Scanner / Precision

Precision lineage

By Michael K Onyekwere

The AgentScore scanner is a regex-based detector. Regex cannot tell a database method call apart from a shell exec, or a test fixture apart from a real credential, without context. Scanner v2.1 ships a mitigator system that scans a window around each match for known sanitizer wrappers or test-fixture markers and downgrades the severity when one fires.

The list below is every mitigator the scanner has gained, paired with the public report that motivated it. Each entry was driven by a real maintainer interaction, not a hypothetical edge case.

This page is the scanner's public memory. If you want the full maintainer loop, start with the NodeBench case study, then compare it with the live package report.

Scanner version

v2.2

Current ruleset digest

55366a05fee3

How mitigators work

When a finding fires, the scanner looks at a 2,000-character window around the match. If a sanitizer pattern (like validateCommand, execFile, or a database-shaped .exec()) hits in that window, the severity is downgraded. The original finding stays visible with an annotation showing which mitigator fired and where, so you can audit the call yourself.

The downgrades: command_injection, unsafe_eval, sensitive_file_access go to LOW. hardcoded_secret goes to MEDIUM (a placeholder is still an information disclosure about test infrastructure, just not a credential).

Precision is bounded by what regex can express. A renamed sanitizer or a database method that does not match the variable-name list still produces a false positive. Real data-flow analysis is on the v2.2 roadmap.

Recent mitigator additions

2026-05-16 (engine v2.2)ruleset post-ea8aabc

Per-file iteration + all-matches walk (Codex review caught two scope leaks)

Codex review of the earlier May 16 mitigator pass surfaced two structural issues. First, the scanner read the whole gunzipped tarball as one buffer and ran findMitigators against +/-2000 chars in that buffer, so a README heading in one file could downgrade a real finding in another (cross-file leak). Second, even after per-file iteration, the scanner ran each pattern as a single .exec() per file, so an early benign shell call in a file would mask a later real unsafe one in the same file (same-file masking). Both fixed today.

Patterns added

engine

iterateTarFiles(buf)

Walk POSIX tar archive entry-by-entry, including GNU longname (L) and pax (x) extended header support. Mitigators run against the current file's content only. ~80 lines, no new dep.

engine

findAllMatches(pattern, content)

Iterate every match per pattern per file (capped at 200 to bound pathological inputs). Each match's severity is computed against its own +/-2000 char window. The worst severity across all matches wins for that file. Short-circuits on the first match that remains at the pattern's original severity.

engine

isScannableFile(filename)

Path filter that allows source-like extensions and excludes pure artefacts (node_modules, .git, coverage, .next, *.map, *.min.js, *.d.ts). Crucially does NOT skip dist/ or build/ — in published npm tarballs those are usually the actual executable code.

Outcome: Verification against the version-pinned 5-package sample (now version-pinned to prevent silent drift) shows 75% suppression rate on detected command_injection findings, not the 100% claimed in the entry below. The corrected number is more honest: memoir-cli@3.6.1's upgrade.js contains `exec(\`open "${url}"\`)` that the previous first-match-only iteration was masking behind an earlier match downgraded by path.join. The all-matches walk now surfaces it and flags HIGH. In single-user CLI threat models this pattern is benign; the scanner correctly cannot infer that without runtime context, and a HIGH static-analysis flag is the right output. SCANNER_VERSION bumped to 2.2 because tarball handling changed at engine level.

2026-05-16ruleset post-c7bb83c

Self-detected false-positive class: command_injection in browser/CLI MCP packages (31 advisories affected)

Internal tracking on 2026-05-15 showed 31 distinct browser/terminal/CLI-automation MCP packages flagged with HIGH command_injection in a 30-day window. Volume alone made a real-bug-per-package interpretation implausible. Sample-checked five (safari-mcp, brave-real-browser-mcp-server, memoir-cli, s3db.js, claude-flow): four of five were clear false positives, one ambiguous. Causes: postinstall codesign of internal binaries, database client .exec(`SELECT ...`) misidentified as child_process.exec, hardcoded ALL_CAPS constants treated as user input, numeric IDs from webhook payloads, and a security tutorial .md file that the regex caught literally with `// ❌ Dangerous: shell injection possible` as the matched line. The advisory pipeline had been auto-publishing HIGH severity on these patterns at ~one per day. Caught and shipped under our own steam before any maintainer push-back; the public-correction loop is the asset, applied to ourselves.

Patterns added

sanitizer

Extended the existing database-method allowlist to include `this.exec(`. s3db.js's remote-sqlite-client calls `this.exec(\`SELECT ...\`, [params])` for SQL, not shell.

sanitizer

Compile-time identifiers within scope. safari-mcp's postinstall used `path.join(__dirname, '..', 'safari-helper')` and the regex treated that as user input.

sanitizer

/\$\{[A-Z][A-Z0-9_]{2,}\}/

ALL_CAPS interpolated identifiers strongly signal a compile-time constant. s3db.js's `${REPO_URL}` is a hardcoded repository URL.

sanitizer

/\$\{\s*(?:Number|parseInt|parseFloat)\s*\(/

Numeric coercion. A value passed through Number(), parseInt(), or parseFloat() cannot carry shell metacharacters.

sanitizer

/\$\{\s*[a-zA-Z_]+\.(?:number|id|index|count|length|size)(?:\s*\|\s*0|\s*\?\?\s*0)?\s*\}/

Properties guaranteed to be numeric. claude-flow's webhook example uses `${event.pull_request.number}` which is always an integer from GitHub.

sanitizer

/\b(codesign|signtool|notarytool)\b|\bgpg\s+--sign\b/

Code-signing toolchain. Postinstall scripts in macOS/Windows helper packages invoke these against package-internal binaries, never user input.

sanitizer

/execSync\s*\(\s*`npm\s+(?:view|pack|info)\s+\$\{[a-zA-Z_]+\}/

Auto-update scripts querying npm for known dependency names from package.json.

documentation_context

/```\s*(?:js|ts|javascript|typescript|jsx|tsx|json|bash|sh|shell|console)?\s*\n/

Triple-backtick code fences. Markdown documentation routinely contains example code, including anti-pattern examples.

documentation_context

/❌|✅|⚠️\s+(?:Dangerous|Unsafe|Bad|Don't|Avoid)/i

Markdown anti-pattern markers. claude-flow's v3-security-architect.md literally labelled the example shell-exec line `❌ Dangerous: shell injection possible` and the scanner caught the tutorial.

documentation_context

English comment annotations marking code as an anti-pattern.

documentation_context

/^#{1,4}\s+\S/m

Markdown headings within scope. Strong signal the surrounding context is documentation, not executable source.

documentation_context

//

HTML / JSX comments commonly used in README, MDX, and docs.

Outcome: Local verification (scripts/verify-mitigators.cjs against the 5-package sample) shows 100% of detected command_injection findings now downgrade to LOW. Monitor cron will rescan the 31 affected packages organically over the next 3-4 days; their public advisories will pick up the corrected severity. The RULESET_DIGEST changed automatically because the mitigators set is part of digest material, so rescans register as scanner_reassessment (not maintainer-caused drift). Historic advisories on /security/advisories that were published under the pre-mitigator regex remain visible with their original severity recorded; readers can compare the original AGENTSCORE-2026-NNNN advisory to the current /report/<package> page to see the corrected scan. This is by design: we do not silently rewrite the public record. Corrections happen in the open.

2026-04-26ruleset 3185eb87b4ce

Database .exec and eval-in-message-strings (HomenShum/nodebench-ai#8)

Maintainer reviewed two HIGH findings against source. Confirmed three real command_injection sites and refactored to argv-based spawn. Correctly identified unsafe_eval as a false positive: the regex matched better-sqlite3's db.exec(`SQL`) and the literal word eval inside a recommendations.push string.

Patterns added

sanitizer

/\.exec\s*\(\s*[`'"]?\s*(SELECT|INSERT|UPDATE|DELETE|CREATE|ALTER|DROP|PRAGMA|VACUUM|BEGIN|COMMIT|ROLLBACK|TRUNCATE|REPLACE|MERGE|GRANT|REVOKE|EXPLAIN)\b/i

SQL keyword immediately after .exec(. Strong signal this is a database method, not child_process.exec.

sanitizer

Database-shaped variable names calling .exec, like better-sqlite3, pg, mysql2, prisma raw queries.

test_fixture

/\/[a-zA-Z]*[Ee]val[A-Z][a-zA-Z]*\.(js|ts|mjs|cjs)\b/

Files like selfEvalTools.js, llmJudgeEval.js, pipelineEval.js. The word eval refers to evaluation flow, not JavaScript eval.

test_fixture

/\b(?:recommendations?|messages?|errors?|warnings?|notes?)\s*\.\s*push\s*\(\s*[`'"]/i

Strings being pushed into a recommendations or messages array are message text, not executable code.

test_fixture

console.log and friends emitting strings that contain the word eval.

Outcome: nodebench-mcp@3.2.1 rescored 55/ELEVATED to 85/LOW after refactor + mitigators. Both findings downgraded with explicit annotations.

2026-04-25

Declarative test-fixture markers (claude-flow CRITICAL hardcoded_secret in dist/)

claude-flow shipped a manifest-validator with structural test fixtures inside dist/. Existing test_fixture rules expected files to live under tests/ or specs/, so they did not catch shipped-as-data fixtures.

Patterns added

test_fixture

/\babc(123|def|xyz)/i

Canonical fake-credential placeholders. claude-flow used sk-abc123-style test keys.

test_fixture

/\b(123|abcd){3,}/i

Long repeating placeholder sequences like abcdabcdabcd.

test_fixture

Declarative fixture structure: { params: { ... }, expectedOutcome: 'deny' }. Pure data, not exploitable code.

test_fixture

Test-shaped predicate names sitting near otherwise-dangerous-looking literals.

test_fixture

Validator and sanitizer source files contain example dangerous strings by design.

Outcome: claude-flow's hardcoded_secret CRITICAL finding downgraded to MEDIUM. command_injection HIGH still flags pending a future mitigator pass.

2026-04-22

Sanitizer wrappers (Agions/taskflow-ai#6)

Maintainer shipped v3.0.2 with a validateCommand wrapper around shell_exec (whitelist + dangerous-pattern detection) within 48h of the scan report. The scanner's HIGH command_injection finding for the same code was no longer the right severity once a guard was in place.

Patterns added

sanitizer

/\bvalidateCommand\b/

Direct match for the wrapper Agions introduced.

sanitizer

/\bsanitize(?:Command|Args|Input)?\b/i

Common naming convention for input sanitizers across the ecosystem.

sanitizer

/\bisAllowedCommand\b/i

Whitelist-style guards.

sanitizer

/\bexecFile\b/

execFile with an args array cannot shell-interpret. Different posture from exec.

sanitizer

/\bspawn\s*\(\s*[^,)]+,\s*\[/

spawn('cmd', [args]) array form bypasses the shell entirely.

Outcome: taskflow-ai went 45/HIGH to 60/ELEVATED on v3.0.2, then to 80/MODERATE on v4.0.0 after seven capabilities were deleted. Full arc closed in four days.

Reporting a precision gap

If the scanner flagged something it should not have, or missed something it should have caught, the report goes through public issue forms on the scanner repo. Detection-accuracy reports are not security disclosures and do not need confidentiality.

Report false positive Report missed risk Public advisories

Real vulnerabilities in AgentScore infrastructure go to security@agentscores.xyz, not these forms.