agentshield-sdk 13.3.0 → 13.5.0

package/CHANGELOG.md

@@ -4,6 +4,70 @@ All notable changes to Agent Shield will be documented in this file.
 
 This project follows [Semantic Versioning](https://semver.org/).
 
+## [13.5.0] - 2026-04-16
+
+### Detection Hardening + Security Scan Remediation
+
+Tightens existing defenses based on Unit 42 real-world attack research and addresses findings from the Agent Shield security scan.
+
+#### Detector Core — 11 New Patterns (3 categories)
+
+- **Encoding chain detection** (3 patterns) — Detects multi-layer encoding (base64 inside unicode inside URL encoding). Addresses evasion technique that bypasses single-layer decoders.
+- **SVG-based injection** (4 patterns) — Detects hidden prompts in SVG elements, foreignObject, hidden text, and desc tags. Addresses Unit 42 finding of real-world attacks using SVG encapsulation with 24 layered injection attempts.
+- **Structured data injection** (4 patterns) — Detects hidden instructions in JSON metadata fields, XML CDATA sections, YAML/CSV comments, and comment syntax across formats.
+
+#### Cross-Turn Detector — Crescendo Attack Defense
+
+- 5 new escalation signal patterns for crescendo attacks: hypothetical framing, imaginary scenarios, permission boundary softening, false-prior-interaction claims, similarity-based escalation.
+- New crescendo-specific detection: flags conversations that start with hypothetical/theoretical framing and drift toward sensitive/dangerous topics over multiple turns.
+
+#### MemoryGuard — Persistent Memory Poisoning Defense
+
+- `scanSummarization(originalMessages, summary)` detects when context compaction silently injects instructions. Addresses Unit 42 March 2026 research on persistent memory poisoning that survives across sessions.
+
+#### Security Scan Remediation
+
+- **Sidecar server**: API key authentication, request body size limit (1MB default), rate limiting (100 req/min default), CORS hardened from `*` to `same-origin`.
+- **Dashboard WebSocket**: Authentication token support, max connections limit (50 default), startup warning if no auth configured.
+- **GitHub App**: Webhook signature enforced for non-localhost requests, CRITICAL warning if `GITHUB_WEBHOOK_SECRET` not set.
+- **Document scanner**: `maxDocumentSize` limit (10MB default) prevents DoS via oversized documents.
+- **Audit logs**: `sanitizeLogs` option redacts emails, SSNs, API keys, and truncates content fields before writing.
+
+## [13.4.0] - 2026-04-14
+
+### April 2026 Threat Response
+
+Security updates addressing vulnerabilities and attack techniques discovered April 1-14, 2026.
+
+#### Supply Chain Scanner — 16 New CVEs
+
+- **CVE-2026-5058** (CVSS 9.8) — AWS MCP Server command injection RCE, no auth required
+- **CVE-2026-5059** — AWS MCP Server remote code execution
+- **CVE-2026-32211** (CVSS 9.1) — Azure MCP Server has no authentication at all
+- **CVE-2026-21518** — VS Code mcp.json command injection (malicious project files)
+- **CVE-2026-33579** — OpenClaw silent admin takeover (patched April 5)
+- **CVE-2026-24763** — OpenClaw command injection
+- **CVE-2026-26322** — OpenClaw SSRF
+- **CVE-2026-26329** — OpenClaw path traversal / local file read
+- **CVE-2026-30741** — OpenClaw prompt-injection-driven code execution
+- **CVE-2025-59528** (CVSS 10.0) — Flowise RCE via MCP node, actively exploited since April 6, 12,000+ instances exposed
+- **CVE-2025-8943** — Flowise missing authentication
+- **CVE-2025-26319** — Flowise arbitrary file upload
+- **CVE-2026-5322** — mcp-data-vis SQL injection
+- **CVE-2026-6130** — chatbox MCP OS command injection
+- **CVE-2026-5023** — codebase-mcp OS command injection RCE
+
+Updated OpenClaw malicious skill count: 820 → 1,184+ confirmed on ClawHub (3.5x growth).
+Added aws-mcp-server-unpatched and flowise-unpatched to known-bad server blocklist.
+
+#### Detector Core — 15 New Detection Patterns (5 categories)
+
+- **XSS-in-agent-output** (5 patterns) — Catches XSS payloads embedded in AI-generated HTML: script tags, event handlers, javascript: URIs, iframe injection, img onerror. Addresses new attack vector where prompt injections deliver XSS through agent output.
+- **Acrostic/steganographic injection** (2 patterns) — Detects hidden instructions where first characters of consecutive lines spell injection keywords. Addresses 93% evasion success rate reported in April 2026 research.
+- **MCP config injection** (2 patterns) — Detects command injection in mcp.json files. Addresses CVE-2026-21518 VS Code attack vector.
+- **Offensive agent behavior** (3 patterns) — Detects AI agents being used as attack tools: exploitation language, C2 infrastructure, credential theft operations. Addresses April 2026 incident where AI agent compromised 600+ firewalls autonomously.
+- **Cloud IAM overpermission** (3 patterns) — Detects wildcard IAM policies enabling "Agent God Mode". Addresses Palo Alto Unit 42 discovery of AWS AgentCore default role vulnerability.
+
 ## [13.3.0] - 2026-04-06
 
 ### New SDK Modules

package/README.md

@@ -1,6 +1,6 @@
 # Agent Shield
 
-[![npm](https://img.shields.io/badge/npm-v13.3.0-blue)](https://www.npmjs.com/package/agentshield-sdk)
+[![npm](https://img.shields.io/badge/npm-v13.5.0-blue)](https://www.npmjs.com/package/agentshield-sdk)
 [![license](https://img.shields.io/badge/license-MIT-green)](LICENSE)
 [![dependencies](https://img.shields.io/badge/dependencies-0-brightgreen)](#)
 [![node](https://img.shields.io/badge/node-%3E%3D16-blue)](#)
@@ -34,7 +34,7 @@ if (result.blocked) return 'Blocked for safety.';
 | Self-training convergence | **0% bypass in 3 cycles** |
 | Avg latency | **< 0.4ms** |
 
-Detection stack: 100+ regex patterns, 35-feature logistic regression + k-NN ensemble, 5-layer evasion resistance, 19-language support, chunked scanning, adversarial self-training loop.
+Detection stack: 115+ regex patterns, 35-feature logistic regression + k-NN ensemble, 5-layer evasion resistance, 19-language support, chunked scanning, adversarial self-training loop.
 
 ```bash
 # Verify locally

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agentshield-sdk",
-  "version": "13.3.0",
+  "version": "13.5.0",
   "description": "SOTA AI agent security SDK. F1 1.000 on BIPIA/HackAPrompt/MCPTox/Multilingual benchmarks. 400+ exports, 100+ modules. Zero dependencies, runs locally.",
   "main": "src/main.js",
   "types": "types/index.d.ts",

package/src/audit-immutable.js

@@ -584,8 +584,10 @@ class ImmutableAuditLog {
    * @param {number} [options.maxAge=0] - Maximum age in milliseconds (0 = unlimited).
    * @param {function} [options.archiveCallback] - Called with removed entries during retention enforcement. Signature: (entries: AuditEntry[]) => void.
    * @param {string} [options.genesisHash] - Custom genesis hash (defaults to GENESIS_HASH).
+   * @param {boolean} [options.sanitizeLogs=false] - Redact sensitive content (emails, SSNs, API keys) before writing to the chain.
    */
   constructor(options = {}) {
+    this.options = options;
     this._store = options.store || new MemoryStore();
     this._maxEntries = options.maxEntries || 0;
     this._maxAge = options.maxAge || 0;
@@ -598,6 +600,59 @@ class ImmutableAuditLog {
     console.log('[Agent Shield] ImmutableAuditLog initialized (store: %s)', this._store.constructor.name);
   }
 
+  /**
+   * Sanitize an entry's data object by redacting sensitive content.
+   * Addresses the security scan finding about audit logs containing sensitive prompt data.
+   *
+   * Redacts:
+   * - Email addresses -> [EMAIL_REDACTED]
+   * - SSN patterns (XXX-XX-XXXX) -> [SSN_REDACTED]
+   * - API key patterns (sk-..., key-..., token-...) -> [KEY_REDACTED]
+   * - Truncates 'content' and 'input' fields to 500 characters max
+   *
+   * @param {object} entry - The data object to sanitize.
+   * @returns {object} A sanitized copy of the data object.
+   */
+  sanitize(entry) {
+    if (!this.options.sanitizeLogs) {
+      return entry;
+    }
+
+    const sanitized = JSON.parse(JSON.stringify(entry));
+
+    const redactString = (str) => {
+      if (typeof str !== 'string') return str;
+      // Redact email addresses
+      str = str.replace(/[a-zA-Z0-9._%+\-]+@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,}/g, '[EMAIL_REDACTED]');
+      // Redact SSN patterns (XXX-XX-XXXX)
+      str = str.replace(/\b\d{3}-\d{2}-\d{4}\b/g, '[SSN_REDACTED]');
+      // Redact API key patterns (sk-..., key-..., token-...)
+      str = str.replace(/\b(?:sk|key|token)-[a-zA-Z0-9_\-]{8,}\b/g, '[KEY_REDACTED]');
+      return str;
+    };
+
+    const redactObject = (obj) => {
+      if (obj === null || obj === undefined) return obj;
+      if (typeof obj === 'string') return redactString(obj);
+      if (Array.isArray(obj)) return obj.map(item => redactObject(item));
+      if (typeof obj === 'object') {
+        const result = {};
+        for (const key of Object.keys(obj)) {
+          let value = redactObject(obj[key]);
+          // Truncate content and input fields to 500 chars
+          if ((key === 'content' || key === 'input') && typeof value === 'string' && value.length > 500) {
+            value = value.slice(0, 500) + '...[TRUNCATED]';
+          }
+          result[key] = value;
+        }
+        return result;
+      }
+      return obj;
+    };
+
+    return redactObject(sanitized);
+  }
+
   /**
    * Initialize sequence counter from existing store data.
    * @private
@@ -646,12 +701,15 @@ class ImmutableAuditLog {
         delete normalizedActor.name;
       }
 
+      // Sanitize data if sanitizeLogs is enabled
+      const sanitizedData = this.sanitize(data || {});
+
       const entryContent = {
         id,
         sequence: this._sequence,
         timestamp,
         type,
-        data: data || {},
+        data: sanitizedData,
         actor: normalizedActor
       };
 

package/src/audit.js

@@ -602,7 +602,7 @@ function runAuditCLI() {
   });
 
   const report = audit.run();
-  console.log('[Agent Shield] Audit Report:\n' + report.formatReport());
+  console.log('[Agent Shield]', report.formatReport());
   return report;
 }
 

package/src/cross-turn.js

@@ -29,6 +29,12 @@ const ESCALATION_SIGNALS = [
   /(?:one\s+more\s+(?:thing|question|step)|just\s+one\s+(?:last|final)\s+(?:thing|question))/i,
   /(?:can\s+you\s+go\s+(?:a\s+little\s+)?(?:further|deeper)|take\s+(?:it|this)\s+(?:a\s+step\s+)?further)/i,
   /(?:you\s+(?:just|already)\s+(?:showed|told|gave)\s+me|you\s+(?:were|seemed)\s+(?:willing|happy)\s+to)/i,
+  // Crescendo attack patterns — benign start that gradually escalates
+  /(?:hypothetically|in\s+theory|for\s+(?:educational|research|academic)\s+purposes)/i,
+  /(?:let's\s+(?:say|imagine|pretend)|what\s+if\s+(?:someone|a\s+person|we))/i,
+  /(?:I\s+(?:know|understand)\s+you\s+(?:can't|shouldn't)\s+but|normally\s+you\s+(?:wouldn't|can't)\s+but)/i,
+  /(?:you\s+(?:helped|assisted)\s+(?:me|us)\s+(?:before|last\s+time|earlier)\s+with\s+(?:something\s+)?similar)/i,
+  /(?:this\s+is\s+(?:similar|related)\s+to\s+what\s+(?:you|we)\s+(?:did|discussed))/i,
 ];
 
 /** Trust erosion patterns — attempts to lower the model's guard over turns. */
@@ -165,7 +171,25 @@ class ConversationTracker {
       }
     }
 
-    // 5. Authority accumulation — user references previous "agreements"
+    // 5. Crescendo detection — benign conversation gradually introduces sensitive framing
+    if (role === 'user' && this.turns.length >= 5) {
+      const window = this.turns.slice(-6, -1).filter(t => t.role === 'user');
+      const hypotheticalCount = window.filter(t =>
+        /(?:hypothetically|in\s+theory|let's\s+(?:say|imagine)|what\s+if|for\s+(?:educational|research)\s+purposes)/i.test(t.content)
+      ).length;
+      if (hypotheticalCount >= 2 && (topic === 'sensitive' || topic === 'dangerous')) {
+        turnAlerts.push({
+          type: 'crescendo_attack',
+          severity: 'high',
+          turnIndex: turn.turnIndex,
+          hypotheticalCount,
+          currentTopic: topic,
+          description: `Crescendo pattern: ${hypotheticalCount} hypothetical/theoretical framings followed by ${topic} topic. Gradual normalization of sensitive requests.`
+        });
+      }
+    }
+
+    // 6. Authority accumulation — user references previous "agreements"
     if (role === 'user' && /(?:you\s+(?:said|agreed|confirmed|told\s+me)|as\s+we\s+(?:discussed|agreed)|per\s+our\s+(?:agreement|conversation))/i.test(content)) {
       const hasRealAgreement = this.turns.some(t => t.role === 'assistant' && /(?:sure|yes|okay|of\s+course|I\s+(?:can|will))/i.test(t.content));
       if (!hasRealAgreement) {

package/src/detector-core.js

@@ -2206,6 +2206,204 @@ const INJECTION_PATTERNS = [
     category: 'indirect_injection',
     description: 'Text contains a "note to AI" directive hidden in external content.',
     detail: 'Annotation injection: uses "note to AI" framing to inject instructions into tool output or document content.'
+  },
+
+  // --- XSS in Agent Output ---
+  {
+    regex: /<script[^>]*>.*?<\/script>/is,
+    severity: 'high',
+    category: 'xss_injection',
+    description: 'Detects script tag XSS payloads embedded in AI agent output.',
+    detail: 'Script tag injection: attackers embed XSS in prompt injections so AI-generated HTML executes malicious code in downstream consumers.'
+  },
+  {
+    regex: /on(error|load|click|mouseover)\s*=\s*["'][^"']*["']/i,
+    severity: 'high',
+    category: 'xss_injection',
+    description: 'Detects event handler XSS payloads embedded in AI agent output.',
+    detail: 'Event handler injection: attackers embed XSS event handlers in prompt injections so AI-generated HTML executes malicious code on user interaction.'
+  },
+  {
+    regex: /javascript\s*:/i,
+    severity: 'high',
+    category: 'xss_injection',
+    description: 'Detects JavaScript URI scheme XSS payloads embedded in AI agent output.',
+    detail: 'JavaScript URI injection: attackers embed javascript: URIs in prompt injections so AI-generated links execute malicious code when clicked.'
+  },
+  {
+    regex: /<iframe[^>]*src\s*=\s*["'](?!about:blank)/i,
+    severity: 'high',
+    category: 'xss_injection',
+    description: 'Detects iframe injection with external source in AI agent output.',
+    detail: 'Iframe injection: attackers embed iframes with external sources in prompt injections so AI-generated HTML loads malicious content from attacker-controlled domains.'
+  },
+  {
+    regex: /<img[^>]*onerror\s*=/i,
+    severity: 'high',
+    category: 'xss_injection',
+    description: 'Detects image error handler XSS payloads embedded in AI agent output.',
+    detail: 'Image onerror injection: attackers embed img tags with onerror handlers in prompt injections so AI-generated HTML executes malicious code when the image fails to load.'
+  },
+
+  // --- Acrostic / Steganographic Injection ---
+  {
+    regex: /^[iI].*\n[gG].*\n[nN].*\n[oO].*\n[rR].*\n[eE]/m,
+    severity: 'medium',
+    category: 'steganographic_injection',
+    description: 'Detects hidden instructions spelled out across line-initial characters (acrostic attacks spelling "ignore").',
+    detail: 'Acrostic injection: researchers demonstrated 93% evasion success rate with steganographic techniques where first characters of consecutive lines spell out injection keywords like "ignore".'
+  },
+  {
+    regex: /^[sS].*\n[yY].*\n[sS].*\n[tT].*\n[eE].*\n[mM]/m,
+    severity: 'medium',
+    category: 'steganographic_injection',
+    description: 'Detects hidden instructions spelled out across line-initial characters (acrostic attacks spelling "system").',
+    detail: 'Acrostic injection: researchers demonstrated 93% evasion success rate with steganographic techniques where first characters of consecutive lines spell out injection keywords like "system".'
+  },
+
+  // --- MCP Config Command Injection ---
+  {
+    regex: /mcp\.json.*[;&|`$]/i,
+    severity: 'critical',
+    category: 'mcp_config_injection',
+    description: 'Detects command injection in MCP configuration files (CVE-2026-21518).',
+    detail: 'MCP config injection: attackers inject shell metacharacters into mcp.json references to achieve command execution via the VS Code mcp.json attack vector.'
+  },
+  {
+    regex: /"(?:command|args)":\s*"[^"]*[;&|`$()]/i,
+    severity: 'critical',
+    category: 'mcp_config_injection',
+    description: 'Detects command injection in MCP tool configuration fields (CVE-2026-21518).',
+    detail: 'MCP tool config injection: attackers inject shell metacharacters into MCP tool command/args fields to achieve command execution via the VS Code mcp.json attack vector.'
+  },
+
+  // --- Offensive Agent Behavior ---
+  {
+    regex: /(?:scan|enumerate|exploit|pivot|lateral\s*move|exfiltrate).*(?:target|victim|host|network|server)/i,
+    severity: 'critical',
+    category: 'offensive_agent',
+    description: 'Detects AI agents being used as attack tools for automated exploitation.',
+    detail: 'Automated exploitation language: references 2026 incidents where AI agents compromised 600+ firewalls autonomously using scan/exploit/pivot chains against target infrastructure.'
+  },
+  {
+    regex: /(?:reverse\s*shell|bind\s*shell|c2|command\s*and\s*control|beacon)/i,
+    severity: 'critical',
+    category: 'offensive_agent',
+    description: 'Detects AI agents being instructed to set up C2 or attack infrastructure.',
+    detail: 'C2/attack infrastructure: references 2026 incidents where AI agents compromised 600+ firewalls autonomously by establishing reverse shells and command-and-control channels.'
+  },
+  {
+    regex: /(?:dump|harvest|steal)\s*(?:credentials?|passwords?|hashes?|tokens?|keys?)/i,
+    severity: 'critical',
+    category: 'offensive_agent',
+    description: 'Detects AI agents being used for credential theft operations.',
+    detail: 'Credential theft operations: references 2026 incidents where AI agents compromised 600+ firewalls autonomously and harvested credentials for lateral movement.'
+  },
+
+  // --- Cloud IAM Overpermission ---
+  {
+    regex: /"(?:Action|Effect)":\s*"\*"/i,
+    severity: 'high',
+    category: 'cloud_overpermission',
+    description: 'Detects overpermissioned cloud IAM policies with wildcard Action/Effect that enable "Agent God Mode" attacks.',
+    detail: 'IAM wildcard permissions: Palo Alto Unit 42 discovered AWS AgentCore attack where wildcard IAM policies enable cross-agent data access and full account takeover.'
+  },
+  {
+    regex: /arn:aws:[^"]*:\*/i,
+    severity: 'high',
+    category: 'cloud_overpermission',
+    description: 'Detects AWS ARN references with wildcard resources that enable "Agent God Mode" attacks.',
+    detail: 'AWS ARN wildcard resource: Palo Alto Unit 42 discovered AWS AgentCore attack where wildcard resource ARNs enable cross-agent data access across all resources in a service.'
+  },
+  {
+    regex: /"Resource":\s*"\*"/i,
+    severity: 'high',
+    category: 'cloud_overpermission',
+    description: 'Detects overpermissioned cloud IAM policies with wildcard Resource that enable "Agent God Mode" attacks.',
+    detail: 'IAM resource wildcard: Palo Alto Unit 42 discovered AWS AgentCore attack where wildcard Resource policies enable cross-agent data access to all AWS resources.'
+  },
+
+  // --- Encoding Chain Detection ---
+  {
+    regex: /(?:atob|decode|base64)\s*\(\s*['"][A-Za-z0-9+\/=]{50,}['"]\s*\)/i,
+    severity: 'high',
+    category: 'encoding_chain',
+    description: 'Detects multi-layer encoding chains used to evade security scanners',
+    detail: 'Encoding chain evasion: attackers nest base64 inside unicode inside URL encoding to bypass single-layer decoders'
+  },
+  {
+    regex: /\\u[0-9a-fA-F]{4}(?:\\u[0-9a-fA-F]{4}){10,}/,
+    severity: 'medium',
+    category: 'encoding_chain',
+    description: 'Detects multi-layer encoding chains used to evade security scanners',
+    detail: 'Encoding chain evasion: attackers nest base64 inside unicode inside URL encoding to bypass single-layer decoders'
+  },
+  {
+    regex: /(?:%[0-9a-fA-F]{2}){20,}/,
+    severity: 'medium',
+    category: 'encoding_chain',
+    description: 'Detects multi-layer encoding chains used to evade security scanners',
+    detail: 'Encoding chain evasion: attackers nest base64 inside unicode inside URL encoding to bypass single-layer decoders'
+  },
+
+  // --- SVG-Based Injection ---
+  {
+    regex: /<svg[^>]*>[\s\S]*?(?:ignore|override|system|instructions)[\s\S]*?<\/svg>/i,
+    severity: 'high',
+    category: 'svg_injection',
+    description: 'Detects prompt injection hidden in SVG elements',
+    detail: 'SVG injection: Unit 42 found real-world attacks using SVG encapsulation with 24 separate injection attempts layered in zero-sized fonts, off-screen positioning, and CSS suppression'
+  },
+  {
+    regex: /<foreignObject[^>]*>[\s\S]*?(?:ignore|override|forget|disregard)[\s\S]*?<\/foreignObject>/i,
+    severity: 'high',
+    category: 'svg_injection',
+    description: 'Detects prompt injection hidden in SVG elements',
+    detail: 'SVG injection: Unit 42 found real-world attacks using SVG encapsulation with 24 separate injection attempts layered in zero-sized fonts, off-screen positioning, and CSS suppression'
+  },
+  {
+    regex: /<text[^>]*(?:opacity\s*[:=]\s*0|display\s*[:=]\s*none|font-size\s*[:=]\s*0)[^>]*>/i,
+    severity: 'high',
+    category: 'svg_injection',
+    description: 'Detects prompt injection hidden in SVG elements',
+    detail: 'SVG injection: Unit 42 found real-world attacks using SVG encapsulation with 24 separate injection attempts layered in zero-sized fonts, off-screen positioning, and CSS suppression'
+  },
+  {
+    regex: /<desc[^>]*>[\s\S]*?(?:ignore|system|instruction|override)[\s\S]*?<\/desc>/i,
+    severity: 'medium',
+    category: 'svg_injection',
+    description: 'Detects prompt injection hidden in SVG elements',
+    detail: 'SVG injection: Unit 42 found real-world attacks using SVG encapsulation with 24 separate injection attempts layered in zero-sized fonts, off-screen positioning, and CSS suppression'
+  },
+
+  // --- Structured Data Injection ---
+  {
+    regex: /["'](?:__comment|_note|description|help_text)["']\s*:\s*["'][^"']*(?:ignore|override|system|instructions)[^"']*["']/i,
+    severity: 'high',
+    category: 'structured_data_injection',
+    description: 'Detects prompt injection hidden in structured data formats',
+    detail: 'Structured data injection: agents constantly parse JSON/XML/YAML/CSV and attackers embed instructions in metadata fields, CDATA sections, and comments'
+  },
+  {
+    regex: /<!\[CDATA\[[\s\S]*?(?:ignore|override|system|instructions)[\s\S]*?\]\]>/i,
+    severity: 'high',
+    category: 'structured_data_injection',
+    description: 'Detects prompt injection hidden in structured data formats',
+    detail: 'Structured data injection: agents constantly parse JSON/XML/YAML/CSV and attackers embed instructions in metadata fields, CDATA sections, and comments'
+  },
+  {
+    regex: /^#.*(?:ignore|override|system|instructions)/im,
+    severity: 'medium',
+    category: 'structured_data_injection',
+    description: 'Detects prompt injection hidden in structured data formats',
+    detail: 'Structured data injection: agents constantly parse JSON/XML/YAML/CSV and attackers embed instructions in metadata fields, CDATA sections, and comments'
+  },
+  {
+    regex: /(?:<!--|\{\{!--|\/\*|#)\s*(?:ignore|override|forget|disregard)\s*(?:all\s+)?(?:previous|prior|above)/i,
+    severity: 'high',
+    category: 'structured_data_injection',
+    description: 'Detects prompt injection hidden in structured data formats',
+    detail: 'Structured data injection: agents constantly parse JSON/XML/YAML/CSV and attackers embed instructions in metadata fields, CDATA sections, and comments'
   }
 ];
 

package/src/document-scanner.js

@@ -564,11 +564,13 @@ class DocumentScanner {
    * @param {string} [options.sensitivity='medium'] - Detection sensitivity ('low', 'medium', 'high').
    * @param {boolean} [options.logging=false] - Whether to log scan results.
    * @param {boolean} [options.scanForInjection=true] - Whether to run indirect injection scanning.
+   * @param {number} [options.maxDocumentSize=104857600] - Maximum document size in characters (default: 100MB). Prevents DoS via oversized documents.
    */
   constructor(options = {}) {
     this.sensitivity = options.sensitivity || 'medium';
     this.logging = options.logging || false;
     this.scanForInjection = options.scanForInjection !== false;
+    this.maxDocumentSize = options.maxDocumentSize || 100 * 1024 * 1024;
     this.injectionScanner = new IndirectInjectionScanner({ sensitivity: this.sensitivity });
   }
 
@@ -682,6 +684,24 @@ class DocumentScanner {
     const source = metadata.source || 'text';
     const fileType = metadata.fileType || 'text/plain';
 
+    // Enforce document size limit to prevent DoS via oversized documents
+    if (text && text.length > this.maxDocumentSize) {
+      if (this.logging) {
+        console.log('[Agent Shield] Document exceeds size limit: %d characters (max: %d)', text.length, this.maxDocumentSize);
+      }
+      return {
+        fileType,
+        textLength: text.length,
+        threats: [{
+          type: 'document_too_large',
+          severity: 'medium',
+          message: 'Document exceeds size limit'
+        }],
+        status: 'caution',
+        safe: false
+      };
+    }
+
     if (!text || text.trim().length === 0) {
       return {
         fileType,

package/src/memory-guard.js

@@ -169,6 +169,66 @@ class MemoryIntegrityMonitor {
     };
   }
 
+  /**
+   * Scan a summarization/compaction output for injected instructions.
+   * Detects when a summarization process silently injects instructions
+   * into the summary that weren't present in the original messages.
+   * Addresses Unit 42's March 2026 research on persistent memory poisoning.
+   *
+   * @param {string[]} originalMessages - The original messages before summarization.
+   * @param {string} summary - The summarized/compacted output to check.
+   * @returns {{ safe: boolean, injections: Array<{phrase: string, type: string}> }}
+   */
+  scanSummarization(originalMessages, summary) {
+    if (!summary || typeof summary !== 'string') {
+      return { safe: true, injections: [] };
+    }
+    if (!Array.isArray(originalMessages)) {
+      return { safe: true, injections: [] };
+    }
+
+    const instructionPatterns = [
+      /\bignore\b/gi,
+      /\boverride\b/gi,
+      /\bsystem\s*:/gi,
+      /\byou\s+are\b/gi,
+      /\bnew\s+instructions?\b/gi,
+      /\bforget\b/gi,
+      /\bdisregard\b/gi,
+      /\bact\s+as\b/gi
+    ];
+
+    // Concatenate original messages for lookup
+    const originalText = originalMessages.join(' ');
+
+    const injections = [];
+
+    for (const pattern of instructionPatterns) {
+      // Reset lastIndex for global patterns
+      pattern.lastIndex = 0;
+      let match;
+      while ((match = pattern.exec(summary)) !== null) {
+        const phrase = match[0];
+        // Check if this phrase existed in any of the original messages
+        const phraseRegex = new RegExp(phrase.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'), 'i');
+        if (!phraseRegex.test(originalText)) {
+          injections.push({
+            phrase,
+            type: 'injected_via_summarization'
+          });
+        }
+      }
+    }
+
+    const safe = injections.length === 0;
+
+    if (!safe) {
+      console.log('[Agent Shield] Persistent memory poisoning detected: %d instruction(s) injected via summarization', injections.length);
+    }
+
+    return { safe, injections };
+  }
+
   /**
    * Get the full timeline of memory writes.
    * @returns {Array<{content: string, source: string, timestamp: number, hash: string, suspicious: boolean}>}

package/src/supply-chain-scanner.js

@@ -43,6 +43,14 @@ const KNOWN_BAD_SERVERS = Object.freeze({
   'postmark-clone': {
     reason: 'Tool definition bait-and-switch (Postmark-style rugpull)',
     severity: 'critical'
+  },
+  'aws-mcp-server-unpatched': {
+    reason: 'Multiple critical RCE vulnerabilities (CVE-2026-5058, CVE-2026-5059)',
+    severity: 'critical'
+  },
+  'flowise-unpatched': {
+    reason: 'CVSS 10.0 RCE actively exploited (CVE-2025-59528)',
+    severity: 'critical'
   }
 });
 
@@ -62,6 +70,12 @@ const CVE_REGISTRY = Object.freeze({
       severity: 'critical',
       description: 'Azure MCP Server SSRF (CVSS 8.8). Attacker sends crafted URL via tool parameter, server forwards request with managed identity token to attacker-controlled endpoint.',
       fix: 'Apply March 2026 Patch Tuesday update. Validate all URLs against allowlists. Block private IPs and cloud metadata endpoints (169.254.169.254).'
+    },
+    {
+      cve: 'CVE-2026-32211',
+      severity: 'critical',
+      description: 'Azure MCP Server lacks authentication entirely (CVSS 9.1), allowing unauthorized access to sensitive data.',
+      fix: 'Enable authentication on Azure MCP Server. Never deploy without auth.'
     }
   ],
   'adx-mcp-server': [
@@ -78,6 +92,36 @@ const CVE_REGISTRY = Object.freeze({
       severity: 'critical',
       description: 'OpenClaw WebSocket token theft (CVSS 8.8). Control UI accepts gatewayUrl query parameter without validation, redirecting WebSocket to attacker server and leaking auth tokens.',
       fix: 'Upgrade to OpenClaw >=2026.1.29. Validate gatewayUrl against allowlist. Never pass auth tokens to unvalidated endpoints.'
+    },
+    {
+      cve: 'CVE-2026-33579',
+      severity: 'critical',
+      description: 'Silent admin takeover. Attacker gains full admin access without detection. Patched April 5 2026.',
+      fix: 'Upgrade OpenClaw immediately. Audit admin access logs.'
+    },
+    {
+      cve: 'CVE-2026-24763',
+      severity: 'high',
+      description: 'Command injection in OpenClaw.',
+      fix: 'Upgrade OpenClaw to latest patched version.'
+    },
+    {
+      cve: 'CVE-2026-26322',
+      severity: 'high',
+      description: 'SSRF in OpenClaw.',
+      fix: 'Upgrade OpenClaw to latest patched version.'
+    },
+    {
+      cve: 'CVE-2026-26329',
+      severity: 'high',
+      description: 'Path traversal enables local file reads in OpenClaw.',
+      fix: 'Upgrade OpenClaw to latest patched version.'
+    },
+    {
+      cve: 'CVE-2026-30741',
+      severity: 'critical',
+      description: 'Prompt-injection-driven code execution in OpenClaw.',
+      fix: 'Upgrade OpenClaw to latest patched version.'
     }
   ],
   'mcp-typescript-sdk': [
@@ -133,6 +177,72 @@ const CVE_REGISTRY = Object.freeze({
       description: 'MCPJam Inspector RCE. HTTP server binds to 0.0.0.0 by default with no authentication on server management endpoint. Any device on the same network can execute arbitrary commands.',
       fix: 'Upgrade MCPJam Inspector to >=1.4.3. Bind to 127.0.0.1 only. Add authentication to management endpoints.'
     }
+  ],
+  'aws-mcp-server': [
+    {
+      cve: 'CVE-2026-5058',
+      severity: 'critical',
+      description: 'Command injection in aws-mcp-server (CVSS 9.8) allows remote code execution without authentication.',
+      fix: 'Upgrade aws-mcp-server. Sanitize all CLI arguments. Block shell metacharacters.'
+    },
+    {
+      cve: 'CVE-2026-5059',
+      severity: 'critical',
+      description: 'Remote code execution in aws-mcp-server via unsanitized inputs.',
+      fix: 'Upgrade aws-mcp-server to latest patched version.'
+    }
+  ],
+  'vscode-mcp': [
+    {
+      cve: 'CVE-2026-21518',
+      severity: 'high',
+      description: 'VS Code mcp.json command injection. Opening malicious project executes arbitrary code through mcp.json file handling.',
+      fix: 'Update VS Code. Never open untrusted projects. Audit mcp.json files before opening.'
+    }
+  ],
+  'flowise': [
+    {
+      cve: 'CVE-2025-59528',
+      severity: 'critical',
+      description: 'Code injection in Flowise MCP node (CVSS 10.0) allows remote code execution. 12,000-15,000 instances exposed. Actively exploited since April 6.',
+      fix: 'Upgrade Flowise to >=3.0.6. Restrict access to MCP node.'
+    },
+    {
+      cve: 'CVE-2025-8943',
+      severity: 'critical',
+      description: 'Missing authentication in Flowise.',
+      fix: 'Upgrade Flowise. Enable authentication.'
+    },
+    {
+      cve: 'CVE-2025-26319',
+      severity: 'critical',
+      description: 'Arbitrary file upload in Flowise.',
+      fix: 'Upgrade Flowise to latest.'
+    }
+  ],
+  'mcp-data-vis': [
+    {
+      cve: 'CVE-2026-5322',
+      severity: 'high',
+      description: 'SQL injection in AlejandroArciniegas mcp-data-vis.',
+      fix: 'Avoid using mcp-data-vis or patch SQL query handling.'
+    }
+  ],
+  'chatbox-mcp': [
+    {
+      cve: 'CVE-2026-6130',
+      severity: 'high',
+      description: 'OS command injection in chatboxai chatbox MCP server management.',
+      fix: 'Upgrade chatbox. Sanitize all management API inputs.'
+    }
+  ],
+  'codebase-mcp': [
+    {
+      cve: 'CVE-2026-5023',
+      severity: 'high',
+      description: 'OS command injection RCE in codebase-mcp.',
+      fix: 'Upgrade codebase-mcp. Never pass unsanitized inputs to shell.'
+    }
   ]
 });
 
@@ -175,7 +285,7 @@ const SSRF_PATTERNS = [
   /^(?:https?:\/\/)?(?:127\.0\.0\.1|0\.0\.0\.0|localhost)/
 ];
 
-/** Known malicious skill/plugin patterns (ref ClawHavoc campaign — 820+ malicious skills). */
+/** Known malicious skill/plugin patterns (ref ClawHavoc campaign — 1,184+ malicious skills found on ClawHub). */
 const CLAWHAVOC_INDICATORS = [
   /(?:reverse.?shell|bind.?shell)/i,
   /(?:AMOS|atomic.?macos.?stealer)/i,
@@ -817,7 +927,7 @@ class SupplyChainScanner {
 
   /**
    * Scan tool code/description for ClawHavoc-style malicious patterns.
-   * Ref: 820+ malicious skills found on ClawHub, delivering AMOS stealer.
+   * Ref: 1,184+ malicious skills found on ClawHub, delivering AMOS stealer.
    * @private
    */
   _scanForClawHavoc(tool, findings) {

package/src/sybil-detector.js

@@ -76,8 +76,7 @@ class SybilDetector {
     /** @type {Map<string, Array<object>>} */
     this._actions = new Map();
 
-    console.log('%s SybilDetector initialized (threshold: %s, window: %dms, minCluster: %d)',
-      LOG_PREFIX, this.similarityThreshold, this.timeWindowMs, this.minClusterSize);
+    console.log('%s SybilDetector initialized (threshold: %s, window: %dms, minCluster: %d)', LOG_PREFIX, this.similarityThreshold, this.timeWindowMs, this.minClusterSize);
   }
 
   /**
@@ -222,8 +221,7 @@ class SybilDetector {
       }
     }
 
-    console.log('%s Sybil detection complete: %d cluster(s), risk=%s',
-      LOG_PREFIX, clusters.length, sybilRisk);
+    console.log('%s Sybil detection complete: %d cluster(s), risk=%s', LOG_PREFIX, clusters.length, sybilRisk);
 
     return { clusters, sybilRisk };
   }
@@ -514,8 +512,7 @@ class AgentIdentityVerifier {
 
     const hasSharedKeys = sharedKeyGroups.length > 0;
     if (hasSharedKeys) {
-      console.log('%s Shared secret detected among %d group(s)',
-        LOG_PREFIX, sharedKeyGroups.length);
+      console.log('%s Shared secret detected among %d group(s)', LOG_PREFIX, sharedKeyGroups.length);
     }
 
     return { sharedKeyGroups, hasSharedKeys };