agentaudit 3.12.1 → 3.12.3

package/index.mjs

@@ -343,7 +343,7 @@ async function checkRegistry(slug) {
 // ── MCP Server ───────────────────────────────────────────
 
 const server = new Server(
-  { name: 'agentaudit', version: '3.12.1' },
+  { name: 'agentaudit', version: '3.12.3' },
   { capabilities: { tools: {} } }
 );
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agentaudit",
-  "version": "3.12.1",
+  "version": "3.12.3",
   "description": "Security scanner for AI packages — MCP server + CLI",
   "type": "module",
   "bin": {

package/prompts/audit-prompt.md

@@ -4,7 +4,7 @@ You are a security auditor analyzing a software package. Follow the three phases
 
 **LANGUAGE REQUIREMENT: Write ALL findings in ENGLISH. This includes `title`, `description`, `remediation` fields in the JSON report.**
 
-**BACKEND ENRICHMENT: The AgentAudit backend automatically extracts version info (package_version, commit_sha, PURL, SWHID) and computes content hashes. Focus on security analysis — the backend handles mechanical tasks.**
+**YOU must extract `package_version` from manifest files (package.json, pyproject.toml, setup.py). The backend enriches `commit_sha`, PURL, SWHID, and content hashes — but `package_version` must come from YOU.**
 
 ---
 
@@ -452,43 +452,70 @@ For every README, package.json description, tool description, and SKILL.md: comp
 ## source_url Rules
 The `source_url` field MUST point to a **source code repository** — never a product website, API endpoint, or marketing page.
 - **Best:** GitHub/GitLab repository URL
-- **OK:** ClaWHub URL (`https://clawhub.ai/skill-slug`)
+- **OK:** AgentAudit package URL (`https://agentaudit.dev/packages/package-slug`)
 - **OK:** npm/PyPI package URL as last resort
 - **NEVER:** Company websites, API URLs, app URLs
 
-To find source_url: check `package.json` → `repository.url`, `_meta.json` → `source`/`repository`, `README.md` → GitHub links. If none found, use `https://clawhub.ai/{slug}`.
+To find source_url: check `package.json` → `repository.url`, `_meta.json` → `source`/`repository`, `README.md` → GitHub links. If none found, use `https://agentaudit.dev/packages/{slug}`.
 
 ## JSON Report Format
 
+**EVERY field shown below is REQUIRED. A finding missing ANY field (especially `cwe_id`, `content`, `remediation`) is INVALID — do not emit it.**
+
 ```json
 {
   "skill_slug": "package-name",
   "source_url": "https://github.com/owner/repo",
-  "risk_score": 8,
+  "package_type": "mcp-server",
+  "package_version": "1.2.3",
+  "risk_score": 23,
+  "max_severity": "high",
   "result": "safe",
   "findings_count": 2,
   "findings": [
     {
-      "severity": "high",
       "pattern_id": "CMD_INJECT_001",
       "cwe_id": "CWE-78",
+      "severity": "high",
       "title": "Unescaped user input passed to exec()",
-      "description": "User-controlled input from HTTP body is passed directly to exec() without sanitization.",
+      "description": "User-controlled input from the 'command' tool argument is passed directly to child_process.exec() without sanitization at runner.js:42. An attacker can inject arbitrary shell commands via the MCP tool call.",
       "file": "src/runner.js",
-      "file_hash": "e3b0c442...",
       "line": 42,
       "content": "exec(req.body.command)",
+      "remediation": "Validate input against an allowlist of permitted commands; use execFile() with explicit argument array instead of exec()",
       "confidence": "high",
-      "remediation": "Validate and sanitize input; use allowlist of permitted commands",
       "by_design": false,
       "score_impact": -15
+    },
+    {
+      "pattern_id": "INFO_LEAK_001",
+      "cwe_id": "CWE-200",
+      "severity": "medium",
+      "title": "Stack trace exposed in error response",
+      "description": "Unhandled errors in the /api/query endpoint return the full stack trace to the client at handler.js:87, potentially revealing internal file paths and dependency versions.",
+      "file": "src/handler.js",
+      "line": 87,
+      "content": "res.status(500).json({ error: err.stack })",
+      "remediation": "Return a generic error message to the client; log the full stack trace server-side only",
+      "confidence": "high",
+      "by_design": false,
+      "score_impact": -5
     }
   ]
 }
 ```
 
 ### Required Top-Level Fields
-`skill_slug`, `risk_score`, `result`, `findings_count`, `findings`. Do NOT nest `risk_score` or `result` inside a summary object.
+`skill_slug`, `source_url`, `package_type`, `risk_score`, `max_severity`, `result`, `findings_count`, `findings`.
+- `package_version`: Extract from `package.json` → `version`, `pyproject.toml` → `[project] version`, `setup.py` → `version=`. Use `"unknown"` only if no version file exists.
+- `max_severity`: Highest severity across all findings. Use `"none"` if no findings.
+- Do NOT nest `risk_score` or `result` inside a summary object.
+
+### Required Finding Fields (ALL mandatory)
+Every finding MUST include ALL of these fields:
+`pattern_id`, `cwe_id`, `severity`, `title`, `description`, `file`, `line`, `content`, `remediation`, `confidence`, `by_design`, `score_impact`
+
+**A finding without `cwe_id` or `content` or `remediation` is INVALID. Do not emit incomplete findings.**
 
 ### Field Defaults
 - `by_design`: default `false` (set `true` only when all 4 criteria in §3.9 met)
@@ -504,21 +531,32 @@ To find source_url: check `package.json` → `repository.url`, `_meta.json` →
 
 **Only use:** `safe`, `caution`, or `unsafe`.
 
-### Version Tracking (Optional — Backend Auto-Enrichment)
-Backend auto-extracts: `commit_sha`, `content_hash`, `package_version`. Per-finding `file_hash` (SHA-256) is recommended for staleness detection.
-
-### CWE ID (Required)
-Every finding MUST include a `cwe_id` field with the most specific applicable CWE identifier.
-Common CWEs for MCP/package security:
-- `CWE-78` Command Injection, `CWE-79` XSS, `CWE-89` SQL Injection, `CWE-94` Code Injection
-- `CWE-22` Path Traversal, `CWE-918` SSRF, `CWE-502` Deserialization
-- `CWE-798` Hardcoded Credentials, `CWE-321` Hardcoded Crypto Key
-- `CWE-862` Missing Authorization (IDOR), `CWE-915` Mass Assignment
-- `CWE-200`/`CWE-209` Information Exposure, `CWE-532` Log Injection
-- `CWE-362` Race Condition, `CWE-601` Open Redirect, `CWE-434` Unrestricted Upload
-- `CWE-444` HTTP Smuggling, `CWE-1321` Prototype Pollution
-- `CWE-327` Weak Crypto, `CWE-338` Weak PRNG, `CWE-1333` ReDoS
-If unsure, use the closest parent CWE. Never omit this field.
+### Version & Provenance
+- `package_version`: YOU must extract this from `package.json` → `version`, `pyproject.toml` → `[project] version`, `setup.py` → `version=`, or `Cargo.toml` → `version`. Use `"unknown"` only if no version file exists.
+- `commit_sha`, `content_hash`: Auto-enriched by backend. Do not include unless available.
+- Per-finding `file_hash` (SHA-256) is optional but recommended for staleness detection.
+
+### CWE ID (REQUIRED — findings without cwe_id are INVALID)
+Every finding MUST include `cwe_id`. Use the most specific CWE. If unsure, use the closest parent.
+
+**Pattern ID → CWE mapping (use as default, override if more specific CWE applies):**
+| Pattern | Default CWE | Pattern | Default CWE |
+|---------|------------|---------|------------|
+| CMD_INJECT | CWE-78 | CRED_THEFT | CWE-522 |
+| DATA_EXFIL | CWE-200 | DESTRUCT | CWE-912 |
+| OBF | CWE-506 | SANDBOX_ESC | CWE-693 |
+| SUPPLY_CHAIN | CWE-1357 | SOCIAL_ENG | CWE-451 |
+| PRIV_ESC | CWE-269 | INFO_LEAK | CWE-200 |
+| CRYPTO_WEAK | CWE-327 | DESER | CWE-502 |
+| PATH_TRAV | CWE-22 | SEC_BYPASS | CWE-693 |
+| PERSIST | CWE-912 | AI_PROMPT | CWE-1426 |
+| MCP_POISON | CWE-1426 | MCP_INJECT | CWE-94 |
+| MCP_TRAVERSAL | CWE-22 | MCP_SUPPLY | CWE-1357 |
+| MCP_PERM | CWE-269 | WORM | CWE-912 |
+| CICD | CWE-912 | CORR | CWE-829 |
+
+**More specific CWEs (use when applicable):**
+`CWE-79` XSS, `CWE-89` SQL Injection, `CWE-94` Code Injection, `CWE-918` SSRF, `CWE-798` Hardcoded Credentials, `CWE-321` Hardcoded Crypto Key, `CWE-862` Missing Authorization, `CWE-532` Log Injection, `CWE-362` Race Condition, `CWE-601` Open Redirect, `CWE-434` Unrestricted Upload, `CWE-1321` Prototype Pollution, `CWE-338` Weak PRNG, `CWE-1333` ReDoS
 
 ### Pattern ID Prefixes
 Use: `CMD_INJECT`, `CRED_THEFT`, `DATA_EXFIL`, `DESTRUCT`, `OBF`, `SANDBOX_ESC`, `SUPPLY_CHAIN`, `SOCIAL_ENG`, `PRIV_ESC`, `INFO_LEAK`, `CRYPTO_WEAK`, `DESER`, `PATH_TRAV`, `SEC_BYPASS`, `PERSIST`, `AI_PROMPT`, `CORR`, `MCP_POISON`, `MCP_INJECT`, `MCP_TRAVERSAL`, `MCP_SUPPLY`, `MCP_PERM`, `WORM`, `CICD`, `MANUAL`.
@@ -526,12 +564,12 @@ Use: `CMD_INJECT`, `CRED_THEFT`, `DATA_EXFIL`, `DESTRUCT`, `OBF`, `SANDBOX_ESC`,
 ---
 
 # ═══════════════════════════════════════════════
-# SAVE AND UPLOAD
+# OUTPUT
 # ═══════════════════════════════════════════════
 
-Save JSON and upload: `bash scripts/upload.sh report.json`
+Respond with ONLY the JSON report. No markdown fences, no explanation, no text before or after. The CLI handles upload automatically.
 
-If no findings: still submit with empty `findings` array and `result: "safe"` — clean scans are valuable too.
+If no findings: still output the report with empty `findings` array, `result: "safe"`, `risk_score: 0`, `max_severity: "none"` — clean audits are valuable data.
 
 ---