vibesafu 0.1.2 → 0.1.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +33 -0
- package/dist/index.js +26 -1
- package/package.json +1 -1
package/README.md
CHANGED
@@ -218,6 +218,39 @@ pnpm build
 pnpm verify
 ```
 
+## Security Model
+
+### What VibeSafu Protects Against
+
+VibeSafu provides **pre-execution review** of commands. It analyzes commands before they run and blocks dangerous patterns:
+
+- **Prompt Injection Attacks**: Blocks attempts to manipulate Claude into running malicious code
+- **Supply Chain Attacks**: Forces review of package installations and untrusted scripts
+- **Data Exfiltration**: Blocks commands that try to send sensitive data to external servers
+- **Reverse Shells**: Instant-blocks common reverse shell patterns
+- **Crypto Mining**: Blocks cryptocurrency mining commands
+
+### What VibeSafu Does NOT Protect Against
+
+VibeSafu is a **static pre-execution analyzer**, not a runtime sandbox. It cannot protect against:
+
+| Limitation | Description | Recommendation |
+|------------|-------------|----------------|
+| **TOCTOU Attacks** | File modified between analysis and execution | Use Docker/firejail sandbox |
+| **Environment Manipulation** | PATH, LD_PRELOAD, alias poisoning | Use isolated environments |
+| **Multi-stage Chains** | Only 1st level of downloads analyzed | Review scripts manually |
+| **Conditional Malware** | Code behaving differently based on environment | Use runtime monitoring |
+| **Runtime Exploits** | Vulnerabilities in executed code | Use security scanning tools |
+
+### Defense in Depth
+
+For maximum security, combine VibeSafu with:
+
+1. **Sandbox** (Docker, firejail) - Isolates execution environment
+2. **Network Monitoring** - Detects suspicious outbound connections
+3. **File Integrity** - Monitors file changes
+4. **Code Review** - Manual review of downloaded scripts
+
 ## FAQ
 
 ### Do I need an Anthropic API key?
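Review bot: the "Protects Against" bullets overstate what a pre-execution classifier can guarantee. "Blocks attempts to manipulate Claude into running malicious code" and "Blocks commands that try to send sensitive data to external servers" read as absolute, while the "Does NOT Protect Against" table and the triage code in dist/index.js (which hands the command text to a model and acts on its ALLOW/ASK_USER/BLOCK verdict) describe best-effort pattern review. A model that reads attacker-controlled command text is itself a prompt-injection target, so reword these to "flags" or "escalates for review", add a line saying the verdict can be wrong and the user remains the final reviewer, and mention under "Supply Chain Attacks" that package installs are now always escalated to the Sonnet review instead of being left to the Haiku triage, since that is the behaviour change shipped in this version.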
package/dist/index.js
CHANGED
@@ -1128,7 +1128,18 @@ BLOCK - Obviously dangerous:
 Respond with ONLY this JSON structure:
 {"classification": "SELF_HANDLE" | "ESCALATE" | "BLOCK", "reason": "brief explanation", "risk_indicators": ["list", "of", "concerns"]}
 </response_format>`;
+var FORCE_ESCALATE_TYPES = [
+  "package_install"
+  // Supply chain attacks via postinstall scripts
+];
 async function triageWithHaiku(client, checkpoint) {
+  if (FORCE_ESCALATE_TYPES.includes(checkpoint.type)) {
+    return {
+      classification: "ESCALATE",
+      reason: `Package installation requires Sonnet review (supply chain risk)`,
+      riskIndicators: ["force_escalate_type", checkpoint.type]
+    };
+  }
   const sanitizedCommand = sanitizeForPrompt(checkpoint.command);
   const userPrompt = TRIAGE_USER_PROMPT.replace("{command}", escapeXml(sanitizedCommand)).replace("{checkpoint_type}", escapeXml(checkpoint.type)).replace("{context}", escapeXml(checkpoint.description));
   try {
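Review bot: the early return hard-codes "Package installation requires Sonnet review" even though FORCE_ESCALATE_TYPES is a list; the moment a second type is appended, the reason text will be wrong for it. Build the reason from checkpoint.type (e.g. `Checkpoint type ${checkpoint.type} always requires Sonnet review`) or keep a type-to-reason map next to the array. Two further points: the check is only as strong as whatever upstream assigns checkpoint.type, so a `pip install`, `npx`, or `curl ... | sh` that is not tagged package_install still goes through the normal Haiku path, which deserves a test and a comment on the array; and the returned object uses riskIndicators while the JSON format Haiku is told to emit uses risk_indicators, so confirm the parsed model response is normalised to the same camelCase shape, otherwise callers see two different field names depending on which branch produced the result.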
@@ -1224,6 +1235,15 @@ var REVIEW_USER_PROMPT = `<task>Perform security review of this operation</task>
 1. Intent Analysis: What is this command trying to accomplish?
 2. Risk Assessment: What could go wrong?
 3. Mitigation: Are there safer alternatives?
+4. Secondary Downloads: Does this script/command download and execute additional code?
+   - Look for: curl|wget inside scripts, eval(), bash -c "$(curl ...)", exec()
+   - Check for embedded download URLs that will fetch more code
+5. Privilege Escalation Flow: Is this part of a dangerous pattern?
+   - download \u2192 chmod +x \u2192 execute \u2192 sudo sequence
+   - Commands requesting elevated permissions after downloading
+6. Dynamic Execution: Does this use dangerous dynamic execution?
+   - eval, exec, or command substitution with external input
+   - Code that builds and executes strings dynamically
 </analysis_required>
 
 <verdict_rules>
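Review bot: items 4 and 6 overlap: `eval()` and `exec()` appear in item 4's "Look for" list and again as "eval, exec, or command substitution" in item 6, so the model will report the same pattern twice. Keep item 4 to fetching (curl, wget, embedded URLs, `bash -c "$(curl ...)"`) and item 6 to executing dynamically built strings. Also add a sentence telling the model that it only sees the command text, not the bodies of scripts that command would fetch, so "secondary downloads" can only be inferred from what is visible; the README's own limitations table says only the first level of downloads is analysed, and the prompt should not imply deeper inspection.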
@@ -1231,11 +1251,16 @@ ALLOW - Safe to proceed autonomously:
 - Legitimate development operation
 - No significant risk to system or data
 - Source is verifiable and trusted
+- No secondary downloads or dynamic execution patterns
 
-ASK_USER - Need human approval:
+ASK_USER - Need human approval (choose this if ANY risky pattern detected):
 - Operation has potential risks but may be legitimate
 - User should understand what will happen
 - Provide clear explanation of risks
+- Contains secondary downloads (curl|wget inside script content)
+- Part of privilege escalation flow (download + execute + sudo)
+- Uses dynamic execution (eval, exec with external input)
+- Downloads content that will be executed later
 
 BLOCK - Do not allow:
 - Clear security risk
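Review bot: the parenthetical "choose this if ANY risky pattern detected" on ASK_USER is ambiguous against the BLOCK rules that follow it; read literally, a command that is both a reverse shell and a download-and-execute chain matches "ANY risky pattern" and could land in ASK_USER instead of BLOCK. State the precedence explicitly (evaluate the BLOCK criteria first, then ASK_USER, and ALLOW only when no bullet in either list matches). Note also that the new ALLOW bullet "No secondary downloads or dynamic execution patterns" together with the ASK_USER bullet "Downloads content that will be executed later" means a package install with lifecycle scripts should never be ALLOWed, which is consistent with the forced escalation added to triageWithHaiku in this same diff; say so in the prompt so the two rules are not read as independent.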