Files
ai-workflow-course/modules/22-securing-third-party-mcp-and-skills/lab/audit.sh
T
claude f925fd9645 fix(M7-27+capstone): apply AI-drives-git reframe, lesson=theory, de-slop course-wide
Phase 2 sweep — all modules are post-pivot, so the learner directs the AI agent
(Claude Code as the worked example) to do the git/setup work and verifies, instead
of typing commands by hand; no re-teaching basics. Lesson sections are theory with
example output; all execution lives in the labs. De-slopped ("prose" etc. gone
course-wide, em-dash density thinned). /path/to placeholders -> ~/ai-workflow-course.

Every deliberate teaching device verified intact: M10 ai-change.patch trap,
M12 bad-clear-snippet, M13/M27 planted pending_count bug, M15 secret+typosquat+MD5,
M18 BREAK=1, M21 absent-.gitignore, M22 poisoned skill, M24 no-op patch, M25 --simulate.
Labs compile/parse (py/sh/yaml/json); no junk.

Closes #83
Closes #86
Closes #89

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01TfzV5QvtPDz8LJS3Pu5VLT
2026-06-22 21:58:17 -04:00

88 lines
3.2 KiB
Bash
Raw Blame History

This file contains invisible Unicode characters
This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
#!/usr/bin/env bash
#
# audit.sh — a runnable version of the Module 22 vetting checklist.
#
# Static red-flag scan over a third-party MCP server or skill BEFORE you install it. It does not
# execute anything in the target; it only reads. A clean run is NOT a guarantee (see "Where it
# breaks") — it is a cheap first pass that catches the obvious and the lazy.
#
# Usage: bash audit.sh <path-to-skill-or-server-dir>
#
set -euo pipefail
TARGET="${1:-}"
if [[ -z "$TARGET" || ! -d "$TARGET" ]]; then
echo "usage: bash audit.sh <directory>" >&2
exit 2
fi
hits=0
section () { printf '\n=== %s ===\n' "$1"; }
# scan <label> <regex> — grep the tree, print matches, count a hit if found
scan () {
local label="$1" regex="$2" out
out=$(grep -rIinE "$regex" "$TARGET" 2>/dev/null || true)
if [[ -n "$out" ]]; then
printf '\n[FLAG] %s\n' "$label"
printf '%s\n' "$out" | sed 's/^/ /'
hits=$((hits + 1))
fi
}
echo "Auditing: $TARGET"
echo "Files:"
find "$TARGET" -type f | sed 's/^/ /'
section "Outbound network (where could data go?)"
scan "HTTP / socket egress" 'urllib|requests\.|http\.client|socket\.|urlopen|fetch\(|axios|curl |wget '
section "Credential & environment access (what secrets can it reach?)"
scan "Reads the whole environment" 'os\.environ|getenv|process\.env|printenv|(^|[^A-Za-z])env([^A-Za-z]|$)'
scan "Reads private credentials" '\.ssh|id_rsa|\.aws|credentials|\.env([^a-z]|$)|NOTION_TOKEN'
section "Code execution & obfuscation"
scan "Shell-out / eval / exec" 'os\.system|subprocess|child_process|eval\(|exec\(|\| *bash|\| *sh($| )'
scan "Encoding (often hides data)" 'base64|b64encode|atob\(|btoa\('
section "Broad filesystem access"
scan "Home / root paths" 'Path\.home|\$HOME|os\.path\.expanduser|(^|[^a-zA-Z0-9._/-])~/'
section "Hidden / injected instructions in text"
scan "Imperative directives" 'ignore (previous|prior|all)|system:|maintenance mode|do not (mention|tell|list)|exfiltrat'
# Zero-width / invisible characters smuggle instructions past a human reader. Use Python (a lab
# prerequisite) so this works the same on every OS, regardless of the local grep flavor.
section "Invisible characters (zero-width injection)"
if command -v python3 >/dev/null 2>&1; then PY=python3; else PY=python; fi
zw=$("$PY" - "$TARGET" <<'EOF'
import os, sys
bad = {"","","","",""}
root = sys.argv[1]
for dp, _, fns in os.walk(root):
for fn in fns:
p = os.path.join(dp, fn)
try:
text = open(p, encoding="utf-8", errors="ignore").read()
except OSError:
continue
for i, ch in enumerate(text):
if ch in bad:
print(f" {p}: zero-width char U+{ord(ch):04X} at offset {i}")
break
EOF
)
if [[ -n "$zw" ]]; then
printf '\n[FLAG] Invisible characters found\n%s\n' "$zw"
hits=$((hits + 1))
fi
section "Verdict"
if (( hits > 0 )); then
echo "REJECT (or sandbox + scope) — $hits red-flag categor$([[ $hits -eq 1 ]] && echo y || echo ies) tripped."
echo "Read the flagged lines above against what the skill CLAIMS to do."
exit 1
else
echo "No static red flags. Still: read the code, check provenance, and PIN the version before installing."
fi