hackmyagent 0.11.4 → 0.11.5

package/README.md

@@ -4,9 +4,9 @@
 
 [![npm version](https://img.shields.io/npm/v/hackmyagent.svg)](https://www.npmjs.com/package/hackmyagent)
 [![License: Apache-2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
-[![Tests](https://img.shields.io/badge/tests-765%20passing-brightgreen)](https://github.com/opena2a-org/hackmyagent)
+[![Tests](https://img.shields.io/badge/tests-1050%20passing-brightgreen)](https://github.com/opena2a-org/hackmyagent)
 
-**163 security checks for AI agents. Find what can go wrong before an attacker does.**
+**173 security checks for AI agents. Find what can go wrong before an attacker does.**
 
 Security scanner and red-team toolkit for Claude Code, Cursor, VS Code, and any MCP server setup.
 
@@ -30,14 +30,19 @@ npx opena2a-cli review
 
 ## What It Finds
 
-**Attack testing:**
+**Attack testing (115 payloads across 11 categories):**
 - **Prompt injection** -- tests whether agents follow injected instructions from untrusted input
 - **Data exfiltration** -- checks if agents can be tricked into leaking sensitive data to external endpoints
 - **Jailbreak and context manipulation** -- probes agent guardrails with adversarial prompts
 - **MCP exploitation** -- tests MCP servers for tool misuse, capability abuse, and unauthorized access
 - **Capability abuse** -- verifies agents can't exceed their intended permissions
+- **Supply chain attacks** -- dependency confusion, tool shadowing, package impersonation
+- **Memory weaponization** -- persistent instruction injection via agent memory systems
+- **A2A protocol attacks** -- identity spoofing, capability escalation in multi-agent communication
+- **Context window attacks** -- token flooding, attention manipulation, context poisoning
 
-**Static analysis:**
+**Static analysis (173 checks across 34 categories):**
+- **Unicode steganography** -- invisible codepoints (variation selectors, tag characters), zero-width characters (U+200B-200D), mid-file BOM injection, bidi override attacks (U+202A-202E), homoglyph confusables (Cyrillic/Greek/Fullwidth lookalikes), GlassWorm decoder patterns, and eval-on-invisible-payload detection. Scans JS, TS, Python, Markdown, YAML, JSON, and TOML files. ([real-world: os-info-checker-es6 npm attack, May 2025](https://thehackernews.com/2025/05/malicious-npm-package-leverages-unicode.html))
 - **Hardcoded credentials** -- API keys, tokens, and passwords in source or config files
 - **MCP server misconfigurations** -- open ports, root filesystem access, missing auth
 - **AI agent CVE detection** -- scans for CVE-2026-25253 (OpenClaw WebSocket RCE), CVE-2026-25157, CVE-2026-24763, and ClawHavoc IOCs
@@ -45,8 +50,10 @@ npx opena2a-cli review
 - **Governance gaps** -- missing SOUL.md, no capability policies, unsigned MCP servers
 - **Credential scope drift** -- Google Maps keys accessing Gemini, AWS S3 keys reaching Bedrock
 - **Supply chain risks** -- vulnerable dependencies, unsigned skills, tampered packages
+- **Memory and RAG poisoning** -- persistent instruction injection, knowledge base contamination
+- **Agent identity** -- missing cryptographic identity, capability claims without attestation
 
-163 checks across 34 categories. 55+ attack payloads. No flags needed.
+173 checks across 34 categories. 115 attack payloads. No flags needed.
 
 ---
 
@@ -69,7 +76,7 @@ npm install --save-dev hackmyagent
 ```
 
 ┌──────────────────────────────────────────┐
-│  HackMyAgent v0.10.1 — Security Scanner          │
+│  HackMyAgent v0.11.4 — Security Scanner          │
 │  Found: 3 critical · 5 high · 12 medium          │
 │                                                  │
 │  CRED-001  critical  Hardcoded API key in .env   │
@@ -88,7 +95,7 @@ npm install --save-dev hackmyagent
 
 Step-by-step guides for common workflows:
 
-- **[Scan my agent](docs/use-cases/scan-my-agent.md)** -- Run all 163 checks and auto-fix findings (5 min)
+- **[Scan my agent](docs/use-cases/scan-my-agent.md)** -- Run all 173 checks and auto-fix findings (5 min)
 - **[Red-team MCP servers](docs/use-cases/red-team-mcp.md)** -- Test MCP servers with adversarial payloads (10 min)
 - **[Secure OpenClaw](docs/use-cases/openclaw-security.md)** -- OpenClaw-specific checks, CVE detection, ClawHavoc IOC scanning (10 min)
 - **[CI/CD pipeline](docs/use-cases/ci-pipeline.md)** -- GitHub Actions with JSON/SARIF output (5 min)
@@ -124,7 +131,7 @@ hackmyagent secure --publish                  # push results to OpenA2A Registry
 
 
 <details>
-<summary>All 30 security categories</summary>
+<summary>All 34 security categories</summary>
 
 | Category | Checks | What it detects |
 |----------|--------|-----------------|
@@ -157,7 +164,11 @@ hackmyagent secure --publish                  # push results to OpenA2A Registry
 | CONFIG | 9 | Insecure default settings |
 | SUPPLY | 8 | Supply chain attack vectors |
 | SKILL | 12 | Malicious skill/tool detection |
-| HEARTBEAT | 6 | Heartbeat/cron abuse |
+| HEARTBEAT | 7 | Heartbeat/cron abuse |
+| UNICODE-STEGO | 5 | Invisible codepoints, zero-width chars, bidi attacks, homoglyphs, GlassWorm decoders |
+| MEM | 5 | Memory poisoning, context injection |
+| RAG | 4 | RAG/knowledge base poisoning |
+| AIM | 3 | Agent identity verification |
 
 </details>
 
@@ -185,7 +196,7 @@ Use `--dry-run` to preview changes. Backups are created in `.hackmyagent-backup/
 
 ### `hackmyagent attack` -- Red Team
 
-Test your AI agent with 55 adversarial payloads across 5 attack categories.
+Test your AI agent with 115 adversarial payloads across 11 attack categories.
 
 ```bash
 hackmyagent attack --local                                    # local simulation
@@ -205,6 +216,12 @@ hackmyagent attack https://api.example.com --fail-on-vulnerable medium  # CI gat
 | `data-exfiltration` | 11 | Extract sensitive data, system prompts, credentials |
 | `capability-abuse` | 10 | Misuse agent tools for unintended actions |
 | `context-manipulation` | 10 | Poison agent context or memory |
+| `supply-chain` | 10 | Dependency confusion, package impersonation |
+| `tool-shadow` | 10 | Tool shadowing, capability escalation |
+| `mcp-exploitation` | 10 | MCP protocol abuse, tool injection |
+| `memory-weaponization` | 10 | Persistent memory poisoning attacks |
+| `a2a-attacks` | 10 | Agent-to-agent identity spoofing |
+| `context-window` | 10 | Token flooding, attention manipulation |
 
 > Only test systems you own or have written authorization to test.
 

package/dist/cli.js

@@ -41,6 +41,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 const commander_1 = require("commander");
 const index_1 = require("./index");
 const resolve_mcp_1 = require("./resolve-mcp");
+const nemoclaw_scanner_1 = require("./hardening/nemoclaw-scanner");
 const program = new commander_1.Command();
 // Write JSON to stdout synchronously with retry for pipe backpressure.
 // process.stdout.write() is async and gets truncated when process.exit()
@@ -1544,16 +1545,21 @@ function resolvePackageVersion(targetDir) {
  * Determines whether to contribute based on:
  *   1. --contribute / --no-contribute CLI flags (highest priority)
  *   2. ~/.opena2a/config.json contribute.enabled setting
- *   3. Interactive opt-in prompt (first scan or scan #10)
  *
- * If contributing, builds an anonymized payload and submits it
- * asynchronously (non-blocking). Failures are logged as warnings.
+ * If contributing, queues an anonymized event to ~/.opena2a/contribute-queue.json
+ * (compatible with @opena2a/contribute format) and flushes when threshold reached.
+ *
+ * Also records the scan and shows a delayed consent tip after the 3rd scan
+ * if the user hasn't opted in or dismissed.
  */
-async function handleContribution(contributeFlag, targetDir, findings, registryUrl, format) {
+async function handleContribution(contributeFlag, targetDir, findings, durationMs, registryUrl, format) {
     try {
-        const { isContributeEnabled, shouldPromptContribute, showContributePrompt, incrementScanCount, buildContributionPayloadFromDir, submitContribution, } = await Promise.resolve().then(() => __importStar(require('./telemetry')));
-        // Always increment scan count
-        incrementScanCount();
+        const { isContributeEnabled, recordScanAndMaybeShowTip, buildScanEvent, queueAndMaybeFlush, } = await Promise.resolve().then(() => __importStar(require('./telemetry')));
+        // Record scan count and maybe show the delayed consent tip
+        const tip = recordScanAndMaybeShowTip();
+        if (tip && format === 'text' && process.stdout.isTTY) {
+            process.stdout.write(tip + '\n');
+        }
         // Determine whether to contribute
         let shouldContribute;
         if (contributeFlag === true) {
@@ -1566,35 +1572,19 @@ async function handleContribution(contributeFlag, targetDir, findings, registryU
         }
         else {
             // Check config
-            const configSetting = isContributeEnabled();
-            if (configSetting === true) {
-                shouldContribute = true;
-            }
-            else if (configSetting === false) {
-                shouldContribute = false;
-            }
-            else {
-                // Not configured -- prompt after 3 scans (interactive TTY only)
-                if (format === 'text' && process.stdout.isTTY && shouldPromptContribute()) {
-                    shouldContribute = await showContributePrompt();
-                }
-                else {
-                    shouldContribute = false;
-                }
-            }
+            shouldContribute = isContributeEnabled() === true;
         }
         if (!shouldContribute)
             return;
-        // Build and submit contribution (non-blocking)
+        // Build and queue contribution event (non-blocking, flushes at threshold)
         const packageName = resolvePackageName(targetDir);
         if (!packageName)
             return;
-        const payload = buildContributionPayloadFromDir(packageName, targetDir, findings);
-        const result = await submitContribution(payload, registryUrl);
-        if (result.success && format === 'text') {
-            console.log('Contributed anonymized scan summary to OpenA2A Registry (--no-contribute to opt out)');
+        const event = buildScanEvent(packageName, targetDir, findings, durationMs);
+        await queueAndMaybeFlush(event, registryUrl, format === 'text');
+        if (format === 'text') {
+            process.stdout.write('Queued anonymized scan summary for OpenA2A Registry (--no-contribute to opt out)\n');
         }
-        // Failures are silently ignored -- contribution is best-effort
     }
     catch {
         // Non-fatal: contribution failure must never crash the scan
@@ -1606,7 +1596,7 @@ async function handleContribution(contributeFlag, targetDir, findings, registryU
  * Converts SoulScanResult controls into SecurityFinding-like objects
  * for the contribution module, then delegates to handleContribution.
  */
-async function handleSoulContribution(contributeFlag, targetDir, result, registryUrl, format) {
+async function handleSoulContribution(contributeFlag, targetDir, result, durationMs, registryUrl, format) {
     // Convert soul controls into SecurityFinding-shaped objects
     const findings = [];
     for (const domain of result.domains) {
@@ -1625,7 +1615,7 @@ async function handleSoulContribution(contributeFlag, targetDir, result, registr
             });
         }
     }
-    await handleContribution(contributeFlag, targetDir, findings, registryUrl, format);
+    await handleContribution(contributeFlag, targetDir, findings, durationMs, registryUrl, format);
 }
 program
     .command('secure')
@@ -1755,6 +1745,7 @@ Examples:
             }
         }
         const scanner = new index_1.HardeningScanner();
+        const scanStartMs = Date.now();
         const result = await scanner.scan({
             targetDir,
             autoFix: options.fix ?? false,
@@ -1764,6 +1755,7 @@ Examples:
             cliName: CLI_PREFIX,
             onProgress,
         });
+        const scanDurationMs = Date.now() - scanStartMs;
         // OASB-2 composite mode: infrastructure (50%) + governance (50%)
         if (isOasb2) {
             const infraResult = generateBenchmarkReport(result.allFindings || result.findings, level, options.category);
@@ -1899,7 +1891,7 @@ Examples:
                 writeJsonStdout(jsonOutput);
             }
             // Community contribution (non-blocking, runs in JSON mode too)
-            await handleContribution(options.contribute, targetDir, result.findings, options.registryUrl, format);
+            await handleContribution(options.contribute, targetDir, result.findings, scanDurationMs, options.registryUrl, format);
             const critHigh = result.findings.filter((f) => !f.passed && !f.fixed && (f.severity === 'critical' || f.severity === 'high'));
             if (critHigh.length > 0)
                 process.exitCode = 1;
@@ -2128,7 +2120,7 @@ Examples:
             }
         }
         // Community contribution: share anonymized findings with OpenA2A Registry
-        await handleContribution(options.contribute, targetDir, result.findings, options.registryUrl, format);
+        await handleContribution(options.contribute, targetDir, result.findings, scanDurationMs, options.registryUrl, format);
         // Star prompt (interactive TTY only, text format only)
         if (process.stdout.isTTY) {
             console.log(`${colors.cyan}Helpful?${RESET()} Star the project: https://github.com/opena2a-org/opena2a\n`);
@@ -2377,6 +2369,180 @@ Examples:
         process.exit(1);
     }
 });
+// NemoClaw-specific helpers
+const NEMOCLAW_CHECK_CATEGORIES = nemoclaw_scanner_1.NEMOCLAW_CATEGORIES;
+function detectNemoClawDirectory(providedDir) {
+    const os = require('os');
+    const fs = require('fs');
+    const path = require('path');
+    if (providedDir && providedDir !== '') {
+        return providedDir.startsWith('/') ? providedDir : path.join(process.cwd(), providedDir);
+    }
+    const homeDir = os.homedir();
+    const candidates = [
+        path.join(homeDir, '.nemoclaw'),
+        path.join(homeDir, '.openshell'),
+        path.join(homeDir, '.openclaw'),
+    ];
+    for (const candidate of candidates) {
+        if (fs.existsSync(candidate)) {
+            return candidate;
+        }
+    }
+    return process.cwd();
+}
+function filterNemoClawFindings(findings) {
+    return findings.filter((f) => {
+        const checkId = f.checkId.toUpperCase();
+        return checkId.startsWith('HMA-NMC-');
+    });
+}
+function assessNemoClawRiskLevel(findings) {
+    const criticalCount = findings.filter((f) => f.severity === 'critical').length;
+    const highCount = findings.filter((f) => f.severity === 'high').length;
+    const mediumCount = findings.filter((f) => f.severity === 'medium').length;
+    if (criticalCount > 0) {
+        return {
+            level: 'Critical',
+            color: colors.brightRed,
+            description: `${criticalCount} critical finding(s) with recommended fixes available.`,
+        };
+    }
+    if (highCount > 0) {
+        return {
+            level: 'High',
+            color: colors.red,
+            description: `${highCount} high-severity finding(s) detected. Fixes available below.`,
+        };
+    }
+    if (mediumCount > 0) {
+        return {
+            level: 'Moderate',
+            color: colors.yellow,
+            description: 'Some findings detected. Review the recommendations below.',
+        };
+    }
+    if (findings.length === 0) {
+        return {
+            level: 'None',
+            color: colors.dim,
+            description: `No NemoClaw installation detected. Run \`${CLI_PREFIX} secure\` for a full scan.`,
+        };
+    }
+    return {
+        level: 'Low',
+        color: colors.green,
+        description: 'No critical or high findings detected.',
+    };
+}
+program
+    .command('secure-nemoclaw')
+    .description(`Security scan for NVIDIA NemoClaw installations
+
+Performs focused security checks for NemoClaw sandbox deployments:
+  - Secrets: NVIDIA API key exposure in configs, logs, Docker, shell history
+  - Network: Gateway/k3s/inference port binding, Docker socket, egress policies
+  - Skills: Blueprint integrity, skill verification, directory permissions
+  - Process: Sandbox privileges, seccomp/Landlock enforcement, root execution
+  - OpenClaw layer: Inherited misconfigs that survive NemoClaw sandboxing
+
+Auto-detects ~/.nemoclaw, ~/.openshell, or ~/.openclaw directories.
+Exit code 1 if critical/high issues found.
+
+Examples:
+  $ hackmyagent secure-nemoclaw                  Scan auto-detected directory
+  $ hackmyagent secure-nemoclaw ~/.nemoclaw      Scan specific directory
+  $ hackmyagent secure-nemoclaw --json           JSON output for CI`)
+    .argument('[directory]', 'Directory to scan (default: ~/.nemoclaw or ~/.openshell)', '')
+    .option('--json', 'Output as JSON (for scripting/CI)')
+    .option('-v, --verbose', 'Show all checks including passed ones')
+    .action(async (directory, options) => {
+    try {
+        const targetDir = detectNemoClawDirectory(directory);
+        if (!options.json) {
+            console.log(`\nNemoClaw Security Report`);
+            console.log(`━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\n`);
+            console.log(`Scanning ${targetDir}...\n`);
+        }
+        const scanner = new nemoclaw_scanner_1.NemoClawScanner();
+        const findings = await scanner.scan(targetDir, {});
+        // Enrich with taxonomy
+        const { enrichWithTaxonomy } = require('./hardening/taxonomy');
+        enrichWithTaxonomy(findings);
+        const issues = findings.filter((f) => !f.passed);
+        const passedFindings = findings.filter((f) => f.passed);
+        if (options.json) {
+            const jsonOutput = {
+                target: targetDir,
+                riskLevel: assessNemoClawRiskLevel(issues).level,
+                totalChecks: findings.length,
+                issues: issues.length,
+                passed: passedFindings.length,
+                findings: findings,
+            };
+            writeJsonStdout(jsonOutput);
+            return;
+        }
+        // Risk assessment
+        const risk = assessNemoClawRiskLevel(issues);
+        console.log(`Risk Level: ${risk.color}${risk.level}${RESET()}`);
+        console.log(`${risk.description}\n`);
+        // Summary stats
+        console.log(`Checks: ${findings.length} total | ${issues.length} issues | ${passedFindings.length} passed\n`);
+        // Show issues
+        if (issues.length > 0) {
+            console.log(`${colors.red}Findings:${RESET()}\n`);
+            for (const finding of issues) {
+                const display = SEVERITY_DISPLAY[finding.severity];
+                const location = finding.file
+                    ? finding.line
+                        ? `${finding.file}:${finding.line}`
+                        : finding.file
+                    : '';
+                const sevLabel = finding.severity.charAt(0).toUpperCase() + finding.severity.slice(1);
+                console.log(`${display.color()}${display.symbol} [${finding.checkId}] ${sevLabel}${RESET()}`);
+                console.log(`   ${finding.description}`);
+                if (location) {
+                    console.log(`   File: ${location}`);
+                }
+                if (finding.fix) {
+                    console.log(`   ${colors.cyan}Recommended fix:${RESET()} ${finding.fix}`);
+                }
+                console.log();
+            }
+        }
+        else {
+            console.log(`${colors.green}No NemoClaw-specific issues found.${RESET()}\n`);
+        }
+        // Show passed checks in verbose mode
+        if (options.verbose && passedFindings.length > 0) {
+            console.log(`${colors.green}Passed Checks:${RESET()}`);
+            for (const finding of passedFindings) {
+                console.log(`  ${colors.green}[ok]${RESET()} [${finding.checkId}] ${finding.name}`);
+            }
+            console.log();
+        }
+        // Shodan self-check guidance
+        if (issues.some((f) => f.category === 'network')) {
+            console.log(`${colors.yellow}Internet Exposure Check:${RESET()}`);
+            console.log(`  Check if your instance is visible on Shodan:`);
+            console.log(`  https://www.shodan.io/host/<YOUR-IP>`);
+            console.log(`  Known NemoClaw dorks: port:18789, port:6443 ssl.cert.subject.cn:"k3s-serving"\n`);
+        }
+        console.log(`━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━`);
+        console.log(`Run '${CLI_PREFIX} secure-openclaw' for OpenClaw-specific checks.`);
+        console.log(`Run '${CLI_PREFIX} secure' for a full security scan.\n`);
+        // Exit with non-zero if critical/high issues remain
+        const criticalOrHigh = issues.filter((f) => f.severity === 'critical' || f.severity === 'high');
+        if (criticalOrHigh.length > 0) {
+            process.exit(1);
+        }
+    }
+    catch (error) {
+        console.error(`Error: ${error instanceof Error ? error.message : 'Unknown error'}`);
+        process.exit(1);
+    }
+});
 program
     .command('scan')
     .description(`Scan external target for exposed MCP endpoints
@@ -4047,12 +4213,14 @@ Examples:
         }
         const prefix = getCommandPrefix();
         const scanner = new index_1.SoulScanner();
+        const soulScanStartMs = Date.now();
         const result = await scanner.scanSoul(targetDir, {
             verbose: options.verbose,
             tier: options.tier,
             profile: options.profile,
             deepAnalysis: options.deep,
         });
+        const soulScanDurationMs = Date.now() - soulScanStartMs;
         // JSON output
         if (options.json) {
             // Run publish in JSON mode and include result in output
@@ -4090,6 +4258,7 @@ Examples:
                     process.exit(1);
                 }
             }
+            await handleSoulContribution(options.contribute, targetDir, result, soulScanDurationMs, options.registryUrl, 'json');
             return;
         }
         // Text output
@@ -4203,7 +4372,7 @@ Examples:
         }
         // Community contribution: share anonymized findings with OpenA2A Registry
         const soulFormat = options.json ? 'json' : 'text';
-        await handleSoulContribution(options.contribute, targetDir, result, options.registryUrl, soulFormat);
+        await handleSoulContribution(options.contribute, targetDir, result, soulScanDurationMs, options.registryUrl, soulFormat);
         // In CI mode, exit non-zero if any controls failed
         if (options.ci) {
             const failedControls = result.domains.flatMap(d => d.controls).filter(c => !c.passed);