-083
2109
+ metadata:
2110
+ runsec_version: v1.0
2111
+ confidence: |-
2112
+ 0.9
2113
+ exploit_scenario: |-
2114
+ Unconstrained tool access enables privilege escalation in agent loop.
2115
+ fix_template: |-
2116
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
2117
+ pattern-either:
2118
+ - pattern: |-
2119
+ tool.invoke(parsed.tool_name, parsed.args)
2120
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-083\\b'
2121
+ message: |-
2122
+ RunSec Detection [AGT-083]: CWE-863
2123
+ languages:
2124
+ - generic
2125
+ severity: WARNING
2126
+ - id: runsec.ds-ml-security.agt-084
2127
+ metadata:
2128
+ runsec_version: v1.0
2129
+ confidence: |-
2130
+ 0.9
2131
+ exploit_scenario: |-
2132
+ Executing generated code without sandboxing risks full compromise.
2133
+ fix_template: |-
2134
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
2135
+ pattern-either:
2136
+ - pattern: |-
2137
+ exec(generated_python)
2138
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-084\\b'
2139
+ message: |-
2140
+ RunSec Detection [AGT-084]: CWE-94
2141
+ languages:
2142
+ - generic
2143
+ severity: WARNING
2144
+ - id: runsec.ds-ml-security.agt-085
2145
+ metadata:
2146
+ runsec_version: v1.0
2147
+ confidence: |-
2148
+ 0.9
2149
+ exploit_scenario: |-
2150
+ Injected instructions in external content hijack agent behavior.
2151
+ fix_template: |-
2152
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
2153
+ pattern-either:
2154
+ - pattern: |-
2155
+ prompt = user_prompt + '\n' + fetched_page_text
2156
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-085\\b'
2157
+ message: |-
2158
+ RunSec Detection [AGT-085]: CWE-1336
2159
+ languages:
2160
+ - generic
2161
+ severity: WARNING
2162
+ - id: runsec.ds-ml-security.agt-086
2163
+ metadata:
2164
+ runsec_version: v1.0
2165
+ confidence: |-
2166
+ 0.9
2167
+ exploit_scenario: |-
2168
+ Model output can include attacker-influenced command payloads.
2169
+ fix_template: |-
2170
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
2171
+ pattern-either:
2172
+ - pattern: |-
2173
+ subprocess.run(llm_output, shell=True)
2174
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-086\\b'
2175
+ message: |-
2176
+ RunSec Detection [AGT-086]: CWE-78
2177
+ languages:
2178
+ - generic
2179
+ severity: WARNING
2180
+ - id: runsec.ds-ml-security.agt-087
2181
+ metadata:
2182
+ runsec_version: v1.0
2183
+ confidence: |-
2184
+ 0.9
2185
+ exploit_scenario: |-
2186
+ Unconstrained tool access enables privilege escalation in agent loop.
2187
+ fix_template: |-
2188
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
2189
+ pattern-either:
2190
+ - pattern: |-
2191
+ tool.invoke(parsed.tool_name, parsed.args)
2192
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-087\\b'
2193
+ message: |-
2194
+ RunSec Detection [AGT-087]: CWE-863
2195
+ languages:
2196
+ - generic
2197
+ severity: WARNING
2198
+ - id: runsec.ds-ml-security.agt-088
2199
+ metadata:
2200
+ runsec_version: v1.0
2201
+ confidence: |-
2202
+ 0.9
2203
+ exploit_scenario: |-
2204
+ Executing generated code without sandboxing risks full compromise.
2205
+ fix_template: |-
2206
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
2207
+ pattern-either:
2208
+ - pattern: |-
2209
+ exec(generated_python)
2210
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-088\\b'
2211
+ message: |-
2212
+ RunSec Detection [AGT-088]: CWE-94
2213
+ languages:
2214
+ - generic
2215
+ severity: WARNING
2216
+ - id: runsec.ds-ml-security.agt-089
2217
+ metadata:
2218
+ runsec_version: v1.0
2219
+ confidence: |-
2220
+ 0.9
2221
+ exploit_scenario: |-
2222
+ Injected instructions in external content hijack agent behavior.
2223
+ fix_template: |-
2224
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
2225
+ pattern-either:
2226
+ - pattern: |-
2227
+ prompt = user_prompt + '\n' + fetched_page_text
2228
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-089\\b'
2229
+ message: |-
2230
+ RunSec Detection [AGT-089]: CWE-1336
2231
+ languages:
2232
+ - generic
2233
+ severity: WARNING
2234
+ - id: runsec.ds-ml-security.agt-090
2235
+ metadata:
2236
+ runsec_version: v1.0
2237
+ confidence: |-
2238
+ 0.9
2239
+ exploit_scenario: |-
2240
+ Model output can include attacker-influenced command payloads.
2241
+ fix_template: |-
2242
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
2243
+ pattern-either:
2244
+ - pattern: |-
2245
+ subprocess.run(llm_output, shell=True)
2246
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-090\\b'
2247
+ message: |-
2248
+ RunSec Detection [AGT-090]: CWE-78
2249
+ languages:
2250
+ - generic
2251
+ severity: WARNING
2252
+ - id: runsec.ds-ml-security.agt-091
2253
+ metadata:
2254
+ runsec_version: v1.0
2255
+ confidence: |-
2256
+ 0.9
2257
+ exploit_scenario: |-
2258
+ Unconstrained tool access enables privilege escalation in agent loop.
2259
+ fix_template: |-
2260
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
2261
+ pattern-either:
2262
+ - pattern: |-
2263
+ tool.invoke(parsed.tool_name, parsed.args)
2264
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-091\\b'
2265
+ message: |-
2266
+ RunSec Detection [AGT-091]: CWE-863
2267
+ languages:
2268
+ - generic
2269
+ severity: WARNING
2270
+ - id: runsec.ds-ml-security.agt-092
2271
+ metadata:
2272
+ runsec_version: v1.0
2273
+ confidence: |-
2274
+ 0.9
2275
+ exploit_scenario: |-
2276
+ Executing generated code without sandboxing risks full compromise.
2277
+ fix_template: |-
2278
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
2279
+ pattern-either:
2280
+ - pattern: |-
2281
+ exec(generated_python)
2282
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-092\\b'
2283
+ message: |-
2284
+ RunSec Detection [AGT-092]: CWE-94
2285
+ languages:
2286
+ - generic
2287
+ severity: WARNING
2288
+ - id: runsec.ds-ml-security.agt-093
2289
+ metadata:
2290
+ runsec_version: v1.0
2291
+ confidence: |-
2292
+ 0.9
2293
+ exploit_scenario: |-
2294
+ Injected instructions in external content hijack agent behavior.
2295
+ fix_template: |-
2296
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
2297
+ pattern-either:
2298
+ - pattern: |-
2299
+ prompt = user_prompt + '\n' + fetched_page_text
2300
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-093\\b'
2301
+ message: |-
2302
+ RunSec Detection [AGT-093]: CWE-1336
2303
+ languages:
2304
+ - generic
2305
+ severity: WARNING
2306
+ - id: runsec.ds-ml-security.agt-094
2307
+ metadata:
2308
+ runsec_version: v1.0
2309
+ confidence: |-
2310
+ 0.9
2311
+ exploit_scenario: |-
2312
+ Model output can include attacker-influenced command payloads.
2313
+ fix_template: |-
2314
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
2315
+ pattern-either:
2316
+ - pattern: |-
2317
+ subprocess.run(llm_output, shell=True)
2318
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-094\\b'
2319
+ message: |-
2320
+ RunSec Detection [AGT-094]: CWE-78
2321
+ languages:
2322
+ - generic
2323
+ severity: WARNING
2324
+ - id: runsec.ds-ml-security.agt-095
2325
+ metadata:
2326
+ runsec_version: v1.0
2327
+ confidence: |-
2328
+ 0.9
2329
+ exploit_scenario: |-
2330
+ Unconstrained tool access enables privilege escalation in agent loop.
2331
+ fix_template: |-
2332
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
2333
+ pattern-either:
2334
+ - pattern: |-
2335
+ tool.invoke(parsed.tool_name, parsed.args)
2336
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-095\\b'
2337
+ message: |-
2338
+ RunSec Detection [AGT-095]: CWE-863
2339
+ languages:
2340
+ - generic
2341
+ severity: WARNING
2342
+ - id: runsec.ds-ml-security.agt-096
2343
+ metadata:
2344
+ runsec_version: v1.0
2345
+ confidence: |-
2346
+ 0.9
2347
+ exploit_scenario: |-
2348
+ Executing generated code without sandboxing risks full compromise.
2349
+ fix_template: |-
2350
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
2351
+ pattern-either:
2352
+ - pattern: |-
2353
+ exec(generated_python)
2354
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-096\\b'
2355
+ message: |-
2356
+ RunSec Detection [AGT-096]: CWE-94
2357
+ languages:
2358
+ - generic
2359
+ severity: WARNING
2360
+ - id: runsec.ds-ml-security.agt-097
2361
+ metadata:
2362
+ runsec_version: v1.0
2363
+ confidence: |-
2364
+ 0.9
2365
+ exploit_scenario: |-
2366
+ Injected instructions in external content hijack agent behavior.
2367
+ fix_template: |-
2368
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
2369
+ pattern-either:
2370
+ - pattern: |-
2371
+ prompt = user_prompt + '\n' + fetched_page_text
2372
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-097\\b'
2373
+ message: |-
2374
+ RunSec Detection [AGT-097]: CWE-1336
2375
+ languages:
2376
+ - generic
2377
+ severity: WARNING
2378
+ - id: runsec.ds-ml-security.agt-098
2379
+ metadata:
2380
+ runsec_version: v1.0
2381
+ confidence: |-
2382
+ 0.9
2383
+ exploit_scenario: |-
2384
+ Model output can include attacker-influenced command payloads.
2385
+ fix_template: |-
2386
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
2387
+ pattern-either:
2388
+ - pattern: |-
2389
+ subprocess.run(llm_output, shell=True)
2390
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-098\\b'
2391
+ message: |-
2392
+ RunSec Detection [AGT-098]: CWE-78
2393
+ languages:
2394
+ - generic
2395
+ severity: WARNING
2396
+ - id: runsec.ds-ml-security.agt-099
2397
+ metadata:
2398
+ runsec_version: v1.0
2399
+ confidence: |-
2400
+ 0.9
2401
+ exploit_scenario: |-
2402
+ Unconstrained tool access enables privilege escalation in agent loop.
2403
+ fix_template: |-
2404
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
2405
+ pattern-either:
2406
+ - pattern: |-
2407
+ tool.invoke(parsed.tool_name, parsed.args)
2408
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-099\\b'
2409
+ message: |-
2410
+ RunSec Detection [AGT-099]: CWE-863
2411
+ languages:
2412
+ - generic
2413
+ severity: WARNING
2414
+ - id: runsec.ds-ml-security.agt-100
2415
+ metadata:
2416
+ runsec_version: v1.0
2417
+ confidence: |-
2418
+ 0.9
2419
+ exploit_scenario: |-
2420
+ Executing generated code without sandboxing risks full compromise.
2421
+ fix_template: |-
2422
+ Autofix: sanitize retrieved context, apply tool/command allowlists, and enforce sandbox execution.
2423
+ pattern-either:
2424
+ - pattern: |-
2425
+ exec(generated_python)
2426
+ - pattern-regex: 'Vulnerable:\\s*AGT\\-100\\b'
2427
+ message: |-
2428
+ RunSec Detection [AGT-100]: CWE-94
2429
+ languages:
2430
+ - generic
2431
+ severity: WARNING