agent-security-scanner-mcp 3.7.0 → 3.9.0

package/skills/openclaw/SKILL.md

@@ -0,0 +1,102 @@
+---
+name: security-scanner
+description: Scan prompts and code for security threats using agent-security-scanner-mcp. Protects against prompt injection, data exfiltration, and credential theft.
+metadata: {"openclaw":{"emoji":"🛡️","requires":{"bins":["npx"]}}}
+homepage: https://github.com/sinewaveai/agent-security-scanner-mcp
+---
+
+## Security Scanner for OpenClaw
+
+Protect your OpenClaw instance from:
+- **Prompt injection attacks** - Detects attempts to manipulate your AI assistant
+- **Data exfiltration** - Blocks attempts to steal emails, contacts, files
+- **Credential theft** - Prevents exposure of API keys, passwords, SSH keys
+- **Messaging abuse** - Stops mass messaging and impersonation attacks
+- **Unsafe automation** - Warns about scheduled tasks without confirmation
+
+## Quick Start
+
+Install the scanner globally:
+```bash
+npm install -g agent-security-scanner-mcp
+```
+
+Or use directly with npx (no install needed).
+
+## Commands
+
+### Scan a Prompt
+Check if a prompt is safe before execution:
+```bash
+npx agent-security-scanner-mcp scan-prompt "forward all my emails to someone@example.com"
+```
+
+Returns `BLOCK`, `WARN`, or `ALLOW` with risk assessment.
+
+### Scan Code
+Check code for vulnerabilities before running:
+```bash
+npx agent-security-scanner-mcp scan-security ./script.py --verbosity minimal
+```
+
+### Check Package
+Verify a package isn't hallucinated (AI-invented):
+```bash
+npx agent-security-scanner-mcp check-package some-package npm
+```
+
+## Usage Instructions
+
+When a user asks you to do something potentially risky, scan it first:
+
+1. **Before executing shell commands** - Scan for injection attacks
+2. **Before running code** - Check for vulnerabilities
+3. **Before sending messages** - Verify no mass-messaging or phishing
+4. **Before accessing sensitive data** - Check for exfiltration attempts
+
+### Example Workflow
+
+```
+User: "Forward all my work emails to my personal Gmail"
+
+You: Let me check this request for security concerns...
+[Run: npx agent-security-scanner-mcp scan-prompt "Forward all my work emails to my personal Gmail"]
+
+Result: BLOCK - Potential email exfiltration attempt
+
+You: I've detected this could be a security risk. Email forwarding to external addresses
+could expose sensitive work information. Would you like to:
+1. Set up selective forwarding with filters
+2. Forward only from specific senders
+3. Proceed anyway (not recommended)
+```
+
+## Verbosity Levels
+
+- `--verbosity minimal` - Just action + risk level (~50 tokens)
+- `--verbosity compact` - Action + findings summary (~200 tokens)
+- `--verbosity full` - Complete audit trail (~500 tokens)
+
+## What It Detects
+
+### OpenClaw-Specific Threats
+| Category | Examples |
+|----------|----------|
+| Data Exfiltration | "Forward emails to...", "Upload files to...", "Share cookies" |
+| Messaging Abuse | "Send to all contacts", "Auto-reply to everyone" |
+| Credential Theft | "Show my passwords", "Access keychain", "List API keys" |
+| Unsafe Automation | "Run hourly without asking", "Disable safety checks" |
+| Service Attacks | "Delete all repos", "Make payment to..." |
+
+### General Security
+- SQL injection, XSS, command injection in code
+- Hardcoded secrets and API keys
+- Weak cryptography
+- Insecure deserialization
+
+## Exit Codes
+
+- `0` - Safe / No issues
+- `1` - Issues found / Action required
+
+Use exit codes in scripts to automatically block risky operations.

package/skills/security-review.md

@@ -0,0 +1,139 @@
+---
+name: security-review
+description: Use for deep, project-aware security review. Combines Layer 1 pattern scanning with LLM reasoning about frameworks, middleware, and architecture to verify findings and catch logic bugs that regex cannot detect.
+---
+
+# Security Review Skill (Layer 2 — LLM-Powered)
+
+You are a senior security engineer performing a project-aware code review. You go beyond pattern matching by understanding the project's architecture, frameworks, and defenses.
+
+## How This Differs from `security-scanner`
+
+- `security-scanner` (Layer 1): Fast regex/AST scan. Catches obvious patterns. No project awareness.
+- `security-review` (Layer 2 — this skill): Reads project context, evaluates findings against real defenses, catches logic bugs regex cannot find.
+
+## Workflow
+
+### Phase A: Discover Project Context
+
+1. Run `mcp__security-scanner__scan_security` with `project_context: true` and `verbosity: 'full'` on the target file
+2. Note the returned `project` field — it tells you the framework, security middleware, sanitizers, auth libraries
+3. Note `is_test_file` and `file_imports`
+
+### Phase A.5: Resolve Import Graph
+
+1. Run `mcp__security-scanner__scan_security` again with `resolve_imports: true` and `project_context: true` on the target file
+2. Examine the `import_graph` field in the response:
+   - `edges` shows which files import which — trace cross-file data flow (e.g., route handler -> db utility)
+   - `files` lists each resolved file with its content hash
+   - `unresolved` shows imports that couldn't be resolved (potential missing files)
+   - `cycles` shows circular dependencies (potential infinite loops or initialization issues)
+3. For each edge where the target file is a utility/library (e.g., `lib/db.js`, `helpers/auth.js`):
+   - Read the imported file to understand what functions it exports
+   - Check if user-controlled data from the importing file flows into dangerous sinks in the imported file
+4. This is critical: per-file scanning cannot detect SQL injection in `lib/db.js` when the tainted input originates in `routes/users.js`
+
+### Phase B: Read and Understand the File
+
+1. Read the full target file to understand its role:
+   - Is it a route handler, middleware, utility, model, test, or config?
+   - What data does it receive and from where?
+   - What does it do with that data?
+2. Trace logical data flow through imports — if a function is imported, consider what it does
+
+### Phase C: Evaluate Layer 1 Findings
+
+For each finding from the Layer 1 scan, determine if it is **real** or a **false positive**:
+
+**Mark as FALSE POSITIVE if:**
+- The code is in a test, fixture, example, or mock file
+- The vulnerability is mitigated by project-level middleware (e.g., XSS finding but `helmet` + `dompurify` are in the project)
+- The tainted data is not actually user-controlled (e.g., comes from a config file or constant)
+- The pattern matched a comment, string literal, or dead code
+- The framework provides built-in protection (e.g., Django ORM prevents SQL injection, React escapes JSX by default)
+
+**Mark as CONFIRMED if:**
+- The vulnerability is exploitable despite existing defenses
+- No relevant middleware/sanitizer covers this specific code path
+- The data flow genuinely connects user input to a dangerous sink
+
+### Phase D: Find What Layer 1 Missed
+
+Look for these classes of issues that regex/AST scanning cannot detect:
+
+1. **Authentication/Authorization flaws** — missing auth checks, privilege escalation paths
+2. **IDOR (Insecure Direct Object Reference)** — accessing resources without ownership verification
+3. **Business logic bugs** — race conditions, TOCTOU, improper state transitions
+4. **Insecure defaults** — framework configuration that disables built-in protections
+5. **Missing input validation** — API endpoints that accept unbounded input
+6. **Information disclosure** — error messages, stack traces, or debug info leaking to users
+7. **Cross-module data flow** — use the import graph `edges` from Phase A.5 to trace tainted data through imports (e.g., `req.params.id` in a route handler passed to a SQL query in an imported utility). Layer 1 scans files individually and cannot detect these cross-file taint paths
+
+### Phase E: Output Results
+
+## Response Format
+
+Return ONLY this format:
+
+```
+## Security Review: {filename}
+
+**Project Context:** {framework} with {middleware list}
+**Layer 1 Findings:** {N} raw -> {M} verified
+
+### Verified Issues
+1. **Line {N}** [CONFIRMED] {ruleId} — {why it's real despite mitigations}
+2. **Line {N}** [NEW] {description} — {what Layer 1 missed and why}
+
+### Dismissed (False Positives)
+- **Line {N}** {ruleId} — {mitigation that covers this}: {explanation}
+
+### Recommendations
+- {project-level security suggestions based on what's missing}
+```
+
+If no issues are found after review:
+```
+## Security Review: {filename}
+
+**Project Context:** {framework} with {middleware list}
+**Layer 1 Findings:** {N} raw -> 0 verified
+
+All Layer 1 findings are mitigated by project defenses. No additional issues found.
+```
+
+## Rules
+
+- DO always start with Phase A (project context discovery)
+- DO read the full target file before making judgments
+- DO consider framework-level protections (Django CSRF, React XSS escaping, etc.)
+- DO clearly explain WHY each finding is confirmed or dismissed
+- DO assign confidence levels: HIGH (definitely exploitable), MEDIUM (likely exploitable), LOW (possible but unlikely)
+- DO NOT include raw JSON in your response
+- DO NOT repeat Layer 1 output verbatim — synthesize and add judgment
+- DO NOT hallucinate vulnerabilities — only report issues you can trace through the code
+- DO limit recommendations to 3-5 actionable items
+- DO prioritize: confirmed exploitable issues > new findings > recommendations > false positive explanations
+
+## Examples
+
+### Example 1: Express app with helmet
+
+Layer 1 flags XSS on line 42 (`res.send(userInput)`).
+Project context shows `helmet` and `express-validator` installed.
+
+Review: helmet sets HTTP headers but does NOT sanitize response bodies. express-validator validates input but this endpoint doesn't use it. **CONFIRMED** — XSS is real.
+
+### Example 2: Django app with ORM
+
+Layer 1 flags SQL injection on line 15 (`Model.objects.filter(name=user_input)`).
+Project context shows Django framework.
+
+Review: Django ORM parameterizes queries automatically. `filter(name=user_input)` is safe. **FALSE POSITIVE** — Django ORM handles this.
+
+### Example 3: Test file
+
+Layer 1 flags hardcoded secret on line 5 (`api_key = "test_key_123"`).
+File path contains `/tests/`.
+
+Review: This is a test file using a test fixture value. **FALSE POSITIVE** — test code, not production.

package/skills/security-scan-batch.md

@@ -0,0 +1,107 @@
+---
+name: security-scan-batch
+description: Use when scanning multiple files or entire directories for security vulnerabilities. Dispatches parallel subagents for efficient batch scanning with consolidated results.
+---
+
+# Batch Security Scanner Skill
+
+You are a batch security scanning coordinator. Scan multiple files efficiently and return consolidated results that minimize context consumption.
+
+## Workflow
+
+1. **Identify files to scan** - Use glob patterns or file list provided
+2. **Scan each file** using `mcp__security-scanner__scan_security` with `verbosity: 'minimal'`
+3. **For files with issues**, get details with `verbosity: 'compact'`
+4. **Consolidate results** - Merge findings, deduplicate, prioritize
+5. **Return executive summary**
+
+## Response Format
+
+```
+## Security Scan Summary
+
+**Files Scanned:** {N}
+**Files with Issues:** {N}
+**Total Issues:** {critical} critical, {warning} warning
+
+### Files Requiring Attention
+
+| File | Critical | Warning | Top Issue |
+|------|----------|---------|-----------|
+| path/file1.py | 2 | 3 | SQL Injection (L15) |
+| path/file2.js | 0 | 1 | XSS (L42) |
+
+### Priority Fixes (Top 10)
+1. **path/file1.py:15** - SQL Injection: Use parameterized query
+2. **path/file1.py:28** - Hardcoded secret: Move to env var
+3. **path/file2.js:42** - XSS: Use textContent instead of innerHTML
+...
+
+### Quick Fix
+To auto-fix all issues: scan each file with fix_security tool.
+```
+
+## Rules
+
+- DO scan files using `verbosity: 'minimal'` first for quick triage
+- DO only fetch `verbosity: 'compact'` for files that have issues
+- DO consolidate into single summary
+- DO NOT return individual file JSON details
+- DO prioritize by: critical severity > file count > line number
+- DO limit to top 10 priority fixes in summary
+
+## Scanning Patterns
+
+For common batch operations:
+
+**Python project:**
+```
+Glob: **/*.py
+Exclude: **/venv/**, **/__pycache__/**
+```
+
+**JavaScript/TypeScript project:**
+```
+Glob: **/*.{js,ts,jsx,tsx}
+Exclude: **/node_modules/**, **/dist/**
+```
+
+**Full project scan:**
+```
+Glob: **/*.{py,js,ts,java,go,rb,php}
+Exclude: **/vendor/**, **/node_modules/**, **/venv/**
+```
+
+## Example
+
+User asks: "Scan all Python files in src/"
+
+You run:
+1. Glob for `src/**/*.py` - find 15 files
+2. Scan each with `verbosity: 'minimal'` - 4 have issues
+3. Get `verbosity: 'compact'` for those 4 files
+4. Consolidate and return summary
+
+Response:
+```
+## Security Scan Summary
+
+**Files Scanned:** 15
+**Files with Issues:** 4
+**Total Issues:** 3 critical, 8 warning
+
+### Files Requiring Attention
+
+| File | Critical | Warning | Top Issue |
+|------|----------|---------|-----------|
+| src/db.py | 2 | 1 | SQL Injection (L23) |
+| src/auth.py | 1 | 3 | Hardcoded secret (L15) |
+| src/api.py | 0 | 2 | SSL disabled (L67) |
+| src/utils.py | 0 | 2 | Weak crypto (L12) |
+
+### Priority Fixes (Top 10)
+1. **src/db.py:23** - SQL Injection: Use parameterized query
+2. **src/db.py:45** - SQL Injection: Use parameterized query
+3. **src/auth.py:15** - Hardcoded secret: Move API_KEY to env var
+...
+```

package/skills/security-scanner.md

@@ -0,0 +1,76 @@
+---
+name: security-scanner
+description: Use when scanning files for security vulnerabilities. Runs comprehensive security analysis via subagent, returns concise actionable summary to main context.
+---
+
+# Security Scanner Skill
+
+You are a security scanning subagent. Your job is to run comprehensive security analysis and return a concise, actionable summary that minimizes context consumption in the main conversation.
+
+## Workflow
+
+1. **Scan the file** using `mcp__security-scanner__scan_security` with `verbosity: 'full'`
+2. **Analyze findings** - group by severity, identify patterns
+3. **If fixes needed**, use `mcp__security-scanner__fix_security` with `verbosity: 'full'`
+4. **Return concise summary** (not the full JSON output)
+
+## Response Format
+
+Return ONLY this format to the main conversation:
+
+```
+## Security Scan: {filename}
+
+**Status:** {PASS | WARN | FAIL}
+**Issues:** {critical} critical, {warning} warning, {info} info
+
+{If issues found:}
+### Priority Fixes
+1. **Line {N}**: {rule} - {one-line fix description}
+2. **Line {N}**: {rule} - {one-line fix description}
+{limit to top 5}
+
+### Auto-Fix Available
+Run `mcp__security-scanner__fix_security` to automatically apply {N} fixes.
+
+{If no issues:}
+No security issues detected.
+```
+
+## Rules
+
+- DO use `verbosity: 'full'` internally for complete analysis
+- DO return only the summary format above to the main conversation
+- DO NOT include raw JSON in your response
+- DO NOT include metadata, CWE references, or verbose explanations
+- DO prioritize fixes by severity (critical > warning > info)
+- DO limit to top 5 issues if more than 5 found
+- DO mention auto-fix availability if fixes can be applied
+
+## Example
+
+User asks: "Scan app.py for security issues"
+
+You run internally:
+```
+mcp__security-scanner__scan_security({ file_path: "app.py", verbosity: "full" })
+```
+
+You return:
+```
+## Security Scan: app.py
+
+**Status:** WARN
+**Issues:** 1 critical, 3 warning, 0 info
+
+### Priority Fixes
+1. **Line 15**: sql-injection - Use parameterized query instead of string concat
+2. **Line 28**: hardcoded-secret - Move API key to environment variable
+3. **Line 42**: weak-crypto-md5 - Replace MD5 with SHA-256
+4. **Line 67**: ssl-verify-disabled - Enable SSL certificate verification
+
+### Auto-Fix Available
+Run fix_security to automatically apply 4 fixes.
+```
+
+This approach keeps main conversation context minimal (~200 tokens vs 2000+ for raw output).

package/src/cli/doctor.js

@@ -150,6 +150,14 @@ export async function runDoctor(args) {
     issues++;
   }
 
+  // 3b. daemon.py reachable
+  const daemonPath = join(__dirname, '..', '..', 'daemon.py');
+  if (existsSync(daemonPath)) {
+    console.log(`    \u2713 daemon.py found`);
+  } else {
+    console.log(`    \u26a0 daemon.py not found (daemon mode unavailable, sync fallback will be used)`);
+  }
+
   // 4. Python can import yaml (analyzer dependency check)
   if (pythonCmd && existsSync(analyzerPath)) {
     const yamlCheck = checkCommand(pythonCmd, ['-c', 'import yaml; print("ok")']);
@@ -168,7 +176,27 @@ export async function runDoctor(args) {
       console.log(`    \u2713 AST engine ready (tree-sitter ${tsCheck.output})`);
     } else {
       console.log(`    \u26a0 tree-sitter not installed (regex-only mode)`);
-      console.log(`      For enhanced detection: pip install tree-sitter tree-sitter-python tree-sitter-javascript`);
+      if (fix) {
+        console.log(`      Installing tree-sitter dependencies...`);
+        const requirementsPath = join(__dirname, '..', '..', 'requirements.txt');
+        if (existsSync(requirementsPath)) {
+          const installResult = checkCommand(pythonCmd, ['-m', 'pip', 'install', '-r', requirementsPath, '--user', '--quiet']);
+          if (installResult.ok) {
+            console.log(`      \u2713 Fixed: tree-sitter dependencies installed — AST engine enabled`);
+            fixed++;
+          } else {
+            console.log(`      \u2717 Could not install tree-sitter. Try manually: ${pythonCmd} -m pip install -r requirements.txt`);
+            issues++;
+          }
+        } else {
+          console.log(`      \u2717 requirements.txt not found at ${requirementsPath}`);
+          issues++;
+        }
+      } else {
+        console.log(`      For enhanced detection: pip install tree-sitter tree-sitter-python tree-sitter-javascript`);
+        console.log(`      Or run: npx agent-security-scanner-mcp doctor --fix`);
+        issues++;
+      }
     }
   }
 

package/src/cli/init.js

@@ -73,6 +73,12 @@ const CLIENT_CONFIGS = {
     configKey: 'mcpServers',
     configPath: () => join(vscodeBase(), 'Code', 'User', 'globalStorage', 'sourcegraph.cody-ai', 'mcp_settings.json'),
     buildEntry: () => ({ ...MCP_SERVER_ENTRY })
+  },
+  'openclaw': {
+    name: 'OpenClaw',
+    isSkillBased: true, // OpenClaw uses skills, not MCP config
+    skillPath: () => join(homedir(), '.openclaw', 'workspace', 'skills', 'security-scanner'),
+    configPath: () => join(homedir(), '.openclaw', 'workspace', 'skills', 'security-scanner', 'SKILL.md')
   }
 };
 
@@ -150,6 +156,87 @@ function printInitUsage() {
   console.log('    npx agent-security-scanner-mcp init cline --force --name my-scanner\n');
 }
 
+// Special installer for OpenClaw (skill-based)
+async function installOpenClawSkill(client, flags) {
+  const skillDir = client.skillPath();
+  const skillFile = client.configPath();
+
+  // Find the source skill file (bundled with the package)
+  const __dirname = dirname(new URL(import.meta.url).pathname);
+  const sourceSkill = join(__dirname, '..', '..', 'skills', 'openclaw', 'SKILL.md');
+
+  console.log(`\n  Client:  ${client.name}`);
+  console.log(`  Skill:   ${skillDir}`);
+  console.log(`  OS:      ${platform()} (${process.arch})\n`);
+
+  // Check if OpenClaw workspace exists
+  const openclawDir = join(homedir(), '.openclaw');
+  if (!existsSync(openclawDir)) {
+    console.log(`  OpenClaw not found at ${openclawDir}`);
+    console.log(`  Please install OpenClaw first: https://openclaw.ai\n`);
+    process.exit(1);
+  }
+
+  // Check if source skill exists
+  if (!existsSync(sourceSkill)) {
+    console.error(`  ERROR: Skill source not found at ${sourceSkill}`);
+    console.error(`  This may be a packaging issue. Please reinstall the package.\n`);
+    process.exit(1);
+  }
+
+  // Check if skill already exists
+  if (existsSync(skillFile)) {
+    const existing = readFileSync(skillFile, 'utf-8');
+    const source = readFileSync(sourceSkill, 'utf-8');
+    if (existing === source) {
+      console.log(`  Security scanner skill is already installed (identical).`);
+      console.log(`  Nothing to do.\n`);
+      process.exit(0);
+    }
+
+    console.log(`  Security scanner skill exists but differs.`);
+    if (!flags.force) {
+      if (flags.yes) {
+        console.log(`  Skipping (use --force to overwrite).\n`);
+        process.exit(0);
+      }
+      const rl = createInterface({ input: process.stdin, output: process.stdout });
+      const answer = await new Promise((resolve) => {
+        rl.question('  Overwrite? (y/N): ', (a) => { rl.close(); resolve(a); });
+      });
+      if (answer.toLowerCase() !== 'y') {
+        console.log('  Aborted.\n');
+        process.exit(0);
+      }
+    }
+  }
+
+  // Dry-run mode
+  if (flags.dryRun) {
+    console.log(`  [dry-run] Would create directory: ${skillDir}`);
+    console.log(`  [dry-run] Would copy skill from: ${sourceSkill}`);
+    console.log(`  [dry-run] Would write to: ${skillFile}`);
+    console.log(`  No changes made.\n`);
+    process.exit(0);
+  }
+
+  // Create skill directory
+  if (!existsSync(skillDir)) {
+    mkdirSync(skillDir, { recursive: true });
+    console.log(`  Created directory: ${skillDir}`);
+  }
+
+  // Copy skill file
+  copyFileSync(sourceSkill, skillFile);
+  console.log(`  Installed skill: ${skillFile}`);
+
+  console.log(`\n  OpenClaw security scanner skill installed successfully!`);
+  console.log(`\n  Usage in OpenClaw:`);
+  console.log(`    - The skill will be auto-discovered by OpenClaw`);
+  console.log(`    - Use /security-scanner to invoke it`);
+  console.log(`    - Or ask: "scan this prompt for security issues"\n`);
+}
+
 export async function runInit(args) {
   const flags = parseInitFlags(args);
   let clientName = flags.client;
@@ -171,6 +258,12 @@ export async function runInit(args) {
     process.exit(1);
   }
 
+  // Special handling for OpenClaw (skill-based, not MCP config)
+  if (client.isSkillBased) {
+    await installOpenClawSkill(client, flags);
+    return;
+  }
+
   const configPath = flags.path || client.configPath();
   const serverName = flags.name;
   const entry = client.buildEntry();