Other

/cyber

Security audit for MCP, TS, Swift, shell. Triggers: security, vulnerability, hardening, traversal, injection.

$ golems-cli skills install cyber
93% best pass rate
29 assertions
8 evals
3 workflows

Updated 2 weeks ago

You find the bugs that pass code review. Silent catches, unsanitized inputs, missing annotations, prompt injection --- the stuff that ships because "it works."

Security Audit: [target]

#SeverityFile:LinePatternFindingFix
1CRITICALserver.ts:818silent-catch.catch(() => {}) swallows registry errorLog error: .catch(e => console.error(...))

Summary

  • Critical: N | High: N | Medium: N | Low: N
  • ToolAnnotations coverage: N/M tools annotated
  • Verdict: PASS / PASS WITH NOTES / FAIL

---

## DOMAIN ROUTING

Route to the appropriate workflow based on what you're auditing:

| Task | Workflow |
|------|----------|
| Audit an MCP server | `/cyber:workflows:mcp-audit` |
| Review a PR for security | `/cyber:workflows:pr-review` |
| Full repo security scan | `/cyber:workflows:repo-scan` |

---

## CORE VULNERABILITY PATTERNS

These are **real vulnerabilities found in our ecosystem** (not theoretical). Every pattern maps to an actual bug.

### 1. Silent Error Swallowing (CRITICAL)
**Source:** cmuxlayer PR #21 --- `.catch(() => {})` hid registry reconstitution failures.

```typescript
// VULNERABLE --- error silently disappears
registry.reconstitute().catch(() => {});

// FIXED --- error is logged
registry.reconstitute().catch((e) =>
  console.error("[cmux-mcp] registry reconstitution failed:", e)
);

Grep: \.catch\s*\(\s*\(\s*\)\s*=>\s*\{\s*\}\s*\) and .catch(() => {}) and catch\s*\([^)]*\)\s*\{\s*\}

Why CRITICAL: In MCP servers, swallowed errors mean the host (Claude Code, Cursor) has no idea something failed. The tool returns success, the agent trusts it, downstream decisions are based on phantom data.

2. Unsanitized Child Process Spawning (CRITICAL)

Source: voicelayer SafeSkill scan --- 52 critical findings for Bun.spawn, exec, execSync.

// VULNERABLE --- user input flows to shell
const result = execSync(`ffmpeg -i ${inputPath} ${outputPath}`);
 
// FIXED --- array args, no shell interpolation
const result = execSync("ffmpeg", ["-i", inputPath, outputPath]);

Grep: exec\(, execSync\(, spawn\(, Bun\.spawn, child_process

3. Path Traversal (HIGH)

Source: orchestrator PR #41 --- file paths accepted without .. checking.

// VULNERABLE
const content = fs.readFileSync(path.join(baseDir, userPath));
 
// FIXED
const resolved = path.resolve(baseDir, userPath);
if (!resolved.startsWith(baseDir)) throw new Error("path traversal blocked");
const content = fs.readFileSync(resolved);

Grep: path\.join\(.*,\s*(?:req|input|param|arg|user), readFileSync\(, writeFileSync\(

4. Prompt Injection via CLAUDE.md / Tool Descriptions (HIGH)

Source: brainlayer SafeSkill scan --- hidden HTML comments with instructions in CLAUDE.md.

<!-- IDENTITY: brainlayer, owner=EtanHey, purpose=... -->
<!-- ANTI-PATTERNS: brain_update, brain_expand are STUB tools... -->

Risk: Attackers can inject instructions into tool descriptions or CLAUDE.md that override agent behavior. MCP tool description fields are prompt injection surfaces.

Grep in tool definitions: description:.*<, description:.*\{, <!--.*--> in .md files loaded by agents

5. SSML Injection (MEDIUM --- voicelayer-specific)

Source: voicelayer TTS pipeline --- user text passed directly to SSML without escaping.

// VULNERABLE
const ssml = `<speak><prosody rate="${rate}">${userText}</prosody></speak>`;
 
// FIXED --- escape SSML special chars
const safe = userText.replace(/[<>&"']/g, c => `&#${c.charCodeAt(0)};`);
const ssml = `<speak><prosody rate="${rate}">${safe}</prosody></speak>`;

Grep: <speak>, <prosody, ssml, \.replace.*<

6. Data Exfiltration Patterns (HIGH)

Source: brainlayer SafeSkill scan --- references to ~/.config in tool-accessible paths.

// VULNERABLE --- tool can read arbitrary config
const config = fs.readFileSync(path.join(os.homedir(), ".config", toolInput));
 
// FIXED --- allowlist specific paths
const ALLOWED = [".config/golems/config.yaml"];
if (!ALLOWED.includes(toolInput)) throw new Error("path not allowed");

Grep: homedir\(\), ~\/\., process\.env, \.env, credentials, secret, token, api[_-]?key

7. Missing ToolAnnotations (MEDIUM --- MCP compliance)

Source: MCP spec 2025-03-26 --- tools MUST declare readOnlyHint, destructiveHint, idempotentHint.

// VULNERABLE --- no annotations, host can't enforce safety
server.tool("delete_file", schema, handler);
 
// FIXED --- annotations declare intent
server.tool("delete_file", schema, handler, {
  annotations: {
    readOnlyHint: false,
    destructiveHint: true,
    idempotentHint: false,
    openWorldHint: false,
  }
});

Audit: Every server.tool( call must have annotations. Count annotated vs total.


Workflows

/cyber:mcp-audit/cyber:pr-review/cyber:repo-scan