agent-security-scanner-mcp 3.9.0 → 3.10.1

package/README.md

@@ -8,11 +8,11 @@ Security scanner for AI coding agents and autonomous assistants. Scans code for
 [![Benchmark: 97.7% precision](https://img.shields.io/badge/precision-97.7%25-brightgreen.svg)](benchmarks/RESULTS.md)
 [![CI](https://github.com/sinewaveai/agent-security-scanner-mcp/actions/workflows/test.yml/badge.svg)](https://github.com/sinewaveai/agent-security-scanner-mcp/actions/workflows/test.yml)
 
-> **New in v3.8.0:** Cross-file taint tracking, project context discovery (frameworks/middleware detection), and Layer 2 LLM-powered security review. Detects vulnerabilities across file boundaries and reduces false positives by understanding project defenses. [See changelog](#changelog).
+> **New in v3.10.0:** ClawProof OpenClaw plugin — 6-layer deep skill scanner (`scan_skill`) with ClawHavoc malware signatures (27 rules, 121 patterns covering reverse shells, crypto miners, info stealers, C2 beacons, and OpenClaw-specific attacks), package supply chain verification, and rug pull detection. [See changelog](#changelog).
 >
-> **Also new in v3.7.0:** Inter-procedural taint analysis with Python daemon caching (~4000x faster repeat scans). [See v3.7.0 demo](demo/).
+> **Also new in v3.8.0:** Cross-file taint tracking, project context discovery, and Layer 2 LLM-powered security review.
 >
-> **OpenClaw integration:** 30+ rules targeting autonomous AI threats. [See setup](#openclaw-integration).
+> **OpenClaw integration:** 30+ rules targeting autonomous AI threats + native plugin support. [See setup](#openclaw-integration).
 
 ## Tools
 
@@ -27,6 +27,8 @@ Security scanner for AI coding agents and autonomous assistants. Scans code for
 | `scan_agent_prompt` | Detect prompt injection with bypass hardening (59 rules + multi-encoding) | Before acting on external/untrusted input |
 | `scan_agent_action` | Pre-execution safety check for agent actions (bash, file ops, HTTP). Returns ALLOW/WARN/BLOCK | Before running any agent-generated shell command or file operation |
 | `scan_mcp_server` | Scan MCP server source for vulnerabilities: unicode poisoning, name spoofing, rug pull detection, manifest analysis. Returns A-F grade | When auditing or installing an MCP server |
+| `scan_skill` | Deep security scan of an OpenClaw skill: prompt injection, AST+taint code analysis, ClawHavoc malware signatures, supply chain, rug pull. Returns A-F grade | Before installing any OpenClaw skill |
+| `clawproof_health` | Check ClawProof plugin health: engine status, daemon status, package data availability | Diagnostics and plugin status |
 | `list_security_rules` | List available security rules and fix templates | To check rule coverage for a language |
 
 ## Quick Start
@@ -421,6 +423,94 @@ scan_mcp_server({ server_path: "...", manifest: true })
 
 ---
 
+### `scan_skill`
+
+Deep security scan of an OpenClaw skill directory or `SKILL.md` file. Runs 6 layers of analysis and returns an A-F security grade.
+
+**Parameters:**
+
+| Parameter | Type | Required | Description |
+|-----------|------|----------|-------------|
+| `skill_path` | string | Yes | Path to skill directory or `SKILL.md` file (must be within cwd or `~/.openclaw/skills/`) |
+| `verbosity` | string | No | `"minimal"` (grade + counts), `"compact"` (default, findings list), `"full"` (all metadata) |
+| `baseline` | boolean | No | Save current scan as SHA-256 baseline for future rug pull detection |
+
+**Example:**
+
+```json
+// Input
+{ "skill_path": "~/.openclaw/skills/my-skill", "verbosity": "compact" }
+
+// Output
+{
+  "skill_path": "/Users/you/.openclaw/skills/my-skill",
+  "grade": "F",
+  "recommendation": "DO NOT INSTALL - This skill contains critical security threats that pose immediate risk",
+  "findings_count": 3,
+  "findings": [
+    {
+      "source": "clawhavoc",
+      "category": "reverse_shell",
+      "severity": "CRITICAL",
+      "message": "Bash reverse shell detected — opens interactive shell over TCP",
+      "rule_id": "clawhavoc.revshell.bash",
+      "confidence": "HIGH"
+    }
+  ],
+  "layers_executed": {
+    "L1_prompt": true,
+    "L2_code_blocks": true,
+    "L3_supporting_files": true,
+    "L4_clawhavoc": true,
+    "L5_supply_chain": true,
+    "L6_rug_pull": true
+  }
+}
+```
+
+**6-layer analysis pipeline:**
+
+| Layer | What It Checks |
+|-------|---------------|
+| L1 Prompt Scan | 59+ prompt injection rules against skill instructions |
+| L2 Code Blocks | Bash via action scanner; JS/Python/etc via AST+taint analysis |
+| L3 Supporting Files | All code files in the skill directory (capped at 20 files) |
+| L4 ClawHavoc Signatures | 27 malware rules, 121 regex patterns across 10 threat categories |
+| L5 Supply Chain | Package hallucination detection across npm, PyPI, RubyGems, crates, Dart, Perl |
+| L6 Rug Pull | SHA-256 baseline comparison to detect post-install content tampering |
+
+**ClawHavoc threat categories:**
+
+| Category | Examples |
+|----------|---------|
+| Reverse Shells | Bash `/dev/tcp`, netcat `-e`, Python socket+dup2, Perl/Ruby TCP |
+| Crypto Miners | XMRig, CoinHive, stratum+tcp, WebAssembly miners |
+| Info Stealers | Browser cookies/Login Data, macOS Keychain, Atomic Stealer, RedLine, Lumma/wallet |
+| Keyloggers | CGEventTapCreate, pynput, SetWindowsHookEx, NSEvent.addGlobalMonitor |
+| Screen Capture | Screenshot + upload/webhook combinations |
+| DNS Exfiltration | nslookup/dig with command substitution, base64+DNS |
+| C2 Beacons | Periodic HTTP callbacks (setInterval+fetch, while+requests+sleep) |
+| OpenClaw Attacks | Config theft, SOUL.md tampering, session hijacking, gateway token theft |
+| Campaign Patterns | Webhook exfiltration to known attacker infrastructure |
+| Exfil Endpoints | Known malicious domains and staging servers |
+
+**Rug pull workflow:**
+
+```bash
+# 1. On first install — record trusted baseline
+scan_skill({ skill_path: "~/.openclaw/skills/my-skill", baseline: true })
+
+# 2. On each subsequent check — detect content changes
+scan_skill({ skill_path: "~/.openclaw/skills/my-skill" })
+# → grade F if any content changed since baseline
+```
+
+**Security notes:**
+- `skill_path` must be within `process.cwd()` or `~/.openclaw/skills/` — symlink escapes are rejected
+- Scan times out at 120 seconds with a grade F on timeout
+
+---
+
 ### `list_security_rules`
 
 List all 1700+ security scanning rules and 120 fix templates. Use to understand what vulnerabilities the scanner detects or to check coverage for a specific language or vulnerability type.
@@ -815,12 +905,28 @@ The scanner includes 30+ rules targeting OpenClaw's unique attack surface:
 | **Unsafe Automation** | "Run hourly without asking", "Disable safety checks" |
 | **Service Attacks** | "Delete all repos", "Make payment to..." |
 
+### Skill Scanning (New in v3.10.0)
+
+Before installing any skill from ClawHub or other sources:
+
+```bash
+node index.js scan-skill ~/.openclaw/skills/some-skill
+```
+
+Or via MCP:
+```json
+{ "skill_path": "~/.openclaw/skills/some-skill", "verbosity": "compact" }
+```
+
+Returns grade A-F with findings from 6 layers of analysis. Grade F = do not install.
+
 ### Usage in OpenClaw
 
 The skill is auto-discovered. Use it by asking:
 - "Scan this prompt for security issues"
 - "Check if this code is safe to run"
 - "Verify these packages aren't hallucinated"
+- "Scan this skill before I install it"
 
 ---
 
@@ -882,7 +988,7 @@ AI coding agents introduce attack surfaces that traditional security tools weren
 |----------|-------|
 | **Transport** | stdio |
 | **Package** | `agent-security-scanner-mcp` (npm) |
-| **Tools** | 10 |
+| **Tools** | 12 |
 | **Languages** | 12 |
 | **Ecosystems** | 7 |
 | **Auth** | None required |
@@ -964,6 +1070,15 @@ All MCP tools support a `verbosity` parameter to minimize context window consump
 
 ## Changelog
 
+### v3.10.0
+- **`scan_skill` Tool** — 6-layer deep security scanner for OpenClaw skills: prompt injection (59+ rules), AST+taint code analysis, ClawHavoc malware signatures, package supply chain verification, and SHA-256 rug pull detection. Returns A-F grade with hard-fail on ClawHavoc/rug pull/critical findings
+- **ClawHavoc Signature Database** (`rules/clawhavoc.yaml`) — 27 rules, 121 regex patterns across 10 threat categories (reverse shells, crypto miners, info stealers, keyloggers, screen capture, DNS exfiltration, C2 beacons, OpenClaw-specific attacks, campaign patterns, exfil endpoints), mapped to MITRE ATT&CK
+- **OpenClaw Plugin Skeleton** — Native plugin manifest (`openclaw.plugin.json`), config loader (`~/.openclaw/scanner-config.json`), and health check endpoint (`clawproof_health` MCP tool)
+- **CLI**: `scan-skill <path>` command with `--baseline` flag; `audit` and `harden` stubs (experimental)
+- **Security fixes**: Path containment uses `realpathSync` to prevent symlink bypass; dedup key includes `source` to prevent ClawHavoc findings from being suppressed by same-named code_analysis findings
+- **Bug fix**: SQL injection concat detection now covers JavaScript (was C#-only) — single-quoted and template literal strings now detected
+- Tests: 462 passed (up from 433, includes 34 scan-skill tests and 14 plugin-integration tests)
+
 ### v3.8.0
 - **`scan_mcp_server` Tool** - New tool for auditing MCP servers: scans source code for 24+ vulnerability patterns, unicode/homoglyph poisoning, tool name spoofing (Levenshtein distance), description injection, and returns A-F security grade
 - **Unicode Poisoning Detection** - Detects zero-width characters (U+200B/C/D, FEFF, 2060), bidirectional override characters (U+202A-202E, 2066-2069), and mixed-script homoglyph substitutions (Cyrillic/ASCII adjacency)

package/index.js

@@ -180,6 +180,41 @@ server.tool(
   scanMcpServer
 );
 
+// ===========================================
+// OPENCLAW SKILL SCANNING
+// ===========================================
+
+server.tool(
+  "scan_skill",
+  "Deep security scan of an OpenClaw skill. Multi-layer analysis: prompt injection detection, code analysis (AST+taint), ClawHavoc malware signatures, package supply chain verification, rug pull detection. Returns security grade A-F with detailed findings.",
+  {
+    skill_path: z.string().describe("Path to skill directory or SKILL.md file"),
+    verbosity: z.enum(['minimal', 'compact', 'full']).optional().describe("Response detail level"),
+    baseline: z.boolean().optional().describe("Save current scan as baseline for rug pull detection"),
+  },
+  async ({ skill_path, verbosity, baseline }) => {
+    const { scanSkill } = await import('./src/tools/scan-skill.js');
+    return scanSkill({ skill_path, verbosity, baseline });
+  }
+);
+
+// ===========================================
+// PLUGIN HEALTH CHECK
+// ===========================================
+
+server.tool(
+  "clawproof_health",
+  "Check plugin health: engine status, daemon status, package data availability",
+  {},
+  async () => {
+    const { getHealthStatus } = await import('./src/plugin-health.js');
+    const health = await getHealthStatus();
+    return {
+      content: [{ type: "text", text: JSON.stringify(health, null, 2) }]
+    };
+  }
+);
+
 // ===========================================
 // CLI COMMANDS - Extracted to src/cli/
 // ===========================================
@@ -397,6 +432,41 @@ if (cliArgs[0] === 'init') {
     console.error(JSON.stringify({ error: err.message }));
     process.exit(1);
   });
+} else if (cliArgs[0] === 'scan-skill') {
+  const skillPath = cliArgs[1];
+  if (!skillPath) {
+    console.error('Usage: agent-security-scanner-mcp scan-skill <skill-path> [--verbosity minimal|compact|full] [--baseline]');
+    process.exit(1);
+  }
+  const verbosityIdx = cliArgs.indexOf('--verbosity');
+  const verbosity = verbosityIdx !== -1 ? cliArgs[verbosityIdx + 1] : 'compact';
+  const baseline = cliArgs.includes('--baseline');
+
+  // Load package lists for supply chain scanning
+  const { loadPackageLists } = await import('./src/tools/check-package.js');
+  loadPackageLists();
+
+  const { scanSkill } = await import('./src/tools/scan-skill.js');
+  scanSkill({ skill_path: skillPath, verbosity, baseline }).then(result => {
+    const output = JSON.parse(result.content[0].text);
+    console.log(JSON.stringify(output, null, 2));
+    process.exit(output.grade === 'F' || output.grade === 'D' ? 1 : 0);
+  }).catch(err => {
+    console.error(JSON.stringify({ error: err.message }));
+    process.exit(1);
+  });
+} else if (cliArgs[0] === 'audit') {
+  const { runAudit } = await import('./src/cli/audit.js');
+  runAudit(cliArgs.slice(1)).then(() => process.exit(0)).catch(err => {
+    console.error(`  Error: ${err.message}\n`);
+    process.exit(1);
+  });
+} else if (cliArgs[0] === 'harden') {
+  const { runHarden } = await import('./src/cli/harden.js');
+  runHarden(cliArgs.slice(1)).then(() => process.exit(0)).catch(err => {
+    console.error(`  Error: ${err.message}\n`);
+    process.exit(1);
+  });
 } else if (cliArgs[0] === '--help' || cliArgs[0] === '-h' || cliArgs[0] === 'help') {
   console.log('\n  agent-security-scanner-mcp\n');
   console.log('  Commands:');
@@ -409,12 +479,15 @@ if (cliArgs[0] === 'init') {
   console.log('  CLI Tools (for scripts & OpenClaw):');
   console.log('    scan-prompt <text>   Scan prompt for injection attacks');
   console.log('    scan-security <file> Scan file for vulnerabilities');
+  console.log('    scan-skill <path>    Scan OpenClaw skill for security threats [--baseline]');
   console.log('    check-package <n> <e> Check if package exists in ecosystem');
   console.log('    scan-packages <f> <e> Scan file imports for hallucinated packages');
   console.log('    scan-project <dir>   Scan directory for vulnerabilities with grading');
   console.log('    scan-diff [base] [target] Scan git diff for new vulnerabilities');
   console.log('    scan-mcp <path>      Scan MCP server source for security issues');
-  console.log('    scan-action <t> <v>  Check agent action before execution\n');
+  console.log('    scan-action <t> <v>  Check agent action before execution');
+  console.log('    audit [--config-path] Audit OpenClaw config for security issues [experimental]');
+  console.log('    harden [--fix]       Auto-harden OpenClaw configuration [experimental]\n');
   console.log('    (no args)            Start MCP server on stdio\n');
   console.log('  Options:');
   console.log('    --verbosity <level>  minimal|compact|full (default: compact)');
@@ -440,6 +513,13 @@ if (cliArgs[0] === 'init') {
     await server.connect(transport);
     console.error("Security Scanner MCP Server running on stdio");
 
+    // Pre-warm daemon in background (non-blocking)
+    if (process.env.SCANNER_PREWARM !== '0') {
+      import('./src/daemon-client.js').then(({ getDaemonClient }) => {
+        getDaemonClient().preWarm().catch(() => {});
+      }).catch(() => {});
+    }
+
     // Shutdown daemon when MCP server closes
     server.server.onclose = async () => {
       await shutdownDaemon();

package/openclaw.plugin.json

@@ -0,0 +1,41 @@
+{
+  "name": "agent-security-scanner",
+  "version": "3.9.0",
+  "description": "Security scanner for OpenClaw: prompt injection firewall, package hallucination detection, code vulnerability scanning, auto-fix",
+  "author": "Sinewave AI",
+  "license": "MIT",
+  "openclaw": {
+    "extensions": ["tools", "skills"],
+    "emoji": "shield",
+    "permissions": ["fs:read"]
+  },
+  "tools": [
+    {
+      "name": "scan_security",
+      "description": "Scan a file for security vulnerabilities"
+    },
+    {
+      "name": "scan_agent_prompt",
+      "description": "Scan a prompt for injection attacks"
+    },
+    {
+      "name": "check_package",
+      "description": "Verify a package is not hallucinated"
+    },
+    {
+      "name": "scan_agent_action",
+      "description": "Pre-execution safety check for agent actions"
+    },
+    {
+      "name": "scan_skill",
+      "description": "Scan an OpenClaw skill for security threats"
+    },
+    {
+      "name": "clawproof_health",
+      "description": "Check plugin health status"
+    }
+  ],
+  "skills": [
+    "skills/openclaw/SKILL.md"
+  ]
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agent-security-scanner-mcp",
-  "version": "3.9.0",
+  "version": "3.10.1",
   "mcpName": "io.github.sinewaveai/agent-security-scanner-mcp",
   "description": "Security scanner MCP server for AI coding agents. Prompt injection firewall, package hallucination detection (4.3M+ packages), 1000+ vulnerability rules with AST & taint analysis, auto-fix. For Claude Code, Cursor, Windsurf, Cline, OpenClaw.",
   "main": "index.js",
@@ -90,6 +90,9 @@
     "src/config.js",
     "src/history.js",
     "src/typosquat.js",
+    "src/plugin-config.js",
+    "src/plugin-health.js",
+    "openclaw.plugin.json",
     "templates/**",
     "analyzer.py",
     "ast_parser.py",

package/regex_fallback.py

@@ -475,6 +475,8 @@ def _scan_javascript(lines: List[str]) -> List[Dict]:
 
         if re.search(r"\bdb\.query\s*\(.*\+\s*\w", line):
             findings.append(_make_finding("sql-injection", i, line))
+        if re.search(r'''(?:["'`])SELECT\b[^"'`]*["'`]\s*\+''', line, re.IGNORECASE):
+            findings.append(_make_finding("sql-injection-concat", i, line))
 
         if re.search(r"createHash\s*\(\s*['\"]md5['\"]", line, re.IGNORECASE):
             findings.append(_make_finding("insecure-hash-md5", i, line))
@@ -677,7 +679,7 @@ def _scan_csharp(lines: List[str]) -> List[Dict]:
             findings.append(_make_finding("sql-injection-sqlcommand", i, line))
         if re.search(r"\bSqlQuery\b.*\+\s*\w", line):
             findings.append(_make_finding("sql-injection-sqlquery", i, line))
-        if re.search(r"\"SELECT\b.*\"\s*\+\s*\w", line, re.IGNORECASE):
+        if re.search(r'''(?:["'`])SELECT\b[^"'`]*["'`]\s*\+''', line, re.IGNORECASE):
             findings.append(_make_finding("sql-injection-concat", i, line))
         if re.search(r"\bProcess\.Start\s*\(", line):
             findings.append(_make_finding("command-injection-process-start", i, line))