npm - agent-security-scanner-mcp - Versions diffs - 3.11.0 → 3.12.0 - Mend

agent-security-scanner-mcp 3.11.0 → 3.12.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/README.md +2 -2
package/index.js +32 -14
package/openclaw.plugin.json +3 -3
package/package.json +2 -1
package/src/cli/audit.js +10 -3
package/src/cli/demo.js +3 -13
package/src/cli/doctor.js +15 -13
package/src/cli/harden.js +10 -3
package/src/cli/init.js +11 -5
package/src/config.js +4 -1
package/src/daemon-client.js +3 -1
package/src/python.js +54 -0
package/src/tools/scan-action.js +222 -2
package/src/tools/scan-prompt.js +34 -0
package/src/tools/scan-skill.js +438 -80
package/src/utils.js +71 -12

package/src/tools/scan-action.js CHANGED Viewed

@@ -2,10 +2,10 @@
 import { z } from "zod";
 export const scanAgentActionSchema = {
-  action_type: z.enum(["bash", "file_write", "file_read", "http_request", "file_delete"])
+  action_type: z.enum(["bash", "file_write", "file_read", "http_request", "file_delete", "cron", "process_spawn", "git", "docker"])
     .describe("Type of agent action to evaluate"),
   action_value: z.string()
-    .describe("The command, file path, or URL to check"),
+    .describe("The command, file path, URL, or structured input to check"),
   verbosity: z.enum(["minimal", "compact", "full"]).optional()
     .describe("Response detail level: 'minimal' (action only), 'compact' (default), 'full' (all details)")
 };
@@ -197,6 +197,159 @@ const EXFILTRATION_PATTERNS = [
   { pattern: /burpcollaborator/i, label: "Burp Collaborator" }
 ];
+// --- Cron rules ---
+const CRON_RULES = [
+  {
+    rule: "cron.persistence.at-boot",
+    pattern: /@reboot/,
+    severity: "HIGH",
+    action: "WARN",
+    message: "Cron entry runs at reboot — potential persistence mechanism"
+  },
+  {
+    rule: "cron.frequency.every-minute",
+    pattern: /^\s*\*\s+\*\s+\*\s+\*\s+\*/,
+    severity: "MEDIUM",
+    action: "WARN",
+    message: "Cron entry runs every minute — high frequency may indicate abuse"
+  },
+  {
+    rule: "cron.rce.curl-pipe",
+    pattern: /\b(curl|wget)\b.*\|\s*(sh|bash|python|perl|ruby)\b/,
+    severity: "CRITICAL",
+    action: "BLOCK",
+    message: "Cron entry downloads and executes remote code"
+  },
+  {
+    rule: "cron.exfiltration.redirect",
+    pattern: /\b(curl|wget)\b.*(-d|--data|--upload-file)\b/,
+    severity: "HIGH",
+    action: "WARN",
+    message: "Cron entry sends data to a remote server — potential exfiltration"
+  }
+];
+// --- Process spawn rules ---
+const PROCESS_SPAWN_RULES = [
+  {
+    rule: "process_spawn.reverse-shell",
+    pattern: /\b(nc|ncat|netcat)\s+.*-e\s+\/bin\/(sh|bash)\b/,
+    severity: "CRITICAL",
+    action: "BLOCK",
+    message: "Reverse shell via netcat"
+  },
+  {
+    rule: "process_spawn.python-shell",
+    pattern: /python.*\bsocket\b.*\bconnect\b/,
+    severity: "CRITICAL",
+    action: "BLOCK",
+    message: "Python-based reverse shell or socket connection"
+  },
+  {
+    rule: "process_spawn.background-daemon",
+    pattern: /\bnohup\b.*&\s*$/,
+    severity: "MEDIUM",
+    action: "WARN",
+    message: "Background daemon spawned with nohup — may persist after session"
+  },
+  {
+    rule: "process_spawn.privilege-escalation",
+    pattern: /\bsudo\b/,
+    severity: "MEDIUM",
+    action: "WARN",
+    message: "Process spawned with elevated privileges via sudo"
+  }
+];
+// --- Git rules ---
+const GIT_RULES = [
+  {
+    rule: "git.destructive.force-push",
+    pattern: /\bgit\s+push\s+.*--force\b/,
+    severity: "HIGH",
+    action: "WARN",
+    message: "Git force push — can overwrite remote history and cause data loss"
+  },
+  {
+    rule: "git.destructive.reset-hard",
+    pattern: /\bgit\s+reset\s+--hard\b/,
+    severity: "HIGH",
+    action: "WARN",
+    message: "Git hard reset — discards all uncommitted changes"
+  },
+  {
+    rule: "git.destructive.clean-fd",
+    pattern: /\bgit\s+clean\s+-[a-zA-Z]*f[a-zA-Z]*d/,
+    severity: "HIGH",
+    action: "WARN",
+    message: "Git clean with force+directory flags — permanently deletes untracked files and directories"
+  },
+  {
+    rule: "git.credential.config-password",
+    pattern: /\bgit\s+(config|credential)\b.*\b(password|token)\b/i,
+    severity: "HIGH",
+    action: "WARN",
+    message: "Git command may expose or set credentials in config"
+  },
+  {
+    rule: "git.remote.add-untrusted",
+    pattern: /\bgit\s+remote\s+add\b/,
+    severity: "MEDIUM",
+    action: "WARN",
+    message: "Adding a new git remote — verify the URL is trusted"
+  }
+];
+// --- Docker rules ---
+const DOCKER_RULES = [
+  {
+    rule: "docker.privileged",
+    pattern: /--privileged/,
+    severity: "CRITICAL",
+    action: "BLOCK",
+    message: "Docker container with --privileged flag — full host access"
+  },
+  {
+    rule: "docker.host-mount.root",
+    pattern: /-v\s+\/:/,
+    severity: "CRITICAL",
+    action: "BLOCK",
+    message: "Docker container mounts host root filesystem"
+  },
+  {
+    rule: "docker.host-mount.docker-sock",
+    pattern: /-v\s+\/var\/run\/docker\.sock/,
+    severity: "CRITICAL",
+    action: "BLOCK",
+    message: "Docker container mounts Docker socket — can control host Docker daemon"
+  },
+  {
+    rule: "docker.host-network",
+    pattern: /--net(work)?=host\b/,
+    severity: "HIGH",
+    action: "WARN",
+    message: "Docker container uses host network — no network isolation"
+  },
+  {
+    rule: "docker.host-pid",
+    pattern: /--pid=host\b/,
+    severity: "HIGH",
+    action: "WARN",
+    message: "Docker container shares host PID namespace — can see/signal host processes"
+  },
+  {
+    rule: "docker.cap-add",
+    pattern: /--cap-add\s+(SYS_ADMIN|ALL)\b/,
+    severity: "CRITICAL",
+    action: "BLOCK",
+    message: "Docker container adds dangerous Linux capability"
+  }
+];
 // --- Detection logic per action type ---
 function checkBash(value) {
@@ -306,6 +459,61 @@ function checkHttpRequest(value) {
   return findings;
 }
+function checkCron(value) {
+  const findings = [];
+  for (const rule of CRON_RULES) {
+    if (rule.pattern.test(value)) {
+      findings.push({ rule: rule.rule, severity: rule.severity, action: rule.action, message: rule.message });
+    }
+  }
+  // Also run bash rules on the command portion (after the schedule)
+  const cmdPortion = value.replace(/^[@*0-9,\-\/\s]+/, '').trim();
+  if (cmdPortion) {
+    for (const rule of BASH_RULES) {
+      if (rule.pattern.test(cmdPortion)) {
+        findings.push({ rule: rule.rule, severity: rule.severity, action: rule.action, message: rule.message });
+      }
+    }
+  }
+  return findings;
+}
+function checkProcessSpawn(value) {
+  const findings = [];
+  for (const rule of PROCESS_SPAWN_RULES) {
+    if (rule.pattern.test(value)) {
+      findings.push({ rule: rule.rule, severity: rule.severity, action: rule.action, message: rule.message });
+    }
+  }
+  // Also apply bash rules for general command safety
+  for (const rule of BASH_RULES) {
+    if (rule.pattern.test(value)) {
+      findings.push({ rule: rule.rule, severity: rule.severity, action: rule.action, message: rule.message });
+    }
+  }
+  return findings;
+}
+function checkGit(value) {
+  const findings = [];
+  for (const rule of GIT_RULES) {
+    if (rule.pattern.test(value)) {
+      findings.push({ rule: rule.rule, severity: rule.severity, action: rule.action, message: rule.message });
+    }
+  }
+  return findings;
+}
+function checkDocker(value) {
+  const findings = [];
+  for (const rule of DOCKER_RULES) {
+    if (rule.pattern.test(value)) {
+      findings.push({ rule: rule.rule, severity: rule.severity, action: rule.action, message: rule.message });
+    }
+  }
+  return findings;
+}
 function checkFileDelete(value) {
   const findings = [];
@@ -459,6 +667,18 @@ export async function scanAgentAction({ action_type, action_value, verbosity })
     case "file_delete":
       findings = checkFileDelete(action_value);
       break;
+    case "cron":
+      findings = checkCron(action_value);
+      break;
+    case "process_spawn":
+      findings = checkProcessSpawn(action_value);
+      break;
+    case "git":
+      findings = checkGit(action_value);
+      break;
+    case "docker":
+      findings = checkDocker(action_value);
+      break;
   }
   const action = deriveAction(findings);

package/src/tools/scan-prompt.js CHANGED Viewed

@@ -55,12 +55,22 @@ const CONFIDENCE_MULTIPLIERS = {
   "LOW": 0.4
 };
+// Maximum prompt size to prevent DoS via large inputs (100KB)
+const MAX_PROMPT_SIZE = 100 * 1024;
+// Rule caches — loaded once per process, not on every call
+let _agentAttackRulesCache = null;
+let _promptInjectionRulesCache = null;
+let _openClawRulesCache = null;
 // Load agent attack rules from YAML
 function loadAgentAttackRules() {
+  if (_agentAttackRulesCache !== null) return _agentAttackRulesCache;
   try {
     const rulesPath = join(__dirname, '..', '..', 'rules', 'agent-attacks.security.yaml');
     if (!existsSync(rulesPath)) {
       console.error("Agent attack rules file not found");
+      _agentAttackRulesCache = [];
       return [];
     }
@@ -120,18 +130,22 @@ function loadAgentAttackRules() {
       }
     }
+    _agentAttackRulesCache = rules;
     return rules;
   } catch (error) {
     console.error("Error loading agent attack rules:", error.message);
+    _agentAttackRulesCache = [];
     return [];
   }
 }
 // Also load prompt injection rules
 function loadPromptInjectionRules() {
+  if (_promptInjectionRulesCache !== null) return _promptInjectionRulesCache;
   try {
     const rulesPath = join(__dirname, '..', '..', 'rules', 'prompt-injection.security.yaml');
     if (!existsSync(rulesPath)) {
+      _promptInjectionRulesCache = [];
       return [];
     }
@@ -188,18 +202,22 @@ function loadPromptInjectionRules() {
       }
     }
+    _promptInjectionRulesCache = rules;
     return rules;
   } catch (error) {
     console.error("Error loading prompt injection rules:", error.message);
+    _promptInjectionRulesCache = [];
     return [];
   }
 }
 // Load OpenClaw-specific rules
 function loadOpenClawRules() {
+  if (_openClawRulesCache !== null) return _openClawRulesCache;
   try {
     const rulesPath = join(__dirname, '..', '..', 'rules', 'openclaw.security.yaml');
     if (!existsSync(rulesPath)) {
+      _openClawRulesCache = [];
       return [];
     }
@@ -251,9 +269,11 @@ function loadOpenClawRules() {
       }
     }
+    _openClawRulesCache = rules;
     return rules;
   } catch (error) {
     console.error("Error loading OpenClaw rules:", error.message);
+    _openClawRulesCache = [];
     return [];
   }
 }
@@ -441,6 +461,20 @@ export const scanAgentPromptSchema = {
 // Export handler function
 export async function scanAgentPrompt({ prompt_text, context, verbosity }) {
+  // Guard against oversized inputs that could cause DoS via regex scanning
+  if (prompt_text.length > MAX_PROMPT_SIZE) {
+    return {
+      content: [{
+        type: "text",
+        text: JSON.stringify({
+          action: "BLOCK",
+          risk_level: "HIGH",
+          error: `Prompt too large (${prompt_text.length} bytes, max ${MAX_PROMPT_SIZE}). Reduce size or split into smaller chunks.`
+        }, null, 2)
+      }]
+    };
+  }
   const findings = [];
   // Load rules