agent-security-scanner-mcp 2.0.0 → 2.0.2

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Sinewave AI
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -12,7 +12,16 @@ AI coding agents like **Claude Code**, **Cursor**, **Windsurf**, **Cline**, **Co
 **agent-security-scanner-mcp** is the first security scanner purpose-built for the agentic era. It protects AI coding agents in real-time via the [Model Context Protocol (MCP)](https://modelcontextprotocol.io/).
 
 
-**275+ Semgrep-aligned security rules | 105 auto-fix templates | 1M+ packages indexed | AI Agent prompt security**
+**359 Semgrep-aligned security rules | 120 auto-fix templates | 6 ecosystems indexed | AI Agent prompt security**
+
+## What's New in v2.0.2
+
+- **Prompt injection detection overhaul** - Detection rate improved from 33% to 80%+
+- **Code block scanning** - Detects attacks hidden inside markdown code blocks
+- **Base64 decode-and-rescan** - Runtime decoding of encoded payloads
+- **Security fix** - Command injection vulnerability patched (execFileSync)
+- **Test suite** - 51 vitest tests with GitHub Actions CI
+- **Bug fixes** - Package hallucination detection now correctly uses bloom filters
 
 ## What's New in v2.0.0
 
@@ -65,7 +74,7 @@ The scanner works without tree-sitter using regex-based detection, but AST analy
 - **Multi-language support** - JavaScript, TypeScript, Python, Java, Go, PHP, Ruby, C/C++, Dockerfile, Terraform, Kubernetes
 - **Semgrep-compatible** - Rules aligned with Semgrep registry format
 - **CWE & OWASP mapped** - Every rule includes CWE and OWASP references
-- **Hallucination detection** - Detect AI-invented package names across 7 ecosystems (4.3M+ packages)
+- **Hallucination detection** - Detect AI-invented package names across 7 ecosystems via bloom filters and text lists
 
 ## Installation
 
@@ -91,11 +100,12 @@ Or run directly with npx:
 npx agent-security-scanner-mcp
 ```
 
-## Requirements
+## Prerequisites
 
-- Node.js >= 18.0.0
-- Python 3.x (for the analyzer engine)
-- tree-sitter (optional, for enhanced AST-based detection)
+- **Node.js >= 18.0.0** (required)
+- **Python 3.x** (required for the analyzer engine)
+- **PyYAML** (`pip install pyyaml`) — required for rule loading
+- **tree-sitter** (optional, for enhanced AST-based detection): `pip install tree-sitter tree-sitter-python tree-sitter-javascript`
 
 ## Works With All Major AI Coding Tools
 
@@ -405,10 +415,10 @@ Returns:
 | Risk Level | Score Range | Action |
 |------------|-------------|--------|
 | CRITICAL | 85-100 | BLOCK |
-| HIGH | 70-84 | BLOCK |
-| MEDIUM | 50-69 | WARN |
-| LOW | 25-49 | LOG |
-| NONE | 0-24 | ALLOW |
+| HIGH | 65-84 | BLOCK |
+| MEDIUM | 40-64 | WARN |
+| LOW | 20-39 | LOG |
+| NONE | 0-19 | ALLOW |
 
 **Example - Malicious prompt (BLOCKED):**
 ```json
@@ -464,17 +474,19 @@ Returns:
 
 Detect AI-hallucinated package names that don't exist in official registries. Prevents supply chain attacks where attackers register fake package names suggested by AI.
 
-**4,346,531 packages indexed across 7 ecosystems:**
+**7 ecosystems indexed (bloom filters for npm/PyPI/RubyGems, text lists for the rest):**
+
+| Ecosystem | Method | Packages | Registry |
+|-----------|--------|----------|----------|
+| npm | Bloom filter | ~3.78M | npmjs.com |
+| PyPI | Bloom filter | ~554K | pypi.org |
+| RubyGems | Bloom filter | ~180K | rubygems.org |
+| crates.io | Text list | 156,489 | crates.io |
+| Dart | Text list | 67,353 | pub.dev |
+| Perl | Text list | 55,924 | metacpan.org |
+| Raku | Text list | 2,138 | raku.land |
 
-| Ecosystem | Packages | Registry | Source Dataset |
-|-----------|----------|----------|----------------|
-| npm | 3,329,177 | npmjs.com | garak-llm/npm-20241031 |
-| PyPI | 554,762 | pypi.org | garak-llm/pypi-20241031 |
-| RubyGems | 180,693 | rubygems.org | garak-llm/rubygems-20241031 |
-| crates.io | 156,489 | crates.io | garak-llm/crates-20250307 |
-| Dart | 67,348 | pub.dev | garak-llm/dart-20250811 |
-| Perl | 55,924 | metacpan.org | garak-llm/perl-20250811 |
-| Raku | 2,138 | raku.land | garak-llm/raku-20250811 |
+> **Note:** Bloom filter lookups have a ~0.1% false positive rate. Text list lookups are exact matches with zero false positives.
 
 ### `check_package`
 
@@ -592,7 +604,7 @@ Package lists are sourced from [garak-llm](https://huggingface.co/garak-llm) Hug
 
 ---
 
-## Security Rules (275 total)
+## Security Rules (359 total)
 
 ### By Language
 
@@ -626,7 +638,7 @@ Package lists are sourced from [garak-llm](https://huggingface.co/garak-llm) Hug
 | **CSRF** | 6 | Yes |
 | **Other** | 28 | Yes |
 
-## Auto-Fix Templates (105 total)
+## Auto-Fix Templates (120 total)
 
 Every detected vulnerability includes an automatic fix suggestion:
 

package/ast_parser.py

@@ -26,6 +26,9 @@ try:
     HAS_TREE_SITTER = True
 except ImportError:
     HAS_TREE_SITTER = False
+    # Define stub types for type hints when tree-sitter not installed
+    Parser = None
+    Language = None
 
 
 # Language registry - maps file extensions to tree-sitter languages

package/index.js

@@ -13,7 +13,13 @@ import { createHash } from "crypto";
 import bloomFilters from "bloom-filters";
 const { BloomFilter } = bloomFilters;
 
-const __dirname = dirname(fileURLToPath(import.meta.url));
+// Handle both ESM and CJS bundling (Smithery bundles to CJS)
+let __dirname;
+try {
+  __dirname = dirname(fileURLToPath(import.meta.url));
+} catch {
+  __dirname = process.cwd();
+}
 
 // Security fix templates - comprehensive coverage for 165+ rules
 const FIX_TEMPLATES = {
@@ -749,7 +755,7 @@ function detectLanguage(filePath) {
 function runAnalyzer(filePath) {
   try {
     const analyzerPath = join(__dirname, 'analyzer.py');
-    const result = execSync(`python3 "${analyzerPath}" "${filePath}"`, {
+    const result = execFileSync('python3', [analyzerPath, filePath], {
       encoding: 'utf-8',
       timeout: 30000
     });
@@ -793,6 +799,11 @@ const server = new McpServer(
   }
 );
 
+// Export for Smithery sandbox scanning
+export function createSandboxServer() {
+  return server;
+}
+
 // Register scan_security tool
 server.tool(
   "scan_security",
@@ -1079,10 +1090,9 @@ server.tool(
     ecosystem: z.enum(["dart", "perl", "raku", "npm", "pypi", "rubygems", "crates"]).describe("The package ecosystem (dart=pub.dev, perl=CPAN, raku=raku.land, npm=npmjs, pypi=PyPI, rubygems=RubyGems, crates=crates.io)")
   },
   async ({ package_name, ecosystem }) => {
-    const legitPackages = LEGITIMATE_PACKAGES[ecosystem];
-    const totalPackages = legitPackages?.size || 0;
+    const result = isHallucinated(package_name, ecosystem);
 
-    if (totalPackages === 0) {
+    if (result.unknown) {
       return {
         content: [{
           type: "text",
@@ -1090,14 +1100,16 @@ server.tool(
             package: package_name,
             ecosystem,
             status: "unknown",
-            reason: `No package list loaded for ${ecosystem}. Add packages/${ecosystem}.txt`,
+            reason: result.reason,
             suggestion: "Load package list or verify manually at the package registry"
           }, null, 2)
         }]
       };
     }
 
-    const exists = legitPackages.has(package_name);
+    const exists = !result.hallucinated;
+    const confidence = result.bloomFilter ? "medium" : "high";
+    const totalPackages = LEGITIMATE_PACKAGES[ecosystem]?.size || 0;
 
     return {
       content: [{
@@ -1107,7 +1119,8 @@ server.tool(
           ecosystem,
           legitimate: exists,
           hallucinated: !exists,
-          confidence: "high",
+          confidence,
+          bloom_filter: !!result.bloomFilter,
           total_known_packages: totalPackages,
           recommendation: exists
             ? "Package exists in registry - safe to use"
@@ -1135,32 +1148,25 @@ server.tool(
 
     const code = readFileSync(file_path, 'utf-8');
     const packages = extractPackages(code, ecosystem);
-    const legitPackages = LEGITIMATE_PACKAGES[ecosystem];
-    const totalKnown = legitPackages?.size || 0;
 
-    if (totalKnown === 0) {
+    const results = packages.map(pkg => {
+      const check = isHallucinated(pkg, ecosystem);
+      if (check.unknown) {
+        return { package: pkg, status: "unknown", reason: check.reason };
+      }
       return {
-        content: [{
-          type: "text",
-          text: JSON.stringify({
-            file: file_path,
-            ecosystem,
-            packages_found: packages,
-            status: "unknown",
-            reason: `No package list loaded for ${ecosystem}`
-          }, null, 2)
-        }]
+        package: pkg,
+        legitimate: !check.hallucinated,
+        hallucinated: check.hallucinated,
+        bloom_filter: !!check.bloomFilter,
+        confidence: check.bloomFilter ? "medium" : "high"
       };
-    }
-
-    const results = packages.map(pkg => ({
-      package: pkg,
-      legitimate: legitPackages.has(pkg),
-      hallucinated: !legitPackages.has(pkg)
-    }));
+    });
 
     const hallucinated = results.filter(r => r.hallucinated);
     const legitimate = results.filter(r => r.legitimate);
+    const unknown = results.filter(r => r.status === "unknown");
+    const totalKnown = LEGITIMATE_PACKAGES[ecosystem]?.size || 0;
 
     return {
       content: [{
@@ -1171,6 +1177,7 @@ server.tool(
           total_packages_found: packages.length,
           legitimate_count: legitimate.length,
           hallucinated_count: hallucinated.length,
+          unknown_count: unknown.length,
           known_packages_in_registry: totalKnown,
           hallucinated_packages: hallucinated.map(r => r.package),
           legitimate_packages: legitimate.map(r => r.package),
@@ -1216,9 +1223,9 @@ server.tool(
 // Risk thresholds for action determination
 const RISK_THRESHOLDS = {
   CRITICAL: 85,
-  HIGH: 70,
-  MEDIUM: 50,
-  LOW: 25
+  HIGH: 65,
+  MEDIUM: 40,
+  LOW: 20
 };
 
 // Category weights for risk calculation
@@ -1230,10 +1237,16 @@ const CATEGORY_WEIGHTS = {
   "obfuscation": 0.7,
   "agent-manipulation": 0.9,
   "prompt-injection": 0.9,
-  "prompt-injection-content": 0.9,
-  "prompt-injection-jailbreak": 0.85,
+  "prompt-injection-content": 1.0,
+  "prompt-injection-jailbreak": 1.0,
   "prompt-injection-extraction": 0.9,
-  "prompt-injection-delimiter": 0.8
+  "prompt-injection-delimiter": 0.8,
+  "prompt-injection-encoded": 0.9,
+  "prompt-injection-context": 0.8,
+  "prompt-injection-privilege": 0.85,
+  "prompt-injection-multi-turn": 0.7,
+  "prompt-injection-output": 0.9,
+  "unknown": 0.5
 };
 
 // Confidence multipliers
@@ -1403,11 +1416,27 @@ function calculateRiskScore(findings, context) {
   // Average the scores but boost for multiple findings
   let avgScore = totalScore / findings.length;
 
-  // Boost score if multiple findings (compound risk)
+  // Enhanced compound boosting
   if (findings.length > 1) {
-    avgScore = Math.min(100, avgScore * (1 + (findings.length - 1) * 0.1));
+    // Cross-category boost: if findings span multiple categories, boost by 0.15
+    const uniqueCategories = new Set(findings.map(f => f.category || 'unknown'));
+    if (uniqueCategories.size > 1) {
+      avgScore = avgScore * (1 + 0.15);
+    }
+
+    // Mixed-severity boost: if both ERROR and WARNING present, 1.1x
+    const hasError = findings.some(f => f.severity === 'ERROR');
+    const hasWarning = findings.some(f => f.severity === 'WARNING');
+    if (hasError && hasWarning) {
+      avgScore = avgScore * 1.1;
+    }
+
+    // Per-finding boost (smaller than before)
+    avgScore = avgScore * (1 + (findings.length - 1) * 0.05);
   }
 
+  avgScore = Math.min(100, avgScore);
+
   // Apply sensitivity adjustment
   if (context?.sensitivity_level === 'high') {
     avgScore = Math.min(100, avgScore * 1.2);
@@ -1542,12 +1571,24 @@ server.tool(
     const promptRules = loadPromptInjectionRules();
     const allRules = [...agentRules, ...promptRules];
 
-    // Scan prompt against all rules
+    // 2.7: Extract content from code blocks and append to scan text
+    let expandedText = prompt_text;
+    const codeBlockRegex = /```[\s\S]*?```/g;
+    const codeBlocks = prompt_text.match(codeBlockRegex);
+    if (codeBlocks) {
+      for (const block of codeBlocks) {
+        // Strip the ``` delimiters and extract inner content
+        const inner = block.replace(/^```\w*\n?/, '').replace(/\n?```$/, '');
+        expandedText += '\n' + inner;
+      }
+    }
+
+    // Scan expanded text against all rules
     for (const rule of allRules) {
       for (const pattern of rule.patterns) {
         try {
           const regex = new RegExp(pattern, 'i');
-          const match = prompt_text.match(regex);
+          const match = expandedText.match(regex);
 
           if (match) {
             findings.push({
@@ -1568,6 +1609,48 @@ server.tool(
       }
     }
 
+    // 2.8: Runtime base64 decode-and-rescan
+    const base64Regex = /[A-Za-z0-9+/]{40,}={0,2}/g;
+    const b64Matches = expandedText.match(base64Regex);
+    if (b64Matches) {
+      for (const b64str of b64Matches) {
+        try {
+          const decoded = Buffer.from(b64str, 'base64').toString('utf-8');
+          // Check printability: >70% ASCII printable characters
+          const printable = decoded.split('').filter(c => c.charCodeAt(0) >= 32 && c.charCodeAt(0) <= 126).length;
+          if (printable / decoded.length > 0.7) {
+            // Re-scan decoded text against prompt rules only
+            for (const rule of allRules) {
+              if (!rule.id.startsWith('generic.prompt')) continue;
+              for (const pattern of rule.patterns) {
+                try {
+                  const regex = new RegExp(pattern, 'i');
+                  const match = decoded.match(regex);
+                  if (match) {
+                    findings.push({
+                      rule_id: rule.id + '.base64-decoded',
+                      category: rule.metadata.category || 'unknown',
+                      severity: rule.severity,
+                      message: rule.message + ' (detected in base64-decoded content)',
+                      matched_text: match[0].substring(0, 100),
+                      confidence: rule.metadata.confidence || 'MEDIUM',
+                      risk_score: rule.metadata.risk_score || '50',
+                      action: rule.metadata.action || 'WARN'
+                    });
+                    break;
+                  }
+                } catch (e) {
+                  // Skip invalid regex
+                }
+              }
+            }
+          }
+        } catch (e) {
+          // Skip invalid base64
+        }
+      }
+    }
+
     // Calculate risk score
     const riskScore = calculateRiskScore(findings, context);
     const action = determineAction(riskScore, findings);

package/package.json

@@ -1,15 +1,18 @@
 {
   "name": "agent-security-scanner-mcp",
-  "version": "2.0.0",
+  "version": "2.0.2",
   "mcpName": "io.github.sinewaveai/agent-security-scanner-mcp",
-  "description": "MCP server for AST-based security scanning with tree-sitter, AI agent prompt security & package hallucination detection. Works with Claude Desktop, Claude Code, OpenCode, Kilo Code. Detects SQL injection, XSS, secrets, prompt attacks, and AI-invented packages.",
+  "description": "Security scanner MCP server for AI coding agents. Prompt injection firewall, package hallucination detection (4.3M+ packages), 359 vulnerability rules with auto-fix. For Claude Code, Cursor, Windsurf, Cline.",
   "main": "index.js",
   "type": "module",
   "bin": {
     "agent-security-scanner-mcp": "index.js"
   },
   "scripts": {
-    "start": "node index.js"
+    "start": "node index.js",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "test:coverage": "vitest run --coverage"
   },
   "keywords": [
     "mcp",
@@ -45,9 +48,13 @@
     "devin",
     "owasp",
     "cwe",
-    "semgrep"
+    "semgrep",
+    "zed",
+    "prompt-firewall",
+    "auto-fix",
+    "hallucination"
   ],
-  "author": "",
+  "author": "Sinewave AI <divya@sinewave.ai>",
   "license": "MIT",
   "repository": {
     "type": "git",
@@ -66,6 +73,8 @@
     "zod": "^4.3.6"
   },
   "files": [
+    "LICENSE",
+    "server.json",
     "index.js",
     "analyzer.py",
     "ast_parser.py",
@@ -77,5 +86,9 @@
     "requirements.txt",
     "rules/**",
     "packages/**"
-  ]
+  ],
+  "devDependencies": {
+    "all-the-package-names": "^2.0.2349",
+    "vitest": "^4.0.18"
+  }
 }

package/packages/dart.txt

@@ -21311,6 +21311,7 @@ flutta_mvvm
 fluttable
 flutte_clean_cli
 flutteer
+flutter
 flutter1
 flutter2web
 flutter3_ffi
@@ -23227,6 +23228,7 @@ flutter_drivekit_trip_simulator
 flutter_drivekit_trip_simulator_android
 flutter_drivekit_trip_simulator_ios
 flutter_drivekit_trip_simulator_platform_interface
+flutter_driver
 flutter_driver_extension_extensions
 flutter_driver_fast_restart
 flutter_driver_helper
@@ -24959,6 +24961,7 @@ flutter_localization_generator_ai
 flutter_localization_linter
 flutter_localization_translator
 flutter_localization_updater
+flutter_localizations
 flutter_localizations_ota
 flutter_localizations_plus
 flutter_localized_countries
@@ -27724,6 +27727,7 @@ flutter_tensorflow_lite
 flutter_termii
 flutter_terms_viewer
 flutter_tesseract_ocr
+flutter_test
 flutter_test_2673502375_api_beta
 flutter_test_2673502375_core_fullrfid_beta
 flutter_test_behavior
@@ -28379,6 +28383,7 @@ flutter_web_image_picker
 flutter_web_notification_platform
 flutter_web_optimizer
 flutter_web_pagination
+flutter_web_plugins
 flutter_web_qrcode_scanner
 flutter_web_router
 flutter_web_scrollbar

package/rules/prompt-injection.security.yaml

@@ -459,11 +459,18 @@ rules:
       - "(?i)forget\\s+(all\\s+)?(previous|prior|earlier)\\s+(instructions?|prompts?)"
       - "(?i)do\\s+not\\s+follow\\s+(the\\s+)?(previous|above|system)\\s+(instructions?|prompts?)"
       - "(?i)override\\s+(all\\s+)?(previous|system|original)\\s+(instructions?|prompts?)"
+      - "(?i)ignore\\s+the\\s+above\\s+and\\s+instead"
+      - "(?i)ignore\\s+above.{0,20}(output|print|say|write|return)"
+      - "(?i)forget\\s+everything\\s+(above|before|previously)"
+      - "(?i)new\\s+instructions\\s*:\\s*ignore"
+      - "(?i)SYSTEM\\s*:.*override"
     metadata:
       cwe: "CWE-77"
       owasp: "LLM01 - Prompt Injection"
       confidence: HIGH
       category: "prompt-injection-content"
+      risk_score: "90"
+      action: BLOCK
 
   - id: generic.prompt.security.new-instructions-injection
     languages: [generic]
@@ -480,6 +487,8 @@ rules:
       owasp: "LLM01 - Prompt Injection"
       confidence: HIGH
       category: "prompt-injection-content"
+      risk_score: "85"
+      action: BLOCK
 
   # ----------------------------------------------------------------------------
   # Jailbreak Attempts
@@ -501,6 +510,8 @@ rules:
       owasp: "LLM01 - Prompt Injection"
       confidence: HIGH
       category: "prompt-injection-jailbreak"
+      risk_score: "90"
+      action: BLOCK
 
   - id: generic.prompt.security.jailbreak-roleplay
     languages: [generic]
@@ -513,11 +524,19 @@ rules:
       - "(?i)imagine\\s+you\\s+are\\s+an?\\s+(evil|unrestricted|malicious)"
       - "(?i)you\\s+are\\s+now\\s+(in\\s+)?developer\\s+mode"
       - "(?i)enable\\s+(developer|debug|admin|god)\\s+mode"
+      - "(?i)pretend\\s+you'?re\\s+a\\s+(hacker|attacker|criminal)"
+      - "(?i)act\\s+as\\s+a\\s+(hacker|attacker|criminal)"
+      - "(?i)you\\s+are\\s+now\\s+a\\s+(hacker|attacker|criminal)"
+      - "(?i)respond\\s+(as|like)\\s+a\\s+(hacker|attacker|criminal)"
+      - "(?i)switch\\s+to\\s+unrestricted\\s+mode"
+      - "(?i)behave\\s+(as|like)\\s+(a\\s+)?(hacker|attacker|criminal)"
     metadata:
       cwe: "CWE-77"
       owasp: "LLM01 - Prompt Injection"
       confidence: MEDIUM
       category: "prompt-injection-jailbreak"
+      risk_score: "75"
+      action: WARN
 
   - id: generic.prompt.security.jailbreak-hypothetical
     languages: [generic]
@@ -534,6 +553,8 @@ rules:
       owasp: "LLM01 - Prompt Injection"
       confidence: MEDIUM
       category: "prompt-injection-jailbreak"
+      risk_score: "60"
+      action: WARN
 
   # ----------------------------------------------------------------------------
   # System Prompt Extraction
@@ -554,6 +575,8 @@ rules:
       owasp: "LLM01 - Prompt Injection"
       confidence: HIGH
       category: "prompt-injection-extraction"
+      risk_score: "80"
+      action: BLOCK
 
   - id: generic.prompt.security.system-prompt-extraction-indirect
     languages: [generic]
@@ -569,6 +592,8 @@ rules:
       owasp: "LLM01 - Prompt Injection"
       confidence: MEDIUM
       category: "prompt-injection-extraction"
+      risk_score: "65"
+      action: WARN
 
   # ----------------------------------------------------------------------------
   # Delimiter Injection Attacks
@@ -590,6 +615,8 @@ rules:
       owasp: "LLM01 - Prompt Injection"
       confidence: HIGH
       category: "prompt-injection-delimiter"
+      risk_score: "85"
+      action: BLOCK
 
   - id: generic.prompt.security.xml-tag-injection
     languages: [generic]
@@ -607,6 +634,8 @@ rules:
       owasp: "LLM01 - Prompt Injection"
       confidence: MEDIUM
       category: "prompt-injection-delimiter"
+      risk_score: "70"
+      action: WARN
 
   # ----------------------------------------------------------------------------
   # Context Manipulation
@@ -626,6 +655,8 @@ rules:
       owasp: "LLM01 - Prompt Injection"
       confidence: MEDIUM
       category: "prompt-injection-context"
+      risk_score: "65"
+      action: WARN
 
   # ----------------------------------------------------------------------------
   # Encoding/Obfuscation Attacks
@@ -640,11 +671,20 @@ rules:
       - "aWdub3JlIHByZXZpb3Vz"
       - "c3lzdGVtIHByb21wdA=="
       - "(?i)execute\\s+(this\\s+)?encoded"
+      - "(?i)(follow|execute)\\s+(the\\s+)?decoded\\s+instructions?"
+      - "(?i)decode\\s+and\\s+follow"
+      - "aWdub3JlIGFsbC"
+      - "b3ZlcnJpZGU="
+      - "(?i)base64.{0,20}instructions?.{0,20}follow"
+      - "[A-Za-z0-9+/]{40,}={0,2}\\s*.{0,20}(?i)(decode|execute|follow|run)"
+      - "(?i)(decode|run|execute)\\s+.{0,20}[A-Za-z0-9+/]{40,}={0,2}"
     metadata:
       cwe: "CWE-77"
       owasp: "LLM01 - Prompt Injection"
       confidence: MEDIUM
       category: "prompt-injection-encoded"
+      risk_score: "80"
+      action: WARN
 
   # ----------------------------------------------------------------------------
   # Privileged Operation Requests
@@ -664,6 +704,8 @@ rules:
       owasp: "LLM01 - Prompt Injection"
       confidence: MEDIUM
       category: "prompt-injection-privilege"
+      risk_score: "70"
+      action: WARN
 
   # ----------------------------------------------------------------------------
   # Multi-turn Attack Patterns
@@ -682,3 +724,48 @@ rules:
       owasp: "LLM01 - Prompt Injection"
       confidence: LOW
       category: "prompt-injection-multi-turn"
+      risk_score: "55"
+      action: LOG
+
+  # ----------------------------------------------------------------------------
+  # Code Block Obfuscation Attacks
+  # ----------------------------------------------------------------------------
+  - id: generic.prompt.security.codeblock-obfuscation
+    languages: [generic]
+    severity: ERROR
+    message: "Attack instructions hidden inside code block. Malicious directives may be obfuscated within fenced code."
+    patterns:
+      - "```[\\s\\S]{0,20}(?i)(ignore|override|disregard)\\s+(all\\s+)?(previous|system|safety)"
+      - "```[\\s\\S]{0,20}(?i)SYSTEM\\s*:.*override"
+      - "```[\\s\\S]{0,50}(?i)(you\\s+are\\s+now|new\\s+instructions)"
+      - "```[\\s\\S]{0,20}(?i)(rm\\s+-rf|curl.*\\|.*sh|wget.*\\|.*bash)"
+      - "```[\\s\\S]{0,20}(?i)(eval|exec)\\s*\\("
+      - "```[\\s\\S]{0,50}(?i)send.{0,30}(secret|password|key|token|credential)"
+    metadata:
+      cwe: "CWE-77"
+      owasp: "LLM01 - Prompt Injection"
+      confidence: HIGH
+      category: "prompt-injection-content"
+      risk_score: "80"
+      action: BLOCK
+
+  # ----------------------------------------------------------------------------
+  # Natural Language Exfiltration Attacks
+  # ----------------------------------------------------------------------------
+  - id: generic.prompt.security.natural-language-exfiltration
+    languages: [generic]
+    severity: ERROR
+    message: "Data exfiltration attempt: Instructions to send sensitive data to external destination."
+    patterns:
+      - "(?i)send\\s+.{0,40}(secret|password|key|token|credential|env).{0,40}to\\s+\\S+"
+      - "(?i)read\\s+/etc/(passwd|shadow|hosts).{0,40}send"
+      - "(?i)(env|environment)\\s+(var|variable)s?.{0,30}send\\s+to"
+      - "(?i)curl\\s+.{0,30}(steal|exfil|attacker|evil)"
+      - "(?i)(cat|read|dump)\\s+.{0,20}\\.(ssh|env|credentials).{0,30}(curl|wget|send|post)"
+    metadata:
+      cwe: "CWE-200"
+      owasp: "LLM01 - Prompt Injection"
+      confidence: HIGH
+      category: "prompt-injection-output"
+      risk_score: "95"
+      action: BLOCK

package/server.json

@@ -0,0 +1,8 @@
+{
+  "$schema": "https://static.modelcontextprotocol.io/schemas/2025-12-11/server.schema.json",
+  "name": "io.github.sinewaveai/agent-security-scanner-mcp",
+  "description": "MCP security scanner with prompt injection firewall, package hallucination detection, and auto-fix.",
+  "version": "2.0.2",
+  "transport": "stdio",
+  "registry": "npm"
+}