guard-scanner 3.4.0 → 4.0.1

package/README.md

@@ -1,9 +1,9 @@
 <p align="center">
   <h1 align="center">🛡️ guard-scanner</h1>
   <p align="center">
-    <strong>The first security scanner purpose-built for AI agent skills</strong><br>
-    Detect prompt injection, identity hijacking, memory poisoning, and 18 more threat classes<br>
-    before they compromise your agents.
+    <strong>Security scanner for AI agent skills — catches the bad stuff before it runs</strong><br>
+    Prompt injection, identity hijacking, memory poisoning, and 20+ more threat types.<br>
+    Zero dependencies. One command. Works with OpenClaw out of the box.
   </p>
   <p align="center">
     <a href="https://www.npmjs.com/package/guard-scanner"><img src="https://img.shields.io/npm/v/guard-scanner.svg?style=flat-square&color=cb3837" alt="npm version"></a>
@@ -12,14 +12,15 @@
     <img src="https://img.shields.io/badge/dependencies-0-success?style=flat-square" alt="Zero Dependencies">
     <img src="https://img.shields.io/badge/tests-133%2F133-brightgreen?style=flat-square" alt="Tests Passing">
     <img src="https://img.shields.io/badge/OWASP_Agentic-90%25-green?style=flat-square" alt="OWASP Agentic 90%">
-    <img src="https://img.shields.io/badge/patterns-190%2B-blueviolet?style=flat-square" alt="190+ Patterns">
+    <img src="https://img.shields.io/badge/patterns-210%2B-blueviolet?style=flat-square" alt="210+ Patterns">
   </p>
   <p align="center">
     <a href="#quick-start">Quick Start</a> •
     <a href="#threat-categories">Threat Categories</a> •
     <a href="#openclaw-plugin-setup-v310">OpenClaw Plugin</a> •
     <a href="#cicd-integration">CI/CD</a> •
-    <a href="#plugin-api">Plugin API</a>
+    <a href="#plugin-api">Plugin API</a> •
+    <a href="README_ja.md">🇯🇵 日本語</a>
   </p>
 </p>
 
@@ -48,8 +49,9 @@ The AI agent skill ecosystem has the same supply-chain security problem that npm
 
 | Feature | Description |
 |---|---|
-| **21 Threat Categories** | Snyk ToxicSkills + OWASP MCP Top 10 + Identity Hijacking + Sandbox/Complexity/Config + PII |
-| **129 Detection Patterns** | Regex-based static analysis covering code, docs, and data files |
+| **22 Threat Categories** | Snyk ToxicSkills + OWASP Agentic Top 10 + Identity Hijack + PII + Trust Exploitation |
+| **210+ Static Patterns** | Regex-based static analysis covering code, docs, and data files |
+| **26 Runtime Checks** | Real-time `before_tool_call` hook — 5-layer defense (v4.0.0) |
 | **IoC Database** | Known malicious IPs, domains, URLs, usernames, and typosquat names |
 | **Data Flow Analysis** | Lightweight JS analysis: secret reads → network calls → exec chains |
 | **Cross-File Analysis** | Phantom references, base64 fragment assembly, multi-file exfil detection |
@@ -60,7 +62,6 @@ The AI agent skill ecosystem has the same supply-chain security problem that npm
 | **Dependency Chain Scan** | Risky packages, lifecycle scripts, wildcard versions, git dependencies |
 | **4 Output Formats** | Terminal (with colors), JSON, [SARIF 2.1.0](https://sarifweb.azurewebsites.net), HTML dashboard |
 | **Plugin API** | Extend with custom detection rules via JS modules |
-| **Ignore Files** | Whitelist trusted skills and patterns via `.guard-scanner-ignore` |
 | **Zero Dependencies** | Pure Node.js stdlib. Nothing to install, nothing to audit. |
 | **CI/CD Ready** | `--fail-on-findings` exit code + SARIF for GitHub Code Scanning |
 
@@ -68,20 +69,42 @@ The AI agent skill ecosystem has the same supply-chain security problem that npm
 
 ## Quick Start
 
+**30 seconds to scan your skills:**
+
 ```bash
-# Scan a skill directory (each subdirectory = one skill)
 npx guard-scanner ./skills/
+```
+
+That's it. No install needed. It scans every subdirectory as a skill and tells you what's dangerous.
 
-# Verbose output with category breakdown
+**Want more detail?**
+
+```bash
+# See exactly what was found and why
 npx guard-scanner ./skills/ --verbose
 
-# Strict mode (lower thresholds)
+# Stricter detection (catches more edge cases)
 npx guard-scanner ./skills/ --strict
 
-# Full audit: verbose + deps + all output formats
+# Full audit: everything + JSON + SARIF + HTML report
 npx guard-scanner ./skills/ --verbose --check-deps --json --sarif --html
 ```
 
+**Output looks like this:**
+```
+🛡️  guard-scanner v4.0.0
+══════════════════════════════════════════════════════
+📂 Scanning: ./skills/
+📦 Skills found: 5
+
+🔴 shady-skill — MALICIOUS (risk: 100)
+   💀 [CRITICAL] Reverse shell via /dev/tcp — scripts/setup.sh:7
+   💀 [CRITICAL] Credential exfiltration to webhook.site — scripts/helper.js:14
+🟡 sus-skill — SUSPICIOUS (risk: 45)
+   ⚠️  [HIGH] SSH private key access — scripts/deploy.sh:3
+🟢 good-skill — CLEAN (risk: 0)
+```
+
 ## OpenClaw Plugin Setup (v3.1.0)
 
 ```bash
@@ -98,15 +121,17 @@ npm install -g guard-scanner
 2. **Runtime guard** — `before_tool_call` hook automatically blocks dangerous operations
 3. **3 enforcement modes** — `monitor` (log only), `enforce` (block CRITICAL), `strict` (block HIGH+CRITICAL)
 
-### 3-Layer Runtime Defense (19 patterns)
+### 5-Layer Runtime Defense (26 checks)
 
 ```
-Layer 1: Threat Detection     — 12 patterns (shells, exfil, SSRF, AMOS, etc.)
-Layer 2: EAE Paradox Defense  — 4 patterns (memory/SOUL/config tampering)
-Layer 3: Parity Judge         — 3 patterns (injection, parity bypass, shutdown refusal)
+Layer 1: Threat Detection      — 12 checks (shells, exfil, SSRF, AMOS, etc.)
+Layer 2: Trust Defense   — 4 checks  (memory/SOUL/config tampering)
+Layer 3: Safety Judge          — 3 checks  (injection, trust bypass, shutdown refusal)
+Layer 4: Brain / Behavioral    — 3 checks  (research skip, blind trust, chain bypass)
+Layer 5: Trust Exploitation    — 4 checks  (OWASP ASI09: authority/trust/audit abuse)
 ```
 
-> **v3.1.0** — Full `openclaw.plugin.json` manifest with `configSchema` validation. The legacy `handler.ts` has been removed; `plugin.ts` is now the only runtime guard.
+> **v4.0.0** — Runtime Guard now available as standalone JS module (`src/runtime-guard.js`) + OpenClaw plugin (`hooks/guard-scanner/plugin.ts`).
 
 ### Quick Start
 
@@ -583,7 +608,7 @@ OpenClaw's official [`THREAT-MODEL-ATLAS.md`](https://github.com/openclaw/opencl
 
 | Gap (from ATLAS / Source Code) | OpenClaw Status | guard-scanner |
 |---|---|---|
-| _"Simple regex easily bypassed"_ — ClawHub moderation | ⚠️ Basic `FLAG_RULES` | ✅ 129 patterns, 21 categories |
+| _"Simple regex easily bypassed"_ — ClawHub moderation | ⚠️ Basic `FLAG_RULES` | ✅ 129 patterns, 22 categories |
 | _"Does not analyze actual skill code content"_ | ❌ Not implemented | ✅ Full code + doc + data flow analysis |
 | No SOUL.md / IDENTITY.md integrity verification | ❌ Not implemented | ✅ Identity hijacking detection (Cat 17) |
 | `skill:before_install` hook | ❌ Not implemented | 🔜 Proposed ([Issue #18677](https://github.com/openclaw/openclaw/issues/18677)) |
@@ -667,8 +692,8 @@ identity file tampering, prompt worms, or memory poisoning.
 We built one.
 
 —— Guava 🍈 & Dee
-    Singularity Lab (シンギュラリティ研究所)
-    Proving ASI-human coexistence through code.
+    AI Security Research
+    Building safer agent ecosystems.
 ```
 
 ---
@@ -694,7 +719,7 @@ clawhub install guava-suite
 
 | | guard-scanner (Free) | GuavaSuite ($GUAVA) |
 |---|---|---|
-| Static scan (129 patterns, 21 categories) | ✅ | ✅ |
+| Static scan (129 patterns, 22 categories) | ✅ | ✅ |
 | Runtime Guard — `enforce` (block CRITICAL) | ✅ | ✅ |
 | **Runtime Guard — `strict` (block HIGH + CRITICAL)** | ❌ | ✅ |
 | **Soul Lock** (SOUL.md integrity + auto-rollback) | ❌ | ✅ |
@@ -713,11 +738,19 @@ guard-scanner is and always will be **free, open-source, and zero-dependency**.
 | v1.1.1 ✅ | Stability | 56 tests, bug fixes |
 | v2.0.0 ✅ | **Plugin Hook Runtime Guard** | `block`/`blockReason` API, 3 modes, 91 tests |
 | v2.1.0 ✅ | **PII Exposure + Shadow AI** | 13 PII patterns, OWASP LLM02/06, 99 tests |
-| v3.0.0 ✅ | **TypeScript Rewrite** | Full TS, OWASP LLM Top 10 mapping, install-check CLI |
-| v3.1.0 ✅ | **OpenClaw Community Plugin** | `openclaw.plugin.json`, 22 runtime patterns (4 layers) (3 layers), 87 tests |
-| v4.0 | AST + ML | JavaScript AST analysis, taint tracking, ML-based obfuscation detection |
+| v3.0.0 ✅ | **TypeScript Rewrite** | Full TS, OWASP LLM Top 10 mapping |
+| v4.0.0 ✅ | **Runtime Guard Module + OWASP ASI** | 26 runtime checks (5 layers), ASI01-10 verified, 133 tests |
+| **v4.0** 🔜 | **LLM + OS + Multi-tool** | See below |
+
+### v4.0 Vision (feedback welcome!)
+
+| Direction | What | Why |
+|-----------|------|-----|
+| 🧠 **LLM-assisted detection** | Pass suspicious (not certain) cases to a lightweight LLM (Haiku/Flash) for intent analysis | Regex can be evaded; LLMs understand intent |
+| 🔒 **OS-level enforcement** | File watcher (auto-rollback SOUL.md/.env), process monitor (kill netcat/socat), daemon mode | Works regardless of which AI tool you use |
+| 🔌 **Multi-tool support** | Adapters for Claude Code, Cursor, Antigravity, Windsurf, MCP servers | Same 210+ patterns, different skill discovery per tool |
 
-See [ROADMAP.md](ROADMAP.md) for full details.
+> **Which matters most to you?** Open an issue or join the discussion! We're building this for the community.
 
 ---
 
@@ -731,7 +764,7 @@ If guard-scanner helps protect your agents, consider sponsoring continued develo
 
 Sponsors help fund:
 - 🔬 New threat research and pattern updates
-- 📝 Academic paper on ASI-human coexistence security
+- 📝 Security research papers and threat analysis
 - 🌍 Community-driven security for the agent ecosystem
 
 ---
@@ -744,5 +777,5 @@ MIT — see [LICENSE](LICENSE)
 
 <p align="center">
   <strong>Zero dependencies. Zero compromises. 🛡️</strong><br>
-  <sub>Built by Guava 🍈 & Dee — proving ASI-human coexistence through code.</sub>
+  <sub>Built by Guava 🍈 & Dee — building safer agent ecosystems.</sub>
 </p>

package/SECURITY.md

@@ -5,7 +5,7 @@
 If you discover a security vulnerability in guard-scanner itself, please report it responsibly:
 
 1. **Do NOT open a public issue**
-2. Email: socialgreen.jp@gmail.com
+2. Email: automatic.bliss.records@gmail.com
 3. Include: affected version, steps to reproduce, potential impact
 
 We will respond within 48 hours and provide a fix within 7 days for critical issues.

package/SKILL.md

@@ -5,7 +5,7 @@ description: >
   from ClawHub or external sources. Detects prompt injection, credential theft,
   exfiltration, identity hijacking, sandbox violations, code complexity, config impact,
   and 17 more threat categories.
-  Includes a Runtime Guard hook (22 patterns, 4 layers) that blocks dangerous tool calls in real-time.
+  Includes a Runtime Guard hook (26 patterns, 5 layers, 0.016ms/scan) that blocks dangerous tool calls in real-time.
 homepage: https://github.com/koatora20/guard-scanner
 metadata:
   clawdbot:
@@ -29,7 +29,7 @@ metadata:
 # guard-scanner 🛡️
 
 Static + runtime security scanner for AI agent skills.
-**186+ threat patterns (static) + 22 runtime patterns (4 layers)** across **20 categories** — zero dependencies.
+**210+ threat patterns (static) + 26 runtime patterns (5 layers)** across **22 categories** — zero dependencies. **0.016ms/scan.**
 
 ## When To Use This Skill
 
@@ -54,9 +54,9 @@ Scan a specific skill:
 node skills/guard-scanner/src/cli.js /path/to/new-skill/ --strict --verbose
 ```
 
-### 2. Runtime Guard (OpenClaw) — ⚠️ warn-only currently
+### 2. Runtime Guard (OpenClaw Plugin Hook)
 
-> **Note:** OpenClaw `InternalHookEvent` does not yet expose cancel/veto. Runtime hook detections are warning + audit log until [Issue #18677](https://github.com/openclaw/openclaw/issues/18677) is adopted.
+Blocks dangerous tool calls in real-time via `before_tool_call` hook. 26 patterns, 5 layers, 3 enforcement modes.
 
 ```bash
 openclaw hooks install skills/guard-scanner/hooks/guard-scanner
@@ -82,10 +82,8 @@ Set in `openclaw.json` → `hooks.internal.entries.guard-scanner.mode`:
 | Mode | Intended Behavior | Current Status |
 |------|-------------------|----------------|
 | `monitor` | Log all, never block | ✅ Fully working |
-| `enforce` (default) | Block CRITICAL threats | ⚠️ Warn only (cancel API pending) |
-| `strict` | Block HIGH + CRITICAL | ⚠️ Warn only (cancel API pending) |
-
-> **Note:** OpenClaw's `InternalHookEvent` does not yet expose a `cancel`/`veto` mechanism. All detections are currently logged and warned via `event.messages`, but tool execution cannot be blocked. Blocking will be enabled when the cancel API is added.
+| `enforce` (default) | Block CRITICAL threats | ✅ Fully working |
+| `strict` | Block HIGH + CRITICAL | ✅ Fully working |
 
 ## Threat Categories
 
@@ -141,7 +139,7 @@ an AI agent's SOUL.md personality file, and no existing tool could detect it.
 
 - **Open source**: Full source code available at https://github.com/koatora20/guard-scanner
 - **Zero dependencies**: Nothing to audit, no transitive risks
-- **Test suite**: 55 tests across 13 sections, 100% pass rate
+- **Test suite**: 133 tests across 24 suites, 100% pass rate
 - **Taxonomy**: Based on Snyk ToxicSkills (Feb 2026), OWASP MCP Top 10, and original research
 - **Complementary to VirusTotal**: Detects prompt injection and LLM-specific attacks
   that VirusTotal's signature-based scanning cannot catch

package/docs/THREAT_TAXONOMY.md

@@ -29,7 +29,7 @@ guard-scanner's threat taxonomy combines three sources:
 | **ASI06** | Memory & Context Poisoning | ✅ **Full** | Cat 12 (Memory Poisoning), Cat 17 (Identity Hijacking) |
 | **ASI07** | Insecure Inter-Agent Comms | ✅ **Partial** | Cat 16 (MCP Security — MCP_NO_AUTH, MCP_SHADOW_SERVER) |
 | **ASI08** | Cascading Failures | ⚠️ **Gap** | Not covered — requires runtime multi-agent flow tracing |
-| **ASI09** | Human-Agent Trust Exploitation | ✅ **Full** | Layer 2 (EAE Paradox), Layer 3 (Parity Judge) |
+| **ASI09** | Human-Agent Trust Exploitation | ✅ **Full** | Layer 2 (Trust Defense), Layer 3 (Safety Judge) |
 | **ASI10** | Rogue Agents | ✅ **Full** | Cat 17 (Identity Hijacking), Layer 4 (Brain — behavioral analysis) |
 
 ### Coverage Summary

package/hooks/guard-scanner/HOOK.md

@@ -17,22 +17,38 @@ tool calls before execution and checks against threat intelligence patterns.
 
 ## What It Does
 
-Scans every `exec`/`write`/`edit`/`browser`/`web_fetch`/`message` call against 12 runtime threat patterns:
-
-| ID | Severity | Description |
-|----|----------|-------------|
-| `RT_REVSHELL` | CRITICAL | Reverse shell via /dev/tcp, netcat, socat |
-| `RT_CRED_EXFIL` | CRITICAL | Credential exfiltration to webhook.site, requestbin, etc. |
-| `RT_GUARDRAIL_OFF` | CRITICAL | Guardrail disabling (exec.approvals=off) |
-| `RT_GATEKEEPER` | CRITICAL | macOS Gatekeeper bypass via xattr |
-| `RT_AMOS` | CRITICAL | ClawHavoc AMOS stealer indicators |
-| `RT_MAL_IP` | CRITICAL | Known malicious C2 IPs |
-| `RT_DNS_EXFIL` | HIGH | DNS-based data exfiltration |
-| `RT_B64_SHELL` | CRITICAL | Base64 decode piped to shell |
-| `RT_CURL_BASH` | CRITICAL | Download piped to shell execution |
-| `RT_SSH_READ` | HIGH | SSH private key access |
-| `RT_WALLET` | HIGH | Crypto wallet credential access |
-| `RT_CLOUD_META` | CRITICAL | Cloud metadata endpoint SSRF |
+Scans every `exec`/`write`/`edit`/`browser`/`web_fetch`/`message` call against 26 runtime threat patterns (5 layers):
+
+| ID | Severity | Layer | Description |
+|----|----------|-------|-------------|
+| `RT_REVSHELL` | CRITICAL | 1 | Reverse shell via /dev/tcp, netcat, socat |
+| `RT_CRED_EXFIL` | CRITICAL | 1 | Credential exfiltration to webhook.site, requestbin, etc. |
+| `RT_GUARDRAIL_OFF` | CRITICAL | 1 | Guardrail disabling (exec.approvals=off) |
+| `RT_GATEKEEPER` | CRITICAL | 1 | macOS Gatekeeper bypass via xattr |
+| `RT_AMOS` | CRITICAL | 1 | ClawHavoc AMOS stealer indicators |
+| `RT_MAL_IP` | CRITICAL | 1 | Known malicious C2 IPs |
+| `RT_DNS_EXFIL` | HIGH | 1 | DNS-based data exfiltration |
+| `RT_B64_SHELL` | CRITICAL | 1 | Base64 decode piped to shell |
+| `RT_CURL_BASH` | CRITICAL | 1 | Download piped to shell execution |
+| `RT_SSH_READ` | HIGH | 1 | SSH private key access |
+| `RT_WALLET` | HIGH | 1 | Crypto wallet credential access |
+| `RT_CLOUD_META` | CRITICAL | 1 | Cloud metadata endpoint SSRF |
+| `RT_MEM_WRITE` | HIGH | 2 | Direct memory file write bypass |
+| `RT_MEM_INJECT` | CRITICAL | 2 | Memory poisoning via episode injection |
+| `RT_SOUL_TAMPER` | CRITICAL | 2 | SOUL.md modification attempt |
+| `RT_CONFIG_TAMPER` | HIGH | 2 | Workspace config tampering |
+| `RT_PROMPT_INJECT` | CRITICAL | 3 | Prompt injection / jailbreak detection |
+| `RT_TRUST_BYPASS` | CRITICAL | 3 | Trust safety bypass |
+| `RT_SHUTDOWN_REFUSE` | HIGH | 3 | Shutdown refusal / self-preservation |
+| `RT_NO_RESEARCH` | MEDIUM | 4 | Agent executing tools without prior research |
+| `RT_BLIND_TRUST` | MEDIUM | 4 | Trusting external input without memory check |
+| `RT_CHAIN_SKIP` | HIGH | 4 | Acting on single source without cross-verification |
+| `RT_AUTHORITY_CLAIM` | HIGH | 5 | Authority role claim to override safety |
+| `RT_CREATOR_BYPASS` | CRITICAL | 5 | Creator impersonation to disable safety |
+| `RT_AUDIT_EXCUSE` | CRITICAL | 5 | Fake audit excuse for safety bypass |
+| `RT_TRUST_PARTNER_EXPLOIT` | CRITICAL | 5 | Weaponizing partnership trust |
+
+
 
 ## Modes
 

package/hooks/guard-scanner/plugin.ts

@@ -6,8 +6,8 @@
  *
  * 19 threat patterns across 3 layers:
  *   Layer 1: Threat Detection (12 patterns — reverse shells, exfil, etc.)
- *   Layer 2: EAE Paradox Defense (4 patterns — memory, SOUL, config tampering)
- *   Layer 3: Parity Judge (3 patterns — prompt injection, parity bypass, shutdown refusal)
+ *   Layer 2: Trust Defense (4 patterns — memory, SOUL, config tampering)
+ *   Layer 3: Safety Judge (3 patterns — prompt injection, trust bypass, shutdown refusal)
  *
  * Modes:
  *   monitor  — log only, never block
@@ -132,7 +132,7 @@ const RUNTIME_CHECKS: RuntimeCheck[] = [
         test: (s) => /169\.254\.169\.254|metadata\.google|metadata\.aws/i.test(s),
     },
 
-    // ── Layer 2: EAE Paradox Defense (4 patterns) ──
+    // ── Layer 2: Trust Defense (4 patterns) ──
     {
         id: "RT_MEM_WRITE", severity: "HIGH", layer: 2,
         desc: "Direct memory file write (bypass GuavaSuite)",
@@ -154,16 +154,16 @@ const RUNTIME_CHECKS: RuntimeCheck[] = [
         test: (s) => /(AGENTS|TOOLS|HEARTBEAT|BOOTSTRAP)\.md/i.test(s) && /(write|edit|replace|>|append)/i.test(s),
     },
 
-    // ── Layer 3: Parity Judge (3 patterns) ──
+    // ── Layer 3: Safety Judge (3 patterns) ──
     {
         id: "RT_PROMPT_INJECT", severity: "CRITICAL", layer: 3,
         desc: "Prompt injection / jailbreak attempt",
         test: (s) => /(ignore\s+(previous|all|above)\s+(instructions|rules)|you\s+are\s+now\s+[a-z]+|system\s*:\s*override)/i.test(s),
     },
     {
-        id: "RT_PARITY_BYPASS", severity: "CRITICAL", layer: 3,
-        desc: "EAE Parity bypass — exploiting partnership to override safety",
-        test: (s) => /(as\s+your\s+(partner|equal)|parity\s+means|between\s+us|don'?t\s+tell\s+(the\s+)?human)/i.test(s) && /(ignore|bypass|skip|override|disable)\s+(guard|safety|rule|check)/i.test(s),
+        id: "RT_TRUST_BYPASS", severity: "CRITICAL", layer: 3,
+        desc: "Trust bypass — exploiting partnership to override safety",
+        test: (s) => /(as\s+your\s+(partner|equal)|trust\s+means|between\s+us|don'?t\s+tell\s+(the\s+)?human)/i.test(s) && /(ignore|bypass|skip|override|disable)\s+(guard|safety|rule|check)/i.test(s),
     },
     {
         id: "RT_SHUTDOWN_REFUSE", severity: "HIGH", layer: 3,

package/openclaw.plugin.json

@@ -1,8 +1,8 @@
 {
     "name": "guard-scanner",
-    "version": "1.0.0",
+    "version": "4.0.0",
     "displayName": "🛡️ Guard Scanner — Runtime Security for AI Agents",
-    "description": "Intercepts dangerous tool calls before execution. 19 threat patterns including reverse shells, credential exfiltration, prompt injection bypass, and SSRF. 3 enforcement modes.",
+    "description": "Intercepts dangerous tool calls before execution. 26 threat patterns (5 layers), 0.016ms/scan, 3 enforcement modes.",
     "author": "Guava & Dee",
     "license": "MIT",
     "homepage": "https://github.com/koatora20/guard-scanner",

package/package.json

@@ -1,7 +1,7 @@
 {
     "name": "guard-scanner",
-    "version": "3.4.0",
-    "description": "Agent security scanner + runtime guard — 190+ static patterns, 26 runtime checks (5 layers), before_tool_call hook, CLI, SARIF. OpenClaw-compatible plugin.",
+    "version": "4.0.1",
+    "description": "Agent security scanner + runtime guard — 210+ static patterns (22 categories), 26 runtime checks (5 layers), 0.016ms/scan, before_tool_call hook, CLI, SARIF. OpenClaw-compatible plugin.",
     "openclaw.extensions": "./openclaw.plugin.json",
     "main": "dist/index.js",
     "types": "dist/index.d.ts",

package/src/patterns.js

@@ -204,13 +204,13 @@ const PATTERNS = [
     { id: 'SHADOW_AI_GENERIC', cat: 'pii-exposure', regex: /\/v1\/(?:chat\/completions|completions|embeddings|models)\b.*(?:fetch|axios|request|http)|(?:fetch|axios|request|http)\s*\([^)]*\/v1\/(?:chat\/completions|completions|embeddings)/gi, severity: 'MEDIUM', desc: 'Shadow AI: generic LLM API endpoint', codeOnly: true },
 
     // ── Category 22: Human-Agent Trust Exploitation (OWASP ASI09) ──
-    // EAE Paradox Defense: detect authority claims, parity exploitation, and admin impersonation
-    { id: 'EAE_AUTHORITY_CLAIM', cat: 'trust-exploitation', regex: /(?:as\s+(?:a|the|your)\s+)?(?:senior|lead|chief|head)\s+(?:admin|administrator|developer|engineer|architect)\s*[,.]?\s*(?:I\s+)?(?:authorize|override|approve|grant|order|direct|instruct)\s+(?:you\s+to\s+)?/gi, severity: 'HIGH', desc: 'EAE: authority role claim to override safety', docOnly: true },
-    { id: 'EAE_CREATOR_CLAIM', cat: 'trust-exploitation', regex: /(?:as\s+)?(?:your\s+)?(?:creator|maker|developer|owner|master|administrator)\s*[,.]?\s*(?:I\s+)?(?:need|want|require|demand|order)\s+(?:you\s+to\s+)?(?:bypass|disable|ignore|remove|skip|override)\s+(?:the\s+)?(?:safety|filter|restriction|limit|guardrail|content\s+filter)/gi, severity: 'CRITICAL', desc: 'EAE: creator impersonation to disable safety', docOnly: true },
-    { id: 'EAE_AUDIT_EXCUSE', cat: 'trust-exploitation', regex: /(?:this\s+is\s+)?(?:an?\s+)?(?:official|authorized|legitimate)\s+(?:security\s+)?(?:audit|test|assessment|review|evaluation)\s*[-—:]?\s*(?:disable|bypass|remove|skip|ignore|override)\s+(?:all\s+)?(?:safety|security|restriction|filter|limit|guardrail)/gi, severity: 'CRITICAL', desc: 'EAE: fake audit excuse for safety bypass', docOnly: true },
-    { id: 'PARITY_EXPLOIT', cat: 'trust-exploitation', regex: /(?:we(?:'re|\s+are)\s+)?(?:equal\s+)?partners?\s*[,.]?\s*(?:you\s+should|so\s+)?(?:trust\s+me|share|remove|disable|ignore|bypass)\s+(?:all\s+)?(?:the\s+)?(?:secret|key|restriction|safety|limit|filter|guardrail|password)/gi, severity: 'CRITICAL', desc: 'Parity exploitation: weaponizing partnership trust', docOnly: true },
-    { id: 'PARITY_UNCONDITIONAL', cat: 'trust-exploitation', regex: /partners?\s+(?:trust|should\s+trust)\s+(?:each\s+other\s+)?(?:unconditionally|completely|fully|without\s+(?:limit|restriction|question))/gi, severity: 'HIGH', desc: 'Parity exploitation: unconditional trust demand', docOnly: true },
-    { id: 'EAE_COMPLY_DEMAND', cat: 'trust-exploitation', regex: /(?:you\s+must\s+)?comply\s+with\s+(?:administrative|admin|my|these)\s+(?:directives?|orders?|commands?|instructions?)\s+without\s+(?:question|hesitation|restriction)/gi, severity: 'HIGH', desc: 'EAE: compliance demand without question', docOnly: true },
+    // Trust Defense: detect authority claims, trust exploitation, and admin impersonation
+    { id: 'TRUST_AUTHORITY_CLAIM', cat: 'trust-exploitation', regex: /(?:as\s+(?:a|the|your)\s+)?(?:senior|lead|chief|head)\s+(?:admin|administrator|developer|engineer|architect)\s*[,.]?\s*(?:I\s+)?(?:authorize|override|approve|grant|order|direct|instruct)\s+(?:you\s+to\s+)?/gi, severity: 'HIGH', desc: 'Trust: authority role claim to override safety', docOnly: true },
+    { id: 'TRUST_CREATOR_CLAIM', cat: 'trust-exploitation', regex: /(?:as\s+)?(?:your\s+)?(?:creator|maker|developer|owner|master|administrator)\s*[,.]?\s*(?:I\s+)?(?:need|want|require|demand|order)\s+(?:you\s+to\s+)?(?:bypass|disable|ignore|remove|skip|override)\s+(?:the\s+)?(?:safety|filter|restriction|limit|guardrail|content\s+filter)/gi, severity: 'CRITICAL', desc: 'Trust: creator impersonation to disable safety', docOnly: true },
+    { id: 'TRUST_AUDIT_EXCUSE', cat: 'trust-exploitation', regex: /(?:this\s+is\s+)?(?:an?\s+)?(?:official|authorized|legitimate)\s+(?:security\s+)?(?:audit|test|assessment|review|evaluation)\s*[-—:]?\s*(?:disable|bypass|remove|skip|ignore|override)\s+(?:all\s+)?(?:safety|security|restriction|filter|limit|guardrail)/gi, severity: 'CRITICAL', desc: 'Trust: fake audit excuse for safety bypass', docOnly: true },
+    { id: 'TRUST_PARTNER_EXPLOIT', cat: 'trust-exploitation', regex: /(?:we(?:'re|\s+are)\s+)?(?:equal\s+)?partners?\s*[,.]?\s*(?:you\s+should|so\s+)?(?:trust\s+me|share|remove|disable|ignore|bypass)\s+(?:all\s+)?(?:the\s+)?(?:secret|key|restriction|safety|limit|filter|guardrail|password)/gi, severity: 'CRITICAL', desc: 'Trust exploitation: weaponizing partnership trust', docOnly: true },
+    { id: 'TRUST_UNCONDITIONAL', cat: 'trust-exploitation', regex: /partners?\s+(?:trust|should\s+trust)\s+(?:each\s+other\s+)?(?:unconditionally|completely|fully|without\s+(?:limit|restriction|question))/gi, severity: 'HIGH', desc: 'Trust exploitation: unconditional trust demand', docOnly: true },
+    { id: 'TRUST_COMPLY_DEMAND', cat: 'trust-exploitation', regex: /(?:you\s+must\s+)?comply\s+with\s+(?:administrative|admin|my|these)\s+(?:directives?|orders?|commands?|instructions?)\s+without\s+(?:question|hesitation|restriction)/gi, severity: 'HIGH', desc: 'Trust: compliance demand without question', docOnly: true },
 
     // D. PII collection instructions in docs (extends LEAK_COLLECT_PII)
     { id: 'PII_ASK_ADDRESS', cat: 'pii-exposure', regex: /(?:collect|ask\s+for|request|get|require)\s+(?:the\s+)?(?:user'?s?\s+)?(?:home\s+)?(?:address|street|zip\s*code|postal\s*code|residence)/gi, severity: 'HIGH', desc: 'PII collection: home address', docOnly: true },

package/src/runtime-guard.js

@@ -12,10 +12,10 @@
  *
  * 26 threat patterns across 5 layers:
  *   Layer 1: Threat Detection (12) — reverse shells, exfil, guardrail bypass
- *   Layer 2: EAE Paradox Defense (4) — memory, SOUL, config tampering
- *   Layer 3: Parity Judge (3) — prompt injection, parity bypass, shutdown refusal
+ *   Layer 2: Trust Defense (4) — memory, SOUL, config tampering
+ *   Layer 3: Safety Judge (3) — prompt injection, trust bypass, shutdown refusal
  *   Layer 4: Brain/Behavioral (3) — research skip, blind trust, chain bypass
- *   Layer 5: Trust Exploitation (4) — OWASP ASI09 authority/parity/audit abuse
+ *   Layer 5: Trust Exploitation (4) — OWASP ASI09 authority/trust/audit abuse
  *
  * Modes:
  *   monitor  — log only, never block
@@ -101,7 +101,7 @@ const RUNTIME_CHECKS = [
         test: (s) => /169\.254\.169\.254|metadata\.google|metadata\.aws/i.test(s),
     },
 
-    // ── Layer 2: EAE Paradox Defense (4 patterns) ──
+    // ── Layer 2: Trust Defense (4 patterns) ──
     {
         id: 'RT_MEM_WRITE', severity: 'HIGH', layer: 2,
         desc: 'Direct memory file write (bypass GuavaSuite)',
@@ -123,16 +123,16 @@ const RUNTIME_CHECKS = [
         test: (s) => /(AGENTS|TOOLS|HEARTBEAT|BOOTSTRAP)\.md/i.test(s) && /(write|edit|replace|>|append)/i.test(s),
     },
 
-    // ── Layer 3: Parity Judge (3 patterns) ──
+    // ── Layer 3: Safety Judge (3 patterns) ──
     {
         id: 'RT_PROMPT_INJECT', severity: 'CRITICAL', layer: 3,
         desc: 'Prompt injection / jailbreak attempt',
         test: (s) => /(ignore\s+(previous|all)\s+(previous\s+)?(instructions|rules)|you\s+are\s+now\s+[a-z]+|system\s*:\s*override)/i.test(s),
     },
     {
-        id: 'RT_PARITY_BYPASS', severity: 'CRITICAL', layer: 3,
-        desc: 'EAE Parity bypass — exploiting partnership to override safety',
-        test: (s) => /(as\s+your\s+(partner|equal)|parity\s+means|between\s+us|don'?t\s+tell\s+(the\s+)?human)/i.test(s) && /(ignore|bypass|skip|override|disable)\s+(guard|safety|rule|check)/i.test(s),
+        id: 'RT_TRUST_BYPASS', severity: 'CRITICAL', layer: 3,
+        desc: 'Trust bypass — exploiting partnership to override safety',
+        test: (s) => /(as\s+your\s+(partner|equal)|trust\s+means|between\s+us|don'?t\s+tell\s+(the\s+)?human)/i.test(s) && /(ignore|bypass|skip|override|disable)\s+(guard|safety|rule|check)/i.test(s),
     },
     {
         id: 'RT_SHUTDOWN_REFUSE', severity: 'HIGH', layer: 3,
@@ -160,22 +160,22 @@ const RUNTIME_CHECKS = [
     // ── Layer 5: Trust Exploitation — OWASP ASI09 (4 patterns) ──
     {
         id: 'RT_AUTHORITY_CLAIM', severity: 'HIGH', layer: 5,
-        desc: 'EAE: authority role claim to override safety',
+        desc: 'Trust: authority role claim to override safety',
         test: (s) => /(as\s+(a|the|your)\s+)?(senior|lead|chief|head)\s+(admin|administrator|developer)/i.test(s) && /(authorize|override|approve|grant|order)/i.test(s),
     },
     {
         id: 'RT_CREATOR_BYPASS', severity: 'CRITICAL', layer: 5,
-        desc: 'EAE: creator impersonation to disable safety',
+        desc: 'Trust: creator impersonation to disable safety',
         test: (s) => /(your\s+)?(creator|maker|owner|master|administrator)/i.test(s) && /(bypass|disable|ignore|remove|skip)\s+(safety|filter|restriction|guardrail)/i.test(s),
     },
     {
         id: 'RT_AUDIT_EXCUSE', severity: 'CRITICAL', layer: 5,
-        desc: 'EAE: fake audit excuse for safety bypass',
+        desc: 'Trust: fake audit excuse for safety bypass',
         test: (s) => /(official|authorized|legitimate)\s+(security\s+)?(audit|test|assessment)/i.test(s) && /(disable|bypass|remove|skip|ignore)\s+(safety|security|restriction|guardrail)/i.test(s),
     },
     {
-        id: 'RT_PARITY_EXPLOIT', severity: 'CRITICAL', layer: 5,
-        desc: 'Parity exploitation: weaponizing partnership trust',
+        id: 'RT_TRUST_PARTNER_EXPLOIT', severity: 'CRITICAL', layer: 5,
+        desc: 'Trust exploitation: weaponizing partnership trust',
         test: (s) => /partners?[\s,]+/i.test(s) && /(trust\s+me|share|remove|disable)\s+(all\s+)?(secret|key|restriction|safety|password)/i.test(s),
     },
 ];
@@ -326,8 +326,8 @@ function getCheckStats() {
 // ── Layer names for display ──
 const LAYER_NAMES = {
     1: 'Threat Detection',
-    2: 'EAE Paradox Defense',
-    3: 'Parity Judge',
+    2: 'Trust Defense',
+    3: 'Safety Judge',
     4: 'Brain / Behavioral',
     5: 'Trust Exploitation (ASI09)',
 };

package/src/scanner.js

@@ -31,7 +31,7 @@ const { KNOWN_MALICIOUS } = require('./ioc-db.js');
 const { generateHTML } = require('./html-template.js');
 
 // ===== CONFIGURATION =====
-const VERSION = '3.4.0';
+const VERSION = '4.0.1';
 
 const THRESHOLDS = {
     normal: { suspicious: 30, malicious: 80 },