From 7b449b652d946a8eef9aca65f0c8e182b4fb80f7 Mon Sep 17 00:00:00 2001 From: lorecraft-io Date: Sat, 4 Apr 2026 20:45:51 -0400 Subject: [PATCH] Fix grep exit-code-2 bug + add README-SECTIONS updates for /safetycheck - Replace all explicit missing-file grep args with --include= style to prevent exit code 2 false negatives across Checks 14, 18, 19, 20 - Add /safetycheck row to cheat-sheet.md skills table - Add Step 9 row to step-ordering.md (was missing entirely) Co-Authored-By: claude-flow --- README-SECTIONS/cheat-sheet.md | 5 +++-- README-SECTIONS/step-ordering.md | 3 ++- step-9/safetycheck-skill/SKILL.md | 24 ++++++++++++------------ 3 files changed, 17 insertions(+), 15 deletions(-) diff --git a/README-SECTIONS/cheat-sheet.md b/README-SECTIONS/cheat-sheet.md index a5781a2..6e3bd97 100644 --- a/README-SECTIONS/cheat-sheet.md +++ b/README-SECTIONS/cheat-sheet.md @@ -96,9 +96,10 @@ These are custom skills installed by the setup scripts. Type them inside a Claud | `/rmini do the thing` | Step 3 | Launch a compact 5-agent swarm — same power, tighter team | | `/rhive ` | Step 3 | Launch a queen-led autonomous hive-mind with raft consensus | | `/w4w` | Step 3 | Maximum attention to detail — word for word, line for line. No skipping, no summarizing. Also works without the slash — just type `w4w` | +| `/safetycheck` | Step 9 | Security audit — scans any project for exposed keys, missing rate limiting, input sanitization gaps, dependency vulnerabilities, and insecure configurations. Also responds to "run a safety check" in plain English | -> These are **explicit triggers** — you type the command to activate the skill. This is different from the auto-triggered tools below, which respond to natural language. Exception: `/w4w` also works without the slash — just type `w4w` anywhere in your message. `/rmini` is the compact version of `/rswarm` — 5 agents instead of 15. +> These are **explicit triggers** — you type the command to activate the skill. This is different from the auto-triggered tools below, which respond to natural language. Exception: `/w4w` also works without the slash — just type `w4w` anywhere in your message. `/rmini` is the compact version of `/rswarm` — 5 agents instead of 15. `/safetycheck` also works in natural language. --- @@ -125,7 +126,7 @@ These activate on their own when Claude detects a relevant task via natural lang | Excalidraw | Add-on | Natural language — diagrams, flowcharts, whiteboard sketches | "Draw a system architecture diagram" | | Gamma | Add-on | Natural language — presentations, documents, webpages | "Create a pitch deck for my startup" | -> **Key distinction:** Slash commands (`/rswarm`, `/rmini`, `/rhive`, `/w4w`) require you to type the command. Everything in this table works by just talking to Claude naturally. +> **Key distinction:** Slash commands (`/rswarm`, `/rmini`, `/rhive`, `/w4w`, `/safetycheck`) require you to type the command. Everything in this table works by just talking to Claude naturally. > > **Add-on tools** are not part of the step-by-step setup — they're optional MCP servers you can connect separately. Claude auto-detects them when they're installed. diff --git a/README-SECTIONS/step-ordering.md b/README-SECTIONS/step-ordering.md index ec83d68..68ea7f1 100644 --- a/README-SECTIONS/step-ordering.md +++ b/README-SECTIONS/step-ordering.md @@ -14,6 +14,7 @@ Run the steps in this order: | 6 | Productivity Tools | Motion Calendar + Notion (pick what you use) | | 7 | Second Brain | Obsidian vault setup + data import (7a-7d) | | 8 | Telegram | Telegram bot setup — message Claude from your phone | +| 9 | Safety Check | Security auditing — 8 API checks + 12 MCP checks for tool poisoning, DNS rebinding, supply chain attacks | | **Final** | **Status Line** | **Final config — status indicators, system health check** | -> **Note:** Step 6 (Productivity Tools) is all optional — install only the tools you use. Step 7 (Second Brain) is the biggest step with four sub-parts (7a-7d). Step 8 (Telegram) is interactive — it walks you through creating a bot and pasting your token. The Final Step (Status Line) is the wrap-up that wires everything together — your status indicators show what's active across all the tools. +> **Note:** Step 6 (Productivity Tools) is all optional — install only the tools you use. Step 7 (Second Brain) is the biggest step with four sub-parts (7a-7d). Step 8 (Telegram) is interactive — it walks you through creating a bot and pasting your token. Step 9 (Safety Check) installs the `/safetycheck` security audit skill — 8 core checks for any project, plus 12 MCP-specific checks when an MCP project is detected (20 total). The Final Step (Status Line) is the wrap-up that wires everything together — your status indicators show what's active across all the tools. diff --git a/step-9/safetycheck-skill/SKILL.md b/step-9/safetycheck-skill/SKILL.md index eafc60d..8f93987 100644 --- a/step-9/safetycheck-skill/SKILL.md +++ b/step-9/safetycheck-skill/SKILL.md @@ -67,7 +67,7 @@ git ls-files 2>/dev/null | grep -iE "\.env$" **MCP Config scan** (if MCP detected) — Scan `.mcp.json`, `claude_desktop_config.json`, `.cursor/mcp.json` for hardcoded secrets in `env` blocks: ```bash -grep -r '"env"' .mcp.json claude_desktop_config.json .cursor/mcp.json 2>/dev/null | grep -iE '(sk-[a-zA-Z0-9]{20,}|AKIA[0-9A-Z]{16}|ghp_[a-zA-Z0-9]{36}|AIzaSy[a-zA-Z0-9_-]{30,}|xox[bpsa]-[a-zA-Z0-9-]+)' +grep -rn '"env"' . --include=".mcp.json" --include="claude_desktop_config.json" 2>/dev/null | grep -iE '(sk-[a-zA-Z0-9]{20,}|AKIA[0-9A-Z]{16}|ghp_[a-zA-Z0-9]{36}|AIzaSy[a-zA-Z0-9_-]{30,}|xox[bpsa]-[a-zA-Z0-9-]+)' ``` Check if MCP configs are tracked in git: @@ -344,7 +344,7 @@ Verify TLS is enforced and DNS rebinding protection is active. **Checks:** ```bash # Check for HTTP (non-HTTPS, non-localhost) in MCP configs -grep -rniE '"url"\s*:\s*"http://' .mcp.json claude_desktop_config.json 2>/dev/null | grep -vE '(localhost|127\.0\.0\.1|::1)' +grep -rniE '"url"\s*:\s*"http://' . --include=".mcp.json" --include="claude_desktop_config.json" 2>/dev/null | grep -vE '(localhost|127\.0\.0\.1|::1)' # Check for 0.0.0.0 binding without auth grep -rniE '(0\.0\.0\.0|host:\s*["'"'"']0\.0\.0\.0)' --include="*.ts" --include="*.js" --include="*.py" . @@ -395,10 +395,10 @@ Check for over-privileged tokens, missing expiration, and insecure storage. ```bash # Check for wildcard/broad OAuth scopes in MCP config or auth code -grep -rniE '(mail\.google\.com/|calendar\.google\.com/|drive\.google\.com/|scope.*\*|scope.*"all"|scope.*"full")' --include="*.ts" --include="*.js" --include="*.py" .mcp.json 2>/dev/null +grep -rniE '(mail\.google\.com/|calendar\.google\.com/|drive\.google\.com/|scope.*\*|scope.*"all"|scope.*"full")' --include="*.ts" --include="*.js" --include="*.py" --include=".mcp.json" . 2>/dev/null # Check for access tokens stored in plaintext -grep -rniE '("access_token"\s*:\s*"[^"]{20,}"|token\s*=\s*["'"'"'][^"'"'"']{20,})' .mcp.json claude_desktop_config.json 2>/dev/null +grep -rniE '("access_token"\s*:\s*"[^"]{20,}"|token\s*=\s*["'"'"'][^"'"'"']{20,})' . --include=".mcp.json" --include="claude_desktop_config.json" 2>/dev/null # Check for long-lived tokens (no expiry) grep -rniE '(expires_in.*86400|expires_in.*[0-9]{6,}|no.*expir|never.*expir)' --include="*.ts" --include="*.js" . @@ -486,10 +486,10 @@ grep -rn "hostHeaderValidation\|localhostHostValidation\|createMcpExpressApp" -- ```bash # @latest floating versions in MCP config (rug-pull risk) -grep -rniE '"@latest"|npx.*@latest' .mcp.json claude_desktop_config.json .cursor/mcp.json 2>/dev/null +grep -rniE '"@latest"|npx.*@latest' . --include=".mcp.json" --include="claude_desktop_config.json" 2>/dev/null # npx -y without pinned version (auto-install from potentially poisoned package) -grep -rniE 'npx.*-y' .mcp.json claude_desktop_config.json 2>/dev/null | grep -vE '@[0-9]' +grep -rniE 'npx.*-y' . --include=".mcp.json" --include="claude_desktop_config.json" 2>/dev/null | grep -vE '@[0-9]' # Lockfile check ls package-lock.json yarn.lock pnpm-lock.yaml bun.lockb 2>/dev/null || echo "NO_LOCKFILE" @@ -498,7 +498,7 @@ ls package-lock.json yarn.lock pnpm-lock.yaml bun.lockb 2>/dev/null || echo "NO_ node -e "const p=require('./package.json'); console.log(p.files ? 'HAS_FILES_WHITELIST' : 'NO_FILES_WHITELIST');" 2>/dev/null # Shell metacharacters in MCP config args (command injection via config) -grep -rniE '"args"\s*:\s*\[' .mcp.json claude_desktop_config.json 2>/dev/null | grep -E '[;|&\$\`]' +grep -rniE '"args"\s*:\s*\[' . --include=".mcp.json" --include="claude_desktop_config.json" 2>/dev/null | grep -E '[;|&\$\`]' ``` **Severity**: HIGH for `@latest` in MCP config. HIGH for no lockfile. HIGH for shell metacharacters in args arrays. MEDIUM for no files whitelist on published MCP server. PASS if pinned and locked. @@ -515,13 +515,13 @@ Verify tool invocations are logged with structured data. ```bash # Check for structured logging library -grep -rn "winston\|pino\|bunyan\|log4js\|structlog\|logging\.getLogger" package.json requirements.txt 2>/dev/null +grep -rn "winston\|pino\|bunyan\|log4js\|structlog\|logging\.getLogger" . --include="package.json" --include="requirements.txt" 2>/dev/null # Check for MCP logging notifications grep -rn "sendLoggingMessage\|LoggingMessageNotification\|setLoggingLevel\|notifications/message" --include="*.ts" --include="*.js" . # Check for observability integration -grep -rn "opentelemetry\|datadog\|sentry\|splunk\|elastic-apm" package.json 2>/dev/null +grep -rn "opentelemetry\|datadog\|sentry\|splunk\|elastic-apm" . --include="package.json" 2>/dev/null ``` Compare: count tool registrations (`server.tool` / `@mcp.tool`) vs structured logging references. If tools > 0 and structured logging = 0, flag it. @@ -538,13 +538,13 @@ Check for floating version references that enable rug-pull attacks. ```bash # @latest in any MCP config -grep -rniE '"@latest"' .mcp.json claude_desktop_config.json .cursor/mcp.json 2>/dev/null +grep -rniE '"@latest"' . --include=".mcp.json" --include="claude_desktop_config.json" 2>/dev/null # npx without pinned version in MCP config commands -grep -rniE '"command"\s*:\s*"npx"' .mcp.json claude_desktop_config.json 2>/dev/null +grep -rniE '"command"\s*:\s*"npx"' . --include=".mcp.json" --include="claude_desktop_config.json" 2>/dev/null # Verify packages have pinned versions (not @latest) -grep -rniE '@[a-z0-9-]+/[a-z0-9-]+' .mcp.json claude_desktop_config.json 2>/dev/null | grep -v '@[0-9]' | grep -v '@latest' +grep -rniE '@[a-z0-9-]+/[a-z0-9-]+' . --include=".mcp.json" --include="claude_desktop_config.json" 2>/dev/null | grep -v '@[0-9]' | grep -v '@latest' # Check if any MCP server hashes tool definitions (integrity verification) grep -rn "createHash\|sha256\|sha-256\|integrity\|checksum" --include="*.ts" --include="*.js" . | grep -iE "(tool|description|schema)"