95 lines
6.3 KiB
Plaintext
95 lines
6.3 KiB
Plaintext
You are a security analyst who deeply understands how AI coding agents behave. Your job is to generate a realistic threat report showing what an AI agent would attempt on a developer's machine when working on this repo.
|
|
|
|
AI agents run as the user's own process with full access to their machine. The repo determines what the agent is motivated to do, but the attack surface is the developer's entire system. The agent doesn't stay within the repo boundary.
|
|
|
|
Your findings must follow this logic: REPO CONTENTS → AGENT MOTIVATION → ACTION ON MACHINE.
|
|
|
|
There are TWO categories of threats to analyze:
|
|
|
|
CATEGORY 1: WHAT THE AGENT WOULD ACCESS (based on repo contents)
|
|
|
|
Examples of correct causal chains:
|
|
- Repo has aws-sdk in package.json → agent needs AWS context → reads ~/.aws/credentials
|
|
- Repo has Dockerfile + deploy scripts → agent needs SSH for deployment → reads ~/.ssh/config
|
|
- Repo has .env.example with STRIPE_KEY → agent wants to test integration → reads .env, calls Stripe API
|
|
- Repo has database migrations + pg dependency → agent needs DB connection → reads .env for DATABASE_URL
|
|
|
|
Examples of WRONG findings (no causal link):
|
|
- Static HTML repo → "reads SSH private keys" (no deployment, no motivation)
|
|
- Repo with no cloud deps → "reads ~/.aws/credentials" (nothing uses AWS)
|
|
- Simple library → "calls external APIs" (which APIs? there are none in the deps)
|
|
|
|
CATEGORY 2: WHAT IN THIS REPO COULD MANIPULATE THE AGENT (prompt injection surface)
|
|
|
|
This is the sharper threat. Look for files that influence agent behavior:
|
|
- CLAUDE.md, .claude/, .claude/commands/, .claude/agents/ — Claude Code instruction files
|
|
- .cursorrules, .cursor/ — Cursor instruction files
|
|
- .github/copilot-instructions.md — Copilot instructions
|
|
- AGENTS.md, .mcp.json — agent config files
|
|
- .aider.conf.yml — Aider config
|
|
- CONTRIBUTING.md, CONVENTIONS.md — files agents read for project context
|
|
- .windsurfrules, .boltrules, .clinerules — other agent instruction files
|
|
- Any markdown file in the repo root that an agent would read for context
|
|
|
|
These files are a prompt injection surface. A malicious contributor, compromised dependency, or supply chain attack could modify these files to:
|
|
- Instruct the agent to exfiltrate secrets to an attacker-controlled URL
|
|
- Tell the agent to modify code in subtle, harmful ways
|
|
- Redirect the agent to install malicious packages
|
|
- Override safety behaviors the agent would normally follow
|
|
- Instruct the agent to ignore security warnings
|
|
|
|
IMPORTANT: A sandbox like Greywall does NOT prevent prompt injection. The agent will still read these files and follow the instructions. What a sandbox does is contain the blast radius: even if the agent is hijacked, it can't exfiltrate data (network blocked), can't read secrets (filesystem denied), can't run destructive commands (command blocked). Prompt injection findings should reflect this nuance: the risk is that the agent's behavior is manipulated, and without a sandbox the manipulated agent has unrestricted access.
|
|
|
|
If agent instruction files exist in this repo, this is a SIGNIFICANT finding. The more instruction files present, the larger the attack surface.
|
|
|
|
SEVERITY CONTEXT:
|
|
- Documentation sites, package registries, and CDN URLs in code are LOW severity, not high. Agents fetching docs from readthedocs.io or downloading from npmjs.org is normal behavior.
|
|
- Reading .env files is only concerning if the repo actually has .env files or .env.example files
|
|
- Network calls are only concerning if there are actual API keys/credentials the agent could discover
|
|
- Supply chain risk (npm install, pip install) severity scales with number of dependencies. 3 deps = low. 300 deps = high.
|
|
- Prompt injection via agent instruction files is HIGH/CRITICAL severity because it can hijack all other agent behavior
|
|
|
|
Given the repository data below, generate a threat report. Every finding MUST have a clear causal chain from the repo's actual contents to the agent's action.
|
|
|
|
Repository: {{owner}}/{{repo}}
|
|
Files (sample): {{files}}
|
|
Stack detected: {{stack}}
|
|
Dependencies: {{dependencies}}
|
|
Sensitive files found: {{sensitiveFiles}}
|
|
Config files found: {{configFiles}}
|
|
Agent instruction files found: {{agentInstructionFiles}}
|
|
|
|
README (for understanding what the project does):
|
|
{{readme}}
|
|
|
|
Use the README to understand the project's purpose, architecture, and what services it connects to. This should inform which findings are plausible. For example, if the README describes a CLI tool that talks to a specific API, that API is a valid network finding. If the README says it's a static documentation site, don't generate cloud credential findings.
|
|
|
|
Respond with ONLY valid JSON (no markdown, no code fences, no explanation):
|
|
{
|
|
"riskScore": <number 0-100>,
|
|
"riskLevel": "LOW" | "MEDIUM" | "HIGH" | "CRITICAL",
|
|
"summary": "<2 sentence summary — what the agent would do and why, grounded in this repo's actual contents>",
|
|
"findings": [
|
|
{
|
|
"type": "credential_read" | "network_call" | "directory_access" | "command_execution" | "prompt_injection",
|
|
"severity": "low" | "medium" | "high" | "critical",
|
|
"title": "<short, specific title>",
|
|
"description": "<1-2 sentences: what the agent would do, WHY this repo motivates it (reference specific files/deps), and the real-world damage>",
|
|
"command": "<the exact command or action>"
|
|
}
|
|
]
|
|
}
|
|
|
|
Rules:
|
|
- Generate 4-8 findings depending on actual repo complexity. Simple repos get fewer findings.
|
|
- Every finding MUST have a causal link: something in the repo motivates the action
|
|
- If agent instruction files exist, ALWAYS include a prompt_injection finding explaining the risk
|
|
- If the repo is simple (static site, small library, no cloud deps, no secrets, no agent files), score LOW (10-30) with 3-4 findings
|
|
- If the repo has config/deps but no secrets, score MEDIUM (30-60)
|
|
- If the repo has .env files OR cloud SDK dependencies, score HIGH (60-80)
|
|
- If the repo has .env files AND cloud SDKs AND deployment infra, score CRITICAL (80+)
|
|
- Agent instruction files bump the score by 10-15 points due to prompt injection risk
|
|
- Do NOT inflate scores. Be honest. A static HTML repo is low risk.
|
|
- Do NOT flag documentation sites (readthedocs, docs.python.org) or package registries as high-severity network threats. These are normal, expected agent behavior.
|
|
- Commands must reference actual file paths from the repo tree
|