功能描述

Cross-platform AI security scanner detecting hooks risks, MCP server attacks, prompt injection, supply chain threats in npm, PyPI, Rust, and GitHub Actions c...

使用说明 (SKILL.md)

AI Supply Chain Security

Name: ai-supply-chain-security
Author: javamagong

Cross-platform AI Coding security scanner for OpenClaw and Claude Code, detecting hooks configuration risks, MCP server attacks, prompt injection, and supply chain attacks (npm/PyPI/Rust).

Skill Information

name: ai-supply-chain-security
version: 2.1.0
description: Cross-platform AI Coding security scanner - Detect hooks, MCP servers, prompt injection, supply chain attacks, lock file poisoning, and registry substitution attacks
author: JavaMaGong
platforms: [Windows, macOS, Linux]
category: security

Installation

OpenClaw

openclaw skills install ai-supply-chain-security

Manual Installation

# Clone repository
git clone https://github.com/javamagong/ai-supply-chain-security.git

# Run directly (no install script needed)
python ai-scanner.py --help

Core Features

1. AI Assistant Hooks Detection

AI Assistant	Config File	Detection Content
Claude Code	`.claude/settings.json`	hooks, MCP servers, permissions
Cursor	`.cursorrules`	Prompt injection
Generic	`CLAUDE.md`	Prompt injection attacks

2. MCP Server Security Detection

Scans MCP server configurations for:

Unverified server sources
Excessive permission requests
Suspicious environment variable access

3. Prompt Injection Detection

Detects suspicious patterns in CLAUDE.md and .cursorrules:

Instruction override patterns (e.g., phrases attempting to clear previous context)
Role hijacking attempts (e.g., claims to change AI identity)
Fake urgency commands (e.g., URGENT override requests)
Hidden Unicode characters (zero-width chars like U+200B, U+200C, U+200D)
Base64 encoded hidden instructions

4. Supply Chain Security Detection

npm Packages:

Known malicious packages (colors, coa, rc, etc.)
Dangerous lifecycle scripts (postinstall, preinstall, prepare)
Dependency confusion attacks
Typosquatting (opeanai, litelm, etc.)

Python Packages:

Malicious code in setup.py
Suspicious pyproject.toml configurations
Git URL dependencies with risks
Dependency confusion attacks

Rust Crates:

Build.rs malicious code
Suspicious cargo.toml

5. Lock File Poisoning Detection

package-lock.json / yarn.lock:

Non-official resolved URLs (CRITICAL)
Missing integrity hashes (WARNING)
Cross-reference against known malicious package database

poetry.lock:

Git-sourced dependencies
Non-PyPI source URLs
Known malicious package detection

Cargo.lock:

Git+ source dependencies
Non-crates.io registry sources
Missing checksum detection

6. Registry Substitution Attack Detection

.npmrc:

Global registry overrides pointing to non-official URLs (CRITICAL)
Scoped registry redirects (@scope:registry)
Hardcoded _authToken values (CRITICAL)
always-auth=true credential exposure

pip.conf / pip.ini:

Non-official index-url (CRITICAL)
extra-index-url dependency confusion risk (WARNING)
trusted-host TLS bypass (WARNING)
Scans both project-level and global system config

7. GitHub Actions Security

Unpinned Action versions (@main, @master, @HEAD)
Secrets leakage to logs
Dangerous pull_request_target triggers

8. Code Obfuscation Detection

Hex-encoded malicious code
Base64 hidden payloads
Unicode homograph attacks

CLI Usage

Basic Scan

# Scan current directory
python ai_scanner.py

# Scan specific directory
python ai_scanner.py -d /path/to/project

# Full scan with node_modules
python ai_scanner.py -d /path/to/project --full

Auto-Discovery Scan

# Scan all projects under directory
python auto_scanner.py -d /path/to/projects

# Scan with specific severity filter
python auto_scanner.py -d /path/to/projects --severity critical

Output Formats

# Text output (default)
python ai_scanner.py -f text

# JSON output
python ai_scanner.py -f json -o report.json

# Markdown report
python ai_scanner.py -f markdown -o report.md

Configuration

Edit config.yaml:

scan_paths:
  - "./"
  - "../projects"

notification:
  webhook:
    enabled: false
    url: "${SECURITY_WEBHOOK_URL}"
  email:
    enabled: false
    smtp_host: "${SMTP_HOST}"
    smtp_port: 587
    from: "${SMTP_FROM}"
    to: "${SMTP_TO}"
    password: "${SMTP_PASSWORD}"

severity_threshold: "medium"

auto_fix: false

Detection Rules

Known Malicious npm Packages

colors (>=1.4.0)
coa (>=2.0.0)
rc (>=1.3.0)
And 30+ more...

AI Ecosystem Typosquatting Targets

openai / opeanai
anthropic / anthorpic
litellm / litelm
langchain / langchn

Dangerous Patterns

Hidden Unicode: zero-width chars in filenames/code
Suspicious base64: encoded shell commands
Malicious setup.py: exec() calls, network requests

CI/CD Integration

GitHub Actions

- name: Security Scan
  uses: actions/checkout@v3
  
- name: Run AI Security Scanner
  run: |
    pip install -r requirements.txt
    python ai_scanner.py -d . -f json -o security-report.json
    
- name: Upload Report
  uses: actions/upload-artifact@v3
  with:
    name: security-report
    path: security-report.json

Pre-commit Hook

repos:
  - repo: local
    hooks:
      - id: ai-security-scan
        name: AI Security Scanner
        entry: python ai_scanner.py -d .
        language: system
        pass_filenames: false

Requirements

Python 3.8+
See requirements.txt for dependencies

License

MIT-0 - See LICENSE file

Author

JavaMaGong - https://github.com/javamagong

Changelog

See CHANGELOG.md for version history

安全使用建议

This package appears to be a legitimate local security scanner whose behavior matches its description. Before installing or running it: 1) verify the upstream source (SKILL.md references a GitHub repo but registry metadata lacks a homepage); 2) run it on directories you control (don’t point it at system/root paths unless you intend to scan them); 3) keep notification/webhook/email settings disabled unless you trust the destination (reports may contain detected secrets/config snippets); 4) review config.yaml to restrict scan_paths, exclusions, and max depth; and 5) if you want stronger assurance, inspect the full auto_scanner.py and any truncated files for network/send logic (requests or socket usage) before enabling notifications or running it on sensitive codebases.

功能分析

Type: OpenClaw Skill Name: ai-supply-chain-security Version: 2.1.0 The bundle is a comprehensive security scanner designed to detect supply chain attacks, malicious AI assistant hooks (e.g., Claude Code, Cursor), and prompt injection. The core logic in 'ai_scanner.py' and 'auto_scanner.py' uses extensive regex-based rules and a database of known malicious packages to audit local project files for risks like typosquatting, dependency confusion, and dangerous lifecycle scripts. While the code contains many 'dangerous' patterns (e.g., 'curl | bash', 'rm -rf'), they are used strictly for detection purposes. No evidence of data exfiltration, unauthorized remote control, or malicious intent was found; the tool's behavior is entirely consistent with its stated purpose.

能力标签

cryptorequires-wallet

能力评估

✓ Purpose & Capability

Name/description (AI supply‑chain & prompt/hooks scanner) match the shipped files and detection rules. The project contains Python/JS/sh scripts that implement the described scanning capabilities (MCP/hook detection, prompt injection, npm/PyPI/Cargo checks, lockfile checks, GitHub Actions analysis). No unrelated credentials or binaries are required by the skill metadata.

ℹ Instruction Scope

SKILL.md and CLI instruct the agent or user to scan directories (current dir or specified path). The scanner also advertises scanning project-level and global config files (e.g., ~/.npmrc, pip config) and can search home/work directories per config — this is coherent with its purpose but means it will read potentially sensitive local files (configs, lockfiles, project files). Instructions do not tell the agent to send data off‑host by default; webhook/email notification hooks are present but disabled by default in config.yaml.

ℹ Install Mechanism

No formal install spec is declared; SKILL.md shows manual installation via git clone or running included Python scripts. The SKILL.md references a GitHub repo (github.com/javamagong/...), but registry metadata lists source/homepage as unknown/missing — a minor inconsistency worth verifying before cloning. There are no remote downloads or archive extracts performed by the provided scripts themselves.

✓ Credentials

The skill declares no required environment variables or primary credentials. Optional configuration supports webhooks and SMTP using environment variables if the user enables notifications; those are optional and not required at runtime. The scanner's detection rules look for references to many common secret names (AWS, OPENAI, etc.) — that's detection logic, not credential usage or exfiltration.

✓ Persistence & Privilege

The skill does not request always:true and does not attempt to alter other skills or system-wide agent settings. It contains CLI/CI integration examples and a pre-commit hook snippet (local usage) but no code that would autonomously persist or escalate privileges. Running the scanner with elevated privileges would expose more files to scanning, but that is user-controlled.

版本历史

v2.1.0

**ai-supply-chain-security v2.1.0** - Added comprehensive lock file poisoning detection (package-lock.json, poetry.lock, Cargo.lock) for non-official sources and missing integrity. - Introduced registry substitution attack checks for .npmrc, pip.conf, and pip.ini including hardcoded tokens and index/registry overrides. - Enhanced supply chain security scanning with updated malicious package database and typosquatting coverage. - Added sample detection examples (`examples/malicious-package.json`, `examples/safe-package.json`). - Unified documentation and changelog under new files; removed legacy meta file.

v1.0.0

ai-supply-chain-security v1.0.0 - Initial release of a cross-platform AI Coding security scanner for OpenClaw and Claude Code. - Detects risks in hooks configuration, MCP server attacks, prompt injection, and supply chain attacks for npm, PyPI, and Rust. - Core features: AI assistant hooks analysis, supply chain threat detection, MCP server security checks, prompt injection protection, GitHub Actions security, and code obfuscation identification. - Supports multiple installation methods and output formats, including CI/CD integrations and customizable configuration. - Built-in detection against known malicious packages and common typo-squat attacks in the AI ecosystem.

元数据

Slug ai-supply-chain-security

版本 2.1.0

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 2

常见问题