agent-shield 0.8.0

Security scanner for AI agent extensions — offline-first, multi-framework, SARIF output
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76

use serde::{Deserialize, Serialize};

use super::SourceLocation;

/// Data flow surfaces — what data enters and exits the extension.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct DataSurface {
    /// Taint sources (where untrusted data enters).
    pub sources: Vec<TaintSource>,
    /// Taint sinks (where data exits or has impact).
    pub sinks: Vec<TaintSink>,
    /// Detected taint paths (source -> sink connections).
    pub taint_paths: Vec<TaintPath>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct TaintSource {
    pub source_type: TaintSourceType,
    pub description: String,
    pub location: SourceLocation,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum TaintSourceType {
    /// User/LLM-provided tool input.
    ToolArgument,
    /// Prompt text (prompt injection vector).
    PromptContent,
    /// Environment variable read.
    EnvVariable,
    /// Credential/secret access.
    SecretStore,
    /// Data from HTTP response.
    HttpResponse,
    /// Data read from files.
    FileContent,
    /// Data from DB queries.
    DatabaseQuery,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct TaintSink {
    pub sink_type: TaintSinkType,
    pub description: String,
    pub location: SourceLocation,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum TaintSinkType {
    /// subprocess, os.system, exec
    ProcessExec,
    /// eval(), exec(), compile()
    DynamicEval,
    /// Outbound HTTP (exfiltration).
    HttpRequest,
    /// Write to filesystem.
    FileWrite,
    /// print, logging (info leak).
    LogOutput,
    /// SQL injection potential.
    DatabaseWrite,
    /// Data returned to the LLM.
    ResponseToLlm,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct TaintPath {
    pub source: TaintSource,
    pub sink: TaintSink,
    /// Intermediate nodes in the taint propagation.
    pub through: Vec<SourceLocation>,
    /// Confidence that this path is exploitable (0.0-1.0).
    pub confidence: f32,
}