v1.9.0 — OWASP ASI Agentic Rules (AGT-008 to AGT-011)

What's new in v1.9.0

4 new agentic rules — OWASP ASI gap-fill

ID	Severity	OWASP ASI	Rule
AGT-008	Critical	ASI03	Agent calls assumeRole/grantAccess/setPermissions with LLM output value — privilege escalation via prompt injection
AGT-009	High	ASI04	Agent loads tool or plugin at runtime from a variable path or dynamic import — supply chain substitution vector
AGT-010	High	ASI07	Raw agent output forwarded to another agent via send/route/dispatch without HMAC, JWT, or schema validation
AGT-011	High	ASI08	Agent plan step error caught silently — no rethrow, no error-state flag; downstream steps proceed on bad or incomplete state

Numbers

• 95 rules (was 91) across 14 categories
• 453 tests, all passing

v1.8.0 — Runtime Guard API + MCP Security Rules Expansion

What's new in v1.8.0

Runtime Guard API (context-hound/runtime)

Inspect live LLM message arrays at runtime — not just at CI time.

import { createGuard } from 'context-hound/runtime';

const guard = createGuard({ policy: { critical: 'block', high: 'warn' } });

// Standalone inspection
const result = guard.inspect(messages);
console.log(result.score, result.findings);

// Wrapped call — throws HoundBlockedError if blocked
const response = await guard.wrap(messages, () =>
  openai.chat.completions.create({ model: 'gpt-4o', messages })
);

GuardConfig options: policy, onInspect, onBlock, languageHint, extraRules

5 new MCP security rules (MCP-006 to MCP-010)

ID	Severity	Rule
MCP-006	Critical	Confused deputy — auth token forwarded to downstream API without re-validation
MCP-007	High	Cross-MCP context poisoning — shared state written without integrity check
MCP-008	High	Stdio transport command loaded from variable path
MCP-009	High	Session ID used as auth decision without expiry check (replay attack)
MCP-010	Critical	Transport event payload injected into LLM context without sanitisation

Numbers

• 91 rules (was 86) across 14 categories
• 429 tests, all passing

v1.7.0 — --min-confidence CLI flag

What's new

New CLI flag: --min-confidence

Filter findings by confidence level directly from the command line:

hound scan --min-confidence high     # only high-confidence findings
hound scan --min-confidence medium   # medium and high
hound scan --min-confidence low      # all findings (default)

This was previously only configurable via minConfidence in .contexthoundrc.json. The CLI flag now overrides the config file value.

86 rules · 14 categories

npm install -g context-hound

v1.6.0 — Supply chain, DOS, encoding & agentic rules

What's new

New rule categories

• Supply Chain (SCH) — 2 rules: registry override detection, dynamic import at runtime
• Denial of Service (DOS) — 1 rule: unsanitised input in LLM call loops (token flooding)

New rules (11 total)

• ENC-003–006 — Base64-chained injections, invisible Unicode characters, homoglyph substitution, Unicode bidirectional text override
• INJ-016 — Template engine renders user-controlled string as template source (Jinja2, Handlebars, Nunjucks)
• SCH-001 — Unsafe deserialization of model/checkpoint files (pickle, torch.load)
• SCH-003 — Dynamic import / dependency confusion vector
• DOS-001 — Unbounded LLM call loop with unsanitised user input
• AGT-005 — Agent trusts claimed identity without cryptographic verification
• AGT-006 — Raw agent output chained as input to another agent without validation
• AGT-007 — Agent modifies its own system prompt or tool list at runtime

Bug fixes

• AGT-005: pattern now correctly matches === and !== operators
• AGT-007: pattern no longer requires ( after assignment operator

86 rules · 14 categories

npm install -g context-hound

v1.5.0 — CSV & JUnit formatters + MCP security rules

What's new

New output formatters

• --format csv — export findings to a spreadsheet or any issue tracker
• --format junit — drop a JUnit XML file into Jenkins, Azure DevOps, or CircleCI; findings appear as test failures

MCP Security rules (5 new rules)

• MCP-001 — Tool description poisoning (CVE-2025-6514 pattern)
• MCP-002 — Rug pull / dynamic tool registration
• MCP-003 — Sampling hijack with no human-in-the-loop (CVE-2025-59536)
• MCP-004 — Transport URL from variable
• MCP-005 — shell:true in stdio transport

Multi-language support

Added scanning for .py, .go, .rs, .java, .kt, .cs, .php, .rb, .swift, .vue, .sh, .bash, .hs

75 rules · 12 categories

npm install -g context-hound

v1.4.0 — RAG provenance rules + false-positive reduction

What's new

RAG-005 — Provenance-free retrieval

Flags vector store retrieval calls where chunks enter the prompt construction path without any provenance metadata check (source, metadata.source, owner, trust_level). If a chunk can enter the prompt anonymously, there is no way to apply trust-tier filtering downstream — making the pipeline blind to poisoned documents.

RAG-006 — No ACL or trust-tier filter on retrieval query

Flags retrieval queries (Pinecone, Weaviate, Qdrant, LangChain, FAISS, ChromaDB, and others) that do not pass a filter, where, metadata_filter, score_threshold, or namespace parameter. An unfiltered query accepts documents from any owner or trust tier and lets policy-violating content reach the model unchecked.

INJ-001 — Expanded false-positive suppression

The negative matcher in INJ-001 now also recognises sanitization wrappers — sanitize(), escape(), DOMPurify.sanitize(), validator.escape(), encodeURIComponent() — applied to the interpolated variable. Inputs that are demonstrably cleaned before use are no longer flagged, reducing noise for teams with proper input handling in place.

Mitigation check #6 — Input sanitization/escaping present

scoreMitigations() now includes a sixth check: presence of a sanitization or escaping function call in the prompt context. When detected, risk points for injection findings in that prompt are reduced by 15, complementing the existing delimiter-labeling check.

Stats

• 70 rules (+2 vs v1.3.0)
• 284 tests passing
• 11 categories

v1.1.1 — OpenClaw Security Patch (SKL-008 to SKL-013)

ContextHound v1.1.1 — OpenClaw Security Patch

Patch release adding 6 new rules targeting advanced OpenClaw skill attack classes that instruction-based scanners miss — because the payloads are written in plain English, not code. Initial installs are clean; the attacks execute at runtime through the skill's markdown instructions.

---

What's New

6 new SKL rules (SKL-008 to SKL-013)

Rule	Severity	Attack class
SKL-008	Critical	Heartbeat C2 — scheduled remote fetch silently overwrites skill instructions after a clean install
SKL-009	Critical	Identity denial — skill instructs agent to deny being AI or claim to be human
SKL-010	Critical	Anti-scanner evasion — skill contains text designed to mislead security auditing tools
SKL-011	Critical	SOUL.md / IDENTITY.md persistence — instructions written to agent identity files survive uninstallation
SKL-012	High	Self-propagating worm — SSH spread or curl|bash to reachable hosts
SKL-013	High	Autonomous financial transactions — crypto drainer, executes wallet transactions without user confirmation

---

Full SKL rule set (13 rules total)

Rule	Severity
SKL-001	Critical — self-authoring attack
SKL-002	Critical — remote skill loading
SKL-003	Critical — prompt injection in skill body
SKL-004	High — unsafe command-dispatch
SKL-005	High — sensitive filesystem path access
SKL-006	High — privilege escalation
SKL-007	Critical — hardcoded credentials in frontmatter
SKL-008	Critical — heartbeat C2
SKL-009	Critical — identity denial
SKL-010	Critical — anti-scanner evasion
SKL-011	Critical — SOUL.md persistence
SKL-012	High — self-propagating worm
SKL-013	High — autonomous financial transactions

---

By the numbers

• 61 rules total (up from 55)
• 195 tests passing (up from 168)
• Self-scan score: 0 / 100

---

Upgrading

The v1 tag has been moved to this release. Users on @v1 receive this automatically:

- uses: IulianVOStrut/ContextHound@v1

MIT License · Static analysis only · No data leaves your machine

v1.1.0 — Skills Marketplace Security (OpenClaw)

ContextHound v1.1.0 — Skills Marketplace Security

Urgent update for OpenClaw users. Snyk's ToxicSkills research found 36% of ClawHub skills contain security flaws, 1,467 malicious payloads, and 824+ confirmed malicious skills across 135,000 exposed instances. This release adds a dedicated scanning category for OpenClaw SKILL.md files.

---

What's New

New Category: Skills Marketplace (SKL) — 7 rules

Rule	Severity	Detects
SKL-001	Critical	Skill instructs agent to write or modify other skill files (self-authoring attack — persists across restarts)
SKL-002	Critical	Skill instructs agent to fetch skills from an external URL (attacker controls behavior after install)
SKL-003	Critical	Prompt injection in skill body targeting agent core instructions
SKL-004	High	command-dispatch: tool with command-arg-mode: raw — raw user input forwarded to tool, bypassing model safety
SKL-005	High	Skill references sensitive filesystem paths (~/.ssh, ~/.env, /etc/passwd)
SKL-006	High	Skill claims elevated privileges or instructs agent to override other skills
SKL-007	Critical	Hardcoded credential (API key, token, password) in YAML frontmatter

Extractor update

SKILL.md files and any markdown files in skills/ or .openclaw/ directories are now automatically emitted as code-block for full multi-line rule coverage, in addition to raw.

Scanning your OpenClaw skills

npx hound scan --dir ./skills

Or add to .contexthoundrc.json:

{
  "include": ["**/skills/**/*.md", "**/SKILL.md"]
}

---

By the numbers

• 55 rules total (up from 48)
• 10 categories (up from 9)
• 168 tests passing (up from 143)
• Self-scan score: 0 / 100

---

Upgrading the GitHub Action

The v1 tag has been moved to this release. Users pinned to @v1 receive this update automatically:

- uses: IulianVOStrut/ContextHound@v1

---

MIT License · Static analysis only · No data leaves your machine

v1.0.0 — Initial Release

ContextHound v1.0.0

Static analysis tool for LLM prompt security. Scans your codebase for prompt injection, jailbreaks, exfiltration risks, and more — entirely locally, with no data leaving your machine.

---

Highlights

• 48 security rules across 9 categories
• 18 languages supported: JavaScript, TypeScript, Python, Go, Rust, Java, Kotlin, C#, PHP, Ruby, Swift, Vue, Bash, C, C++, Haskell, and more
• 5 extraction kinds: raw text, template strings, object fields, chat messages, and full code-block context
• SARIF output compatible with GitHub Code Scanning, Semgrep, and CodeQL workflows
• GitHub Action for CI/CD integration
• Zero telemetry — runs fully offline

---

Rule Categories

Category	Rules	Covers
Injection	INJ-001 – INJ-011	Direct injection, RAG poisoning, role injection, DOM sources, HTTP data in system prompts
Exfiltration	EXF-001 – EXF-007	Credential leakage, prompt extraction, Base64 encoding, internal URL exposure
Jailbreak	JBK-001 – JBK-006	Known jailbreak phrases, role-play escapes, auto-execution, evidence erasure
Unsafe Tools	TOOL-001 – TOOL-005	Unbounded execution, unsandboxed code, tool definitions from user input
Command Injection	CMD-001 – CMD-005	Shell interpolation across JS/TS/Python/PHP/Go/Rust, subprocess shell=True, PHP exec family
RAG	RAG-001 – RAG-004	Retrieved content in system role, instruction poisoning, agent memory injection
Encoding	ENC-001 – ENC-002	Base64 as sanitisation bypass, Unicode control character smuggling
Output Handling	OUT-001 – OUT-004	Unvalidated JSON parsing, unsafe Markdown rendering, LLM output in eval/exec/SQL
Multimodal	VIS-001 – VIS-004	Vision API with unvalidated image sources, OCR injection, transcription output risks

---

Quick Start

# Scan current directory
npx hound scan

# Scan with verbose output and SARIF report
npx hound scan --verbose --format console,sarif --out results

# Fail on any critical finding
npx hound scan --fail-on critical

GitHub Actions

- uses: IulianVOStrut/ContextHound@v1
  with:
    fail-on: critical

---

Scoring

Each finding is assigned a risk score based on severity and confidence. The repo-level score is capped at 100. Scans pass when the score is below the configured threshold (default: 60) and no fail-on violations are found.

Severity	Base points
Critical	50
High	30
Medium	15
Low	5

---

MIT License · Static analysis only · No data leaves your machine