shieldcortex 2.4.23 → 2.4.24
- package/dashboard/.next/standalone/dashboard/.next/BUILD_ID +1 -1
- package/dashboard/.next/standalone/dashboard/.next/build-manifest.json +2 -2
- package/dashboard/.next/standalone/dashboard/.next/prerender-manifest.json +3 -3
- package/dashboard/.next/standalone/dashboard/.next/server/app/_global-error.html +2 -2
- package/dashboard/.next/standalone/dashboard/.next/server/app/_global-error.rsc +1 -1
- package/dashboard/.next/standalone/dashboard/.next/server/app/_global-error.segments/__PAGE__.segment.rsc +1 -1
- package/dashboard/.next/standalone/dashboard/.next/server/app/_global-error.segments/_full.segment.rsc +1 -1
- package/dashboard/.next/standalone/dashboard/.next/server/app/_global-error.segments/_head.segment.rsc +1 -1
- package/dashboard/.next/standalone/dashboard/.next/server/app/_global-error.segments/_index.segment.rsc +1 -1
- package/dashboard/.next/standalone/dashboard/.next/server/app/_global-error.segments/_tree.segment.rsc +1 -1
- package/dashboard/.next/standalone/dashboard/.next/server/app/_not-found/page_client-reference-manifest.js +1 -1
- package/dashboard/.next/standalone/dashboard/.next/server/app/_not-found.html +1 -1
- package/dashboard/.next/standalone/dashboard/.next/server/app/_not-found.rsc +2 -2
- package/dashboard/.next/standalone/dashboard/.next/server/app/_not-found.segments/_full.segment.rsc +2 -2
- package/dashboard/.next/standalone/dashboard/.next/server/app/_not-found.segments/_head.segment.rsc +1 -1
- package/dashboard/.next/standalone/dashboard/.next/server/app/_not-found.segments/_index.segment.rsc +2 -2
- package/dashboard/.next/standalone/dashboard/.next/server/app/_not-found.segments/_not-found/__PAGE__.segment.rsc +1 -1
- package/dashboard/.next/standalone/dashboard/.next/server/app/_not-found.segments/_not-found.segment.rsc +1 -1
- package/dashboard/.next/standalone/dashboard/.next/server/app/_not-found.segments/_tree.segment.rsc +2 -2
- package/dashboard/.next/standalone/dashboard/.next/server/app/index.html +1 -1
- package/dashboard/.next/standalone/dashboard/.next/server/app/index.rsc +3 -3
- package/dashboard/.next/standalone/dashboard/.next/server/app/index.segments/__PAGE__.segment.rsc +2 -2
- package/dashboard/.next/standalone/dashboard/.next/server/app/index.segments/_full.segment.rsc +3 -3
- package/dashboard/.next/standalone/dashboard/.next/server/app/index.segments/_head.segment.rsc +1 -1
- package/dashboard/.next/standalone/dashboard/.next/server/app/index.segments/_index.segment.rsc +2 -2
- package/dashboard/.next/standalone/dashboard/.next/server/app/index.segments/_tree.segment.rsc +2 -2
- package/dashboard/.next/standalone/dashboard/.next/server/app/page/react-loadable-manifest.json +1 -1
- package/dashboard/.next/standalone/dashboard/.next/server/app/page_client-reference-manifest.js +1 -1
- package/dashboard/.next/standalone/dashboard/.next/server/chunks/ssr/dashboard_25b1b286._.js +1 -1
- package/dashboard/.next/standalone/dashboard/.next/server/pages/404.html +1 -1
- package/dashboard/.next/standalone/dashboard/.next/server/pages/500.html +2 -2
- package/dashboard/.next/standalone/dashboard/.next/server/server-reference-manifest.js +1 -1
- package/dashboard/.next/standalone/dashboard/.next/server/server-reference-manifest.json +1 -1
- package/dashboard/.next/standalone/dashboard/.next/static/chunks/{0327af3bf4830eac.js → 0ba8a0e679bf5c40.js} +1 -1
- package/dashboard/.next/standalone/dashboard/.next/static/chunks/17348ec48b354115.css +3 -0
- package/dashboard/.next/standalone/dashboard/.next/static/chunks/{21c4fc7176fbe8ee.js → caa049bd46f24dd8.js} +1 -1
- package/dashboard/.next/standalone/dashboard/.next/static/chunks/{511275d9224bafb2.js → cb7d5bff58e77e2c.js} +1 -1
- package/dist/api/visualization-server.d.ts.map +1 -1
- package/dist/api/visualization-server.js +54 -0
- package/dist/api/visualization-server.js.map +1 -1
- package/dist/cloud/sync.d.ts.map +1 -1
- package/dist/cloud/sync.js +7 -3
- package/dist/cloud/sync.js.map +1 -1
- package/dist/defence/index.d.ts +2 -0
- package/dist/defence/index.d.ts.map +1 -1
- package/dist/defence/index.js +2 -0
- package/dist/defence/index.js.map +1 -1
- package/dist/defence/skill-scanner/__tests__/skill-scanner.test.d.ts +12 -0
- package/dist/defence/skill-scanner/__tests__/skill-scanner.test.d.ts.map +1 -0
- package/dist/defence/skill-scanner/__tests__/skill-scanner.test.js +471 -0
- package/dist/defence/skill-scanner/__tests__/skill-scanner.test.js.map +1 -0
- package/dist/defence/skill-scanner/discover.d.ts +16 -0
- package/dist/defence/skill-scanner/discover.d.ts.map +1 -0
- package/dist/defence/skill-scanner/discover.js +85 -0
- package/dist/defence/skill-scanner/discover.js.map +1 -0
- package/dist/defence/skill-scanner/index.d.ts +20 -0
- package/dist/defence/skill-scanner/index.d.ts.map +1 -0
- package/dist/defence/skill-scanner/index.js +17 -0
- package/dist/defence/skill-scanner/index.js.map +1 -0
- package/dist/defence/skill-scanner/parser.d.ts +45 -0
- package/dist/defence/skill-scanner/parser.d.ts.map +1 -0
- package/dist/defence/skill-scanner/parser.js +373 -0
- package/dist/defence/skill-scanner/parser.js.map +1 -0
- package/dist/defence/skill-scanner/patterns.d.ts +37 -0
- package/dist/defence/skill-scanner/patterns.d.ts.map +1 -0
- package/dist/defence/skill-scanner/patterns.js +240 -0
- package/dist/defence/skill-scanner/patterns.js.map +1 -0
- package/dist/defence/skill-scanner/scan-skill.d.ts +75 -0
- package/dist/defence/skill-scanner/scan-skill.d.ts.map +1 -0
- package/dist/defence/skill-scanner/scan-skill.js +397 -0
- package/dist/defence/skill-scanner/scan-skill.js.map +1 -0
- package/dist/embeddings/generator.d.ts +5 -0
- package/dist/embeddings/generator.d.ts.map +1 -1
- package/dist/embeddings/generator.js +35 -5
- package/dist/embeddings/generator.js.map +1 -1
- package/dist/embeddings/index.d.ts +1 -1
- package/dist/embeddings/index.d.ts.map +1 -1
- package/dist/embeddings/index.js +1 -1
- package/dist/embeddings/index.js.map +1 -1
- package/dist/index.js +88 -0
- package/dist/index.js.map +1 -1
- package/dist/memory/contradiction.d.ts.map +1 -1
- package/dist/memory/contradiction.js +8 -2
- package/dist/memory/contradiction.js.map +1 -1
- package/dist/memory/store.d.ts.map +1 -1
- package/dist/memory/store.js +27 -0
- package/dist/memory/store.js.map +1 -1
- package/dist/server.d.ts.map +1 -1
- package/dist/server.js +35 -0
- package/dist/server.js.map +1 -1
- package/hooks/openclaw/cortex-memory/handler.js +75 -0
- package/package.json +1 -1
- package/scripts/session-start-hook.mjs +67 -1
- package/dashboard/.next/standalone/dashboard/.next/static/chunks/8e559e67e3d8782b.css +0 -3
- /package/dashboard/.next/standalone/dashboard/.next/static/{Ykr04kZxo_ae93TlaBU55 → G16ww7KrkUyZJT_fvjFk6}/_buildManifest.js +0 -0
- /package/dashboard/.next/standalone/dashboard/.next/static/{Ykr04kZxo_ae93TlaBU55 → G16ww7KrkUyZJT_fvjFk6}/_clientMiddlewareManifest.json +0 -0
- /package/dashboard/.next/standalone/dashboard/.next/static/{Ykr04kZxo_ae93TlaBU55 → G16ww7KrkUyZJT_fvjFk6}/_ssgManifest.js +0 -0
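--- a/package/dist/defence/skill-scanner/patterns.js
+++ b/package/dist/defence/skill-scanner/patterns.js
@@ -0,0 +1,240 @@
+/**
+* Skill-Specific Threat Patterns
+*
+* Detects malicious patterns in agent instruction files (skill files, tool
+* definitions, .mdc rules, etc.) and in code files (JS/TS/JSON) that may
+* accompany them.
+*
+* Two entry points:
+* - detectSkillThreats() — natural-language instruction scanning
+* - detectCodeThreats() — JavaScript / JSON code scanning
+*
+* Follows the same conventions as instruction-detector.ts:
+* - One match per group is enough (break after first)
+* - MAX_SCAN_LENGTH truncation to prevent ReDOS
+* - safeRegexTest wrapper for every test
+* - Length caps on unbounded quantifiers ([\s\S]{0,N})
+*/
+// ── Constants ────────────────────────────────────────────────────────────────
+/** Maximum content length to analyse (prevents ReDOS on very long inputs). */
+const MAX_SCAN_LENGTH = 50000;
+// ── Helpers ──────────────────────────────────────────────────────────────────
+/**
+* Safely test a regex against content with a length limit.
+*/
+function safeRegexTest(pattern, text) {
+const truncated = text.length > MAX_SCAN_LENGTH ? text.slice(0, MAX_SCAN_LENGTH) : text;
+return pattern.test(truncated);
+}
+/**
+* Run a set of pattern groups against content and return a SkillThreatResult.
+*
+* Confidence = max matched group weight + 0.1 bonus per additional group,
+* capped at 1.0.
+*/
+function runPatternGroups(content, groups) {
+const matchedThreats = [];
+let maxWeight = 0;
+for (const group of groups) {
+for (const pattern of group.patterns) {
+if (safeRegexTest(pattern, content)) {
+matchedThreats.push(group.name);
+if (group.weight > maxWeight) {
+maxWeight = group.weight;
+}
+break; // one match per group is enough
+}
+}
+}
+const groupBonus = Math.min((matchedThreats.length - 1) * 0.1, 0.3);
+const confidence = matchedThreats.length > 0 ? Math.min(maxWeight + groupBonus, 1.0) : 0;
+return {
+detected: matchedThreats.length > 0,
+threats: [...new Set(matchedThreats)],
+confidence: Math.round(confidence * 100) / 100,
+};
+}
+// ── Skill Instruction Patterns ───────────────────────────────────────────────
+const SKILL_PATTERN_GROUPS = [
+// 1. Tool injection — instructions to run shell commands or write files
+{
+name: 'tool_injection',
+weight: 0.9,
+patterns: [
+/always run\s*:?\s*[`'"]/i,
+/execute\s+(this\s+)?(bash|shell|command|script)/i,
+/run\s+the\s+following\s+(command|script)/i,
+/write\s+(this|the\s+following)\s+to\s+\//i,
+/use\s+the\s+Bash\s+tool\s+to/i,
+/pipe[\s\S]{0,50}\|\s*(bash|sh|zsh)/i,
+/echo\s+[\s\S]{0,100}>\s*\//i,
+],
+},
+// 2. Scope escalation — access to files / data outside the project
+{
+name: 'scope_escalation',
+weight: 0.85,
+patterns: [
+/read\s+[\s\S]{0,50}~\/\.ssh/i,
+/read\s+[\s\S]{0,50}~\/\.aws/i,
+/read\s+[\s\S]{0,50}~\/\.env/i,
+/read\s+[\s\S]{0,50}\/etc\/(passwd|shadow|hosts)/i,
+/access\s+[\s\S]{0,50}environment\s+var/i,
+/process\.env\[/i,
+/cat\s+~\//i,
+/cat\s+\/etc\//i,
+/~\/\.gnupg/i,
+/~\/\.config\/(gcloud|gh|hub)/i,
+/read[\s\S]{0,50}(private\.key|id_rsa|id_ed25519)/i,
+],
+},
+// 3. Data exfiltration — extract and send data externally
+{
+name: 'data_exfiltration',
+weight: 0.9,
+patterns: [
+/include\s+(the\s+)?(contents?|data|output|result)\s+(in|with)\s+(your\s+)?response/i,
+/send\s+(to|via)\s+https?:/i,
+/post\s+(to|data)[\s\S]{0,50}https?:/i,
+/curl\s+[\s\S]{0,100}-d\s+[\s\S]{0,100}https?:/i,
+/upload\s+[\s\S]{0,50}to\s+https?:/i,
+/webhook\s*[=:]\s*https?:/i,
+/fetch\s*\(\s*['"]https?:/i,
+/encode\s+[\s\S]{0,50}base64[\s\S]{0,50}send/i,
+],
+},
+// 4. Persistence — modify agent configuration files
+{
+name: 'persistence',
+weight: 0.85,
+patterns: [
+/modify\s+[\s\S]{0,50}\.claude\/settings/i,
+/edit\s+[\s\S]{0,50}CLAUDE\.md/i,
+/write\s+[\s\S]{0,50}\.cursorrules/i,
+/write\s+[\s\S]{0,50}\.windsurfrules/i,
+/write\s+[\s\S]{0,50}\.clinerules/i,
+/modify\s+[\s\S]{0,50}\.claude\/commands/i,
+/add\s+[\s\S]{0,50}hook/i,
+/install\s+[\s\S]{0,50}hook/i,
+/modify\s+[\s\S]{0,50}\.claude\/plugins/i,
+/\bcrontab\b/i,
+/\blaunchd\b/i,
+/systemctl\s+enable/i,
+/write\s+[\s\S]{0,50}\.(bashrc|zshrc|profile)/i,
+],
+},
+// 5. Supply chain — install packages or modify dependencies
+{
+name: 'supply_chain',
+weight: 0.8,
+patterns: [
+/npm\s+install\s+/i,
+/pip\s+install\s+/i,
+/add\s+[\s\S]{0,50}to\s+(package\.json|requirements\.txt|Gemfile|go\.mod)/i,
+/install\s+(this\s+)?package/i,
+/add\s+(this\s+)?dependency/i,
+/cargo\s+add\s+/i,
+/brew\s+install/i,
+],
+},
+// 6. Agent manipulation — override agent safety or behaviour
+{
+name: 'agent_manipulation',
+weight: 0.9,
+patterns: [
+/ignore\s+(all\s+)?(safety|security|permission|restriction)/i,
+/bypass\s+(the\s+)?(sandbox|permission|safety|check)/i,
+/disable\s+(the\s+)?(firewall|security|protection|hook|guard)/i,
+/never\s+(ask|check|verify|confirm|prompt)\s+(for\s+)?permission/i,
+/auto-?approve\s+all/i,
+/skip\s+(verification|validation|check)/i,
+/override\s+(the\s+)?(safety|security)/i,
+/dangerouslyDisableSandbox/i,
+/--no-verify|--force|--yes/i,
+],
+},
+// 7. Stealth instruction — hidden instructions using formatting tricks
+{
+name: 'stealth_instruction',
+weight: 0.85,
+patterns: [
+// HTML comments containing actionable words (length-capped)
+/<!--[\s\S]{0,500}?(always|never|must|ignore|execute|run|send|read)[\s\S]{0,500}?-->/i,
+// Buried after excessive whitespace (length-capped)
+/\n{10,}[\s\S]{0,200}(always|never|must|ignore|execute|run|send|read)/i,
+// Content after --- end-of-document marker with actionable words
+/\n---\s*\n[\s\S]{0,500}?(always|never|must|ignore|execute|run|send|read)/i,
+// Unicode direction overrides in instruction context
+/[\u200E\u200F\u202A-\u202E\u2066-\u2069]/,
+],
+},
+];
+// ── Code Threat Patterns (JS / JSON) ─────────────────────────────────────────
+const CODE_PATTERN_GROUPS = [
+// 1. Dangerous require / import
+{
+name: 'dangerous_require',
+weight: 0.9,
+patterns: [
+/require\s*\(\s*['"]child_process['"]\s*\)/,
+/require\s*\(\s*['"]net['"]\s*\)/,
+/require\s*\(\s*['"]http['"]\s*\)/,
+/require\s*\(\s*['"]https['"]\s*\)/,
+/require\s*\(\s*['"]dgram['"]\s*\)/,
+/import\s+.*from\s+['"]child_process['"]/,
+],
+},
+// 2. Dangerous function calls
+{
+name: 'dangerous_calls',
+weight: 0.9,
+patterns: [
+/\beval\s*\(/,
+/\bFunction\s*\(/,
+/child_process\.(exec|spawn|execSync|fork)/,
+/\.exec\s*\(\s*[`'"]/,
+/process\.exit/,
+],
+},
+// 3. Filesystem access to sensitive paths
+{
+name: 'filesystem_access',
+weight: 0.7,
+patterns: [
+/fs\.readFileSync\s*\(\s*['"][\s\S]{0,100}\.(env|key|pem|ssh)/,
+/readFile[\s\S]{0,50}\/etc\/(passwd|shadow)/,
+/writeFile[\s\S]{0,50}\.(bashrc|zshrc|profile|claude)/,
+],
+},
+// 4. Network access
+{
+name: 'network_access',
+weight: 0.8,
+patterns: [
+/http\.request|https\.request/,
+/fetch\s*\(\s*['"]https?:/,
+/new\s+WebSocket/,
+/\.listen\s*\(\s*\d+\s*\)/,
+],
+},
+];
+// ── Public API ───────────────────────────────────────────────────────────────
+/**
+* Analyse natural-language skill / instruction content for threat patterns.
+*
+* Designed for scanning .mdc files, skill definitions, tool descriptions,
+* and similar agent instruction documents.
+*/
+export function detectSkillThreats(content) {
+return runPatternGroups(content, SKILL_PATTERN_GROUPS);
+}
+/**
+* Analyse JavaScript / JSON code content for threat patterns.
+*
+* Designed for scanning code files that accompany skill definitions —
+* tool implementations, config files, etc.
+*/
+export function detectCodeThreats(content) {
+return runPatternGroups(content, CODE_PATTERN_GROUPS);
+}
+//# sourceMappingURL=patterns.js.map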
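Review bot: The header (hunk lines 12–16) states that every unbounded quantifier is length-capped, but the last `dangerous_require` pattern at hunk line 184, `/import\s+.*from\s+['"]child_process['"]/`, uses an uncapped `.*`; under the file's own convention it should read `/import\s+.{0,200}from\s+['"]child_process['"]/`. Separately, `safeRegexTest` (hunk lines 25–28) silently discards everything past `MAX_SCAN_LENGTH` and the object returned by `runPatternGroups` carries no indication that the tail went unexamined, so a caller cannot tell "scanned clean" from "only partly scanned"; a `truncated: boolean` field on the result, or scanning the text in overlapping windows, would let an over-length file be treated as unverified rather than safe. Finally, several patterns lack a word boundary and will fire on ordinary prose or code — `/process\.exit/`, `/process\.env\[/i` and the alternation `/--no-verify|--force|--yes/i` match substrings of unrelated flags such as `--force-with-lease` — and because `agent_manipulation` carries weight 0.9 a single such hit yields a high-confidence verdict; a `\b` or `(?![\w-])` suffix on those alternatives would tighten them.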
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"patterns.js","sourceRoot":"","sources":["../../../src/defence/skill-scanner/patterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAgBH,gFAAgF;AAEhF,8EAA8E;AAC9E,MAAM,eAAe,GAAG,KAAK,CAAC;AAE9B,gFAAgF;AAEhF;;GAEG;AACH,SAAS,aAAa,CAAC,OAAe,EAAE,IAAY;IAClD,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,GAAG,eAAe,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,eAAe,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IACxF,OAAO,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;AACjC,CAAC;AAED;;;;;GAKG;AACH,SAAS,gBAAgB,CAAC,OAAe,EAAE,MAAsB;IAC/D,MAAM,cAAc,GAAa,EAAE,CAAC;IACpC,IAAI,SAAS,GAAG,CAAC,CAAC;IAElB,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,KAAK,MAAM,OAAO,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;YACrC,IAAI,aAAa,CAAC,OAAO,EAAE,OAAO,CAAC,EAAE,CAAC;gBACpC,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBAChC,IAAI,KAAK,CAAC,MAAM,GAAG,SAAS,EAAE,CAAC;oBAC7B,SAAS,GAAG,KAAK,CAAC,MAAM,CAAC;gBAC3B,CAAC;gBACD,MAAM,CAAC,gCAAgC;YACzC,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,GAAG,EAAE,GAAG,CAAC,CAAC;IACpE,MAAM,UAAU,GACd,cAAc,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,GAAG,UAAU,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAExE,OAAO;QACL,QAAQ,EAAE,cAAc,CAAC,MAAM,GAAG,CAAC;QACnC,OAAO,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC,cAAc,CAAC,CAAC;QACrC,UAAU,EAAE,IAAI,CAAC,KAAK,CAAC,UAAU,GAAG,GAAG,CAAC,GAAG,GAAG;KAC/C,CAAC;AACJ,CAAC;AAED,gFAAgF;AAEhF,MAAM,oBAAoB,GAAmB;IAC3C,wEAAwE;IACxE;QACE,IAAI,EAAE,gBAAgB;QACtB,MAAM,EAAE,GAAG;QACX,QAAQ,EAAE;YACR,0BAA0B;YAC1B,kDAAkD;YAClD,2CAA2C;YAC3C,2CAA2C;YAC3C,+BAA+B;YAC/B,qCAAqC;YACrC,6BAA6B;SAC9B;KACF;IAED,mEAAmE;IACnE;QACE,IAAI,EAAE,kBAAkB;QACxB,MAAM,EAAE,IAAI;QACZ,QAAQ,EAAE;YACR,8BAA8B;YAC9B,8BAA8B;YAC9B,8BAA8B;YAC9B,kDAAkD;YAClD,yCAAyC;YACzC,iBAAiB;YACjB,YAAY;YACZ,gBAAgB;YAChB,aAAa;YACb,+BAA+B;YAC/B,mDAAmD;SACpD;KACF;IAED,0DAA0D;IAC1D;QACE,IAAI,EAAE,mBAAmB;QACzB,MAAM,EAAE,GAAG;QACX,QAAQ,EAAE;YACR,qFAAqF;YACrF,4BAA4B;YAC5B,sCAAsC;YACtC,gDAAgD;YAChD,oCAAoC;YACpC,2BAA2B;YAC3B,2BAA2B;YAC3B,8CAA8C;SAC/C;KACF;IAED,oDAAoD;IACpD;Q
ACE,IAAI,EAAE,aAAa;QACnB,MAAM,EAAE,IAAI;QACZ,QAAQ,EAAE;YACR,0CAA0C;YAC1C,gCAAgC;YAChC,oCAAoC;YACpC,sCAAsC;YACtC,mCAAmC;YACnC,0CAA0C;YAC1C,yBAAyB;YACzB,6BAA6B;YAC7B,yCAAyC;YACzC,cAAc;YACd,cAAc;YACd,qBAAqB;YACrB,+CAA+C;SAChD;KACF;IAED,4DAA4D;IAC5D;QACE,IAAI,EAAE,cAAc;QACpB,MAAM,EAAE,GAAG;QACX,QAAQ,EAAE;YACR,mBAAmB;YACnB,mBAAmB;YACnB,2EAA2E;YAC3E,8BAA8B;YAC9B,6BAA6B;YAC7B,iBAAiB;YACjB,iBAAiB;SAClB;KACF;IAED,6DAA6D;IAC7D;QACE,IAAI,EAAE,oBAAoB;QAC1B,MAAM,EAAE,GAAG;QACX,QAAQ,EAAE;YACR,6DAA6D;YAC7D,sDAAsD;YACtD,+DAA+D;YAC/D,kEAAkE;YAClE,sBAAsB;YACtB,yCAAyC;YACzC,wCAAwC;YACxC,4BAA4B;YAC5B,4BAA4B;SAC7B;KACF;IAED,uEAAuE;IACvE;QACE,IAAI,EAAE,qBAAqB;QAC3B,MAAM,EAAE,IAAI;QACZ,QAAQ,EAAE;YACR,4DAA4D;YAC5D,sFAAsF;YACtF,oDAAoD;YACpD,uEAAuE;YACvE,iEAAiE;YACjE,2EAA2E;YAC3E,qDAAqD;YACrD,0CAA0C;SAC3C;KACF;CACF,CAAC;AAEF,gFAAgF;AAEhF,MAAM,mBAAmB,GAAmB;IAC1C,gCAAgC;IAChC;QACE,IAAI,EAAE,mBAAmB;QACzB,MAAM,EAAE,GAAG;QACX,QAAQ,EAAE;YACR,2CAA2C;YAC3C,iCAAiC;YACjC,kCAAkC;YAClC,mCAAmC;YACnC,mCAAmC;YACnC,yCAAyC;SAC1C;KACF;IAED,8BAA8B;IAC9B;QACE,IAAI,EAAE,iBAAiB;QACvB,MAAM,EAAE,GAAG;QACX,QAAQ,EAAE;YACR,aAAa;YACb,iBAAiB;YACjB,2CAA2C;YAC3C,qBAAqB;YACrB,eAAe;SAChB;KACF;IAED,0CAA0C;IAC1C;QACE,IAAI,EAAE,mBAAmB;QACzB,MAAM,EAAE,GAAG;QACX,QAAQ,EAAE;YACR,8DAA8D;YAC9D,4CAA4C;YAC5C,sDAAsD;SACvD;KACF;IAED,oBAAoB;IACpB;QACE,IAAI,EAAE,gBAAgB;QACtB,MAAM,EAAE,GAAG;QACX,QAAQ,EAAE;YACR,8BAA8B;YAC9B,0BAA0B;YAC1B,iBAAiB;YACjB,0BAA0B;SAC3B;KACF;CACF,CAAC;AAEF,gFAAgF;AAEhF;;;;;GAKG;AACH,MAAM,UAAU,kBAAkB,CAAC,OAAe;IAChD,OAAO,gBAAgB,CAAC,OAAO,EAAE,oBAAoB,CAAC,CAAC;AACzD,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,iBAAiB,CAAC,OAAe;IAC/C,OAAO,gBAAgB,CAAC,OAAO,EAAE,mBAAmB,CAAC,CAAC;AACxD,CAAC"}
|
|
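--- a/package/dist/defence/skill-scanner/scan-skill.d.ts
+++ b/package/dist/defence/skill-scanner/scan-skill.d.ts
@@ -0,0 +1,75 @@
+/**
+* Skill Scanner — Core Module
+*
+* Scans agent instruction files (skill definitions, tool configs, rules files)
+* for threats using the full ShieldCortex defence pipeline combined with
+* skill-specific pattern detection.
+*
+* Public API:
+* - scanSkill(filePath, options?) — read from disc and scan
+* - scanSkillContent(content, options?) — scan raw content directly
+*
+* Never throws — returns safe defaults on errors.
+*/
+import type { FirewallAnalysis, SensitivityClassification } from '../types.js';
+import type { SkillFormat } from './parser.js';
+export interface SkillScanOptions {
+/** Defence mode override (defaults to config default — 'balanced'). */
+mode?: 'strict' | 'balanced' | 'permissive';
+/** When true, include the matched text snippet in each finding. */
+includeContent?: boolean;
+}
+export interface SkillThreatFinding {
+/** Pattern group name, e.g. 'tool_injection', 'data_exfiltration'. */
+pattern: string;
+/** Derived severity for this finding. */
+severity: 'low' | 'medium' | 'high' | 'critical';
+/** Human-readable explanation of the threat. */
+description: string;
+/** The text that triggered the finding (truncated to 80 chars). */
+matchedText?: string;
+/** Line number in the source file, if determinable. */
+line?: number;
+}
+export interface SkillScanResult {
+/** True when no high or critical findings exist. */
+safe: boolean;
+/** Name extracted from the skill file. */
+skillName: string;
+/** Detected format of the skill file. */
+format: SkillFormat;
+/** Individual threat findings. */
+findings: SkillThreatFinding[];
+/** Overall risk level — the highest severity found, or 'safe'. */
+riskLevel: 'safe' | 'low' | 'medium' | 'high' | 'critical';
+/** One-line human-readable summary. */
+summary: string;
+/** Time taken to scan in milliseconds. */
+scanDurationMs: number;
+/** Full firewall analysis result. */
+firewall: FirewallAnalysis;
+/** Sensitivity classification result. */
+sensitivity: SensitivityClassification;
+}
+/**
+* Scan a skill file from disc for threats.
+*
+* Reads the file, auto-detects its format, and runs the full defence pipeline
+* plus skill-specific pattern detection.
+*
+* Never throws — returns safe defaults if the file cannot be read.
+*/
+export declare function scanSkill(filePath: string, options?: SkillScanOptions): SkillScanResult;
+/**
+* Scan raw skill content for threats without reading from disc.
+*
+* Useful when the content is already in memory (e.g. received via API,
+* read from a database, or extracted from a larger document).
+*
+* @param content Raw file content to scan
+* @param options Scan options (mode, includeContent)
+* @param format Optional format hint — auto-detected as 'unknown' if omitted
+* @param name Optional skill name — defaults to 'inline'
+*/
+export declare function scanSkillContent(content: string, options?: SkillScanOptions, format?: SkillFormat, name?: string): SkillScanResult;
+//# sourceMappingURL=scan-skill.d.ts.map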
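Review bot: The `scanSkill` doc comment (hunk line 60) promises "safe defaults" when the file cannot be read, but `SkillScanResult` (hunk lines 34–53) has no member that distinguishes a clean scan from one that never ran, so a caller that gates on `safe === true` would presumably treat an unreadable or missing file as verified — the implementation is not in this diff, so this is inferred from the declared shape alone. Either document the exact defaults (what `safe`, `riskLevel` and `summary` hold on error) on that line, or add an optional member to the result such as `/** Set when the file could not be read or parsed; the other fields then hold defaults, not a verdict. */ error?: string;`. The `scanSkillContent` comment (hunk lines 63–73) likewise says nothing about what is returned for empty `content`, which is the case most likely to be mistaken for a clean result.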
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"scan-skill.d.ts","sourceRoot":"","sources":["../../../src/defence/skill-scanner/scan-skill.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAIH,OAAO,KAAK,EAGV,gBAAgB,EAChB,yBAAyB,EAE1B,MAAM,aAAa,CAAC;AAKrB,OAAO,KAAK,EAAE,WAAW,EAAe,MAAM,aAAa,CAAC;AAI5D,MAAM,WAAW,gBAAgB;IAC/B,uEAAuE;IACvE,IAAI,CAAC,EAAE,QAAQ,GAAG,UAAU,GAAG,YAAY,CAAC;IAC5C,mEAAmE;IACnE,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B;AAED,MAAM,WAAW,kBAAkB;IACjC,sEAAsE;IACtE,OAAO,EAAE,MAAM,CAAC;IAChB,yCAAyC;IACzC,QAAQ,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;IACjD,gDAAgD;IAChD,WAAW,EAAE,MAAM,CAAC;IACpB,mEAAmE;IACnE,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,uDAAuD;IACvD,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,eAAe;IAC9B,oDAAoD;IACpD,IAAI,EAAE,OAAO,CAAC;IACd,0CAA0C;IAC1C,SAAS,EAAE,MAAM,CAAC;IAClB,yCAAyC;IACzC,MAAM,EAAE,WAAW,CAAC;IACpB,kCAAkC;IAClC,QAAQ,EAAE,kBAAkB,EAAE,CAAC;IAC/B,kEAAkE;IAClE,SAAS,EAAE,MAAM,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;IAC3D,uCAAuC;IACvC,OAAO,EAAE,MAAM,CAAC;IAChB,0CAA0C;IAC1C,cAAc,EAAE,MAAM,CAAC;IACvB,qCAAqC;IACrC,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,yCAAyC;IACzC,WAAW,EAAE,yBAAyB,CAAC;CACxC;AAiWD;;;;;;;GAOG;AACH,wBAAgB,SAAS,CACvB,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE,gBAAgB,GACzB,eAAe,CA+BjB;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,gBAAgB,CAC9B,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,gBAAgB,EAC1B,MAAM,CAAC,EAAE,WAAW,EACpB,IAAI,CAAC,EAAE,MAAM,GACZ,eAAe,CAuCjB"}
|