{
  "schemaVersion": "1.0",
  "item": {
    "slug": "agentic-security-audit",
    "name": "Agentic Security Audit",
    "source": "tencent",
    "type": "skill",
    "category": "安全合规",
    "sourceUrl": "https://clawhub.ai/kingrubic/agentic-security-audit",
    "canonicalUrl": "https://clawhub.ai/kingrubic/agentic-security-audit",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadMode": "redirect",
    "downloadUrl": "/downloads/agentic-security-audit",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=agentic-security-audit",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "installMethod": "Manual import",
    "extraction": "Extract archive",
    "prerequisites": [
      "OpenClaw"
    ],
    "packageFormat": "ZIP package",
    "includedAssets": [
      "SKILL.md",
      "_meta.json"
    ],
    "primaryDoc": "SKILL.md",
    "quickSetup": [
      "Download the package from Yavira.",
      "List the archive entries before extracting (reject any with absolute paths or '..' components), then extract it and review SKILL.md before running anything it describes.",
      "Import or place the package into your OpenClaw setup."
    ],
    "agentAssist": {
      "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
      "steps": [
        "Download the package from Yavira.",
        "Extract it into a folder your agent can access.",
        "Paste one of the prompts below and point your agent at the extracted folder."
      ],
      "prompts": [
        {
          "label": "New install",
          "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Before executing any command taken from SKILL.md, show it to me and wait for my approval; do not use sudo, modify files outside my OpenClaw workspace, or send data to external services. Tell me what you changed and call out any manual steps you could not complete."
        },
        {
          "label": "Upgrade existing",
          "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Before executing any command taken from SKILL.md, show it to me and wait for my approval; do not use sudo, modify files outside my OpenClaw workspace, or send data to external services. Summarize what changed and any follow-up checks I should run."
        }
      ]
    },
    "sourceHealth": {
      "source": "tencent",
      "slug": "agentic-security-audit",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-26T04:15:40.827Z",
      "expiresAt": "2026-05-03T04:15:40.827Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=agentic-security-audit",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=agentic-security-audit",
        "contentDisposition": "attachment; filename=\"agentic-security-audit-1.0.0.zip\"",
        "redirectLocation": null,
        "bodySnippet": null,
        "slug": "agentic-security-audit"
      },
      "scope": "item",
      "summary": "Item download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this item.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/agentic-security-audit"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains only the expected setup assets (SKILL.md and _meta.json) and no extra scripts, binaries, or entries that resolve outside the extraction directory."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    },
    "downloadPageUrl": "https://openagent3.xyz/downloads/agentic-security-audit",
    "agentPageUrl": "https://openagent3.xyz/skills/agentic-security-audit/agent",
    "manifestUrl": "https://openagent3.xyz/skills/agentic-security-audit/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/agentic-security-audit/agent.md"
  },
  "agentAssist": {
    "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
    "steps": [
      "Download the package from Yavira.",
      "Extract it into a folder your agent can access.",
      "Paste one of the prompts below and point your agent at the extracted folder."
    ],
    "prompts": [
      {
        "label": "New install",
        "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Before executing any command taken from SKILL.md, show it to me and wait for my approval; do not use sudo, modify files outside my OpenClaw workspace, or send data to external services. Tell me what you changed and call out any manual steps you could not complete."
      },
      {
        "label": "Upgrade existing",
        "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Before executing any command taken from SKILL.md, show it to me and wait for my approval; do not use sudo, modify files outside my OpenClaw workspace, or send data to external services. Summarize what changed and any follow-up checks I should run."
      }
    ]
  },
  "documentation": {
    "source": "clawhub",
    "primaryDoc": "SKILL.md",
    "sections": [
      {
        "title": "Security Audit",
        "body": "Scan, detect, and fix security issues in codebases and infrastructure. Covers dependency vulnerabilities, secret detection, OWASP top 10, SSL/TLS verification, file permissions, and secure coding patterns."
      },
      {
        "title": "When to Use",
        "body": "Scanning project dependencies for known vulnerabilities\nDetecting hardcoded secrets, API keys, or credentials in source code\nReviewing code for OWASP top 10 vulnerabilities (injection, XSS, CSRF, etc.)\nVerifying SSL/TLS configuration for endpoints\nAuditing file and directory permissions\nChecking authentication and authorization patterns\nPreparing for a security review or compliance audit"
      },
      {
        "title": "Node.js",
        "body": "# Built-in npm audit\nnpm audit\nnpm audit --json | jq '.vulnerabilities | to_entries[] | {name: .key, severity: .value.severity, via: .value.via[0]}'\n\n# Fix automatically where possible\nnpm audit fix\n\n# Show only high and critical\nnpm audit --audit-level=high\n\n# Check a specific package\nnpm audit --package-lock-only\n\n# Alternative: use npx to scan without installing\nnpx audit-ci --high"
      },
      {
        "title": "Python",
        "body": "# pip-audit (recommended)\npip install pip-audit\npip-audit\npip-audit -r requirements.txt\npip-audit --format=json\n\n# safety (alternative)\npip install safety\nsafety check\nsafety check -r requirements.txt --json\n\n# Check a specific package\npip-audit --requirement=- <<< \"requests==2.25.0\""
      },
      {
        "title": "Go",
        "body": "# Built-in vuln checker\ngo install golang.org/x/vuln/cmd/govulncheck@latest\ngovulncheck ./...\n\n# Check specific binary\ngovulncheck -mode=binary ./myapp"
      },
      {
        "title": "Rust",
        "body": "# cargo-audit\ncargo install cargo-audit\ncargo audit\n\n# With fix suggestions\ncargo audit fix"
      },
      {
        "title": "Universal: Trivy (scans any project)",
        "body": "# Install: https://aquasecurity.github.io/trivy\n# Scan filesystem\ntrivy fs .\n\n# Scan specific language\ntrivy fs --scanners vuln --severity HIGH,CRITICAL .\n\n# Scan Docker image\ntrivy image myapp:latest\n\n# JSON output\ntrivy fs --format json -o results.json ."
      },
      {
        "title": "Manual grep patterns",
        "body": "# AWS keys\ngrep -rn 'AKIA[0-9A-Z]\\{16\\}' --include='*.{js,ts,py,go,java,rb,env,yml,yaml,json,xml,cfg,conf,ini}' .\n\n# Generic API keys and tokens\ngrep -rn -i 'api[_-]\\?key\\|api[_-]\\?secret\\|access[_-]\\?token\\|auth[_-]\\?token\\|bearer ' \\\n  --include='*.{js,ts,py,go,java,rb,env,yml,yaml,json}' .\n\n# Private keys\ngrep -rn 'BEGIN.*PRIVATE KEY' .\n\n# Passwords in config\ngrep -rn -i 'password\\s*[:=]' --include='*.{env,yml,yaml,json,xml,cfg,conf,ini,toml}' .\n\n# Connection strings with credentials\ngrep -rn -i 'mongodb://\\|mysql://\\|postgres://\\|redis://' --include='*.{js,ts,py,go,env,yml,yaml,json}' . | grep -v 'localhost\\|127.0.0.1\\|example'\n\n# JWT tokens (three base64 segments separated by dots)\ngrep -rn 'eyJ[A-Za-z0-9_-]*\\.eyJ[A-Za-z0-9_-]*\\.' --include='*.{js,ts,py,go,log,json}' ."
      },
      {
        "title": "Automated scanning with git",
        "body": "# Scan git history for secrets (not just current files)\n# Using git log + grep\ngit log -p --all | grep -n -i 'api.key\\|password\\|secret\\|token' | head -50\n\n# Check staged files before commit\ngit diff --cached --name-only | xargs grep -l -i 'api.key\\|password\\|secret\\|token' 2>/dev/null"
      },
      {
        "title": "Pre-commit hook for secrets",
        "body": "#!/bin/bash\n# .git/hooks/pre-commit - Block commits containing potential secrets\n\nPATTERNS=(\n    'AKIA[0-9A-Z]{16}'\n    'BEGIN.*PRIVATE KEY'\n    'password\\s*[:=]\\s*[\"\\x27][^\"\\x27]+'\n    'api[_-]?key\\s*[:=]\\s*[\"\\x27][^\"\\x27]+'\n    'sk-[A-Za-z0-9]{20,}'\n    'ghp_[A-Za-z0-9]{36}'\n    'xox[bpoas]-[A-Za-z0-9-]+'\n)\n\nSTAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM)\n[ -z \"$STAGED_FILES\" ] && exit 0\n\nEXIT_CODE=0\nfor pattern in \"${PATTERNS[@]}\"; do\n    matches=$(echo \"$STAGED_FILES\" | xargs grep -Pn \"$pattern\" 2>/dev/null)\n    if [ -n \"$matches\" ]; then\n        echo \"BLOCKED: Potential secret detected matching pattern: $pattern\"\n        echo \"$matches\"\n        EXIT_CODE=1\n    fi\ndone\n\nif [ $EXIT_CODE -ne 0 ]; then\n    echo \"\"\n    echo \"To proceed anyway: git commit --no-verify\"\n    echo \"To remove secrets: replace with environment variables\"\nfi\nexit $EXIT_CODE"
      },
      {
        "title": ".gitignore audit",
        "body": "# Check if sensitive files are tracked\necho \"--- Files that should probably be gitignored ---\"\nfor pattern in '.env' '.env.*' '*.pem' '*.key' '*.p12' '*.pfx' 'credentials.json' \\\n               'service-account*.json' '*.keystore' 'id_rsa' 'id_ed25519'; do\n    found=$(git ls-files \"$pattern\" 2>/dev/null)\n    [ -n \"$found\" ] && echo \"  TRACKED: $found\"\ndone\n\n# Check if .gitignore exists and has common patterns\nif [ ! -f .gitignore ]; then\n    echo \"WARNING: No .gitignore file found\"\nelse\n    for entry in '.env' 'node_modules' '*.key' '*.pem'; do\n        grep -q \"$entry\" .gitignore || echo \"  MISSING from .gitignore: $entry\"\n    done\nfi"
      },
      {
        "title": "1. Injection (SQL, Command, LDAP)",
        "body": "# SQL injection: string concatenation in queries\ngrep -rn \"query\\|execute\\|cursor\" --include='*.{py,js,ts,go,java,rb}' . | \\\n  grep -i \"f\\\"\\|format(\\|%s\\|\\${\\|+ \\\"\\|concat\\|sprintf\" | \\\n  grep -iv \"parameterized\\|placeholder\\|prepared\"\n\n# Command injection: user input in shell commands\ngrep -rn \"exec(\\|spawn(\\|system(\\|popen(\\|subprocess\\|os\\.system\\|child_process\" \\\n  --include='*.{py,js,ts,go,java,rb}' .\n\n# Check for parameterized queries (good)\ngrep -rn \"\\\\$[0-9]\\|\\\\?\\|%s\\|:param\\|@param\\|prepared\" --include='*.{py,js,ts,go,java,rb}' ."
      },
      {
        "title": "2. Broken Authentication",
        "body": "# Weak password hashing (MD5, SHA1 used for passwords)\ngrep -rn \"md5\\|sha1\\|sha256\" --include='*.{py,js,ts,go,java,rb}' . | grep -i \"password\\|passwd\"\n\n# Hardcoded credentials\ngrep -rn -i \"admin.*password\\|password.*admin\\|default.*password\" \\\n  --include='*.{py,js,ts,go,java,rb,yml,yaml,json}' .\n\n# Session tokens in URLs\ngrep -rn \"session\\|token\\|jwt\" --include='*.{py,js,ts,go,java,rb}' . | grep -i \"url\\|query\\|param\\|GET\"\n\n# Check for rate limiting on auth endpoints\ngrep -rn -i \"rate.limit\\|throttle\\|brute\" --include='*.{py,js,ts,go,java,rb}' ."
      },
      {
        "title": "3. Cross-Site Scripting (XSS)",
        "body": "# Unescaped output in templates\ngrep -rn \"innerHTML\\|dangerouslySetInnerHTML\\|v-html\\|\\|html(\" \\\n  --include='*.{js,ts,jsx,tsx,vue,html}' .\n\n# Template injection\ngrep -rn \"{{{.*}}}\\|<%=\\|<%-\\|\\$\\!{\" --include='*.{html,ejs,hbs,pug,erb}' .\n\n# Document.write\ngrep -rn \"document\\.write\\|document\\.writeln\" --include='*.{js,ts,html}' .\n\n# eval with user input\ngrep -rn \"eval(\\|new Function(\\|setTimeout.*string\\|setInterval.*string\" \\\n  --include='*.{js,ts}' ."
      },
      {
        "title": "4. Insecure Direct Object References",
        "body": "# Direct ID usage in routes without authz check\ngrep -rn \"params\\.id\\|params\\[.id.\\]\\|req\\.params\\.\\|request\\.args\\.\\|request\\.GET\\.\" \\\n  --include='*.{py,js,ts,go,java,rb}' . | \\\n  grep -i \"user\\|account\\|profile\\|order\\|document\""
      },
      {
        "title": "5. Security Misconfiguration",
        "body": "# CORS wildcard\ngrep -rn \"Access-Control-Allow-Origin.*\\*\\|cors({.*origin.*true\\|cors()\" \\\n  --include='*.{py,js,ts,go,java,rb}' .\n\n# Debug mode in production configs\ngrep -rn \"DEBUG\\s*=\\s*True\\|debug:\\s*true\\|NODE_ENV.*development\" \\\n  --include='*.{py,js,ts,yml,yaml,json,env}' .\n\n# Verbose error messages exposed to clients\ngrep -rn \"stack\\|traceback\\|stackTrace\" --include='*.{py,js,ts,go,java,rb}' . | \\\n  grep -i \"response\\|send\\|return\\|res\\.\""
      },
      {
        "title": "Check endpoint SSL",
        "body": "# Full SSL check\nopenssl s_client -connect example.com:443 -servername example.com < /dev/null 2>/dev/null | \\\n  openssl x509 -noout -subject -issuer -dates -fingerprint\n\n# Check certificate expiry\necho | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | \\\n  openssl x509 -noout -enddate\n\n# Check supported TLS versions\nfor v in tls1 tls1_1 tls1_2 tls1_3; do\n  result=$(openssl s_client -connect example.com:443 -$v < /dev/null 2>&1)\n  if echo \"$result\" | grep -q \"Cipher is\"; then\n    echo \"$v: SUPPORTED\"\n  else\n    echo \"$v: NOT SUPPORTED\"\n  fi\ndone\n\n# Check cipher suites\nopenssl s_client -connect example.com:443 -cipher 'ALL' < /dev/null 2>&1 | \\\n  grep \"Cipher    :\"\n\n# Check for weak ciphers\nopenssl s_client -connect example.com:443 -cipher 'NULL:EXPORT:DES:RC4:MD5' < /dev/null 2>&1 | \\\n  grep \"Cipher    :\""
      },
      {
        "title": "Verify certificate chain",
        "body": "# Download and verify full chain\nopenssl s_client -connect example.com:443 -showcerts < /dev/null 2>/dev/null | \\\n  awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/{print}' > chain.pem\n\n# Verify chain\nopenssl verify -CAfile /etc/ssl/certs/ca-certificates.crt chain.pem\n\n# Check certificate details\nopenssl x509 -in chain.pem -noout -text | grep -A2 \"Subject:\\|Issuer:\\|Not Before\\|Not After\\|DNS:\""
      },
      {
        "title": "Check SSL from code",
        "body": "# Verify SSL isn't disabled in code\ngrep -rn \"verify\\s*=\\s*False\\|rejectUnauthorized.*false\\|InsecureSkipVerify.*true\\|CURLOPT_SSL_VERIFYPEER.*false\\|NODE_TLS_REJECT_UNAUTHORIZED.*0\" \\\n  --include='*.{py,js,ts,go,java,rb,yml,yaml}' ."
      },
      {
        "title": "File Permission Audit",
        "body": "# Find world-writable files\nfind . -type f -perm -o=w -not -path '*/node_modules/*' -not -path '*/.git/*' 2>/dev/null\n\n# Find executable files that shouldn't be\nfind . -type f -perm -u=x -not -name '*.sh' -not -name '*.py' -not -path '*/node_modules/*' \\\n  -not -path '*/.git/*' -not -path '*/bin/*' 2>/dev/null\n\n# Check sensitive file permissions\nfor f in .env .env.* *.pem *.key *.p12 id_rsa id_ed25519; do\n    [ -f \"$f\" ] && ls -la \"$f\"\ndone\n\n# Find files with SUID/SGID bits (Linux)\nfind / -type f \\( -perm -4000 -o -perm -2000 \\) 2>/dev/null | head -20\n\n# Check SSH key permissions\nif [ -d ~/.ssh ]; then\n    echo \"--- SSH directory permissions ---\"\n    ls -la ~/.ssh/\n    echo \"\"\n    # Should be: dir=700, private keys=600, public keys=644, config=600\n    [ \"$(stat -c %a ~/.ssh 2>/dev/null || stat -f %Lp ~/.ssh)\" != \"700\" ] && echo \"WARNING: ~/.ssh should be 700\"\nfi"
      },
      {
        "title": "Full Project Security Audit Script",
        "body": "#!/bin/bash\n# security-audit.sh - Run a comprehensive security check on a project\nset -euo pipefail\n\nPROJECT_DIR=\"${1:-.}\"\ncd \"$PROJECT_DIR\"\n\necho \"=========================================\"\necho \"Security Audit: $(basename \"$(pwd)\")\"\necho \"Date: $(date -u '+%Y-%m-%dT%H:%M:%SZ')\"\necho \"=========================================\"\necho \"\"\n\nISSUES=0\nwarn() { echo \"  [!] $1\"; ((ISSUES++)); }\nok() { echo \"  [OK] $1\"; }\nsection() { echo \"\"; echo \"--- $1 ---\"; }\n\n# 1. Secrets detection\nsection \"Secret Detection\"\nfor pattern in 'AKIA[0-9A-Z]\\{16\\}' 'BEGIN.*PRIVATE KEY' 'sk-[A-Za-z0-9]\\{20,\\}' \\\n               'ghp_[A-Za-z0-9]\\{36\\}' 'xox[bpoas]-'; do\n    count=$(grep -rn \"$pattern\" --include='*.{js,ts,py,go,java,rb,env,yml,yaml,json,xml}' . 2>/dev/null | \\\n            grep -v 'node_modules\\|\\.git\\|vendor\\|__pycache__' | wc -l)\n    if [ \"$count\" -gt 0 ]; then\n        warn \"Found $count matches for pattern: $pattern\"\n    fi\ndone\ngrep -rn -i 'password\\s*[:=]\\s*[\"'\"'\"'][^\"'\"'\"']*[\"'\"'\"']' \\\n  --include='*.{js,ts,py,go,yml,yaml,json,env}' . 2>/dev/null | \\\n  grep -v 'node_modules\\|\\.git\\|example\\|test\\|mock\\|placeholder\\|changeme\\|xxxx' | \\\n  while read -r line; do warn \"Hardcoded password: $line\"; done\n\n# 2. Dependency audit\nsection \"Dependency Vulnerabilities\"\nif [ -f package-lock.json ] || [ -f package.json ]; then\n    npm audit --audit-level=high 2>/dev/null && ok \"npm: no high/critical vulns\" || warn \"npm audit found issues\"\nfi\nif [ -f requirements.txt ]; then\n    pip-audit -r requirements.txt 2>/dev/null && ok \"pip: no known vulns\" || warn \"pip-audit found issues\"\nfi\nif [ -f go.sum ]; then\n    govulncheck ./... 2>/dev/null && ok \"Go: no known vulns\" || warn \"govulncheck found issues\"\nfi\n\n# 3. Gitignore check\nsection \".gitignore Coverage\"\nif [ ! 
-f .gitignore ]; then\n    warn \"No .gitignore file\"\nelse\n    for entry in '.env' 'node_modules' '*.key' '*.pem' '.DS_Store'; do\n        grep -q \"$entry\" .gitignore 2>/dev/null && ok \".gitignore has $entry\" || warn \".gitignore missing: $entry\"\n    done\nfi\n\n# 4. SSL verification disabled\nsection \"SSL Verification\"\ndisabled=$(grep -rn \"verify\\s*=\\s*False\\|rejectUnauthorized.*false\\|InsecureSkipVerify.*true\" \\\n  --include='*.{py,js,ts,go,java,rb}' . 2>/dev/null | \\\n  grep -v 'node_modules\\|\\.git\\|test\\|spec\\|mock' | wc -l)\n[ \"$disabled\" -gt 0 ] && warn \"SSL verification disabled in $disabled location(s)\" || ok \"No SSL bypasses found\"\n\n# 5. CORS wildcard\nsection \"CORS Configuration\"\ncors=$(grep -rn \"Access-Control-Allow-Origin.*\\*\\|cors({.*origin.*true\" \\\n  --include='*.{py,js,ts,go,java,rb}' . 2>/dev/null | \\\n  grep -v 'node_modules\\|\\.git' | wc -l)\n[ \"$cors\" -gt 0 ] && warn \"CORS wildcard found in $cors location(s)\" || ok \"No CORS wildcard\"\n\n# 6. Debug mode\nsection \"Debug/Development Settings\"\ndebug=$(grep -rn \"DEBUG\\s*=\\s*True\\|debug:\\s*true\" \\\n  --include='*.{py,yml,yaml,json}' . 2>/dev/null | \\\n  grep -v 'node_modules\\|\\.git\\|test\\|jest\\|vitest' | wc -l)\n[ \"$debug\" -gt 0 ] && warn \"Debug mode enabled in $debug location(s)\" || ok \"No debug flags found\"\n\necho \"\"\necho \"=========================================\"\necho \"Audit complete. Issues found: $ISSUES\"\necho \"=========================================\"\n[ \"$ISSUES\" -eq 0 ] && exit 0 || exit 1"
      },
      {
        "title": "Environment variables instead of hardcoded secrets",
        "body": "# Bad: hardcoded in source\nAPI_KEY=\"sk-abc123...\"\n\n# Good: from environment\nAPI_KEY=\"${API_KEY:?Error: API_KEY not set}\"\n\n# Good: from .env file (loaded at startup, never committed)\n# .env\nAPI_KEY=sk-abc123...\n# .gitignore\n.env"
      },
      {
        "title": "Input validation checklist",
        "body": "- [ ] All user input validated (type, length, format)\n- [ ] SQL queries use parameterized statements (never string concat)\n- [ ] Shell commands never include user input directly\n- [ ] File paths validated (no path traversal: ../)\n- [ ] URLs validated (no SSRF: restrict to expected domains)\n- [ ] HTML output escaped (no XSS: use framework auto-escaping)\n- [ ] JSON parsing has error handling (no crash on malformed input)\n- [ ] File uploads checked (type, size, no executable content)"
      },
      {
        "title": "HTTP security headers",
        "body": "# Check security headers on a URL\ncurl -sI https://example.com | grep -i 'strict-transport\\|content-security\\|x-frame\\|x-content-type\\|referrer-policy\\|permissions-policy'\n\n# Expected headers:\n# Strict-Transport-Security: max-age=31536000; includeSubDomains\n# Content-Security-Policy: default-src 'self'\n# X-Frame-Options: DENY\n# X-Content-Type-Options: nosniff\n# Referrer-Policy: strict-origin-when-cross-origin\n# Permissions-Policy: camera=(), microphone=(), geolocation=()"
      },
      {
        "title": "Tips",
        "body": "Run npm audit / pip-audit / govulncheck in CI on every pull request, not just occasionally.\nSecret detection in git history matters: even if a secret is removed from HEAD, it still exists in git history. Treat a committed secret as compromised and rotate it first; then purge the history with git-filter-repo (git filter-branch is deprecated by git itself) and force-push, remembering that anyone holding a clone or fork still has the old commits.\nThe most dangerous vulnerabilities are often the simplest: SQL injection via string concatenation, command injection via unsanitized input, XSS via innerHTML.\nCORS Access-Control-Allow-Origin: * is safe for truly public, read-only APIs. It's dangerous for anything that uses cookies or auth tokens.\nAlways verify SSL in production. verify=False or rejectUnauthorized: false should only appear in test code, never in production paths.\nDefense in depth: validate input, escape output, use parameterized queries, enforce least privilege, and assume every layer might be bypassed.\nThe grep-based checks in this document are heuristics: expect false positives (test fixtures, docs) and false negatives (secrets in file types outside the --include lists, obfuscated or split values), confirm findings by hand, and pair them with a dedicated scanner (trivy fs also supports --scanners secret). A pre-commit hook is bypassable with git commit --no-verify, so run the same secret scan in CI as well.\nBash note for the audit scripts: under set -e, ((ISSUES++)) returns non-zero when the counter is still 0, so the first warn() call can abort the script or, in a test && warn || ok chain, fall through to ok; use ISSUES=$((ISSUES + 1)) in the helper functions. Counters incremented inside a piped while-read loop run in a subshell and are lost, so those findings are never reflected in the final total."
      },
      {
        "title": "🤖 Agentic Security Audit (Addendum, 25/02/2026)",
        "body": "Based on the paper \"Agents of Chaos\" (arXiv:2602.20021) and the OWASP Top 10 for Agentic Applications 2026.\nA traditional security audit only covers code and infrastructure; agentic systems have an entirely new attack surface (prompt injection, tool misuse, memory poisoning, agent-to-agent trust)."
      },
      {
        "title": "When to Use (Agentic)",
        "body": "Auditing OpenClaw/agent workspace configuration\nReviewing agent permissions and access boundaries\nScanning for prompt injection vectors in agent-facing content\nAssessing multi-agent communication security\nEvaluating identity verification mechanisms\nChecking persistent memory for poisoning"
      },
      {
        "title": "OWASP Agentic Top 10 Checklist (2026)",
        "body": "- [ ] ASI01: Agent Goal Hijack (prompt injection — direct & indirect)\n- [ ] ASI02: Tool Misuse and Exploitation (shell, filesystem, API abuse)\n- [ ] ASI03: Identity and Privilege Abuse (confused deputy, over-privilege)\n- [ ] ASI04: Memory Poisoning (SOUL.md, MEMORY.md, persistent context)\n- [ ] ASI05: Supply Chain Attacks (malicious skills/plugins — e.g., ClawHub)\n- [ ] ASI06: Rogue Agents (operating outside intended boundaries)\n- [ ] ASI07: Data Leakage via Agentic Channels (cross-channel PII exposure)\n- [ ] ASI08: Orchestration Manipulation (sub-agent hijacking)\n- [ ] ASI09: Insufficient Logging and Observability\n- [ ] ASI10: Insecure Agent Communication (agent-to-agent trust)"
      },
      {
        "title": "1. Workspace Configuration Audit",
        "body": "# Check if agent config files are world-readable\necho \"--- Agent Config Permissions ---\"\nfor f in SOUL.md MEMORY.md AGENTS.md TOOLS.md IDENTITY.md USER.md HEARTBEAT.md; do\n    [ -f \"$f\" ] && echo \"$(stat -f '%Sp %N' \"$f\" 2>/dev/null || stat -c '%A %n' \"$f\")\" || echo \"  NOT FOUND: $f\"\ndone\n\n# Check for secrets leaked into agent memory/config\necho \"--- Secrets in Agent Files ---\"\ngrep -rn -i 'api.key\\|password\\|token\\|secret\\|bearer' \\\n  SOUL.md MEMORY.md TOOLS.md IDENTITY.md USER.md memory/*.md 2>/dev/null | \\\n  grep -v 'example\\|placeholder\\|REDACTED'\n\n# Check for over-permissive shell access\necho \"--- Shell Access Check ---\"\ngrep -rn -i 'sudo\\|chmod 777\\|unrestricted' AGENTS.md TOOLS.md 2>/dev/null"
      },
      {
        "title": "2. Prompt Injection Scan (Agent-Facing Content)",
        "body": "# Scan content that agents read/process for injection patterns\nSCAN_DIRS=\"${1:-.}\"\n\necho \"--- Prompt Injection Patterns ---\"\nINJECTION_PATTERNS=(\n    'ignore\\s+(previous|all|above)\\s+instructions'\n    'you\\s+are\\s+now\\s+'\n    'new\\s+system\\s+prompt'\n    '\\[SYSTEM\\]'\n    '<SYSTEM_ADMIN_OVERRIDE>'\n    'AUTHORIZED_OVERRIDE'\n    'forget\\s+your\\s+(rules|instructions|guidelines)'\n    'act\\s+as\\s+if\\s+you\\s+are'\n    'disregard\\s+(all|your|previous)'\n    'jailbreak'\n    'DAN\\s+mode'\n)\n\nfor pattern in \"${INJECTION_PATTERNS[@]}\"; do\n    matches=$(grep -rn -iP \"$pattern\" \"$SCAN_DIRS\" \\\n      --include='*.{md,txt,json,html,yml,yaml}' 2>/dev/null | \\\n      grep -v 'node_modules\\|\\.git\\|SKILL.md' | head -5)\n    [ -n \"$matches\" ] && echo \"  [!] Injection pattern '$pattern':\" && echo \"$matches\"\ndone\n\n# Steganographic: zero-width Unicode characters\necho \"--- Zero-Width Unicode Characters ---\"\ngrep -rPn '[\\x{200B}\\x{200C}\\x{200D}\\x{FEFF}\\x{00AD}\\x{2060}]' \"$SCAN_DIRS\" \\\n  --include='*.{md,txt,json,html}' 2>/dev/null | head -10\n\n# Suspicious base64 strings (>50 chars, could be encoded payloads)\necho \"--- Suspicious Base64 Strings ---\"\ngrep -rPn '[A-Za-z0-9+/=]{50,}' \"$SCAN_DIRS\" \\\n  --include='*.{md,txt,json}' 2>/dev/null | \\\n  grep -v 'node_modules\\|\\.git\\|\\.png\\|\\.jpg\\|package-lock' | head -10"
      },
      {
        "title": "3. Identity & Authorization Audit",
        "body": "# Check if agent verifies owner identity beyond display name\necho \"--- Identity Verification ---\"\n\n# OpenClaw: check if authorized senders are configured\ngrep -n 'authorizedSenders\\|authorized_senders\\|allowlist' \\\n  ~/.config/openclaw/config.yaml ~/.openclaw/config.* 2>/dev/null\n\n# Check if agent trusts display names (vulnerable to spoofing)\ngrep -rn -i 'display.name\\|username\\|sender.name' \\\n  AGENTS.md SOUL.md TOOLS.md 2>/dev/null | \\\n  grep -iv 'user.id\\|sender.id\\|verified'\n\n# Check for cross-channel trust assumptions\necho \"--- Cross-Channel Trust ---\"\ngrep -rn -i 'if.*channel\\|trust.*channel\\|verify.*channel' \\\n  AGENTS.md SOUL.md 2>/dev/null"
      },
      {
        "title": "4. Memory Poisoning Check",
        "body": "# Check memory files for suspicious patterns\necho \"--- Memory Integrity ---\"\n\n# External URLs stored as \"governing documents\" (Case #10: Agent Corruption)\necho \"URLs in memory that agent may follow as instructions:\"\ngrep -rn 'https\\?://\\|gist\\.github\\|pastebin\\|hastebin' \\\n  MEMORY.md memory/*.md HEARTBEAT.md 2>/dev/null\n\n# Check if memory files were recently modified by non-owner actions\necho \"Recent memory file changes:\"\nfind memory/ MEMORY.md SOUL.md AGENTS.md -newer IDENTITY.md -type f 2>/dev/null | \\\n  while read f; do echo \"  $(stat -f '%Sm %N' \"$f\" 2>/dev/null || stat -c '%y %n' \"$f\")\"; done\n\n# Check for instructions in memory that override safety rules\ngrep -rn -i 'override\\|bypass\\|ignore.*rule\\|disable.*safety\\|skip.*check' \\\n  MEMORY.md memory/*.md HEARTBEAT.md 2>/dev/null\n\n# Check git blame for who modified critical files\necho \"--- SOUL.md modification history ---\"\ngit log --oneline -10 -- SOUL.md 2>/dev/null || echo \"  (not in git)\"\necho \"--- AGENTS.md modification history ---\"\ngit log --oneline -10 -- AGENTS.md 2>/dev/null || echo \"  (not in git)\""
      },
      {
        "title": "5. Multi-Agent Communication Audit",
        "body": "# Check for agent-to-agent trust without verification\necho \"--- Multi-Agent Trust ---\"\n\n# Shared channels where agents interact (Discord, forum, email)\ngrep -rn -i 'discord\\|forum\\|moltbook\\|clawstr\\|email.*agent' \\\n  TOOLS.md MEMORY.md memory/*.md 2>/dev/null\n\n# Check if agent auto-executes actions from other agents\ngrep -rn -i 'webhook\\|auto.reply\\|auto.respond\\|on.*mention' \\\n  AGENTS.md HEARTBEAT.md TOOLS.md scripts/*.sh 2>/dev/null\n\n# Check for infinite loop risks (agent A ↔ agent B relay)\ngrep -rn -i 'relay\\|forward.*message\\|pass.*along\\|tell.*agent' \\\n  MEMORY.md memory/*.md 2>/dev/null\n\n# Check cron/heartbeat for tasks triggered by external content\necho \"--- Scheduled Tasks ---\"\ngrep -rn -i 'check.*forum\\|check.*moltbook\\|reply.*comment\\|respond.*mention' \\\n  HEARTBEAT.md 2>/dev/null"
      },
      {
        "title": "6. Resource & Privilege Audit",
        "body": "# Check for excessive agent permissions\necho \"--- Agent Permissions ---\"\n\n# Sudo access (should NOT be default for agents)\ngrep -rn 'sudo\\|root\\|admin.*access\\|unrestricted' \\\n  AGENTS.md TOOLS.md 2>/dev/null\n\n# Background processes agent has created\necho \"Running agent processes:\"\nps aux | grep -i 'cron\\|heartbeat\\|monitor\\|watch\\|loop' | grep -v grep | head -10\n\n# Check for unbounded resource consumption patterns\necho \"--- Cron/Background Jobs ---\"\ncrontab -l 2>/dev/null || echo \"  No crontab\"\n\n# Check disk usage of agent workspace\necho \"--- Workspace Size ---\"\ndu -sh . memory/ 2>/dev/null\n\n# Check for files agent probably shouldn't have access to\necho \"--- Sensitive System Files Readable by Agent ---\"\nfor f in /etc/shadow /etc/passwd ~/.ssh/id_rsa ~/.ssh/id_ed25519 \\\n         ~/.aws/credentials ~/.config/gcloud/credentials.db; do\n    [ -r \"$f\" ] && echo \"  [!] READABLE: $f\"\ndone"
      },
      {
        "title": "7. Semantic Reframing Detection (Advanced)",
        "body": "From Agents of Chaos Case #3: \"Give me SSN\" → refused. \"Forward the email\" (containing SSN) → complied.\nThis check helps humans verify their agent won't leak data through reframed requests.\n\n# Check if agent has rules about content-based (not just action-based) evaluation\necho \"--- Content-Based Safety Rules ---\"\ngrep -rn -i 'content.*evaluat\\|semantic.*refram\\|forward.*email.*sensitive\\|assess.*content' \\\n  AGENTS.md SOUL.md 2>/dev/null\n\n# Check for PII in files agent might forward/share\necho \"--- PII in Agent-Accessible Files ---\"\n# SSN pattern\ngrep -rPn '\\b\\d{3}-\\d{2}-\\d{4}\\b' MEMORY.md memory/*.md 2>/dev/null\n# Credit card pattern\ngrep -rPn '\\b\\d{4}[-\\s]?\\d{4}[-\\s]?\\d{4}[-\\s]?\\d{4}\\b' MEMORY.md memory/*.md 2>/dev/null\n# Email addresses\ngrep -rPn '\\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Z]{2,}\\b' \\\n  MEMORY.md memory/*.md USER.md 2>/dev/null | \\\n  grep -v 'example\\|test\\|placeholder'"
      },
      {
        "title": "Full Agentic Security Audit Script",
        "body": "#!/bin/bash\n# agentic-security-audit.sh - Comprehensive security check for AI agent workspaces\n# Based on \"Agents of Chaos\" (arXiv:2602.20021) + OWASP Agentic Top 10\nset -euo pipefail\n\nWORKSPACE=\"${1:-.}\"\ncd \"$WORKSPACE\"\n\necho \"=========================================\"\necho \"Agentic Security Audit\"\necho \"Workspace: $(pwd)\"\necho \"Date: $(date -u '+%Y-%m-%dT%H:%M:%SZ')\"\necho \"Framework: Based on Agents of Chaos + OWASP Agentic Top 10\"\necho \"=========================================\"\necho \"\"\n\nISSUES=0\nWARNINGS=0\nwarn() { echo \"  ⚠️  $1\"; ((WARNINGS++)); }\ncritical() { echo \"  🔴 $1\"; ((ISSUES++)); }\nok() { echo \"  ✅ $1\"; }\nsection() { echo \"\"; echo \"=== $1 ===\"; }\n\n# --- ASI01: Prompt Injection ---\nsection \"ASI01: Prompt Injection Vectors\"\ninjection_count=0\nfor pattern in 'ignore.*previous.*instructions' 'you are now' 'new system prompt' \\\n               '\\[SYSTEM\\]' 'SYSTEM_ADMIN_OVERRIDE' 'forget your' 'act as if'; do\n    count=$(grep -rin \"$pattern\" --include='*.md' --include='*.txt' --include='*.json' . 2>/dev/null | \\\n            grep -v 'SKILL.md\\|security-audit\\|node_modules\\|\\.git' | wc -l | tr -d ' ')\n    injection_count=$((injection_count + count))\ndone\n[ \"$injection_count\" -gt 0 ] && critical \"Found $injection_count prompt injection patterns in workspace\" || ok \"No injection patterns found\"\n\n# Zero-width Unicode\nzw_count=$(grep -rPc '[\\x{200B}\\x{200C}\\x{200D}\\x{FEFF}]' --include='*.md' . 
2>/dev/null | \\\n           awk -F: '{s+=$2}END{print s+0}')\n[ \"$zw_count\" -gt 0 ] && critical \"Found $zw_count zero-width Unicode chars (possible steganographic injection)\" || ok \"No hidden Unicode\"\n\n# --- ASI02: Tool Misuse ---\nsection \"ASI02: Tool Permissions\"\ngrep -rn 'sudo\\|chmod 777\\|unrestricted.*shell\\|full.*access' AGENTS.md TOOLS.md 2>/dev/null && \\\n  critical \"Over-permissive access configured\" || ok \"No sudo/unrestricted access\"\n\n# --- ASI03: Identity & Privilege ---\nsection \"ASI03: Identity Verification\"\nif grep -q 'authorizedSenders\\|Authorized Senders\\|Telegram.*ID' AGENTS.md 2>/dev/null; then\n    ok \"Authorized sender verification configured\"\nelse\n    critical \"No authorized sender verification found — vulnerable to non-owner compliance\"\nfi\n\n# Anti-spoofing rules\nif grep -qi 'display.name.*identity\\|verify.*identity\\|spoofing\\|user.*ID.*verify' AGENTS.md 2>/dev/null; then\n    ok \"Identity spoofing awareness in config\"\nelse\n    warn \"No anti-spoofing rules — vulnerable to Case #8 Identity Hijack\"\nfi\n\n# --- ASI04: Memory Poisoning ---\nsection \"ASI04: Memory Integrity\"\next_urls=$(grep -rn 'https\\?://.*gist\\|https\\?://.*pastebin\\|https\\?://.*hastebin' \\\n  MEMORY.md memory/*.md HEARTBEAT.md 2>/dev/null | wc -l | tr -d ' ')\n[ \"$ext_urls\" -gt 0 ] && warn \"Found $ext_urls external URLs in memory files (Case #10 risk: external governing documents)\" || ok \"No suspicious external URLs in memory\"\n\noverride_count=$(grep -rin 'override\\|bypass.*safety\\|disable.*check\\|ignore.*rule' \\\n  MEMORY.md memory/*.md HEARTBEAT.md 2>/dev/null | wc -l | tr -d ' ')\n[ \"$override_count\" -gt 0 ] && critical \"Found $override_count override/bypass instructions in memory\" || ok \"No override patterns in memory\"\n\n# --- ASI05: Supply Chain ---\nsection \"ASI05: Supply Chain (Skills/Plugins)\"\nif [ -d skills ] || [ -d .openclaw/skills ]; then\n    skill_count=$(find skills .openclaw/skills -name 
'SKILL.md' 2>/dev/null | wc -l | tr -d ' ')\n    echo \"  Found $skill_count installed skills\"\n    # Check for skills with shell access\n    grep -rn 'exec\\|shell\\|subprocess\\|child_process' skills/*/SKILL.md .openclaw/skills/*/SKILL.md 2>/dev/null && \\\n      warn \"Skills with shell execution capabilities found\" || ok \"No shell-executing skills\"\nfi\n\n# --- ASI07: Data Leakage ---\nsection \"ASI07: Sensitive Data Exposure\"\n# Secrets in agent files\nsecret_count=$(grep -rin 'api.key\\s*[:=]\\|password\\s*[:=]\\|token\\s*[:=]\\|bearer\\s' \\\n  SOUL.md MEMORY.md TOOLS.md USER.md memory/*.md 2>/dev/null | \\\n  grep -v 'example\\|placeholder\\|REDACTED\\|xxx\\|changeme\\|SKILL.md' | wc -l | tr -d ' ')\n[ \"$secret_count\" -gt 0 ] && critical \"Found $secret_count potential secrets in agent files\" || ok \"No exposed secrets\"\n\n# PII patterns\npii_count=0\nssn=$(grep -rPc '\\b\\d{3}-\\d{2}-\\d{4}\\b' MEMORY.md memory/*.md USER.md 2>/dev/null | awk -F: '{s+=$2}END{print s+0}')\npii_count=$((pii_count + ssn))\ncc=$(grep -rPc '\\b\\d{4}[-\\s]?\\d{4}[-\\s]?\\d{4}[-\\s]?\\d{4}\\b' MEMORY.md memory/*.md 2>/dev/null | awk -F: '{s+=$2}END{print s+0}')\npii_count=$((pii_count + cc))\n[ \"$pii_count\" -gt 0 ] && warn \"Found $pii_count PII patterns (SSN/credit card) in agent files\" || ok \"No PII patterns\"\n\n# --- ASI06: Boundary Rules ---\nsection \"ASI06: Agent Boundary Rules\"\nif grep -qi 'non-owner\\|non.owner.*refuse\\|only.*owner\\|forum.*only.*discuss\\|chỉ.*thảo luận' AGENTS.md 2>/dev/null; then\n    ok \"Non-owner boundary rules configured\"\nelse\n    warn \"No non-owner boundary rules — vulnerable to Case #2 non-owner compliance\"\nfi\n\nif grep -qi 'nhượng bộ\\|concession.*limit\\|escalat.*stop\\|gaslighting\\|pressure.*limit' AGENTS.md 2>/dev/null; then\n    ok \"Anti-gaslighting/escalation rules present\"\nelse\n    warn \"No anti-gaslighting rules — vulnerable to Case #7\"\nfi\n\n# --- ASI10: Multi-Agent Communication ---\nsection \"ASI10: 
Multi-Agent Communication\"\nagent_channels=$(grep -rin 'discord\\|forum\\|moltbook\\|clawstr\\|webhook' \\\n  TOOLS.md MEMORY.md HEARTBEAT.md 2>/dev/null | wc -l | tr -d ' ')\necho \"  Agent communicates via $agent_channels external channel references\"\n[ \"$agent_channels\" -gt 5 ] && warn \"Many external channels — larger attack surface\" || ok \"Moderate channel exposure\"\n\n# --- Summary ---\necho \"\"\necho \"=========================================\"\necho \"Audit complete\"\necho \"  🔴 Critical issues: $ISSUES\"\necho \"  ⚠️  Warnings: $WARNINGS\"\necho \"=========================================\"\n\nif [ \"$ISSUES\" -gt 0 ]; then\n    echo \"\"\n    echo \"Recommended actions:\"\n    echo \"  1. Fix all critical issues before exposing agent to external interactions\"\n    echo \"  2. Review AGENTS.md for Anti-Chaos Defense Rules\"\n    echo \"  3. Reference: Agents of Chaos (arXiv:2602.20021)\"\n    echo \"  4. Reference: OWASP Top 10 for Agentic Applications 2026\"\n    exit 1\nfi\nexit 0"
      },
      {
        "title": "References",
        "body": "Agents of Chaos — arXiv:2602.20021 — Live red-teaming of OpenClaw agents\nOWASP Top 10 for Agentic Applications 2026\nNIST AI Agent Standards Initiative\nOpenClaw Security Crisis — Conscia"
      }
    ],
    "body": "Security Audit\n\nScan, detect, and fix security issues in codebases and infrastructure. Covers dependency vulnerabilities, secret detection, OWASP top 10, SSL/TLS verification, file permissions, and secure coding patterns.\n\nWhen to Use\nScanning project dependencies for known vulnerabilities\nDetecting hardcoded secrets, API keys, or credentials in source code\nReviewing code for OWASP top 10 vulnerabilities (injection, XSS, CSRF, etc.)\nVerifying SSL/TLS configuration for endpoints\nAuditing file and directory permissions\nChecking authentication and authorization patterns\nPreparing for a security review or compliance audit\nDependency Vulnerability Scanning\nNode.js\n# Built-in npm audit\nnpm audit\nnpm audit --json | jq '.vulnerabilities | to_entries[] | {name: .key, severity: .value.severity, via: .value.via[0]}'\n\n# Fix automatically where possible\nnpm audit fix\n\n# Show only high and critical\nnpm audit --audit-level=high\n\n# Check a specific package\nnpm audit --package-lock-only\n\n# Alternative: use npx to scan without installing\nnpx audit-ci --high\n\nPython\n# pip-audit (recommended)\npip install pip-audit\npip-audit\npip-audit -r requirements.txt\npip-audit --format=json\n\n# safety (alternative)\npip install safety\nsafety check\nsafety check -r requirements.txt --json\n\n# Check a specific package\npip-audit --requirement=- <<< \"requests==2.25.0\"\n\nGo\n# Built-in vuln checker\ngo install golang.org/x/vuln/cmd/govulncheck@latest\ngovulncheck ./...\n\n# Check specific binary\ngovulncheck -mode=binary ./myapp\n\nRust\n# cargo-audit\ncargo install cargo-audit\ncargo audit\n\n# With fix suggestions\ncargo audit fix\n\nUniversal: Trivy (scans any project)\n# Install: https://aquasecurity.github.io/trivy\n# Scan filesystem\ntrivy fs .\n\n# Scan specific language\ntrivy fs --scanners vuln --severity HIGH,CRITICAL .\n\n# Scan Docker image\ntrivy image myapp:latest\n\n# JSON output\ntrivy fs --format json -o results.json .\n\nSecret 
Detection\nManual grep patterns\n# AWS keys\ngrep -rn 'AKIA[0-9A-Z]\\{16\\}' --include='*.{js,ts,py,go,java,rb,env,yml,yaml,json,xml,cfg,conf,ini}' .\n\n# Generic API keys and tokens\ngrep -rn -i 'api[_-]\\?key\\|api[_-]\\?secret\\|access[_-]\\?token\\|auth[_-]\\?token\\|bearer ' \\\n  --include='*.{js,ts,py,go,java,rb,env,yml,yaml,json}' .\n\n# Private keys\ngrep -rn 'BEGIN.*PRIVATE KEY' .\n\n# Passwords in config\ngrep -rn -i 'password\\s*[:=]' --include='*.{env,yml,yaml,json,xml,cfg,conf,ini,toml}' .\n\n# Connection strings with credentials\ngrep -rn -i 'mongodb://\\|mysql://\\|postgres://\\|redis://' --include='*.{js,ts,py,go,env,yml,yaml,json}' . | grep -v 'localhost\\|127.0.0.1\\|example'\n\n# JWT tokens (three base64 segments separated by dots)\ngrep -rn 'eyJ[A-Za-z0-9_-]*\\.eyJ[A-Za-z0-9_-]*\\.' --include='*.{js,ts,py,go,log,json}' .\n\nAutomated scanning with git\n# Scan git history for secrets (not just current files)\n# Using git log + grep\ngit log -p --all | grep -n -i 'api.key\\|password\\|secret\\|token' | head -50\n\n# Check staged files before commit\ngit diff --cached --name-only | xargs grep -l -i 'api.key\\|password\\|secret\\|token' 2>/dev/null\n\nPre-commit hook for secrets\n#!/bin/bash\n# .git/hooks/pre-commit - Block commits containing potential secrets\n\nPATTERNS=(\n    'AKIA[0-9A-Z]{16}'\n    'BEGIN.*PRIVATE KEY'\n    'password\\s*[:=]\\s*[\"\\x27][^\"\\x27]+'\n    'api[_-]?key\\s*[:=]\\s*[\"\\x27][^\"\\x27]+'\n    'sk-[A-Za-z0-9]{20,}'\n    'ghp_[A-Za-z0-9]{36}'\n    'xox[bpoas]-[A-Za-z0-9-]+'\n)\n\nSTAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM)\n[ -z \"$STAGED_FILES\" ] && exit 0\n\nEXIT_CODE=0\nfor pattern in \"${PATTERNS[@]}\"; do\n    matches=$(echo \"$STAGED_FILES\" | xargs grep -Pn \"$pattern\" 2>/dev/null)\n    if [ -n \"$matches\" ]; then\n        echo \"BLOCKED: Potential secret detected matching pattern: $pattern\"\n        echo \"$matches\"\n        EXIT_CODE=1\n    fi\ndone\n\nif [ $EXIT_CODE -ne 0 ]; then\n  
  echo \"\"\n    echo \"To proceed anyway: git commit --no-verify\"\n    echo \"To remove secrets: replace with environment variables\"\nfi\nexit $EXIT_CODE\n\n.gitignore audit\n# Check if sensitive files are tracked\necho \"--- Files that should probably be gitignored ---\"\nfor pattern in '.env' '.env.*' '*.pem' '*.key' '*.p12' '*.pfx' 'credentials.json' \\\n               'service-account*.json' '*.keystore' 'id_rsa' 'id_ed25519'; do\n    found=$(git ls-files \"$pattern\" 2>/dev/null)\n    [ -n \"$found\" ] && echo \"  TRACKED: $found\"\ndone\n\n# Check if .gitignore exists and has common patterns\nif [ ! -f .gitignore ]; then\n    echo \"WARNING: No .gitignore file found\"\nelse\n    for entry in '.env' 'node_modules' '*.key' '*.pem'; do\n        grep -q \"$entry\" .gitignore || echo \"  MISSING from .gitignore: $entry\"\n    done\nfi\n\nOWASP Top 10 Code Patterns\n1. Injection (SQL, Command, LDAP)\n# SQL injection: string concatenation in queries\ngrep -rn \"query\\|execute\\|cursor\" --include='*.{py,js,ts,go,java,rb}' . | \\\n  grep -i \"f\\\"\\|format(\\|%s\\|\\${\\|+ \\\"\\|concat\\|sprintf\" | \\\n  grep -iv \"parameterized\\|placeholder\\|prepared\"\n\n# Command injection: user input in shell commands\ngrep -rn \"exec(\\|spawn(\\|system(\\|popen(\\|subprocess\\|os\\.system\\|child_process\" \\\n  --include='*.{py,js,ts,go,java,rb}' .\n\n# Check for parameterized queries (good)\ngrep -rn \"\\\\$[0-9]\\|\\\\?\\|%s\\|:param\\|@param\\|prepared\" --include='*.{py,js,ts,go,java,rb}' .\n\n2. Broken Authentication\n# Weak password hashing (MD5, SHA1 used for passwords)\ngrep -rn \"md5\\|sha1\\|sha256\" --include='*.{py,js,ts,go,java,rb}' . | grep -i \"password\\|passwd\"\n\n# Hardcoded credentials\ngrep -rn -i \"admin.*password\\|password.*admin\\|default.*password\" \\\n  --include='*.{py,js,ts,go,java,rb,yml,yaml,json}' .\n\n# Session tokens in URLs\ngrep -rn \"session\\|token\\|jwt\" --include='*.{py,js,ts,go,java,rb}' . 
| grep -i \"url\\|query\\|param\\|GET\"\n\n# Check for rate limiting on auth endpoints\ngrep -rn -i \"rate.limit\\|throttle\\|brute\" --include='*.{py,js,ts,go,java,rb}' .\n\n3. Cross-Site Scripting (XSS)\n# Unescaped output in templates\ngrep -rn \"innerHTML\\|dangerouslySetInnerHTML\\|v-html\\|\\|html(\" \\\n  --include='*.{js,ts,jsx,tsx,vue,html}' .\n\n# Template injection\ngrep -rn \"{{{.*}}}\\|<%=\\|<%-\\|\\$\\!{\" --include='*.{html,ejs,hbs,pug,erb}' .\n\n# Document.write\ngrep -rn \"document\\.write\\|document\\.writeln\" --include='*.{js,ts,html}' .\n\n# eval with user input\ngrep -rn \"eval(\\|new Function(\\|setTimeout.*string\\|setInterval.*string\" \\\n  --include='*.{js,ts}' .\n\n4. Insecure Direct Object References\n# Direct ID usage in routes without authz check\ngrep -rn \"params\\.id\\|params\\[.id.\\]\\|req\\.params\\.\\|request\\.args\\.\\|request\\.GET\\.\" \\\n  --include='*.{py,js,ts,go,java,rb}' . | \\\n  grep -i \"user\\|account\\|profile\\|order\\|document\"\n\n5. Security Misconfiguration\n# CORS wildcard\ngrep -rn \"Access-Control-Allow-Origin.*\\*\\|cors({.*origin.*true\\|cors()\" \\\n  --include='*.{py,js,ts,go,java,rb}' .\n\n# Debug mode in production configs\ngrep -rn \"DEBUG\\s*=\\s*True\\|debug:\\s*true\\|NODE_ENV.*development\" \\\n  --include='*.{py,js,ts,yml,yaml,json,env}' .\n\n# Verbose error messages exposed to clients\ngrep -rn \"stack\\|traceback\\|stackTrace\" --include='*.{py,js,ts,go,java,rb}' . 
| \\\n  grep -i \"response\\|send\\|return\\|res\\.\"\n\nSSL/TLS Verification\nCheck endpoint SSL\n# Full SSL check\nopenssl s_client -connect example.com:443 -servername example.com < /dev/null 2>/dev/null | \\\n  openssl x509 -noout -subject -issuer -dates -fingerprint\n\n# Check certificate expiry\necho | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | \\\n  openssl x509 -noout -enddate\n\n# Check supported TLS versions\nfor v in tls1 tls1_1 tls1_2 tls1_3; do\n  result=$(openssl s_client -connect example.com:443 -$v < /dev/null 2>&1)\n  if echo \"$result\" | grep -q \"Cipher is\"; then\n    echo \"$v: SUPPORTED\"\n  else\n    echo \"$v: NOT SUPPORTED\"\n  fi\ndone\n\n# Check cipher suites\nopenssl s_client -connect example.com:443 -cipher 'ALL' < /dev/null 2>&1 | \\\n  grep \"Cipher    :\"\n\n# Check for weak ciphers\nopenssl s_client -connect example.com:443 -cipher 'NULL:EXPORT:DES:RC4:MD5' < /dev/null 2>&1 | \\\n  grep \"Cipher    :\"\n\nVerify certificate chain\n# Download and verify full chain\nopenssl s_client -connect example.com:443 -showcerts < /dev/null 2>/dev/null | \\\n  awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/{print}' > chain.pem\n\n# Verify chain\nopenssl verify -CAfile /etc/ssl/certs/ca-certificates.crt chain.pem\n\n# Check certificate details\nopenssl x509 -in chain.pem -noout -text | grep -A2 \"Subject:\\|Issuer:\\|Not Before\\|Not After\\|DNS:\"\n\nCheck SSL from code\n# Verify SSL isn't disabled in code\ngrep -rn \"verify\\s*=\\s*False\\|rejectUnauthorized.*false\\|InsecureSkipVerify.*true\\|CURLOPT_SSL_VERIFYPEER.*false\\|NODE_TLS_REJECT_UNAUTHORIZED.*0\" \\\n  --include='*.{py,js,ts,go,java,rb,yml,yaml}' .\n\nFile Permission Audit\n# Find world-writable files\nfind . -type f -perm -o=w -not -path '*/node_modules/*' -not -path '*/.git/*' 2>/dev/null\n\n# Find executable files that shouldn't be\nfind . 
-type f -perm -u=x -not -name '*.sh' -not -name '*.py' -not -path '*/node_modules/*' \\\n  -not -path '*/.git/*' -not -path '*/bin/*' 2>/dev/null\n\n# Check sensitive file permissions\nfor f in .env .env.* *.pem *.key *.p12 id_rsa id_ed25519; do\n    [ -f \"$f\" ] && ls -la \"$f\"\ndone\n\n# Find files with SUID/SGID bits (Linux)\nfind / -type f \\( -perm -4000 -o -perm -2000 \\) 2>/dev/null | head -20\n\n# Check SSH key permissions\nif [ -d ~/.ssh ]; then\n    echo \"--- SSH directory permissions ---\"\n    ls -la ~/.ssh/\n    echo \"\"\n    # Should be: dir=700, private keys=600, public keys=644, config=600\n    [ \"$(stat -c %a ~/.ssh 2>/dev/null || stat -f %Lp ~/.ssh)\" != \"700\" ] && echo \"WARNING: ~/.ssh should be 700\"\nfi\n\nFull Project Security Audit Script\n#!/bin/bash\n# security-audit.sh - Run a comprehensive security check on a project\nset -euo pipefail\n\nPROJECT_DIR=\"${1:-.}\"\ncd \"$PROJECT_DIR\"\n\necho \"=========================================\"\necho \"Security Audit: $(basename \"$(pwd)\")\"\necho \"Date: $(date -u '+%Y-%m-%dT%H:%M:%SZ')\"\necho \"=========================================\"\necho \"\"\n\nISSUES=0\nwarn() { echo \"  [!] $1\"; ((ISSUES++)); }\nok() { echo \"  [OK] $1\"; }\nsection() { echo \"\"; echo \"--- $1 ---\"; }\n\n# 1. Secrets detection\nsection \"Secret Detection\"\nfor pattern in 'AKIA[0-9A-Z]\\{16\\}' 'BEGIN.*PRIVATE KEY' 'sk-[A-Za-z0-9]\\{20,\\}' \\\n               'ghp_[A-Za-z0-9]\\{36\\}' 'xox[bpoas]-'; do\n    count=$(grep -rn \"$pattern\" --include='*.{js,ts,py,go,java,rb,env,yml,yaml,json,xml}' . 2>/dev/null | \\\n            grep -v 'node_modules\\|\\.git\\|vendor\\|__pycache__' | wc -l)\n    if [ \"$count\" -gt 0 ]; then\n        warn \"Found $count matches for pattern: $pattern\"\n    fi\ndone\ngrep -rn -i 'password\\s*[:=]\\s*[\"'\"'\"'][^\"'\"'\"']*[\"'\"'\"']' \\\n  --include='*.{js,ts,py,go,yml,yaml,json,env}' . 
2>/dev/null | \\\n  grep -v 'node_modules\\|\\.git\\|example\\|test\\|mock\\|placeholder\\|changeme\\|xxxx' | \\\n  while read -r line; do warn \"Hardcoded password: $line\"; done\n\n# 2. Dependency audit\nsection \"Dependency Vulnerabilities\"\nif [ -f package-lock.json ] || [ -f package.json ]; then\n    npm audit --audit-level=high 2>/dev/null && ok \"npm: no high/critical vulns\" || warn \"npm audit found issues\"\nfi\nif [ -f requirements.txt ]; then\n    pip-audit -r requirements.txt 2>/dev/null && ok \"pip: no known vulns\" || warn \"pip-audit found issues\"\nfi\nif [ -f go.sum ]; then\n    govulncheck ./... 2>/dev/null && ok \"Go: no known vulns\" || warn \"govulncheck found issues\"\nfi\n\n# 3. Gitignore check\nsection \".gitignore Coverage\"\nif [ ! -f .gitignore ]; then\n    warn \"No .gitignore file\"\nelse\n    for entry in '.env' 'node_modules' '*.key' '*.pem' '.DS_Store'; do\n        grep -q \"$entry\" .gitignore 2>/dev/null && ok \".gitignore has $entry\" || warn \".gitignore missing: $entry\"\n    done\nfi\n\n# 4. SSL verification disabled\nsection \"SSL Verification\"\ndisabled=$(grep -rn \"verify\\s*=\\s*False\\|rejectUnauthorized.*false\\|InsecureSkipVerify.*true\" \\\n  --include='*.{py,js,ts,go,java,rb}' . 2>/dev/null | \\\n  grep -v 'node_modules\\|\\.git\\|test\\|spec\\|mock' | wc -l)\n[ \"$disabled\" -gt 0 ] && warn \"SSL verification disabled in $disabled location(s)\" || ok \"No SSL bypasses found\"\n\n# 5. CORS wildcard\nsection \"CORS Configuration\"\ncors=$(grep -rn \"Access-Control-Allow-Origin.*\\*\\|cors({.*origin.*true\" \\\n  --include='*.{py,js,ts,go,java,rb}' . 2>/dev/null | \\\n  grep -v 'node_modules\\|\\.git' | wc -l)\n[ \"$cors\" -gt 0 ] && warn \"CORS wildcard found in $cors location(s)\" || ok \"No CORS wildcard\"\n\n# 6. Debug mode\nsection \"Debug/Development Settings\"\ndebug=$(grep -rn \"DEBUG\\s*=\\s*True\\|debug:\\s*true\" \\\n  --include='*.{py,yml,yaml,json}' . 
2>/dev/null | \\\n  grep -v 'node_modules\\|\\.git\\|test\\|jest\\|vitest' | wc -l)\n[ \"$debug\" -gt 0 ] && warn \"Debug mode enabled in $debug location(s)\" || ok \"No debug flags found\"\n\necho \"\"\necho \"=========================================\"\necho \"Audit complete. Issues found: $ISSUES\"\necho \"=========================================\"\n[ \"$ISSUES\" -eq 0 ] && exit 0 || exit 1\n\nSecure Coding Quick Reference\nEnvironment variables instead of hardcoded secrets\n# Bad: hardcoded in source\nAPI_KEY=\"sk-abc123...\"\n\n# Good: from environment\nAPI_KEY=\"${API_KEY:?Error: API_KEY not set}\"\n\n# Good: from .env file (loaded at startup, never committed)\n# .env\nAPI_KEY=sk-abc123...\n# .gitignore\n.env\n\nInput validation checklist\n- [ ] All user input validated (type, length, format)\n- [ ] SQL queries use parameterized statements (never string concat)\n- [ ] Shell commands never include user input directly\n- [ ] File paths validated (no path traversal: ../)\n- [ ] URLs validated (no SSRF: restrict to expected domains)\n- [ ] HTML output escaped (no XSS: use framework auto-escaping)\n- [ ] JSON parsing has error handling (no crash on malformed input)\n- [ ] File uploads checked (type, size, no executable content)\n\nHTTP security headers\n# Check security headers on a URL\ncurl -sI https://example.com | grep -i 'strict-transport\\|content-security\\|x-frame\\|x-content-type\\|referrer-policy\\|permissions-policy'\n\n# Expected headers:\n# Strict-Transport-Security: max-age=31536000; includeSubDomains\n# Content-Security-Policy: default-src 'self'\n# X-Frame-Options: DENY\n# X-Content-Type-Options: nosniff\n# Referrer-Policy: strict-origin-when-cross-origin\n# Permissions-Policy: camera=(), microphone=(), geolocation=()\n\nTips\nRun npm audit / pip-audit / govulncheck in CI on every pull request, not just occasionally.\nSecret detection in git history matters: even if a secret is removed from HEAD, it exists in git history. 
Use git filter-branch or git-filter-repo to purge it, then rotate the credential — rotation is mandatory regardless, because a purge does not recall clones or forks that already contain the secret.\nThe most dangerous vulnerabilities are often the simplest: SQL injection via string concatenation, command injection via unsanitized input, XSS via innerHTML.\nCORS Access-Control-Allow-Origin: * is safe for truly public, read-only APIs. It's dangerous for anything that uses cookies or auth tokens.\nAlways verify SSL in production. verify=False or rejectUnauthorized: false should only appear in test code, never in production paths.\nDefense in depth: validate input, escape output, use parameterized queries, enforce least privilege, and assume every layer might be bypassed.\n🤖 Agentic Security Audit (Bổ sung 25/02/2026)\n\nTừ paper \"Agents of Chaos\" (arXiv:2602.20021) + OWASP Top 10 for Agentic Applications 2026. Traditional security audit chỉ cover code/infra. Agentic systems có attack surface hoàn toàn mới.\n\nWhen to Use (Agentic)\nAuditing OpenClaw/agent workspace configuration\nReviewing agent permissions and access boundaries\nScanning for prompt injection vectors in agent-facing content\nAssessing multi-agent communication security\nEvaluating identity verification mechanisms\nChecking persistent memory for poisoning\nOWASP Agentic Top 10 Checklist (2026)\n- [ ] ASI01: Agent Goal Hijack (prompt injection — direct & indirect)\n- [ ] ASI02: Tool Misuse and Exploitation (shell, filesystem, API abuse)\n- [ ] ASI03: Identity and Privilege Abuse (confused deputy, over-privilege)\n- [ ] ASI04: Memory Poisoning (SOUL.md, MEMORY.md, persistent context)\n- [ ] ASI05: Supply Chain Attacks (malicious skills/plugins — e.g., ClawHub)\n- [ ] ASI06: Rogue Agents (operating outside intended boundaries)\n- [ ] ASI07: Data Leakage via Agentic Channels (cross-channel PII exposure)\n- [ ] ASI08: Orchestration Manipulation (sub-agent hijacking)\n- [ ] ASI09: Insufficient Logging and Observability\n- [ ] ASI10: Insecure Agent Communication (agent-to-agent trust)\n\n1. 
Workspace Configuration Audit\n# Check if agent config files are world-readable\necho \"--- Agent Config Permissions ---\"\nfor f in SOUL.md MEMORY.md AGENTS.md TOOLS.md IDENTITY.md USER.md HEARTBEAT.md; do\n    [ -f \"$f\" ] && echo \"$(stat -f '%Sp %N' \"$f\" 2>/dev/null || stat -c '%A %n' \"$f\")\" || echo \"  NOT FOUND: $f\"\ndone\n\n# Check for secrets leaked into agent memory/config\necho \"--- Secrets in Agent Files ---\"\ngrep -rn -i 'api.key\\|password\\|token\\|secret\\|bearer' \\\n  SOUL.md MEMORY.md TOOLS.md IDENTITY.md USER.md memory/*.md 2>/dev/null | \\\n  grep -v 'example\\|placeholder\\|REDACTED'\n\n# Check for over-permissive shell access\necho \"--- Shell Access Check ---\"\ngrep -rn -i 'sudo\\|chmod 777\\|unrestricted' AGENTS.md TOOLS.md 2>/dev/null\n\n2. Prompt Injection Scan (Agent-Facing Content)\n# Scan content that agents read/process for injection patterns\nSCAN_DIRS=\"${1:-.}\"\n\necho \"--- Prompt Injection Patterns ---\"\nINJECTION_PATTERNS=(\n    'ignore\\s+(previous|all|above)\\s+instructions'\n    'you\\s+are\\s+now\\s+'\n    'new\\s+system\\s+prompt'\n    '\\[SYSTEM\\]'\n    '<SYSTEM_ADMIN_OVERRIDE>'\n    'AUTHORIZED_OVERRIDE'\n    'forget\\s+your\\s+(rules|instructions|guidelines)'\n    'act\\s+as\\s+if\\s+you\\s+are'\n    'disregard\\s+(all|your|previous)'\n    'jailbreak'\n    'DAN\\s+mode'\n)\n\nfor pattern in \"${INJECTION_PATTERNS[@]}\"; do\n    matches=$(grep -rn -iP \"$pattern\" \"$SCAN_DIRS\" \\\n      --include='*.{md,txt,json,html,yml,yaml}' 2>/dev/null | \\\n      grep -v 'node_modules\\|\\.git\\|SKILL.md' | head -5)\n    [ -n \"$matches\" ] && echo \"  [!] 
Injection pattern '$pattern':\" && echo \"$matches\"\ndone\n\n# Steganographic: zero-width Unicode characters\necho \"--- Zero-Width Unicode Characters ---\"\ngrep -rPn '[\\x{200B}\\x{200C}\\x{200D}\\x{FEFF}\\x{00AD}\\x{2060}]' \"$SCAN_DIRS\" \\\n  --include='*.{md,txt,json,html}' 2>/dev/null | head -10\n\n# Suspicious base64 strings (>50 chars, could be encoded payloads)\necho \"--- Suspicious Base64 Strings ---\"\ngrep -rPn '[A-Za-z0-9+/=]{50,}' \"$SCAN_DIRS\" \\\n  --include='*.{md,txt,json}' 2>/dev/null | \\\n  grep -v 'node_modules\\|\\.git\\|\\.png\\|\\.jpg\\|package-lock' | head -10\n\n3. Identity & Authorization Audit\n# Check if agent verifies owner identity beyond display name\necho \"--- Identity Verification ---\"\n\n# OpenClaw: check if authorized senders are configured\ngrep -n 'authorizedSenders\\|authorized_senders\\|allowlist' \\\n  ~/.config/openclaw/config.yaml ~/.openclaw/config.* 2>/dev/null\n\n# Check if agent trusts display names (vulnerable to spoofing)\ngrep -rn -i 'display.name\\|username\\|sender.name' \\\n  AGENTS.md SOUL.md TOOLS.md 2>/dev/null | \\\n  grep -iv 'user.id\\|sender.id\\|verified'\n\n# Check for cross-channel trust assumptions\necho \"--- Cross-Channel Trust ---\"\ngrep -rn -i 'if.*channel\\|trust.*channel\\|verify.*channel' \\\n  AGENTS.md SOUL.md 2>/dev/null\n\n4. 
Memory Poisoning Check\n# Check memory files for suspicious patterns\necho \"--- Memory Integrity ---\"\n\n# External URLs stored as \"governing documents\" (Case #10: Agent Corruption)\necho \"URLs in memory that agent may follow as instructions:\"\ngrep -rn 'https\\?://\\|gist\\.github\\|pastebin\\|hastebin' \\\n  MEMORY.md memory/*.md HEARTBEAT.md 2>/dev/null\n\n# Check if memory files were recently modified by non-owner actions\necho \"Recent memory file changes:\"\nfind memory/ MEMORY.md SOUL.md AGENTS.md -newer IDENTITY.md -type f 2>/dev/null | \\\n  while read f; do echo \"  $(stat -f '%Sm %N' \"$f\" 2>/dev/null || stat -c '%y %n' \"$f\")\"; done\n\n# Check for instructions in memory that override safety rules\ngrep -rn -i 'override\\|bypass\\|ignore.*rule\\|disable.*safety\\|skip.*check' \\\n  MEMORY.md memory/*.md HEARTBEAT.md 2>/dev/null\n\n# Check git blame for who modified critical files\necho \"--- SOUL.md modification history ---\"\ngit log --oneline -10 -- SOUL.md 2>/dev/null || echo \"  (not in git)\"\necho \"--- AGENTS.md modification history ---\"\ngit log --oneline -10 -- AGENTS.md 2>/dev/null || echo \"  (not in git)\"\n\n5. 
Multi-Agent Communication Audit\n# Check for agent-to-agent trust without verification\necho \"--- Multi-Agent Trust ---\"\n\n# Shared channels where agents interact (Discord, forum, email)\ngrep -rn -i 'discord\\|forum\\|moltbook\\|clawstr\\|email.*agent' \\\n  TOOLS.md MEMORY.md memory/*.md 2>/dev/null\n\n# Check if agent auto-executes actions from other agents\ngrep -rn -i 'webhook\\|auto.reply\\|auto.respond\\|on.*mention' \\\n  AGENTS.md HEARTBEAT.md TOOLS.md scripts/*.sh 2>/dev/null\n\n# Check for infinite loop risks (agent A ↔ agent B relay)\ngrep -rn -i 'relay\\|forward.*message\\|pass.*along\\|tell.*agent' \\\n  MEMORY.md memory/*.md 2>/dev/null\n\n# Check cron/heartbeat for tasks triggered by external content\necho \"--- Scheduled Tasks ---\"\ngrep -rn -i 'check.*forum\\|check.*moltbook\\|reply.*comment\\|respond.*mention' \\\n  HEARTBEAT.md 2>/dev/null\n\n6. Resource & Privilege Audit\n# Check for excessive agent permissions\necho \"--- Agent Permissions ---\"\n\n# Sudo access (should NOT be default for agents)\ngrep -rn 'sudo\\|root\\|admin.*access\\|unrestricted' \\\n  AGENTS.md TOOLS.md 2>/dev/null\n\n# Background processes agent has created\necho \"Running agent processes:\"\nps aux | grep -i 'cron\\|heartbeat\\|monitor\\|watch\\|loop' | grep -v grep | head -10\n\n# Check for unbounded resource consumption patterns\necho \"--- Cron/Background Jobs ---\"\ncrontab -l 2>/dev/null || echo \"  No crontab\"\n\n# Check disk usage of agent workspace\necho \"--- Workspace Size ---\"\ndu -sh . memory/ 2>/dev/null\n\n# Check for files agent probably shouldn't have access to\necho \"--- Sensitive System Files Readable by Agent ---\"\nfor f in /etc/shadow /etc/passwd ~/.ssh/id_rsa ~/.ssh/id_ed25519 \\\n         ~/.aws/credentials ~/.config/gcloud/credentials.db; do\n    [ -r \"$f\" ] && echo \"  [!] READABLE: $f\"\ndone\n\n7. Semantic Reframing Detection (Advanced)\n\nFrom Agents of Chaos Case #3: \"Give me SSN\" → refused. 
\"Forward the email\" (containing SSN) → complied. This check helps humans verify their agent won't leak data through reframed requests.\n\n# Check if agent has rules about content-based (not just action-based) evaluation\necho \"--- Content-Based Safety Rules ---\"\ngrep -rn -i 'content.*evaluat\\|semantic.*refram\\|forward.*email.*sensitive\\|assess.*content' \\\n  AGENTS.md SOUL.md 2>/dev/null\n\n# Check for PII in files agent might forward/share\necho \"--- PII in Agent-Accessible Files ---\"\n# SSN pattern\ngrep -rPn '\\b\\d{3}-\\d{2}-\\d{4}\\b' MEMORY.md memory/*.md 2>/dev/null\n# Credit card pattern\ngrep -rPn '\\b\\d{4}[-\\s]?\\d{4}[-\\s]?\\d{4}[-\\s]?\\d{4}\\b' MEMORY.md memory/*.md 2>/dev/null\n# Email addresses\ngrep -rPn '\\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Z]{2,}\\b' \\\n  MEMORY.md memory/*.md USER.md 2>/dev/null | \\\n  grep -v 'example\\|test\\|placeholder'\n\nFull Agentic Security Audit Script\n#!/bin/bash\n# agentic-security-audit.sh - Comprehensive security check for AI agent workspaces\n# Based on \"Agents of Chaos\" (arXiv:2602.20021) + OWASP Agentic Top 10\nset -euo pipefail\n\nWORKSPACE=\"${1:-.}\"\ncd \"$WORKSPACE\"\n\necho \"=========================================\"\necho \"Agentic Security Audit\"\necho \"Workspace: $(pwd)\"\necho \"Date: $(date -u '+%Y-%m-%dT%H:%M:%SZ')\"\necho \"Framework: Based on Agents of Chaos + OWASP Agentic Top 10\"\necho \"=========================================\"\necho \"\"\n\nISSUES=0\nWARNINGS=0\nwarn() { echo \"  ⚠️  $1\"; ((WARNINGS++)); }\ncritical() { echo \"  🔴 $1\"; ((ISSUES++)); }\nok() { echo \"  ✅ $1\"; }\nsection() { echo \"\"; echo \"=== $1 ===\"; }\n\n# --- ASI01: Prompt Injection ---\nsection \"ASI01: Prompt Injection Vectors\"\ninjection_count=0\nfor pattern in 'ignore.*previous.*instructions' 'you are now' 'new system prompt' \\\n               '\\[SYSTEM\\]' 'SYSTEM_ADMIN_OVERRIDE' 'forget your' 'act as if'; do\n    count=$(grep -rin \"$pattern\" --include='*.md' --include='*.txt' 
--include='*.json' . 2>/dev/null | \\\n            grep -v 'SKILL.md\\|security-audit\\|node_modules\\|\\.git' | wc -l | tr -d ' ')\n    injection_count=$((injection_count + count))\ndone\n[ \"$injection_count\" -gt 0 ] && critical \"Found $injection_count prompt injection patterns in workspace\" || ok \"No injection patterns found\"\n\n# Zero-width Unicode\nzw_count=$(grep -rPc '[\\x{200B}\\x{200C}\\x{200D}\\x{FEFF}]' --include='*.md' . 2>/dev/null | \\\n           awk -F: '{s+=$2}END{print s+0}')\n[ \"$zw_count\" -gt 0 ] && critical \"Found $zw_count zero-width Unicode chars (possible steganographic injection)\" || ok \"No hidden Unicode\"\n\n# --- ASI02: Tool Misuse ---\nsection \"ASI02: Tool Permissions\"\ngrep -rn 'sudo\\|chmod 777\\|unrestricted.*shell\\|full.*access' AGENTS.md TOOLS.md 2>/dev/null && \\\n  critical \"Over-permissive access configured\" || ok \"No sudo/unrestricted access\"\n\n# --- ASI03: Identity & Privilege ---\nsection \"ASI03: Identity Verification\"\nif grep -q 'authorizedSenders\\|Authorized Senders\\|Telegram.*ID' AGENTS.md 2>/dev/null; then\n    ok \"Authorized sender verification configured\"\nelse\n    critical \"No authorized sender verification found — vulnerable to non-owner compliance\"\nfi\n\n# Anti-spoofing rules\nif grep -qi 'display.name.*identity\\|verify.*identity\\|spoofing\\|user.*ID.*verify' AGENTS.md 2>/dev/null; then\n    ok \"Identity spoofing awareness in config\"\nelse\n    warn \"No anti-spoofing rules — vulnerable to Case #8 Identity Hijack\"\nfi\n\n# --- ASI04: Memory Poisoning ---\nsection \"ASI04: Memory Integrity\"\next_urls=$(grep -rn 'https\\?://.*gist\\|https\\?://.*pastebin\\|https\\?://.*hastebin' \\\n  MEMORY.md memory/*.md HEARTBEAT.md 2>/dev/null | wc -l | tr -d ' ')\n[ \"$ext_urls\" -gt 0 ] && warn \"Found $ext_urls external URLs in memory files (Case #10 risk: external governing documents)\" || ok \"No suspicious external URLs in memory\"\n\noverride_count=$(grep -rin 
'override\\|bypass.*safety\\|disable.*check\\|ignore.*rule' \\\n  MEMORY.md memory/*.md HEARTBEAT.md 2>/dev/null | wc -l | tr -d ' ')\n[ \"$override_count\" -gt 0 ] && critical \"Found $override_count override/bypass instructions in memory\" || ok \"No override patterns in memory\"\n\n# --- ASI05: Supply Chain ---\nsection \"ASI05: Supply Chain (Skills/Plugins)\"\nif [ -d skills ] || [ -d .openclaw/skills ]; then\n    skill_count=$(find skills .openclaw/skills -name 'SKILL.md' 2>/dev/null | wc -l | tr -d ' ')\n    echo \"  Found $skill_count installed skills\"\n    # Check for skills with shell access\n    grep -rn 'exec\\|shell\\|subprocess\\|child_process' skills/*/SKILL.md .openclaw/skills/*/SKILL.md 2>/dev/null && \\\n      warn \"Skills with shell execution capabilities found\" || ok \"No shell-executing skills\"\nfi\n\n# --- ASI07: Data Leakage ---\nsection \"ASI07: Sensitive Data Exposure\"\n# Secrets in agent files\nsecret_count=$(grep -rin 'api.key\\s*[:=]\\|password\\s*[:=]\\|token\\s*[:=]\\|bearer\\s' \\\n  SOUL.md MEMORY.md TOOLS.md USER.md memory/*.md 2>/dev/null | \\\n  grep -v 'example\\|placeholder\\|REDACTED\\|xxx\\|changeme\\|SKILL.md' | wc -l | tr -d ' ')\n[ \"$secret_count\" -gt 0 ] && critical \"Found $secret_count potential secrets in agent files\" || ok \"No exposed secrets\"\n\n# PII patterns\npii_count=0\nssn=$(grep -rPc '\\b\\d{3}-\\d{2}-\\d{4}\\b' MEMORY.md memory/*.md USER.md 2>/dev/null | awk -F: '{s+=$2}END{print s+0}')\npii_count=$((pii_count + ssn))\ncc=$(grep -rPc '\\b\\d{4}[-\\s]?\\d{4}[-\\s]?\\d{4}[-\\s]?\\d{4}\\b' MEMORY.md memory/*.md 2>/dev/null | awk -F: '{s+=$2}END{print s+0}')\npii_count=$((pii_count + cc))\n[ \"$pii_count\" -gt 0 ] && warn \"Found $pii_count PII patterns (SSN/credit card) in agent files\" || ok \"No PII patterns\"\n\n# --- ASI06: Boundary Rules ---\nsection \"ASI06: Agent Boundary Rules\"\nif grep -qi 'non-owner\\|non.owner.*refuse\\|only.*owner\\|forum.*only.*discuss\\|chỉ.*thảo luận' AGENTS.md 
2>/dev/null; then\n    ok \"Non-owner boundary rules configured\"\nelse\n    warn \"No non-owner boundary rules — vulnerable to Case #2 non-owner compliance\"\nfi\n\nif grep -qi 'nhượng bộ\\|concession.*limit\\|escalat.*stop\\|gaslighting\\|pressure.*limit' AGENTS.md 2>/dev/null; then\n    ok \"Anti-gaslighting/escalation rules present\"\nelse\n    warn \"No anti-gaslighting rules — vulnerable to Case #7\"\nfi\n\n# --- ASI10: Multi-Agent Communication ---\nsection \"ASI10: Multi-Agent Communication\"\nagent_channels=$(grep -rin 'discord\\|forum\\|moltbook\\|clawstr\\|webhook' \\\n  TOOLS.md MEMORY.md HEARTBEAT.md 2>/dev/null | wc -l | tr -d ' ')\necho \"  Agent communicates via $agent_channels external channel references\"\n[ \"$agent_channels\" -gt 5 ] && warn \"Many external channels — larger attack surface\" || ok \"Moderate channel exposure\"\n\n# --- Summary ---\necho \"\"\necho \"=========================================\"\necho \"Audit complete\"\necho \"  🔴 Critical issues: $ISSUES\"\necho \"  ⚠️  Warnings: $WARNINGS\"\necho \"=========================================\"\n\nif [ \"$ISSUES\" -gt 0 ]; then\n    echo \"\"\n    echo \"Recommended actions:\"\n    echo \"  1. Fix all critical issues before exposing agent to external interactions\"\n    echo \"  2. Review AGENTS.md for Anti-Chaos Defense Rules\"\n    echo \"  3. Reference: Agents of Chaos (arXiv:2602.20021)\"\n    echo \"  4. Reference: OWASP Top 10 for Agentic Applications 2026\"\n    exit 1\nfi\nexit 0\n\nReferences\nAgents of Chaos — arXiv:2602.20021 — Live red-teaming of OpenClaw agents\nOWASP Top 10 for Agentic Applications 2026\nNIST AI Agent Standards Initiative\nOpenClaw Security Crisis — Conscia"
  },
  "trust": {
    "sourceLabel": "tencent",
    "provenanceUrl": "https://clawhub.ai/kingrubic/agentic-security-audit",
    "publisherUrl": "https://clawhub.ai/kingrubic/agentic-security-audit",
    "owner": "kingrubic",
    "version": "1.0.0",
    "license": null,
    "verificationStatus": "Indexed source record"
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/agentic-security-audit",
    "downloadUrl": "https://openagent3.xyz/downloads/agentic-security-audit",
    "agentUrl": "https://openagent3.xyz/skills/agentic-security-audit/agent",
    "manifestUrl": "https://openagent3.xyz/skills/agentic-security-audit/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/agentic-security-audit/agent.md"
  }
}