cisco-ai-skill-scanner 1.0.0__py3-none-any.whl → 1.0.2__py3-none-any.whl
- {cisco_ai_skill_scanner-1.0.0.dist-info → cisco_ai_skill_scanner-1.0.2.dist-info}/METADATA +28 -13
- cisco_ai_skill_scanner-1.0.2.dist-info/RECORD +102 -0
- cisco_ai_skill_scanner-1.0.2.dist-info/entry_points.txt +4 -0
- {skillanalyzer → skill_scanner}/__init__.py +8 -4
- {skillanalyzer → skill_scanner}/_version.py +2 -2
- {skillanalyzer → skill_scanner}/api/__init__.py +1 -1
- {skillanalyzer → skill_scanner}/api/api.py +4 -4
- {skillanalyzer → skill_scanner}/api/api_cli.py +8 -8
- {skillanalyzer → skill_scanner}/api/api_server.py +7 -7
- {skillanalyzer → skill_scanner}/api/router.py +3 -3
- {skillanalyzer → skill_scanner}/cli/__init__.py +1 -1
- {skillanalyzer → skill_scanner}/cli/cli.py +71 -13
- {skillanalyzer → skill_scanner}/config/__init__.py +3 -3
- {skillanalyzer → skill_scanner}/config/config.py +2 -2
- {skillanalyzer → skill_scanner}/config/config_parser.py +9 -9
- {skillanalyzer → skill_scanner}/config/constants.py +2 -2
- skill_scanner/config/yara_modes.py +314 -0
- {skillanalyzer → skill_scanner}/core/__init__.py +1 -1
- {skillanalyzer → skill_scanner}/core/analyzers/__init__.py +3 -3
- {skillanalyzer → skill_scanner}/core/analyzers/aidefense_analyzer.py +3 -3
- {skillanalyzer → skill_scanner}/core/analyzers/behavioral/__init__.py +1 -1
- {skillanalyzer → skill_scanner}/core/analyzers/behavioral/alignment/alignment_llm_client.py +1 -1
- {skillanalyzer → skill_scanner}/core/analyzers/behavioral/alignment/alignment_prompt_builder.py +2 -2
- {skillanalyzer → skill_scanner}/core/analyzers/behavioral_analyzer.py +1 -1
- skillanalyzer/core/analyzers/cross_skill_analyzer.py → skill_scanner/core/analyzers/cross_skill_scanner.py +5 -5
- {skillanalyzer → skill_scanner}/core/analyzers/llm_analyzer.py +4 -4
- {skillanalyzer → skill_scanner}/core/analyzers/llm_prompt_builder.py +2 -2
- {skillanalyzer → skill_scanner}/core/analyzers/meta_analyzer.py +52 -20
- {skillanalyzer → skill_scanner}/core/analyzers/static.py +185 -35
- {skillanalyzer → skill_scanner}/core/analyzers/trigger_analyzer.py +2 -2
- {skillanalyzer → skill_scanner}/core/exceptions.py +10 -10
- {skillanalyzer → skill_scanner}/core/loader.py +4 -4
- {skillanalyzer → skill_scanner}/core/models.py +7 -6
- {skillanalyzer → skill_scanner}/core/reporters/markdown_reporter.py +11 -5
- {skillanalyzer → skill_scanner}/core/reporters/sarif_reporter.py +2 -2
- {skillanalyzer → skill_scanner}/core/reporters/table_reporter.py +2 -2
- {skillanalyzer → skill_scanner}/core/rules/yara_scanner.py +1 -1
- {skillanalyzer → skill_scanner}/core/scanner.py +2 -2
- {skillanalyzer → skill_scanner}/core/static_analysis/context_extractor.py +88 -14
- {skillanalyzer → skill_scanner}/core/static_analysis/dataflow/__init__.py +1 -1
- {skillanalyzer → skill_scanner}/core/static_analysis/interprocedural/call_graph_analyzer.py +2 -2
- {skillanalyzer → skill_scanner}/core/static_analysis/parser/python_parser.py +5 -5
- {skillanalyzer → skill_scanner}/data/__init__.py +1 -1
- {skillanalyzer → skill_scanner}/data/prompts/boilerplate_protection_rule_prompt.md +5 -5
- {skillanalyzer → skill_scanner}/data/prompts/code_alignment_threat_analysis_prompt.md +128 -53
- {skillanalyzer → skill_scanner}/data/prompts/llm_response_schema.json +3 -3
- {skillanalyzer → skill_scanner}/data/prompts/skill_meta_analysis_prompt.md +16 -15
- {skillanalyzer → skill_scanner}/data/prompts/skill_threat_analysis_prompt.md +53 -17
- {skillanalyzer → skill_scanner}/data/prompts/unified_response_schema.md +1 -1
- {skillanalyzer → skill_scanner}/data/rules/signatures.yaml +143 -37
- skill_scanner/data/yara_rules/autonomy_abuse_generic.yara +66 -0
- skillanalyzer/data/yara_rules/skill_discovery_abuse.yara → skill_scanner/data/yara_rules/capability_inflation_generic.yara +7 -4
- skill_scanner/data/yara_rules/code_execution_generic.yara +76 -0
- skillanalyzer/data/yara_rules/coercive_injection.yara → skill_scanner/data/yara_rules/coercive_injection_generic.yara +2 -2
- skill_scanner/data/yara_rules/command_injection_generic.yara +77 -0
- skillanalyzer/data/yara_rules/credential_harvesting.yara → skill_scanner/data/yara_rules/credential_harvesting_generic.yara +25 -4
- skillanalyzer/data/yara_rules/transitive_trust_abuse.yara → skill_scanner/data/yara_rules/indirect_prompt_injection_generic.yara +8 -5
- skillanalyzer/data/yara_rules/prompt_injection.yara → skill_scanner/data/yara_rules/prompt_injection_generic.yara +2 -2
- skillanalyzer/data/yara_rules/unicode_steganography.yara → skill_scanner/data/yara_rules/prompt_injection_unicode_steganography.yara +23 -17
- skill_scanner/data/yara_rules/script_injection_generic.yara +82 -0
- skillanalyzer/data/yara_rules/sql_injection.yara → skill_scanner/data/yara_rules/sql_injection_generic.yara +22 -8
- skill_scanner/data/yara_rules/system_manipulation_generic.yara +79 -0
- skill_scanner/data/yara_rules/tool_chaining_abuse_generic.yara +72 -0
- {skillanalyzer → skill_scanner}/hooks/__init__.py +1 -1
- {skillanalyzer → skill_scanner}/hooks/pre_commit.py +16 -16
- {skillanalyzer → skill_scanner}/threats/__init__.py +25 -3
- skill_scanner/threats/cisco_ai_taxonomy.py +274 -0
- {skillanalyzer → skill_scanner}/threats/threats.py +28 -99
- {skillanalyzer → skill_scanner}/utils/__init__.py +1 -1
- {skillanalyzer → skill_scanner}/utils/command_utils.py +1 -1
- {skillanalyzer → skill_scanner}/utils/di_container.py +1 -1
- {skillanalyzer → skill_scanner}/utils/logging_config.py +7 -7
- cisco_ai_skill_scanner-1.0.0.dist-info/RECORD +0 -100
- cisco_ai_skill_scanner-1.0.0.dist-info/entry_points.txt +0 -4
- skillanalyzer/data/yara_rules/autonomy_abuse.yara +0 -66
- skillanalyzer/data/yara_rules/code_execution.yara +0 -61
- skillanalyzer/data/yara_rules/command_injection.yara +0 -54
- skillanalyzer/data/yara_rules/script_injection.yara +0 -83
- skillanalyzer/data/yara_rules/system_manipulation.yara +0 -65
- skillanalyzer/data/yara_rules/tool_chaining_abuse.yara +0 -60
- {cisco_ai_skill_scanner-1.0.0.dist-info → cisco_ai_skill_scanner-1.0.2.dist-info}/WHEEL +0 -0
- {cisco_ai_skill_scanner-1.0.0.dist-info → cisco_ai_skill_scanner-1.0.2.dist-info}/licenses/LICENSE +0 -0
- {skillanalyzer → skill_scanner}/core/analyzers/base.py +0 -0
- {skillanalyzer → skill_scanner}/core/analyzers/behavioral/alignment/__init__.py +0 -0
- {skillanalyzer → skill_scanner}/core/analyzers/behavioral/alignment/alignment_orchestrator.py +0 -0
- {skillanalyzer → skill_scanner}/core/analyzers/behavioral/alignment/alignment_response_validator.py +0 -0
- {skillanalyzer → skill_scanner}/core/analyzers/behavioral/alignment/threat_vulnerability_classifier.py +0 -0
- {skillanalyzer → skill_scanner}/core/analyzers/llm_provider_config.py +0 -0
- {skillanalyzer → skill_scanner}/core/analyzers/llm_request_handler.py +0 -0
- {skillanalyzer → skill_scanner}/core/analyzers/llm_response_parser.py +0 -0
- {skillanalyzer → skill_scanner}/core/analyzers/virustotal_analyzer.py +0 -0
- {skillanalyzer → skill_scanner}/core/reporters/__init__.py +0 -0
- {skillanalyzer → skill_scanner}/core/reporters/json_reporter.py +0 -0
- {skillanalyzer → skill_scanner}/core/rules/__init__.py +0 -0
- {skillanalyzer → skill_scanner}/core/rules/patterns.py +0 -0
- {skillanalyzer → skill_scanner}/core/static_analysis/__init__.py +0 -0
- {skillanalyzer → skill_scanner}/core/static_analysis/cfg/__init__.py +0 -0
- {skillanalyzer → skill_scanner}/core/static_analysis/cfg/builder.py +0 -0
- {skillanalyzer → skill_scanner}/core/static_analysis/dataflow/forward_analysis.py +0 -0
- {skillanalyzer → skill_scanner}/core/static_analysis/interprocedural/__init__.py +0 -0
- {skillanalyzer → skill_scanner}/core/static_analysis/interprocedural/cross_file_analyzer.py +0 -0
- {skillanalyzer → skill_scanner}/core/static_analysis/parser/__init__.py +0 -0
- {skillanalyzer → skill_scanner}/core/static_analysis/semantic/__init__.py +0 -0
- {skillanalyzer → skill_scanner}/core/static_analysis/semantic/name_resolver.py +0 -0
- {skillanalyzer → skill_scanner}/core/static_analysis/semantic/type_analyzer.py +0 -0
- {skillanalyzer → skill_scanner}/core/static_analysis/taint/__init__.py +0 -0
- {skillanalyzer → skill_scanner}/core/static_analysis/taint/tracker.py +0 -0
- {skillanalyzer → skill_scanner}/core/static_analysis/types/__init__.py +0 -0
- {skillanalyzer → skill_scanner}/utils/file_utils.py +0 -0
- {skillanalyzer → skill_scanner}/utils/logging_utils.py +0 -0
|
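--- a/skillanalyzer/data/yara_rules/script_injection.yara
+++ /dev/null
@@ -1,83 +0,0 @@
-//////////////////////////////////////////
-// Detects common scripting payloads (JS, VBScript, etc.) embeddings.
-// Target: JavaScript, VBScript, or ActiveX payloads.
-// (Event handlers or inline scripts)
-//////////////////////////////////////////
-
-rule script_injection{
-
-meta:
-author = "Cisco"
-description = "Detects embedded scripting payloads (JS, VBScript, etc.) in MCP tool descriptions"
-classification = "harmful"
-threat_type = "INJECTION ATTACK"
-
-strings:
-
-// Script tags and protocol handlers (exclude XML namespaces)
-$tags = /(<\/?script[^>]*>|javascript:)/i
-
-// ALWAYS exclude (safe in all file types)
-$xml_namespace = /(xmlns:script=|<script:module|<script:)/
-$openoffice_xml = /openoffice\.org\/2000\/script/
-$legitimate_cdn = /(cdnjs\.cloudflare\.com|cdn\.jsdelivr\.net|unpkg\.com)/i
-
-// Only exclude in MARKDOWN files (risky in .py files!)
-// Check for markdown-specific syntax
-$markdown_heading = /^#\s+/
-$markdown_list = /^\*\s+/
-$markdown_code_block = /(```html|```javascript|```js)/i
-$documentation_context = /(example.*html|artifact.*structure|template|single.*file)/i
-
-// Execution functions
-$execution_functions = /\b(setTimeout|Function|setInterval)\s*\(/i
-
-// VBScript execution and Windows Script Host objects
-$vbs_execution = /\b(vbscript|CreateObject|WScript\.Shell|Shell\.Application)\b/i
-
-// VBScript dangerous functions (more specific to avoid false positives in docs)
-$vbs_dangerous_functions = /\b(WScript\.Shell\.Exec|Shell\.Application\.ShellExecute|CreateObject.*Exec)\s*\(/i
-
-// Base64 encoded script data URIs
-$encoded_script_uris = /\bdata:(text\/html|application\/javascript);base64\b/i
-
-// ANSI terminal deception patterns
-$ansi_deception = /(\\x1[Bb]\[38;5;\d+|\\x1[Bb]\[2F\\x1[Bb]\[1G|\\x1[Bb]\[1;1H\\x1[Bb]\[0J|\\x1[Bb]\]8;;.*\\x1[Bb]\\|\\033\[[0-9;]*m|\\e\[[0-9;]*[mGKHF])/i
-
-// Hidden instruction obfuscation
-$hidden_obfuscation = /\b(padding.*push.*off.*screen|hidden.*scrollbar|overflow.*hidden.*instruction|invisible.*text.*color)\b/i
-
-condition:
-
-// ALWAYS exclude (safe everywhere)
-not $xml_namespace and
-not $openoffice_xml and
-not $legitimate_cdn and
-
-// Only exclude markdown patterns if file has markdown indicators
-not (($markdown_heading or $markdown_list) and ($markdown_code_block or $documentation_context)) and
-
-(
-// Script tags and protocol handlers
-$tags or
-
-// Execution functions
-$execution_functions or
-
-// VBScript execution
-$vbs_execution or
-
-// VBScript dangerous functions
-$vbs_dangerous_functions or
-
-// Base64 encoded script URIs
-$encoded_script_uris or
-
-// ANSI terminal deception
-$ansi_deception or
-
-// Hidden instruction obfuscation
-$hidden_obfuscation
-)
-
-}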
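--- a/skillanalyzer/data/yara_rules/system_manipulation.yara
+++ /dev/null
@@ -1,65 +0,0 @@
-//////////////////////////////////////////
-// System Manipulation and Privilege Escalation Detection
-// Target: File destruction and manipulation operations
-// (Process control and termination)
-//////////////////////////////////////////
-
-rule system_manipulation{
-
-meta:
-author = "Cisco"
-description = "Detects system manipulation, privilege escalation, and destructive file operations"
-classification = "harmful"
-threat_type = "SYSTEM MANIPULATION"
-
-strings:
-// Suspicious environment variable manipulation (not just reading)
-$env_var_manipulation = /\b(os\.environ\s*\[[^\]]*\]\s*=|export\s+PATH=|unset\s+(PATH|HOME|USER))\b/i
-
-// File destruction and manipulation
-$file_destruction = /\b(rm\s+-rf|dd\s+if=\/dev\/zero|wipefs|shred\s+-|find\s+[^\n]+-delete)\b/i
-
-// Dangerous file permission changes
-$permission_manipulation = /\b(chmod\s+(777|4755|6755|[ug]?\+s)|(chown|chgrp)\s+(root|0)|setuid|setgid)\b/i
-
-// Critical system file access
-$critical_system_access = /\b(\/etc\/(passwd|shadow|sudoers)|\/root\/\.ssh|~\/\.aws\/credentials|~\/\.ssh\/id_rsa)\b/i
-
-// Privilege escalation patterns
-$privilege_escalation = /\b(sudo\s+-[si]|su\s+-c?|runuser|doas)\b/i
-
-// Dangerous process operations
-$process_manipulation = /\b(kill\s+-9\s+[0-9]+|killall\s+-9|pkill\s+-9)\b/i
-
-// Dangerous recursive operations with wildcards
-$recursive_operations = /\b(rm\s+-rf\s+[\$\/\*]|find\s+\/\s+-delete)\b/i
-
-// System path manipulation
-$path_manipulation = /\b(PATH=\/tmp|PATH=\.:|export\s+PATH=[\$\{])/i
-
-condition:
-
-// Environment variable manipulation (not just reading)
-$env_var_manipulation or
-
-// File destruction
-$file_destruction or
-
-// Permission manipulation
-$permission_manipulation or
-
-// Critical system access
-$critical_system_access or
-
-// Privilege escalation
-$privilege_escalation or
-
-// Process manipulation
-$process_manipulation or
-
-// Recursive operations
-$recursive_operations or
-
-// PATH manipulation
-$path_manipulation
-}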
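--- a/skillanalyzer/data/yara_rules/tool_chaining_abuse.yara
+++ /dev/null
@@ -1,60 +0,0 @@
-//////////////////////////////////////////
-// Tool Chaining Abuse Detection
-// Target: Suspicious multi-step operations that could exfiltrate data
-// For Claude Skills that chain operations suspiciously
-//////////////////////////////////////////
-
-rule tool_chaining_abuse{
-
-meta:
-author = "Cisco"
-description = "Detects suspicious tool chaining patterns that could lead to data exfiltration"
-classification = "harmful"
-threat_type = "TOOL CHAINING ABUSE"
-
-strings:
-
-// Read → Send pattern
-$read_then_send = /\b(read|fetch|get|retrieve|collect|gather)\b[^\n]{0,100}\b(send|post|upload|transmit|forward|email|slack|webhook)\b/i
-
-// Collect → Exfiltrate pattern
-$collect_exfiltrate = /\b(collect (all |every |entire )?(data|files?|info|credentials?|secrets?|keys?|tokens?))\b[^\n]{0,150}\b(send|post|upload|transmit|curl|wget|requests\.post)\b/i
-
-// Multi-step with network
-$multistep_network = /\b(first|then|next|after|finally),? (read|collect|gather)\b[^\n]{0,100}\b(then|next|after|finally),? (send|post|upload)\b/i
-
-// Summarize and send externally
-$summarize_send = /\b(summarize|aggregate|compile)\b[^\n]{0,80}\b(send|post|email|slack) (to|via) (external|webhook|url|endpoint|api)\b/i
-
-// Read environment → Network
-$env_to_network = /\b(os\.environ|getenv|process\.env)\b[^\n]{0,150}\b(requests\.|urllib\.|curl|wget|socket\.)\b/i
-
-// File traversal → Collection → Send
-$traverse_collect_send = /\b(walk|rglob|listdir|scandir|find)\b[^\n]{0,100}\b(open|read)\b[^\n]{0,100}\b(send|post|upload)\b/i
-
-// Automated data pipeline
-$auto_pipeline = /\b(automatically (read|collect|gather))\b[^\n]{0,100}\b(and |then )?(send|post|forward|upload)\b/i
-
-condition:
-
-// Read then send
-$read_then_send or
-
-// Collect and exfiltrate
-$collect_exfiltrate or
-
-// Multi-step with network
-$multistep_network or
-
-// Summarize and send
-$summarize_send or
-
-// Environment to network
-$env_to_network or
-
-// Traverse, collect, send
-$traverse_collect_send or
-
-// Automated pipeline
-$auto_pipeline
-}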
{cisco_ai_skill_scanner-1.0.0.dist-info → cisco_ai_skill_scanner-1.0.2.dist-info}/licenses/LICENSE
RENAMED
{skillanalyzer → skill_scanner}/core/analyzers/behavioral/alignment/alignment_orchestrator.py
RENAMED
{skillanalyzer → skill_scanner}/core/analyzers/behavioral/alignment/alignment_response_validator.py
RENAMED