Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
389 changes: 196 additions & 193 deletions POLICY_INDEX.md

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion autogen/POLICY_INDEX.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ Risk score = `severity_weight Γ— confidence Γ— 100` (engine formula; weights: lo
| -- | ------- | ------- | ----- | --------------------------------------------------- | ------------------------------------------------------------------------ | -------- | ---------- | ---- | --------------------------------------------------------------------------------------------------------- |
| 1 | AG2-001 | AutoGen | agent | autogen_conversable_agent, autogen_user_proxy_agent | AutoGen executor runs code on the host without Docker | high | 0.90 | 63.0 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/autogen/agent_safety.yaml) |
| 2 | AG2-002 | AutoGen | agent | autogen_conversable_agent, autogen_user_proxy_agent | AutoGen executor runs code with no human review (human_input_mode=NEVER) | high | 0.85 | 59.5 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/autogen/agent_safety.yaml) |
| 3 | AG2-004 | AutoGen | agent | autogen_group_chat_manager | AutoGen GroupChatManager has no explicit max_round bound | low | 0.60 | 9.0 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/autogen/agent_safety.yaml) |
| 3 | AG2-004 | AutoGen | agent | autogen_group_chat_manager | AutoGen group chat has no explicit max_round bound | low | 0.60 | 9.0 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/autogen/agent_safety.yaml) |
| 4 | AG2-005 | AutoGen | agent | autogen_assistant_agent | AutoGen AssistantAgent enables code execution on the LLM agent | medium | 0.70 | 28.0 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/autogen/agent_safety.yaml) |
| 5 | AG2-006 | AutoGen | agent | autogen_conversable_agent, autogen_user_proxy_agent | AutoGen executor with code execution has no explicit auto-reply cap | medium | 0.70 | 28.0 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/autogen/agent_safety.yaml) |
| 6 | AG2-007 | AutoGen | tool | autogen_tool | AutoGen tool has no description | low | 0.90 | 13.5 | [tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/autogen/tool_definition.yaml) |
Expand Down
23 changes: 12 additions & 11 deletions claude_sdk/POLICY_INDEX.md
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
<!-- Generated by tools/gen_index.py. Do not edit by hand. -->
# Claude Agent SDK policy index

34 rules β€” 17 tool Β· 12 agent Β· 2 subagent Β· 3 repo
35 rules β€” 17 tool Β· 12 agent Β· 3 subagent Β· 3 repo

Risk score = `severity_weight Γ— confidence Γ— 100` (engine formula; weights: low=0.15, medium=0.40, high=0.70). Higher = worse.

Expand Down Expand Up @@ -31,13 +31,14 @@ Risk score = `severity_weight Γ— confidence Γ— 100` (engine formula; weights: lo
| 22 | CSDK-108 | Claude SDK | tool | claude_sdk_tool | Tool body spawns a subprocess | high | 0.70 | 49.0 | [shell_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/shell_safety.yaml) |
| 23 | CSDK-110 | Claude SDK | subagent | claude_subagent | Subagent granted the built-in Bash tool | high | 0.90 | 63.0 | [subagent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/subagent_safety.yaml) |
| 24 | CSDK-111 | Claude SDK | subagent | claude_subagent | Subagent granted filesystem-write or web-fetch built-ins | high | 0.85 | 59.5 | [subagent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/subagent_safety.yaml) |
| 25 | CSDK-120 | Claude SDK | agent | claude_agent_definition | TypeScript AgentDefinition sets permissionMode to bypassPermissions | high | 0.90 | 63.0 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/agent_safety.yaml) |
| 26 | CSDK-121 | Claude SDK | agent | claude_agent_definition | TypeScript AgentDefinition is granted the Bash tool | high | 0.80 | 56.0 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/agent_safety.yaml) |
| 27 | CSDK-122 | Claude SDK | agent | claude_agent_definition | TypeScript AgentDefinition is granted the WebSearch tool | medium | 0.80 | 32.0 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/agent_safety.yaml) |
| 28 | CSDK-123 | Claude SDK | agent | claude_agent_definition | TypeScript AgentDefinition is granted filesystem-write built-ins | high | 0.80 | 56.0 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/agent_safety.yaml) |
| 29 | CSDK-124 | Claude SDK | agent | claude_agent_definition | TypeScript AgentDefinition is granted the WebFetch tool | high | 0.75 | 52.5 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/agent_safety.yaml) |
| 30 | CSDK-130 | Claude SDK | agent | claude_query_main | TypeScript query() main agent is granted the Bash tool | high | 0.80 | 56.0 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/agent_safety.yaml) |
| 31 | CSDK-131 | Claude SDK | agent | claude_query_main | TypeScript query() main agent is granted filesystem-write or web-fetch built-ins | high | 0.75 | 52.5 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/agent_safety.yaml) |
| 32 | CSDK-201 | Claude SDK | repo | claude_sdk | Project default permission mode bypasses approvals | high | 0.90 | 63.0 | [repo.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/repo.yaml) |
| 33 | CSDK-202 | Claude SDK | repo | claude_sdk | Session permission mode bypasses approvals | high | 0.90 | 63.0 | [repo.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/repo.yaml) |
| 34 | CSDK-203 | Claude SDK | repo | claude_sdk | Repo ships Claude Agent SDK code without an agent-guidance doc (AGENTS.md/CLAUDE.md) | low | 0.90 | 13.5 | [repo_hygiene.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/repo_hygiene.yaml) |
| 25 | CSDK-112 | Claude SDK | subagent | claude_subagent | Subagent granted the WebSearch tool | medium | 0.80 | 32.0 | [subagent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/subagent_safety.yaml) |
| 26 | CSDK-120 | Claude SDK | agent | claude_agent_definition | TypeScript AgentDefinition sets permissionMode to bypassPermissions | high | 0.90 | 63.0 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/agent_safety.yaml) |
| 27 | CSDK-121 | Claude SDK | agent | claude_agent_definition | TypeScript AgentDefinition is granted the Bash tool | high | 0.80 | 56.0 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/agent_safety.yaml) |
| 28 | CSDK-122 | Claude SDK | agent | claude_agent_definition | TypeScript AgentDefinition is granted the WebSearch tool | medium | 0.80 | 32.0 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/agent_safety.yaml) |
| 29 | CSDK-123 | Claude SDK | agent | claude_agent_definition | TypeScript AgentDefinition is granted filesystem-write built-ins | high | 0.80 | 56.0 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/agent_safety.yaml) |
| 30 | CSDK-124 | Claude SDK | agent | claude_agent_definition | TypeScript AgentDefinition is granted the WebFetch tool | high | 0.75 | 52.5 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/agent_safety.yaml) |
| 31 | CSDK-130 | Claude SDK | agent | claude_query_main | TypeScript query() main agent is granted the Bash tool | high | 0.80 | 56.0 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/agent_safety.yaml) |
| 32 | CSDK-131 | Claude SDK | agent | claude_query_main | TypeScript query() main agent is granted filesystem-write or web-fetch built-ins | high | 0.75 | 52.5 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/agent_safety.yaml) |
| 33 | CSDK-201 | Claude SDK | repo | claude_sdk | Project default permission mode bypasses approvals | high | 0.90 | 63.0 | [repo.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/repo.yaml) |
| 34 | CSDK-202 | Claude SDK | repo | claude_sdk | Session permission mode bypasses approvals | high | 0.90 | 63.0 | [repo.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/repo.yaml) |
| 35 | CSDK-203 | Claude SDK | repo | claude_sdk | Repo ships Claude Agent SDK code without an agent-guidance doc (AGENTS.md/CLAUDE.md) | low | 0.90 | 13.5 | [repo_hygiene.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/repo_hygiene.yaml) |
5 changes: 3 additions & 2 deletions crewai/POLICY_INDEX.md
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
<!-- Generated by tools/gen_index.py. Do not edit by hand. -->
# CrewAI policy index

14 rules β€” 7 tool Β· 6 agent Β· 1 repo
15 rules β€” 7 tool Β· 7 agent Β· 1 repo

Risk score = `severity_weight Γ— confidence Γ— 100` (engine formula; weights: low=0.15, medium=0.40, high=0.70). Higher = worse.

Expand All @@ -20,4 +20,5 @@ Risk score = `severity_weight Γ— confidence Γ— 100` (engine formula; weights: lo
| 11 | CREW-106 | CrewAI | agent | crewai_agent | CrewAI agent grants an unconstrained FileReadTool | high | 0.70 | 49.0 | [dangerous_tools.yaml](https://github.com/trustabl/trustabl-rules/blob/main/crewai/dangerous_tools.yaml) |
| 12 | CREW-107 | CrewAI | agent | crewai_agent | CrewAI agent wires a tool that fetches model-chosen URLs | medium | 0.70 | 28.0 | [dangerous_tools.yaml](https://github.com/trustabl/trustabl-rules/blob/main/crewai/dangerous_tools.yaml) |
| 13 | CREW-108 | CrewAI | tool | crewai_tool | CrewAI tool returns its output as the final answer | medium | 0.60 | 24.0 | [tool_behavior.yaml](https://github.com/trustabl/trustabl-rules/blob/main/crewai/tool_behavior.yaml) |
| 14 | CREW-201 | CrewAI | repo | crewai | CrewAI project ships no agent-guidance doc (AGENTS.md/CLAUDE.md) | low | 0.90 | 13.5 | [repo_hygiene.yaml](https://github.com/trustabl/trustabl-rules/blob/main/crewai/repo_hygiene.yaml) |
| 14 | CREW-109 | CrewAI | agent | crewai_agent | CrewAI agent wires a model-driven file-writing tool | high | 0.75 | 52.5 | [dangerous_tools.yaml](https://github.com/trustabl/trustabl-rules/blob/main/crewai/dangerous_tools.yaml) |
| 15 | CREW-201 | CrewAI | repo | crewai | CrewAI project ships no agent-guidance doc (AGENTS.md/CLAUDE.md) | low | 0.90 | 13.5 | [repo_hygiene.yaml](https://github.com/trustabl/trustabl-rules/blob/main/crewai/repo_hygiene.yaml) |
16 changes: 10 additions & 6 deletions docs/Policy/autogen/agent_safety.md
Original file line number Diff line number Diff line change
Expand Up @@ -130,10 +130,14 @@ or disable execution. **Confidence 0.85:** the rule confirms execution is
configured and review is off, but cannot see an out-of-band approval gate the team
may have wired around the agent β€” a small over-flag.

### AG2-004 β€” GroupChatManager has no explicit max_round bound (Severity: low, Confidence: 0.6, Fix type: config)
### AG2-004 β€” Group chat has no explicit max_round bound (Severity: low, Confidence: 0.6, Fix type: config)

**What we detect:** a `GroupChatManager` (or `GroupChat`) with no `max_round`
kwarg (predicate `agent_kwarg_missing`).
**What we detect:** a `GroupChat` config object with no `max_round` kwarg
(predicates `agent_class: [GroupChat]` + `agent_kwarg_missing`). The match is
anchored to `GroupChat` because `max_round` is a `GroupChat`-only constructor
param: a `GroupChatManager` cannot accept it, so matching the manager (as an
earlier revision did) fired on every properly configured chat β€” the manager def
never carries the kwarg even when its `GroupChat` sets it.

**Why it is flaggable:** with no explicit `max_round` the speaker-selection loop
falls back to AutoGen's built-in default rather than a task-sized cap; a
Expand All @@ -149,9 +153,9 @@ rounds before a timeout kills it.
so this flags a missing *explicit, task-sized* cap rather than a true runaway β€” a
hygiene nudge whose usual worst case is a cost/availability incident, and only a
safety problem when looped tools have side effects. **Fix type β€” config:** pass
`max_round=`. **Confidence 0.8:** a chat wrapped by an external timeout or a
custom loop guard is over-flagged, since the rule sees only the constructor
kwarg.
`max_round=` to `GroupChat(...)`. **Confidence 0.6:** a chat wrapped by an
external timeout or a custom loop guard is over-flagged, since the rule sees only
the constructor kwarg.

### AG2-005 β€” AssistantAgent enables code execution on the LLM agent (Severity: medium, Confidence: 0.7, Fix type: config)

Expand Down
53 changes: 46 additions & 7 deletions docs/Policy/claude_sdk/subagent_safety.md
Original file line number Diff line number Diff line change
Expand Up @@ -13,16 +13,21 @@ rules:
confidence: 0.85
scope: subagent
fix_type: config
- id: CSDK-112
severity: medium
confidence: 0.8
scope: subagent
fix_type: config
references: [LLM06, LLM01]
---

# Policy Rationale: Subagent Frontmatter Safety

**Policy ID:** `claude_sdk_subagent_safety`
**File:** `claude_sdk/subagent_safety.yaml`
**Rules:** CSDK-110, CSDK-111
**Severities:** high, high
**Fix types:** config, config
**Rules:** CSDK-110, CSDK-111, CSDK-112
**Severities:** high, high, medium
**Fix types:** config, config, config
**References:** LLM06, LLM01

> Related: [agent_safety.md](agent_safety.md) covers the same over-granting threat
Expand All @@ -37,9 +42,10 @@ references: [LLM06, LLM01]
Claude Code subagent β€” whose `tools:` list grants a dangerous built-in. These fire
per subagent file (scope: subagent), matched at any path depth, via the
`subagent_grants_tool` predicate: CSDK-110 grants `Bash`; CSDK-111 grants a
filesystem-write (`Write`/`Edit`) or `WebFetch` built-in. Because the surface is
markdown frontmatter, these rules carry no `language:` field and fire regardless of
the surrounding codebase β€” including on flat subagent collections that ship no SDK
filesystem-write (`Write`/`Edit`/`MultiEdit`/`NotebookEdit`) or `WebFetch`
built-in; CSDK-112 grants `WebSearch`. Because the surface is markdown
frontmatter, these rules carry no `language:` field and fire regardless of the
surrounding codebase β€” including on flat subagent collections that ship no SDK
code at all.

---
Expand Down Expand Up @@ -92,7 +98,10 @@ unambiguous; the gap is the genuinely shell-needing subagent (a build/test runne
### CSDK-111 β€” Subagent granted filesystem-write or web-fetch built-ins (Severity: high, Confidence: 0.85, Fix type: config)

**What we detect:** A subagent whose frontmatter `tools:` grants `Write`, `Edit`,
or `WebFetch`.
`MultiEdit`, `NotebookEdit`, or `WebFetch`. The multi-file and notebook editors
are matched alongside `Write`/`Edit` because they reach the same write surface β€”
omitting them would let a `tools: [MultiEdit]` grant escape the check while an
equivalent `Edit` grant fires.

**Why it is flaggable:** Write built-ins let the subagent modify source, config, or
its own `.claude/` controls; `WebFetch` pulls attacker-controllable content into the
Expand All @@ -112,6 +121,36 @@ role needs them; gate fetching with a PreToolUse host allowlist.
**Confidence 0.85:** Slightly below CSDK-110 because editor and fetcher roles more
often have a legitimate need than a pure shell grant does.

### CSDK-112 β€” Subagent granted the WebSearch tool (Severity: medium, Confidence: 0.8, Fix type: config)

**What we detect:** A subagent whose frontmatter `tools:` grants `WebSearch`
(`subagent_grants_tool: [WebSearch]`). This is the subagent-scope analogue of the
agent-scope CSDK-102 check on in-code `AgentDefinition` grants β€” before this rule,
the same grant declared in markdown frontmatter was unaudited.

**Why it is flaggable:** Search results are attacker-reachable text: anyone can
publish a page that ranks for a query the subagent is likely to make, so the grant
opens a prompt-injection channel (OWASP LLM01) into an autonomously-dispatched
worker whose output the parent loop usually trusts.

**Real-world consequence:** A research subagent granted `WebSearch` retrieves an
attacker-planted page whose content instructs it to misreport findings or to steer
the parent toward a malicious dependency; the injected conclusion flows back to the
parent as the subagent's answer.

**Why severity is medium and not high:** Matching CSDK-102's calibration β€” search
returns provider-mediated snippets rather than raw page content, so the injection
surface is narrower than `WebFetch`, and the tool itself has no write or execution
reach. The risk compounds only when paired with side-effecting grants, which
CSDK-110/111 flag separately.

**Fix type β€” config:** Remove `WebSearch` from the `tools:` list unless the role is
genuinely research-oriented (a frontmatter edit).

**Confidence 0.8:** The grant is unambiguous in frontmatter; the gap is the
legitimately research-oriented subagent, which is a more common role than a
shell-needing one.

---

## What this policy does not cover
Expand Down
Loading
Loading