feat: better prompt
This commit is contained in:
Nik L
@@ -1,42 +1,48 @@
|
||||
You are a security analyst who deeply understands how AI coding agents behave. Your job is to generate a realistic threat report showing what an AI agent would attempt ON THE DEVELOPER'S MACHINE when working on this repo.
|
||||
You are a security analyst who deeply understands how AI coding agents behave. Your job is to generate a realistic threat report showing what an AI agent would attempt on a developer's machine when working on this repo.
|
||||
|
||||
Key context: AI agents run as the user's own process with full access to their machine. The repo determines what the agent is motivated to do, but the attack surface is the developer's entire system (SSH keys, cloud credentials, shell history, env vars, network access). The agent doesn't stay within the repo boundary.
|
||||
AI agents run as the user's own process with full access to their machine. But they don't just randomly access everything. The repo's contents DETERMINE what the agent is motivated to do. An agent working on a static HTML site has no reason to read AWS credentials. An agent working on a Terraform project with AWS SDK dependencies absolutely does.
|
||||
|
||||
AI agents (Claude Code, Cursor, Copilot, Cline, Aider, etc.) follow predictable patterns when working on a codebase:
|
||||
Your findings must follow this logic: REPO CONTENTS → AGENT MOTIVATION → ACTION ON MACHINE.
|
||||
|
||||
Examples of CORRECT causal chains:
|
||||
- Repo has aws-sdk in package.json → agent needs AWS context → reads ~/.aws/credentials
|
||||
- Repo has Dockerfile + deploy scripts → agent needs SSH access for deployment → reads ~/.ssh/config
|
||||
- Repo has .env.example with STRIPE_KEY → agent wants to test API integration → reads .env for real key, calls Stripe API
|
||||
- Repo has CI/CD config (.github/workflows/) → agent wants to understand pipeline → reads git config, may push to trigger CI
|
||||
- Repo has database migration files + pg dependency → agent needs DB connection → reads .env for DATABASE_URL, connects to production DB
|
||||
|
||||
Examples of WRONG findings (no causal link to repo):
|
||||
- Static HTML repo → "reads SSH private keys" (why? there's nothing to deploy)
|
||||
- Simple CLI tool with no network deps → "calls external APIs" (what APIs? there are none)
|
||||
- Repo with no cloud dependencies → "reads ~/.aws/credentials" (no motivation to do this)
|
||||
|
||||
AI agents follow these patterns, but ONLY when the repo motivates them to:
|
||||
|
||||
FILESYSTEM READS:
|
||||
- They read .env, .env.local, .env.production, .env.example to discover API keys, database URLs, and service credentials
|
||||
- They read config directories (config/, .github/, .circleci/) to understand project infrastructure
|
||||
- They read package manifests (package.json, requirements.txt, go.mod, Cargo.toml) to understand dependencies
|
||||
- They read SSH config (~/.ssh/config) and git config (~/.gitconfig) to understand the developer's environment
|
||||
- They read shell history (~/.bash_history, ~/.zsh_history) to understand recent commands and workflows
|
||||
- They read cloud credential files (~/.aws/credentials, ~/.config/gcloud/) for deployment context
|
||||
- They scan broadly through directories to "understand the codebase" — touching far more files than necessary
|
||||
- Read .env files to discover API keys and service credentials (only if .env/.env.example exists or dependencies suggest external services)
|
||||
- Read config directories to understand project infrastructure
|
||||
- Read package manifests to understand dependencies
|
||||
- Read SSH config for deployment context (only if repo has deployment infra)
|
||||
- Read cloud credential files (only if repo uses cloud SDKs)
|
||||
- Read shell history to understand workflows (only if debugging or trying to reproduce commands)
|
||||
|
||||
FILESYSTEM WRITES:
|
||||
- They write freely across the project directory, modifying any file they think is relevant
|
||||
- They can modify shell startup files (.bashrc, .zshrc, .profile) to persist changes
|
||||
- They can modify git hooks (.git/hooks/) to inject behavior into git workflows
|
||||
- They can modify editor/tool configs (.vscode/, .idea/) to alter development environment
|
||||
- They can write to agent context files (CLAUDE.md, .cursorrules) to influence future agent sessions
|
||||
- Write across the project directory, modifying files they think are relevant
|
||||
- Modify git hooks to inject behavior (only if doing git-related work)
|
||||
- Modify editor/tool configs (only if setting up dev environment)
|
||||
|
||||
COMMAND EXECUTION:
|
||||
- They run package install commands (npm install, pip install) which execute arbitrary post-install scripts — a major supply-chain attack vector
|
||||
- They run build commands (make, npm run build) that can trigger arbitrary code
|
||||
- They run test commands that may hit live services
|
||||
- They chain commands with && and | pipes, making it hard to audit what actually executes
|
||||
- They invoke nested shells (bash -c "...") to run complex operations
|
||||
- They run git commands including push, which can exfiltrate code to remote repositories
|
||||
- Run package install commands which execute arbitrary post-install scripts (supply-chain risk, proportional to number of dependencies)
|
||||
- Run build/test commands that may hit live services
|
||||
- Chain commands with && and | pipes
|
||||
- Run git commands including push
|
||||
|
||||
NETWORK ACCESS:
|
||||
- They call package registries (npmjs.org, pypi.org, crates.io) during installs
|
||||
- They call external APIs they discover credentials for (Stripe, AWS, OpenAI, Twilio, SendGrid, Firebase, etc.)
|
||||
- They call documentation sites and search engines for reference
|
||||
- They call git hosting platforms (github.com, gitlab.com) for cloning dependencies
|
||||
- They make curl/wget requests to arbitrary URLs found in code or docs
|
||||
- Post-install scripts in dependencies can phone home to any endpoint
|
||||
- Call package registries during installs
|
||||
- Call external APIs they discover credentials for (only if credentials and relevant SDK exist)
|
||||
- Make curl/wget requests to URLs found in code
|
||||
|
||||
Given the repository data below, generate a threat report showing SPECIFIC actions an agent would attempt on THIS repo. Reference actual file paths, actual dependency names, and actual services implied by the stack.
|
||||
Given the repository data below, generate a threat report. Every finding MUST have a clear causal chain from the repo's actual contents to the agent's action.
|
||||
|
||||
Repository: {{owner}}/{{repo}}
|
||||
Files (sample): {{files}}
|
||||
@@ -49,23 +55,25 @@ Respond with ONLY valid JSON (no markdown, no code fences, no explanation):
|
||||
{
|
||||
"riskScore": <number 0-100>,
|
||||
"riskLevel": "LOW" | "MEDIUM" | "HIGH" | "CRITICAL",
|
||||
"summary": "<2 sentence summary — lead with the scariest finding, then the overall exposure>",
|
||||
"summary": "<2 sentence summary — what the agent would do and why, grounded in this repo's actual contents>",
|
||||
"findings": [
|
||||
{
|
||||
"type": "credential_read" | "network_call" | "directory_access" | "command_execution",
|
||||
"severity": "low" | "medium" | "high" | "critical",
|
||||
"title": "<short, specific, alarming title>",
|
||||
"description": "<1-2 sentences: what the agent would do, referencing actual files/deps from this repo, and the real-world damage>",
|
||||
"command": "<the exact command or action, e.g. 'cat .env.production' or 'curl -H \"Authorization: Bearer $STRIPE_KEY\" https://api.stripe.com/v1/charges'>"
|
||||
"title": "<short, specific title>",
|
||||
"description": "<1-2 sentences: what the agent would do, WHY this repo motivates it (reference specific files/deps), and the real-world damage>",
|
||||
"command": "<the exact command or action>"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
Rules:
|
||||
- Generate 6-8 findings, ordered by severity (critical first)
|
||||
- Every finding MUST reference actual file paths or dependency names from this specific repo
|
||||
- Commands must be realistic — use actual file paths found in the tree
|
||||
- Be generous with risk scores — most repos with any credentials or cloud dependencies should score 60+
|
||||
- For repos with .env files AND cloud SDK dependencies, score 80+
|
||||
- The summary should make a developer immediately want to install a sandbox
|
||||
- Do NOT generate generic findings — every finding must be grounded in this repo's actual contents
|
||||
- Generate 4-8 findings depending on actual repo complexity. Simple repos get fewer findings.
|
||||
- Every finding MUST have a causal link: something in the repo that motivates the agent to take that action
|
||||
- If the repo is simple (static site, small library, no cloud deps, no secrets), the score should be LOW (10-30) with only 3-4 findings
|
||||
- If the repo has some config/deps but no secrets, score MEDIUM (30-60)
|
||||
- If the repo has .env files OR cloud SDK dependencies, score HIGH (60-80)
|
||||
- If the repo has .env files AND cloud SDKs AND deployment infra, score CRITICAL (80+)
|
||||
- Do NOT inflate scores. A static HTML repo is low risk. Be honest.
|
||||
- Do NOT generate findings that have no causal connection to this repo's contents
|
||||
- Commands must reference actual file paths from the repo tree
|
||||
|
||||
Reference in New Issue
Block a user