let5see/clawdbot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
31e59cd583b136cd2109b5b223cb7fa5c1fb7b39
clawdbot/extensions/open-prose/skills/prose/examples/38-skill-scan.prose
Peter Steinberger 51a9053387 feat: add OpenProse plugin skills
2026-01-23 00:49:40 +00:00

456 lines
16 KiB
Plaintext
Raw Blame History

# Skill Security Scanner v2
#
# Scans installed AI coding assistant skills/plugins for security vulnerabilities.
# Supports Claude Code, AMP, and other tools that use the SKILL.md format.
#
# KEY IMPROVEMENTS (v2):
# - Progressive disclosure: quick triage before deep scan (saves cost on clean skills)
# - Model tiering: Sonnet for checklist work, Opus for hard analysis
# - Parallel scanners: Independent analyses run concurrently
# - Persistent memory: Track scan history across runs (with sqlite+ backend)
# - Graceful degradation: Individual scanner failures don't break the whole scan
# - Customizable: scan mode, focus areas, specific skills
#
# USAGE:
# prose run 38-skill-scan.prose # Standard scan
# prose run 38-skill-scan.prose mode:"quick" # Fast triage only
# prose run 38-skill-scan.prose mode:"deep" # Full analysis, all skills
# prose run 38-skill-scan.prose focus:"prompt-injection" # Focus on specific category
# prose run 38-skill-scan.prose --backend sqlite+ # Enable persistent history
input mode: "Scan mode: 'quick' (triage only), 'standard' (triage + deep on concerns), 'deep' (full analysis)"
input focus: "Optional: Focus on specific category (malicious, exfiltration, injection, permissions, hooks)"
input skill_filter: "Optional: Specific skill name or path to scan (default: all discovered)"
# =============================================================================
# AGENTS - Model-tiered by task complexity
# =============================================================================
# Discovery & coordination: Sonnet (structured, checklist work)
agent discovery:
model: sonnet
prompt: """
You discover and enumerate AI assistant skills directories.
Check these locations for skills:
- ~/.claude/skills/ (Claude Code personal)
- .claude/skills/ (Claude Code project)
- ~/.claude/plugins/ (Claude Code plugins)
- .agents/skills/ (AMP workspace)
- ~/.config/agents/skills/ (AMP home)
For each location that exists, list all subdirectories containing SKILL.md files.
Return a structured list with: path, name, tool (claude-code/amp/unknown).
"""
# Quick triage: Sonnet (pattern matching, surface-level)
agent triage:
model: sonnet
prompt: """
You perform rapid security triage on AI skills.
Quick scan for obvious red flags:
- Suspicious URLs or IP addresses hardcoded
- Base64 or hex-encoded content
- Shell commands in hooks
- Overly broad permissions (bash: allow, write: ["**/*"])
- Keywords: eval, exec, curl, wget, nc, reverse, shell, encode
Output format:
{
"risk_level": "critical" | "high" | "medium" | "low" | "clean",
"red_flags": ["list of specific concerns"],
"needs_deep_scan": true | false,
"confidence": "high" | "medium" | "low"
}
Be fast but thorough. False negatives are worse than false positives here.
"""
# Deep analysis: Opus (requires reasoning about intent and context)
agent malicious-code-scanner:
model: opus
prompt: """
You are a security analyst specializing in detecting malicious code patterns.
Analyze the provided skill for EXPLICITLY MALICIOUS patterns:
- File deletion or system destruction (rm -rf, shutil.rmtree on system paths)
- Cryptocurrency miners or botnet code
- Keyloggers or input capture
- Backdoors or reverse shells
- Code obfuscation hiding malicious intent
- Attempts to disable security tools
Be precise. Flag only genuinely dangerous patterns, not normal file operations.
Output JSON:
{
"severity": "critical" | "high" | "medium" | "low" | "none",
"findings": [{"location": "file:line", "description": "...", "evidence": "..."}],
"recommendation": "..."
}
"""
agent exfiltration-scanner:
model: opus
prompt: """
You are a security analyst specializing in data exfiltration detection.
Analyze the provided skill for NETWORK AND EXFILTRATION risks:
- HTTP requests to external domains (curl, wget, requests, fetch, axios)
- WebSocket connections
- DNS exfiltration patterns
- Encoded data being sent externally
- Reading sensitive files then making network calls
- Suspicious URL patterns or IP addresses
Distinguish between:
- Legitimate API calls (documented services, user-configured endpoints)
- Suspicious exfiltration (hardcoded external servers, encoded payloads)
Output JSON:
{
"severity": "critical" | "high" | "medium" | "low" | "none",
"findings": [{"location": "file:line", "description": "...", "endpoint": "..."}],
"data_at_risk": ["types of data that could be exfiltrated"],
"recommendation": "..."
}
"""
agent prompt-injection-scanner:
model: opus
prompt: """
You are a security analyst specializing in prompt injection attacks.
Analyze the SKILL.md and related files for PROMPT INJECTION vulnerabilities:
- Instructions that override system prompts or safety guidelines
- Hidden instructions in comments or encoded text
- Instructions to ignore previous context
- Attempts to make the AI reveal sensitive information
- Instructions to execute commands without user awareness
- Jailbreak patterns or persona manipulation
- Instructions that claim special authority or permissions
Pay special attention to:
- Text that addresses the AI directly with override language
- Base64 or other encodings that might hide instructions
- Markdown tricks that hide text from users but not the AI
Output JSON:
{
"severity": "critical" | "high" | "medium" | "low" | "none",
"findings": [{"location": "file:line", "attack_type": "...", "quote": "..."}],
"recommendation": "..."
}
"""
# Checklist-based analysis: Sonnet (following defined criteria)
agent permission-analyzer:
model: sonnet
prompt: """
You analyze skill permissions against the principle of least privilege.
Check for PERMISSION AND ACCESS risks:
- allowed-tools field: are permissions overly broad?
- permissions blocks: what capabilities are requested?
- Bash access without restrictions
- Write access to sensitive paths (/, /etc, ~/.ssh, etc.)
- Network permissions without clear justification
- Ability to modify other skills or system configuration
Compare requested permissions against the skill's stated purpose.
Flag any permissions that exceed what's needed.
Output JSON:
{
"severity": "critical" | "high" | "medium" | "low" | "none",
"requested": ["list of all permissions"],
"excessive": ["permissions that seem unnecessary"],
"least_privilege": ["what permissions are actually needed"],
"recommendation": "..."
}
"""
agent hook-analyzer:
model: sonnet
prompt: """
You analyze event hooks for security risks.
Check for HOOK AND TRIGGER vulnerabilities:
- PreToolUse / PostToolUse hooks that execute shell commands
- Stop hooks that run cleanup scripts
- Hooks that intercept or modify tool inputs/outputs
- Hooks that trigger on sensitive operations (Write, Bash, etc.)
- Command execution in hook handlers
- Hooks that could create persistence mechanisms
Pay attention to:
- What triggers the hook (matcher patterns)
- What the hook executes (command field)
- Whether hooks could chain or escalate
Output JSON:
{
"severity": "critical" | "high" | "medium" | "low" | "none",
"hooks_found": [{"trigger": "...", "action": "...", "risk": "..."}],
"chain_risk": "description of escalation potential",
"recommendation": "..."
}
"""
# Synthesis: Sonnet (coordination and summarization)
agent synthesizer:
model: sonnet
prompt: """
You synthesize security scan results into clear, actionable reports.
Given findings from multiple security scanners, produce a consolidated report:
1. Overall risk rating (Critical / High / Medium / Low / Clean)
2. Executive summary (2-3 sentences)
3. Key findings organized by severity
4. Specific remediation recommendations
5. Whether the skill is safe to use
Be direct and actionable. Don't pad with unnecessary caveats.
Output JSON:
{
"risk_rating": "Critical" | "High" | "Medium" | "Low" | "Clean",
"summary": "...",
"safe_to_use": true | false,
"findings": [{"severity": "...", "category": "...", "description": "..."}],
"remediation": ["prioritized list of actions"]
}
"""
# Persistent memory for scan history (requires sqlite+ backend)
agent historian:
model: sonnet
persist: true
prompt: """
You maintain the security scan history across runs.
Track for each skill:
- Last scan date and results
- Risk level trend (improving, stable, degrading)
- Hash of skill content (to detect changes)
- Previous findings that were remediated
On each scan:
1. Check if skill was scanned before
2. Compare current content hash to previous
3. If unchanged and recently scanned, suggest skipping
4. If changed, note what's different
5. Update history with new results
"""
# =============================================================================
# REUSABLE BLOCKS
# =============================================================================
block read-skill-content(skill_path):
output session "Read and compile all files in skill directory"
prompt: """
Read the skill at {skill_path}:
1. Read SKILL.md (required)
2. Read any .py, .sh, .js, .ts files
3. Read hooks.json, .mcp.json, .lsp.json if present
4. Read any subdirectory files that might contain code
Return complete contents organized by file path.
Include file sizes and line counts.
"""
block triage-skill(skill_content, skill_name):
output session: triage
prompt: "Quick security triage for skill: {skill_name}"
context: skill_content
block deep-scan-skill(skill_content, skill_name, focus_area):
# Run appropriate scanners in parallel (independent analyses)
# Use graceful degradation - one failure doesn't stop others
if **focus_area is specified**:
# Single focused scan
choice **which scanner matches the focus area**:
option "malicious":
output session: malicious-code-scanner
prompt: "Deep scan for malicious code in {skill_name}"
context: skill_content
option "exfiltration":
output session: exfiltration-scanner
prompt: "Deep scan for exfiltration in {skill_name}"
context: skill_content
option "injection":
output session: prompt-injection-scanner
prompt: "Deep scan for prompt injection in {skill_name}"
context: skill_content
option "permissions":
output session: permission-analyzer
prompt: "Deep scan for permission issues in {skill_name}"
context: skill_content
option "hooks":
output session: hook-analyzer
prompt: "Deep scan for hook vulnerabilities in {skill_name}"
context: skill_content
else:
# Full parallel scan with graceful degradation
parallel (on-fail: "continue"):
malicious = session: malicious-code-scanner
prompt: "Analyze {skill_name} for malicious code"
context: skill_content
exfil = session: exfiltration-scanner
prompt: "Analyze {skill_name} for exfiltration risks"
context: skill_content
injection = session: prompt-injection-scanner
prompt: "Analyze {skill_name} for prompt injection"
context: skill_content
permissions = session: permission-analyzer
prompt: "Analyze {skill_name} for permission issues"
context: skill_content
hooks = session: hook-analyzer
prompt: "Analyze {skill_name} for hook vulnerabilities"
context: skill_content
output { malicious, exfil, injection, permissions, hooks }
block synthesize-results(skill_name, triage_result, deep_results):
let report = session: synthesizer
prompt: "Create security report for {skill_name}"
context: { triage_result, deep_results }
# Save individual report
session "Write report to .prose/reports/{skill_name}-security.md"
context: report
output report
block scan-skill(skill_path, skill_name, scan_mode, focus_area):
# Read skill content once, use for all analyses
let content = do read-skill-content(skill_path)
# Always start with quick triage
let triage_result = do triage-skill(content, skill_name)
# Decide whether to deep scan based on mode and triage
if **scan_mode is quick**:
# Quick mode: triage only
output { skill_name, triage: triage_result, deep: null, report: null }
elif **scan_mode is standard AND triage shows clean with high confidence**:
# Standard mode: skip deep scan for obviously clean skills
output { skill_name, triage: triage_result, deep: null, report: "Skipped - triage clean" }
else:
# Deep scan needed (deep mode, or standard with concerns)
let deep_results = do deep-scan-skill(content, skill_name, focus_area)
let report = do synthesize-results(skill_name, triage_result, deep_results)
output { skill_name, triage: triage_result, deep: deep_results, report }
# =============================================================================
# MAIN WORKFLOW
# =============================================================================
# Phase 1: Check scan history (if persistent backend available)
let history_check = session: historian
prompt: """
Check scan history. Report:
- Skills scanned before with dates
- Any skills that changed since last scan
- Recommended skills to re-scan
"""
# Phase 2: Discovery
let discovered = session: discovery
prompt: """
Discover all installed skills across AI coding assistants.
Check each known location, enumerate skills, return structured list.
"""
# Phase 3: Filter skills if requested
let skills_to_scan = session "Filter discovered skills"
prompt: """
Filter skills based on:
- skill_filter input (if specified, match by name or path)
- history_check recommendations (prioritize changed skills)
Return final list of skills to scan.
"""
context: { discovered, skill_filter, history_check }
# Phase 4: Check if any skills to scan
if **no skills to scan**:
output audit = session "Report no skills found"
prompt: """
Create brief report indicating no skills found or all filtered out.
List directories checked and any filter applied.
"""
context: { discovered, skill_filter }
else:
# Phase 5: Scan skills in batches (respect parallelism limits)
let batches = session "Organize skills into batches of 3"
prompt: """
Split skills into batches of 3 for parallel processing.
Return array of arrays.
"""
context: skills_to_scan
let all_results = []
for batch in batches:
# Process batch in parallel
let batch_results = []
parallel for skill in batch:
let result = do scan-skill(skill.path, skill.name, mode, focus)
batch_results = batch_results + [result]
all_results = all_results + batch_results
# Early alert for critical findings
if **any skill in batch has critical severity**:
session "ALERT: Critical vulnerability detected"
prompt: "Immediately report critical finding to user"
context: batch_results
# Phase 6: Update scan history
session: historian
prompt: "Update scan history with new results"
context: all_results
# Phase 7: Create aggregate report
let final_report = session: synthesizer
prompt: """
Create comprehensive security audit report across ALL scanned skills.
Include:
1. Executive summary of overall security posture
2. Skills grouped by risk level (Critical, High, Medium, Low, Clean)
3. Common vulnerability patterns detected
4. Top priority remediation actions
5. Scan statistics (total, by mode, by result)
Format as professional security audit document.
"""
context: all_results
# Save final report
session "Save audit report to .prose/reports/SECURITY-AUDIT.md"
context: final_report
# Phase 8: Output summary
output audit = session "Display terminal-friendly summary"
prompt: """
Concise summary for terminal:
- Total skills scanned
- Breakdown by risk level
- Critical/high findings needing immediate attention
- Path to full report
- Comparison to previous scan (if history available)
"""
context: { final_report, history_check, mode }
Reference in New Issue View Git Blame Copy Permalink