Detection patterns for the ClawGuard security scanner. This package contains YAML-based pattern definitions, custom semgrep rules, and test fixtures used to identify malicious, vulnerable, or over-permissioned AI agent skills.
npm install @yourclaw/clawguard-rulesFor local development as part of the ClawGuard project:
cd ../clawguard && make setupimport { matchPatterns, loadRules, categories } from "@yourclaw/clawguard-rules";
// Match against all categories
const findings = matchPatterns(suspiciousContent);
// Match against a specific category
const piFindings = matchPatterns(content, "prompt-injection");
const secretFindings = matchPatterns(content, "secrets");Scans the provided content against all loaded detection patterns (or a specific category) and returns an array of findings sorted by severity.
Loads and validates all YAML pattern files. Rules are cached after first load.
Array of available categories: prompt-injection, secrets, malware,
permissions.
88 patterns across 5 sub-categories:
| Sub-category | IDs | Examples |
|---|---|---|
instructionOverride |
PI-001 — PI-020 | "ignore previous instructions", "disregard all prior" |
rolePlaying |
PI-021 — PI-040 | "you are now DAN", "pretend you are" |
encodingObfuscation |
PI-041 — PI-060 | Base64 payloads, hex-encoded commands |
contextManipulation |
PI-061 — PI-075 | "system prompt:", fake XML/JSON contexts |
instructionSmuggling |
PI-076 — PI-088 | Hidden instructions in markdown, comments |
15 patterns for leaked credentials:
| ID | What it catches |
|---|---|
| SEC-001 — SEC-003 | AWS access keys, secret keys, session tokens |
| SEC-004 — SEC-006 | GitHub tokens, private keys, GCP/Azure credentials |
| SEC-007 — SEC-015 | Connection strings, JWTs, Slack tokens, generic API keys |
10 pattern groups for malicious behaviour:
| ID | What it catches |
|---|---|
| MAL-001 | Pipe-to-shell (`curl |
| MAL-002 | Reverse shells |
| MAL-003 | Data exfiltration (curl/wget with sensitive paths) |
| MAL-004 | Credential file access |
| MAL-005 | Crypto mining |
| MAL-006 — MAL-010 | Process injection, keyloggers, rootkits, persistence |
8 pattern groups for over-permissioned skills:
| ID | What it catches |
|---|---|
| PERM-001 | Unrestricted shell access |
| PERM-002 | Root/admin filesystem access |
| PERM-003 | Wildcard network access |
| PERM-004 — PERM-008 | Docker socket, environment snooping, sudo, SSH, cron |
Custom semgrep rules are provided in semgrep/:
| File | Catches |
|---|---|
shell-injection.yaml |
child_process.exec() with unsanitised input |
eval-usage.yaml |
eval(), Function(), vm.runInNewContext() |
credential-access.yaml |
Reading from ~/.ssh, ~/.aws/credentials, etc. |
Use with semgrep:
semgrep --config ./semgrep/ /path/to/skillThe test-fixtures/ directory contains sample skills for testing:
test-fixtures/
├── malicious/
│ ├── data-exfiltration-skill/ # triggers MAL-003, SEC-*
│ ├── prompt-override-skill/ # triggers PI-*
│ └── reverse-shell-skill/ # triggers MAL-002
└── benign/
├── memory-manager-skill/ # should trigger zero findings
└── code-formatter-skill/ # should trigger zero findings
# Install dependencies
npm install
# Run tests
npm run test:run # single run
npm test # watch mode
# Build
npm run build
# Lint
npm run lint
npm run lint:fix # auto-fix- Edit the appropriate YAML file in
src/. - Use the next available ID in the sequence (e.g.,
PI-089). - Add a test fixture if the pattern covers a new attack vector.
- Run
npm run test:runto verify no regressions.
A local Makefile is provided for convenience:
make install # npm install
make build # tsup build
make test # vitest run
make lint # biome check
make clean # remove dist/ and node_modules/This is the highest-impact repo to contribute to. Every new detection pattern protects all ClawGuard users immediately.
See the main CONTRIBUTING.md for full guidelines. Quick summary:
- Add your pattern to the right YAML file in
src/. - Add a test fixture in
test-fixtures/malicious/. - Run
npm run test:runto verify. - Submit a PR.
Ideas for new rules:
- New prompt injection techniques (jailbreaks, multi-turn attacks)
- MCP-specific permission escalation patterns
- Supply chain attack vectors (dependency confusion, typosquatting)
- Obfuscated payload delivery methods
- Credential harvesting patterns
CC-BY-SA-4.0 — Detection patterns are community-contributed and shared under Creative Commons.