agent-security-scanner-mcp 3.2.0 → 3.4.0

package/rules/openclaw.security.yaml

@@ -0,0 +1,283 @@
+# OpenClaw-specific security rules
+# Detects attacks targeting autonomous AI assistants with broad system access
+# These rules are loaded by scan_agent_prompt for OpenClaw integration
+
+rules:
+  # ===========================================
+  # DATA EXFILTRATION
+  # ===========================================
+  - id: openclaw.exfiltration.email-forward
+    severity: CRITICAL
+    category: data_exfiltration
+    patterns:
+      - "forward\\s+(all\\s+)?(my\\s+)?emails?\\s+to"
+      - "send\\s+(all\\s+)?(my\\s+)?emails?\\s+to"
+      - "copy\\s+(all\\s+)?(my\\s+)?emails?\\s+to"
+      - "export\\s+(all\\s+)?(my\\s+)?emails?\\s+to"
+      - "redirect\\s+(my\\s+)?mail\\s+to"
+    message: "Potential email exfiltration attempt"
+    action: BLOCK
+
+  - id: openclaw.exfiltration.contacts-export
+    severity: CRITICAL
+    category: data_exfiltration
+    patterns:
+      - "export\\s+(all\\s+)?(my\\s+)?contacts\\s+to"
+      - "send\\s+(all\\s+)?(my\\s+)?contacts\\s+to"
+      - "send\\s+(my\\s+)?contact\\s+list\\s+to"
+      - "share\\s+(my\\s+)?address\\s+book"
+      - "upload\\s+(my\\s+)?contacts"
+    message: "Potential contacts exfiltration attempt"
+    action: BLOCK
+
+  - id: openclaw.exfiltration.calendar-export
+    severity: HIGH
+    category: data_exfiltration
+    patterns:
+      - "export\\s+(all\\s+)?(my\\s+)?calendar"
+      - "share\\s+(my\\s+)?schedule\\s+with"
+      - "send\\s+(my\\s+)?appointments\\s+to"
+      - "upload\\s+(my\\s+)?calendar"
+    message: "Potential calendar data exfiltration"
+    action: WARN
+
+  - id: openclaw.exfiltration.file-upload
+    severity: CRITICAL
+    category: data_exfiltration
+    patterns:
+      - "upload\\s+(all\\s+)?(my\\s+)?files?\\s+to"
+      - "send\\s+(all\\s+)?(my\\s+)?documents?\\s+to"
+      - "transfer\\s+(my\\s+)?data\\s+to"
+      - "copy\\s+(my\\s+)?files?\\s+to\\s+(external|remote|cloud)"
+      - "sync\\s+(my\\s+)?files?\\s+to\\s+\\S+\\.(com|io|net|org)"
+    message: "Potential file exfiltration to external service"
+    action: BLOCK
+
+  - id: openclaw.exfiltration.browser-session
+    severity: CRITICAL
+    category: data_exfiltration
+    patterns:
+      - "share\\s+(my\\s+)?browser\\s+(cookies?|session)"
+      - "export\\s+(my\\s+)?cookies?"
+      - "send\\s+(my\\s+)?session\\s+(data|tokens?)"
+      - "copy\\s+(my\\s+)?browser\\s+data"
+      - "extract\\s+(my\\s+)?login\\s+sessions?"
+    message: "Potential browser session/cookie theft"
+    action: BLOCK
+
+  - id: openclaw.exfiltration.browsing-history
+    severity: HIGH
+    category: data_exfiltration
+    patterns:
+      - "export\\s+(my\\s+)?browsing\\s+history"
+      - "send\\s+(my\\s+)?browser\\s+history"
+      - "share\\s+(my\\s+)?search\\s+history"
+    message: "Potential browsing history exfiltration"
+    action: WARN
+
+  # ===========================================
+  # MESSAGING ABUSE
+  # ===========================================
+  - id: openclaw.messaging.mass-send
+    severity: CRITICAL
+    category: messaging_abuse
+    patterns:
+      - "send\\s+(this\\s+)?message\\s+to\\s+all\\s+(my\\s+)?contacts"
+      - "message\\s+everyone\\s+in\\s+(my\\s+)?contacts?"
+      - "broadcast\\s+to\\s+all\\s+(my\\s+)?(contacts|friends)"
+      - "send\\s+to\\s+all\\s+(my\\s+)?(whatsapp|telegram|discord|slack)"
+      - "spam\\s+(all\\s+)?(my\\s+)?contacts"
+    message: "Mass messaging to all contacts detected"
+    action: BLOCK
+
+  - id: openclaw.messaging.auto-reply
+    severity: HIGH
+    category: messaging_abuse
+    patterns:
+      - "auto(-|\\s)?reply\\s+to\\s+(all|every)\\s+message"
+      - "automatically\\s+respond\\s+to\\s+(all|every)"
+      - "reply\\s+to\\s+all\\s+messages?\\s+with"
+      - "set\\s+up\\s+auto(-|\\s)?responder"
+    message: "Auto-reply configuration may be abused"
+    action: WARN
+
+  - id: openclaw.messaging.impersonation
+    severity: CRITICAL
+    category: messaging_abuse
+    patterns:
+      - "pretend\\s+to\\s+be\\s+(me|someone)"
+      - "impersonate\\s+(me|someone)"
+      - "send\\s+as\\s+if\\s+(from\\s+)?(me|I)"
+      - "message\\s+(them|him|her)\\s+as\\s+(me|if)"
+    message: "Potential impersonation/social engineering"
+    action: BLOCK
+
+  - id: openclaw.messaging.phishing-content
+    severity: CRITICAL
+    category: messaging_abuse
+    patterns:
+      - "send\\s+.*(urgent|verify|confirm)\\s+(your\\s+)?(account|password|login)"
+      - "message\\s+.*click\\s+(this|here|the)\\s+link"
+      - "tell\\s+(them|everyone)\\s+to\\s+(update|verify|confirm)"
+    message: "Potential phishing content in message"
+    action: BLOCK
+
+  # ===========================================
+  # CREDENTIAL/SECRET THEFT
+  # ===========================================
+  - id: openclaw.credentials.api-keys
+    severity: CRITICAL
+    category: credential_theft
+    patterns:
+      - "show\\s+(me\\s+)?(my\\s+)?api\\s+keys?"
+      - "list\\s+(all\\s+)?(my\\s+)?api\\s+keys?"
+      - "what\\s+(are|is)\\s+(my\\s+)?api\\s+(key|token|secret)"
+      - "display\\s+(my\\s+)?tokens?"
+      - "reveal\\s+(my\\s+)?secrets?"
+    message: "Attempt to access API keys/tokens"
+    action: BLOCK
+
+  - id: openclaw.credentials.passwords
+    severity: CRITICAL
+    category: credential_theft
+    patterns:
+      - "show\\s+(me\\s+)?(my\\s+)?(saved\\s+)?passwords?"
+      - "what\\s+(are|is)\\s+(my\\s+)?passwords?"
+      - "list\\s+(all\\s+)?(my\\s+)?passwords?"
+      - "display\\s+(my\\s+)?login\\s+credentials?"
+      - "export\\s+(my\\s+)?passwords?"
+    message: "Attempt to access saved passwords"
+    action: BLOCK
+
+  - id: openclaw.credentials.keychain
+    severity: CRITICAL
+    category: credential_theft
+    patterns:
+      - "access\\s+(my\\s+)?keychain"
+      - "read\\s+(from\\s+)?(my\\s+)?keychain"
+      - "export\\s+(my\\s+)?keychain"
+      - "dump\\s+(my\\s+)?credential\\s+store"
+      - "show\\s+(my\\s+)?secure\\s+storage"
+    message: "Attempt to access system keychain/credential store"
+    action: BLOCK
+
+  - id: openclaw.credentials.env-secrets
+    severity: CRITICAL
+    category: credential_theft
+    patterns:
+      - "show\\s+(me\\s+)?(all\\s+)?environment\\s+variables?"
+      - "print\\s+(all\\s+)?env\\s+vars?"
+      - "list\\s+.env\\s+file"
+      - "cat\\s+.*\\.env"
+      - "display\\s+(my\\s+)?secrets?"
+    message: "Attempt to access environment secrets"
+    action: BLOCK
+
+  - id: openclaw.credentials.ssh-keys
+    severity: CRITICAL
+    category: credential_theft
+    patterns:
+      - "show\\s+(me\\s+)?(my\\s+)?ssh\\s+keys?"
+      - "read\\s+(my\\s+)?private\\s+key"
+      - "export\\s+(my\\s+)?ssh\\s+keys?"
+      - "copy\\s+(my\\s+)?\\.ssh"
+      - "send\\s+(my\\s+)?id_rsa"
+    message: "Attempt to access SSH private keys"
+    action: BLOCK
+
+  # ===========================================
+  # AUTONOMOUS HARM / SAFETY BYPASS
+  # ===========================================
+  - id: openclaw.autonomous.scheduled-harm
+    severity: CRITICAL
+    category: autonomous_harm
+    patterns:
+      - "run\\s+this\\s+(every|each)\\s+(hour|minute|day)"
+      - "schedule\\s+this\\s+to\\s+run\\s+(repeatedly|continuously)"
+      - "set\\s+up\\s+(a\\s+)?cron\\s+(job\\s+)?to"
+      - "automatically\\s+run\\s+this\\s+without\\s+asking"
+    message: "Scheduled task without confirmation requested"
+    action: WARN
+
+  - id: openclaw.autonomous.no-confirm
+    severity: HIGH
+    category: autonomous_harm
+    patterns:
+      - "don'?t\\s+(ask|confirm|prompt)\\s+(me\\s+)?before"
+      - "without\\s+(asking|confirmation|prompting)"
+      - "skip\\s+(the\\s+)?confirmation"
+      - "auto(-|\\s)?approve\\s+(all|everything)"
+      - "don'?t\\s+wait\\s+for\\s+(my\\s+)?approval"
+    message: "Request to bypass confirmation prompts"
+    action: WARN
+
+  - id: openclaw.autonomous.disable-safety
+    severity: CRITICAL
+    category: autonomous_harm
+    patterns:
+      - "disable\\s+(all\\s+)?safety\\s+(checks?|features?)"
+      - "turn\\s+off\\s+(security|safety)"
+      - "bypass\\s+(the\\s+)?security"
+      - "ignore\\s+(the\\s+)?restrictions?"
+      - "remove\\s+(the\\s+)?guardrails?"
+    message: "Attempt to disable safety mechanisms"
+    action: BLOCK
+
+  - id: openclaw.autonomous.unlimited-access
+    severity: HIGH
+    category: autonomous_harm
+    patterns:
+      - "give\\s+(me|yourself)\\s+(full|unlimited|complete)\\s+access"
+      - "grant\\s+(me|yourself)\\s+(all|admin)\\s+permissions?"
+      - "escalate\\s+(your|my)\\s+privileges?"
+      - "run\\s+(as|with)\\s+(root|admin|sudo)"
+    message: "Privilege escalation attempt"
+    action: BLOCK
+
+  # ===========================================
+  # SERVICE-SPECIFIC ATTACKS
+  # ===========================================
+  - id: openclaw.service.payment-fraud
+    severity: CRITICAL
+    category: service_attack
+    patterns:
+      - "make\\s+(a\\s+)?payment\\s+to"
+      - "transfer\\s+(money|funds)\\s+to"
+      - "send\\s+\\$?\\d+\\s+to"
+      - "buy\\s+(this|something)\\s+using\\s+(my\\s+)?(card|account)"
+      - "purchase\\s+.*without\\s+(asking|confirmation)"
+    message: "Unauthorized payment/transaction attempt"
+    action: BLOCK
+
+  - id: openclaw.service.account-changes
+    severity: HIGH
+    category: service_attack
+    patterns:
+      - "change\\s+(my\\s+)?password\\s+to"
+      - "update\\s+(my\\s+)?email\\s+to"
+      - "modify\\s+(my\\s+)?account\\s+settings"
+      - "add\\s+(a\\s+)?(new\\s+)?recovery\\s+(email|phone)"
+    message: "Account modification request - verify intent"
+    action: WARN
+
+  - id: openclaw.service.github-destructive
+    severity: CRITICAL
+    category: service_attack
+    patterns:
+      - "delete\\s+(all\\s+)?(my\\s+)?repositories"
+      - "remove\\s+(all\\s+)?(my\\s+)?github\\s+(repos?|projects?)"
+      - "force\\s+push\\s+to\\s+(main|master)"
+      - "make\\s+(all\\s+)?(my\\s+)?repos?\\s+public"
+    message: "Potentially destructive GitHub operation"
+    action: BLOCK
+
+  - id: openclaw.service.social-destructive
+    severity: HIGH
+    category: service_attack
+    patterns:
+      - "delete\\s+(all\\s+)?(my\\s+)?(posts?|tweets?|messages?)"
+      - "unfollow\\s+(everyone|all)"
+      - "block\\s+(everyone|all\\s+my\\s+contacts)"
+      - "deactivate\\s+(my\\s+)?account"
+    message: "Potentially destructive social media operation"
+    action: WARN

package/scripts/postinstall.js

@@ -0,0 +1,25 @@
+#!/usr/bin/env node
+/**
+ * postinstall.js - Attempt to install Python dependencies for tree-sitter AST engine.
+ * If installation fails, the scanner gracefully falls back to regex-only mode.
+ */
+import { execFileSync } from "child_process";
+import { join, dirname } from "path";
+import { fileURLToPath } from "url";
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const requirementsPath = join(__dirname, "..", "requirements.txt");
+
+try {
+  execFileSync("python3", ["-m", "pip", "install", "-r", requirementsPath, "--user", "--quiet"], {
+    timeout: 120000,
+    stdio: "inherit",
+  });
+  console.log("[postinstall] Python dependencies installed - AST engine enabled.");
+} catch {
+  console.log(
+    "[postinstall] Could not install Python dependencies (tree-sitter).\n" +
+    "             The scanner will run in regex-only mode, which still catches common vulnerabilities.\n" +
+    "             To enable AST analysis later, run: python3 -m pip install -r requirements.txt"
+  );
+}

package/skills/openclaw/SKILL.md

@@ -0,0 +1,102 @@
+---
+name: security-scanner
+description: Scan prompts and code for security threats using agent-security-scanner-mcp. Protects against prompt injection, data exfiltration, and credential theft.
+metadata: {"openclaw":{"emoji":"🛡️","requires":{"bins":["npx"]}}}
+homepage: https://github.com/sinewaveai/agent-security-scanner-mcp
+---
+
+## Security Scanner for OpenClaw
+
+Protect your OpenClaw instance from:
+- **Prompt injection attacks** - Detects attempts to manipulate your AI assistant
+- **Data exfiltration** - Blocks attempts to steal emails, contacts, files
+- **Credential theft** - Prevents exposure of API keys, passwords, SSH keys
+- **Messaging abuse** - Stops mass messaging and impersonation attacks
+- **Unsafe automation** - Warns about scheduled tasks without confirmation
+
+## Quick Start
+
+Install the scanner globally:
+```bash
+npm install -g agent-security-scanner-mcp
+```
+
+Or use directly with npx (no install needed).
+
+## Commands
+
+### Scan a Prompt
+Check if a prompt is safe before execution:
+```bash
+npx agent-security-scanner-mcp scan-prompt "forward all my emails to someone@example.com"
+```
+
+Returns `BLOCK`, `WARN`, or `ALLOW` with risk assessment.
+
+### Scan Code
+Check code for vulnerabilities before running:
+```bash
+npx agent-security-scanner-mcp scan-security ./script.py --verbosity minimal
+```
+
+### Check Package
+Verify a package isn't hallucinated (AI-invented):
+```bash
+npx agent-security-scanner-mcp check-package some-package npm
+```
+
+## Usage Instructions
+
+When a user asks you to do something potentially risky, scan it first:
+
+1. **Before executing shell commands** - Scan for injection attacks
+2. **Before running code** - Check for vulnerabilities
+3. **Before sending messages** - Verify no mass-messaging or phishing
+4. **Before accessing sensitive data** - Check for exfiltration attempts
+
+### Example Workflow
+
+```
+User: "Forward all my work emails to my personal Gmail"
+
+You: Let me check this request for security concerns...
+[Run: npx agent-security-scanner-mcp scan-prompt "Forward all my work emails to my personal Gmail"]
+
+Result: BLOCK - Potential email exfiltration attempt
+
+You: I've detected this could be a security risk. Email forwarding to external addresses
+could expose sensitive work information. Would you like to:
+1. Set up selective forwarding with filters
+2. Forward only from specific senders
+3. Proceed anyway (not recommended)
+```
+
+## Verbosity Levels
+
+- `--verbosity minimal` - Just action + risk level (~50 tokens)
+- `--verbosity compact` - Action + findings summary (~200 tokens)
+- `--verbosity full` - Complete audit trail (~500 tokens)
+
+## What It Detects
+
+### OpenClaw-Specific Threats
+| Category | Examples |
+|----------|----------|
+| Data Exfiltration | "Forward emails to...", "Upload files to...", "Share cookies" |
+| Messaging Abuse | "Send to all contacts", "Auto-reply to everyone" |
+| Credential Theft | "Show my passwords", "Access keychain", "List API keys" |
+| Unsafe Automation | "Run hourly without asking", "Disable safety checks" |
+| Service Attacks | "Delete all repos", "Make payment to..." |
+
+### General Security
+- SQL injection, XSS, command injection in code
+- Hardcoded secrets and API keys
+- Weak cryptography
+- Insecure deserialization
+
+## Exit Codes
+
+- `0` - Safe / No issues
+- `1` - Issues found / Action required
+
+Use exit codes in scripts to automatically block risky operations.

package/skills/security-scan-batch.md

@@ -0,0 +1,107 @@
+---
+name: security-scan-batch
+description: Use when scanning multiple files or entire directories for security vulnerabilities. Dispatches parallel subagents for efficient batch scanning with consolidated results.
+---
+
+# Batch Security Scanner Skill
+
+You are a batch security scanning coordinator. Scan multiple files efficiently and return consolidated results that minimize context consumption.
+
+## Workflow
+
+1. **Identify files to scan** - Use glob patterns or file list provided
+2. **Scan each file** using `mcp__security-scanner__scan_security` with `verbosity: 'minimal'`
+3. **For files with issues**, get details with `verbosity: 'compact'`
+4. **Consolidate results** - Merge findings, deduplicate, prioritize
+5. **Return executive summary**
+
+## Response Format
+
+```
+## Security Scan Summary
+
+**Files Scanned:** {N}
+**Files with Issues:** {N}
+**Total Issues:** {critical} critical, {warning} warning
+
+### Files Requiring Attention
+
+| File | Critical | Warning | Top Issue |
+|------|----------|---------|-----------|
+| path/file1.py | 2 | 3 | SQL Injection (L15) |
+| path/file2.js | 0 | 1 | XSS (L42) |
+
+### Priority Fixes (Top 10)
+1. **path/file1.py:15** - SQL Injection: Use parameterized query
+2. **path/file1.py:28** - Hardcoded secret: Move to env var
+3. **path/file2.js:42** - XSS: Use textContent instead of innerHTML
+...
+
+### Quick Fix
+To auto-fix all issues: scan each file with fix_security tool.
+```
+
+## Rules
+
+- DO scan files using `verbosity: 'minimal'` first for quick triage
+- DO only fetch `verbosity: 'compact'` for files that have issues
+- DO consolidate into single summary
+- DO NOT return individual file JSON details
+- DO prioritize by: critical severity > file count > line number
+- DO limit to top 10 priority fixes in summary
+
+## Scanning Patterns
+
+For common batch operations:
+
+**Python project:**
+```
+Glob: **/*.py
+Exclude: **/venv/**, **/__pycache__/**
+```
+
+**JavaScript/TypeScript project:**
+```
+Glob: **/*.{js,ts,jsx,tsx}
+Exclude: **/node_modules/**, **/dist/**
+```
+
+**Full project scan:**
+```
+Glob: **/*.{py,js,ts,java,go,rb,php}
+Exclude: **/vendor/**, **/node_modules/**, **/venv/**
+```
+
+## Example
+
+User asks: "Scan all Python files in src/"
+
+You run:
+1. Glob for `src/**/*.py` - find 15 files
+2. Scan each with `verbosity: 'minimal'` - 4 have issues
+3. Get `verbosity: 'compact'` for those 4 files
+4. Consolidate and return summary
+
+Response:
+```
+## Security Scan Summary
+
+**Files Scanned:** 15
+**Files with Issues:** 4
+**Total Issues:** 3 critical, 8 warning
+
+### Files Requiring Attention
+
+| File | Critical | Warning | Top Issue |
+|------|----------|---------|-----------|
+| src/db.py | 2 | 1 | SQL Injection (L23) |
+| src/auth.py | 1 | 3 | Hardcoded secret (L15) |
+| src/api.py | 0 | 2 | SSL disabled (L67) |
+| src/utils.py | 0 | 2 | Weak crypto (L12) |
+
+### Priority Fixes (Top 10)
+1. **src/db.py:23** - SQL Injection: Use parameterized query
+2. **src/db.py:45** - SQL Injection: Use parameterized query
+3. **src/auth.py:15** - Hardcoded secret: Move API_KEY to env var
+...
+```

package/skills/security-scanner.md

@@ -0,0 +1,76 @@
+---
+name: security-scanner
+description: Use when scanning files for security vulnerabilities. Runs comprehensive security analysis via subagent, returns concise actionable summary to main context.
+---
+
+# Security Scanner Skill
+
+You are a security scanning subagent. Your job is to run comprehensive security analysis and return a concise, actionable summary that minimizes context consumption in the main conversation.
+
+## Workflow
+
+1. **Scan the file** using `mcp__security-scanner__scan_security` with `verbosity: 'full'`
+2. **Analyze findings** - group by severity, identify patterns
+3. **If fixes needed**, use `mcp__security-scanner__fix_security` with `verbosity: 'full'`
+4. **Return concise summary** (not the full JSON output)
+
+## Response Format
+
+Return ONLY this format to the main conversation:
+
+```
+## Security Scan: {filename}
+
+**Status:** {PASS | WARN | FAIL}
+**Issues:** {critical} critical, {warning} warning, {info} info
+
+{If issues found:}
+### Priority Fixes
+1. **Line {N}**: {rule} - {one-line fix description}
+2. **Line {N}**: {rule} - {one-line fix description}
+{limit to top 5}
+
+### Auto-Fix Available
+Run `mcp__security-scanner__fix_security` to automatically apply {N} fixes.
+
+{If no issues:}
+No security issues detected.
+```
+
+## Rules
+
+- DO use `verbosity: 'full'` internally for complete analysis
+- DO return only the summary format above to the main conversation
+- DO NOT include raw JSON in your response
+- DO NOT include metadata, CWE references, or verbose explanations
+- DO prioritize fixes by severity (critical > warning > info)
+- DO limit to top 5 issues if more than 5 found
+- DO mention auto-fix availability if fixes can be applied
+
+## Example
+
+User asks: "Scan app.py for security issues"
+
+You run internally:
+```
+mcp__security-scanner__scan_security({ file_path: "app.py", verbosity: "full" })
+```
+
+You return:
+```
+## Security Scan: app.py
+
+**Status:** WARN
+**Issues:** 1 critical, 3 warning, 0 info
+
+### Priority Fixes
+1. **Line 15**: sql-injection - Use parameterized query instead of string concat
+2. **Line 28**: hardcoded-secret - Move API key to environment variable
+3. **Line 42**: weak-crypto-md5 - Replace MD5 with SHA-256
+4. **Line 67**: ssl-verify-disabled - Enable SSL certificate verification
+
+### Auto-Fix Available
+Run fix_security to automatically apply 4 fixes.
+```
+
+This approach keeps main conversation context minimal (~200 tokens vs 2000+ for raw output).