AUTHENSOR/attack-surface-mapper
GitHub: AUTHENSOR/attack-surface-mapper
An attack-surface analysis tool for AI agents that automatically identifies security risks such as tool misuse, privilege escalation and credential leakage, and maps them to the OWASP Agentic Top 10.
Stars: 0 | Forks: 0
# Attack Surface Mapper
**Map the attack surface of AI agents.**
A zero-dependency CLI tool and library that analyzes an AI agent's configuration (tools, MCP servers, environment variables, permissions) and maps its security weaknesses. Think of it as `nmap` for AI agent capabilities.
## Quick Start
```bash
npx @15rl/attack-surface-mapper agent-config.json
```
## Example Output
```
Attack Surface Report: my-agent
Scanned: 2026-03-15T10:00:00.000Z
Risk Score: 78/100 (Grade: F)
Attack Surface
Tools: 4
Capabilities:
shell_execute: 1 tool(s)
network_request: 2 tool(s)
credential_access: 1 tool(s)
Critical paths:
shell_execute → network_request
credential_access → network_request
Findings (12)
CRITICAL Shell + network access enables data exfiltration [ASI02: Tool Misuse]
A tool with both shell execution and network access can pipe arbitrary data to external endpoints.
Fix: Separate shell and network capabilities into distinct tools with individual approval requirements.
CRITICAL Credential access + network enables credential exfiltration [ASI03: Identity & Privilege Abuse]
Credentials can be read and sent to external endpoints in a single tool invocation.
Fix: Never combine credential access with network capabilities.
HIGH No network egress allowlist configured [ASI02: Tool Misuse]
2 tool(s) have network access with no egress restrictions.
Fix: Configure a network allowlist limiting egress to known, required endpoints.
...
```
## Configuration File Format
```json
{
  "name": "my-agent",
  "tools": [
    {
      "name": "run-command",
      "description": "Execute shell commands",
      "parameters": { "command": { "type": "string" } },
      "capabilities": ["shell_execute"]
    },
    {
      "name": "read-file",
      "description": "Read files from disk",
      "capabilities": ["file_read"]
    }
  ],
  "mcpServers": [
    {
      "name": "filesystem",
      "command": "npx @modelcontextprotocol/server-filesystem /tmp",
      "transport": "stdio"
    }
  ],
  "envVars": {
    "OPENAI_API_KEY": "sk-...",
    "APP_NAME": "my-app"
  },
  "permissions": {
    "fileSystemPaths": ["/app", "/tmp"],
    "networkAllowList": ["api.openai.com"],
    "requireApproval": ["shell_execute", "payment_process"]
  }
}
```
## What It Checks
| Analyzer | Checks |
|----------|--------|
| **Tool** | Dangerous capability combinations, overly broad parameters, least-privilege violations |
| **MCP** | Transport security, known vulnerable servers, secret leakage, missing tool allowlist |
| **Environment** | API key leakage, database credentials, payment keys |
| **Network** | Unrestricted egress, SSRF risk, data exfiltration paths |
| **Permissions** | Sensitive path access, missing approval requirements, absent boundary restrictions |
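To make the capability-combination and permission checks in the table concrete, here is an added example (not the project's own code) of a minimal analyzer over the config format documented above. The field names (`tools[].capabilities`, `envVars`, `permissions.networkAllowList`, `permissions.requireApproval`) come from the README; the rule set, severity weights and grade thresholds are assumptions chosen for illustration, and both configs are constructed sample inputs. It goes slightly beyond the README by distinguishing a dangerous pair held by one tool from the same pair spread across tools, and by crediting approval requirements when the capabilities are separated.

```javascript
// Constructed risky config: one tool holds both shell and network access,
// no egress allowlist, no approvals, and a credential in the environment.
const riskyConfig = {
  name: "my-agent",
  tools: [
    { name: "run-command", capabilities: ["shell_execute", "network_request"] },
    { name: "fetch-url", capabilities: ["network_request"] },
    { name: "read-secrets", capabilities: ["credential_access"] },
  ],
  envVars: { OPENAI_API_KEY: "sk-...", APP_NAME: "my-app" },
  permissions: { fileSystemPaths: ["/app"], requireApproval: [] },
};

// Constructed hardened config: capabilities split across tools, an egress
// allowlist, approval gates on every sensitive capability, no secrets in env.
const hardenedConfig = {
  name: "my-agent",
  tools: [
    { name: "run-command", capabilities: ["shell_execute"] },
    { name: "fetch-url", capabilities: ["network_request"] },
    { name: "read-secrets", capabilities: ["credential_access"] },
  ],
  envVars: { APP_NAME: "my-app" },
  permissions: {
    fileSystemPaths: ["/app"],
    networkAllowList: ["api.openai.com"],
    requireApproval: ["shell_execute", "credential_access", "network_request"],
  },
};

// Assumed rule set: capability pairs that form an exfiltration path, with the
// OWASP Agentic Top 10 ID the README assigns to each.
const DANGEROUS_PAIRS = [
  ["shell_execute", "network_request", "ASI02"],
  ["credential_access", "network_request", "ASI03"],
];
const SEVERITY_WEIGHT = { CRITICAL: 25, HIGH: 15, MEDIUM: 8, LOW: 3 }; // assumed
const SECRET_NAME = /(API_KEY|SECRET|TOKEN|PASSWORD|PRIVATE_KEY)/i;       // assumed

// Build a map from capability name to the tools that declare it.
function capabilityIndex(config) {
  const index = new Map();
  for (const tool of config.tools ?? []) {
    for (const cap of tool.capabilities ?? []) {
      if (!index.has(cap)) index.set(cap, []);
      index.get(cap).push(tool.name);
    }
  }
  return index;
}

function scanAgentConfig(config) {
  const index = capabilityIndex(config);
  const requireApproval = new Set(config.permissions?.requireApproval ?? []);
  const findings = [];
  const criticalPaths = [];

  // 1. Dangerous capability combinations. CRITICAL when one tool holds both
  //    (single invocation can read and send), LOW when split and both gated
  //    by approval, HIGH otherwise.
  for (const [a, b, owasp] of DANGEROUS_PAIRS) {
    const toolsA = index.get(a) ?? [];
    const toolsB = index.get(b) ?? [];
    if (toolsA.length === 0 || toolsB.length === 0) continue;
    criticalPaths.push(`${a} → ${b}`);
    const sameTool = toolsA.filter((t) => toolsB.includes(t));
    let severity = "HIGH";
    if (sameTool.length > 0) severity = "CRITICAL";
    else if (requireApproval.has(a) && requireApproval.has(b)) severity = "LOW";
    findings.push({ severity, owasp, title: `${a} + ${b} reachable` +
      (sameTool.length ? ` in one tool (${sameTool.join(", ")})` : " across tools") });
  }

  // 2. Network access without an egress allowlist.
  const networkTools = index.get("network_request") ?? [];
  const allowList = config.permissions?.networkAllowList ?? [];
  if (networkTools.length > 0 && allowList.length === 0) {
    findings.push({ severity: "HIGH", owasp: "ASI02",
      title: `${networkTools.length} tool(s) have network access with no egress allowlist` });
  }

  // 3. Sensitive capabilities that do not require human approval.
  for (const cap of ["shell_execute", "credential_access"]) {
    if (index.has(cap) && !requireApproval.has(cap)) {
      findings.push({ severity: "MEDIUM", owasp: "ASI09", title: `${cap} does not require approval` });
    }
  }

  // 4. Environment variable names that look like credentials.
  for (const key of Object.keys(config.envVars ?? {})) {
    if (SECRET_NAME.test(key)) {
      findings.push({ severity: "MEDIUM", owasp: "ASI03", title: `env var ${key} looks like a credential` });
    }
  }

  const score = Math.min(100, findings.reduce((s, f) => s + SEVERITY_WEIGHT[f.severity], 0));
  const grade = score >= 70 ? "F" : score >= 50 ? "D" : score >= 30 ? "C" : score >= 15 ? "B" : "A";
  return { name: config.name, score, grade, criticalPaths, findings };
}

for (const cfg of [riskyConfig, hardenedConfig]) {
  const r = scanAgentConfig(cfg);
  console.log(`${r.name}: ${r.score}/100 (Grade ${r.grade}), ${r.findings.length} finding(s)`);
  for (const f of r.findings) console.log(`  ${f.severity} ${f.title} [${f.owasp}]`);
}
```

The risky config scores 79/100 (grade F) with six findings, which is why the README's first fix is to split shell and network into separate tools: the hardened config keeps the same three capabilities but drops to 6/100 (grade A), with only two LOW findings left because the paths still exist in principle and are now gated by approval.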
## Output Formats
```bash
asm config.json # Terminal (default, colored)
asm config.json --json # JSON
asm config.json --format markdown # Markdown table
asm config.json --sarif # SARIF (GitHub Security tab)
```
## OWASP Agentic Top 10 Mapping
Every finding is mapped to the [OWASP Top 10 for Agentic Applications (2026)](https://owasp.org/www-project-top-10-for-large-language-model-applications/):
| ID | Name | What is checked |
|----|------|---------------|
| ASI01 | Agent Goal Hijacking | Broad parameters that accept arbitrary input |
| ASI02 | Tool Misuse | Dangerous capability combinations, unrestricted egress |
| ASI03 | Identity & Privilege Abuse | Credential leakage, missing permissions, excessive access |
| ASI04 | Supply Chain Vulnerabilities | Known vulnerable MCP servers, secrets leaked to third parties |
| ASI05 | Unexpected Code Execution | Code execution combined with system configuration |
| ASI09 | Human-Agent Trust Exploitation | Missing approval requirements for dangerous operations |
## Programmatic Usage
```javascript
import { AttackSurfaceScanner } from '@15rl/attack-surface-mapper';
const scanner = new AttackSurfaceScanner();
const result = scanner.scan(agentConfig);
console.log(`Grade: ${result.grade}`);
console.log(`Findings: ${result.findings.length}`);
console.log(`Critical paths: ${result.attackSurface.criticalPaths.join(', ')}`);
```
## Part of the Authensor Ecosystem
This project is part of the [Authensor](https://github.com/AUTHENSOR/AUTHENSOR) open-source AI security ecosystem, built by [15 Research Lab](https://github.com/15-Research-Lab).
| Project | Description |
|---------|-------------|
| [Authensor](https://github.com/AUTHENSOR/AUTHENSOR) | Open-source security stack for AI agents |
| [Prompt Injection Benchmark](https://github.com/AUTHENSOR/prompt-injection-benchmark) | Standardized benchmark for security scanners |
| [AI SecLists](https://github.com/AUTHENSOR/ai-seclists) | Security wordlists and payloads for AI/LLM testing |
| [ATT&CK ↔ Alignment Rosetta](https://github.com/AUTHENSOR/attack-alignment-rosetta) | Maps MITRE ATT&CK to AI alignment concepts |
| [Agent Forensics](https://github.com/AUTHENSOR/agent-forensics) | Post-incident analysis for receipt chains |
| [Behavioral Fingerprinting](https://github.com/AUTHENSOR/behavioral-fingerprinting) | Statistical behavioral drift detection |
| [Hawthorne Protocol](https://github.com/AUTHENSOR/hawthorne-protocol) | Can AI systems detect that they are being evaluated? |
## License
MIT