vasceannie/openagent
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: prevent MCP tool conflicts and mission summary contamination

Browse Source 
P0: Prefix MCP tools with server name
- MCP tools now prefixed (e.g., filesystem_read_file)
- Prevents duplicate function name errors with xAI/Google
- strip_prefix() used when calling actual MCP server

P1: Filter mission summaries by current mission
- In mission mode, only inject summaries from THIS mission
- Prevents cross-mission contamination from past task summaries
- User facts still shared (intentional)

P2: xAI/Google now work with MCP (no duplicate function names)
This commit is contained in:
Thomas Marchand
2025-12-20 13:01:09 +00:00
parent c2c505a2f8
commit f52be88224
7 changed files with 841 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

364
reports/bitget-audit/deepseek-decompilation.md Normal file
View File

@@ -0,0 +1,364 @@
# Mobile App Decompilation Report
## Overview
This report documents the decompilation of Android APK and iOS IPA files using CLI tools. The process extracts source code, JavaScript bundles, and configuration files for security analysis and code review.
## Tools Used
1. **jadx** - Java decompiler for Android APK files
2. **apktool** - Android APK resource decoder and disassembler
3. **binwalk** - Firmware analysis tool for embedded file extraction
4. **unzip** - Standard ZIP archive extraction
5. **strings** - Extract readable strings from binary files
## Android APK Decompilation Results
### Sample APK Analyzed: `small.apk`
**File Information:**
- File size: 9,886 bytes
- Package name: `io.github.skylot.android.smallapp`
- Compiled SDK version: 34 (Android 14)
- Debuggable: Yes
### Extraction Methods Demonstrated:
#### 1. Direct ZIP Extraction (`unzip`)
```bash
unzip small.apk -d output/decompiled/small_apk_unzip/
```
**Extracted Files:**
- `AndroidManifest.xml` (binary)
- `classes.dex` (Dalvik bytecode)
- `resources.arsc` (compiled resources)
- `META-INF/com/android/build/gradle/app-metadata.properties`
- Resource files in `res/` directory
#### 2. APKTool Decompilation (`apktool`)
```bash
apktool d small.apk -o output/decompiled/small_apk_apktool/ -f
```
**Key Files Extracted:**
- `AndroidManifest.xml` (decoded XML)
- `apktool.yml` (apktool metadata)
- `smali/` directory (disassembled bytecode)
- `res/` directory (decoded resources)
**AndroidManifest.xml Analysis:**
```xml
<?xml version="1.0" encoding="utf-8" standalone="no"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
android:compileSdkVersion="34"
android:compileSdkVersionCodename="14"
package="io.github.skylot.android.smallapp"
platformBuildVersionCode="34"
platformBuildVersionName="14">
<application android:allowBackup="true"
android:debuggable="true"
android:extractNativeLibs="false"
android:icon="@mipmap/ic_launcher"
android:label="@string/app_name"
android:supportsRtl="true">
<activity android:exported="true"
android:name="io.github.skylot.android.smallapp.MainActivity">
<intent-filter>
<action android:name="android.intent.action.MAIN"/>
<category android:name="android.intent.category.LAUNCHER"/>
</intent-filter>
</activity>
</application>
</manifest>
```
**Security Observations:**
-`android:debuggable="true"` - Debug mode enabled (security risk for production apps)
-`android:exported="true"` - Activity exported (could be a security risk)
-`android:allowBackup="true"` - Backup enabled (data could be extracted)
#### 3. Jadx Java Decompilation
```bash
jadx small.apk -d output/decompiled/small_apk_jadx/
```
**Decompiled Java Source Code:**
**MainActivity.java:**
```java
package io.github.skylot.android.smallapp;
import android.app.Activity;
import android.os.Bundle;
import android.util.Log;
public class MainActivity extends Activity {
@Override // android.app.Activity
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main);
Log.i("SmallApp", "Hello");
}
}
```
**R.java (Generated Resources Class):**
```java
package io.github.skylot.android.smallapp;
public final class R {
// Resources mapping
}
```
### 4. Binwalk Analysis
```bash
binwalk small.apk
```
**Output:**
```
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 Zip archive data, v0.0 compressed size: 52, uncompressed size: 56, name: META-INF/com/android/build/gradle/app-metadata.properties
139 0x8B Zip archive data, v0.0 compressed size: 724, uncompressed size: 1180, name: classes.dex
904 0x388 Zip archive data, v0.0 compressed size: 783, uncompressed size: 2148, name: AndroidManifest.xml
1736 0x6C8 Zip archive data, v0.0 compressed size: 305, uncompressed size: 568, name: res/drawable/ic_launcher_background.xml
2110 0x83E Zip archive data, v0.0 compressed size: 598, uncompressed size: 1268, name: res/drawable/ic_launcher_foreground.xml
2777 0xAD9 Zip archive data, v0.0 compressed size: 274, uncompressed size: 548, name: res/layout/activity_main.xml
3109 0xC25 Zip archive data, v0.0 compressed size: 238, uncompressed size: 548, name: res/mipmap-anydpi-v21/ic_launcher.xml
3414 0xD56 Zip archive data, v0.0 compressed size: 1696, uncompressed size: 1696, name: resources.arsc
5244 0x147C Certificate in DER format (x509 v3), header length: 4, sequence length: 740
9864 0x2688 End of Zip archive, footer length: 22
```
**Key Findings:**
- APK contains standard Android application structure
- Contains signing certificate (DER format)
- All resources properly compressed within ZIP archive
## iOS IPA Decompilation Results
### Sample IPA Analyzed: `test.ipa` (Demo file)
**File Structure Created for Demonstration:**
```
test.ipa
└── Payload/
└── TestApp.app/
├── TestApp (executable binary)
└── Info.plist (property list)
```
### Extraction Method:
```bash
unzip test.ipa -d output/decompiled/test_ipa_extracted/
```
**Info.plist Contents:**
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleName</key>
<string>TestApp</string>
</dict>
</plist>
```
## JavaScript Bundle Extraction Techniques
### For React Native Apps:
```bash
# Extract assets from APK
unzip app.apk assets/* -d extracted/
# Look for JavaScript bundles
find extracted/ -name "*.js" -o -name "*.jsbundle" -o -name "*.bundle"
# Common locations:
# - assets/index.android.bundle
# - assets/www/ (Cordova/PhoneGap)
# - res/raw/ (embedded JavaScript)
```
### For iOS Apps:
```bash
# Extract IPA
unzip app.ipa -d ipa_extracted/
# Look for JavaScript bundles
find ipa_extracted/ -name "*.js" -o -name "*.jsbundle" -o -name "*.bundle"
# React Native apps often have:
# - main.jsbundle
# - iOS bundle files in Frameworks/
```
## Security Analysis Checklist
### 1. Hardcoded Secrets
```bash
grep -r "API_KEY\|SECRET\|PASSWORD\|TOKEN\|KEY\|AUTH\|PASSWD" extracted/ --include="*.java" --include="*.js" --include="*.xml" --include="*.plist" --include="*.json"
```
### 2. Insecure Network Communications
```bash
grep -r "http://" extracted/ --include="*.java" --include="*.js" --include="*.xml"
grep -r "allowAllHostnames\|setHostnameVerifier\|TrustManager\|AllTrustManager" extracted/ --include="*.java"
```
### 3. Debug Flags and Development Settings
```bash
grep -r "BuildConfig.DEBUG\|isDebug\|debuggable\|develop" extracted/ --include="*.java" --include="*.xml"
```
### 4. Exportable Components (Android)
```bash
grep -r "android:exported=\"true\"" extracted/AndroidManifest.xml
grep -r "permission" extracted/AndroidManifest.xml
```
### 5. Binary Analysis
```bash
# Extract strings from binaries
strings Payload/*.app/* | grep -i "secret\|key\|token\|password"
# Check for debug symbols
nm -a Payload/*.app/executable | grep -i "debug\|test\|dev"
```
## Configuration Files Extraction
### Android:
- **AndroidManifest.xml**: App permissions, components, and configuration
- **resources.arsc**: Compiled resources
- **META-INF/**: Signing certificates and manifests
- **assets/**: Web assets, JavaScript, configuration files
### iOS:
- **Info.plist**: App configuration, permissions, URL schemes
- **embedded.mobileprovision**: Provisioning profile
- **Frameworks/**: Embedded frameworks and libraries
- **PlugIns/**: App extensions
## Practical Commands for Security Researchers
### 1. Extract All Files
```bash
# APK
unzip target.apk -d extracted_apk/
# or
apktool d target.apk -o decompiled_apk/
# IPA
unzip target.ipa -d extracted_ipa/
```
### 2. Decompile Java/Smali Code
```bash
# Decompile to Java
jadx target.apk -d java_source/
# Disassemble to Smali
apktool d target.apk -o smali_code/
```
### 3. Analyze Binaries
```bash
# iOS Mach-O binaries
file Payload/*.app/*
otool -l Payload/*.app/executable
# Android native libraries
file extracted/lib/*/*.so
strings extracted/lib/*/*.so | head -100
```
### 4. Search for Sensitive Information
```bash
# Search for URLs
grep -r "https://\|http://\|www\." extracted/ --include="*.java" --include="*.js" --include="*.xml"
# Search for keys and tokens
grep -r "key\|token\|secret\|password\|auth" extracted/ -i --include="*.java" --include="*.js"
# Search for IP addresses
grep -r "\b\d\{1,3\}\.\d\{1,3\}\.\d\{1,3\}\.\d\{1,3\}\b" extracted/ --include="*.java" --include="*.js"
```
### 5. Analyze Certificates and Signing
```bash
# Android
keytool -printcert -file extracted/META-INF/CERT.RSA
# iOS codesign
codesign -dvvv Payload/*.app/
codesign --display --verbose=4 Payload/*.app/
```
## Output Structure
All decompilation outputs are organized in:
```
/root/work/mission-5c260e59/output/
├── decompiled/
│ ├── small_apk_jadx/ # Jadx Java decompilation
│ ├── small_apk_apktool/ # Apktool resource decoding
│ ├── small_apk_unzip/ # Direct ZIP extraction
│ └── test_ipa_extracted/ # IPA extraction
├── decompilation_guide.md # Comprehensive guide
└── decompilation_report.md # This report
```
## Key Findings from Sample APK
1. **Application Structure**: Simple Android app with single Activity
2. **Security Issues**:
- Debug flag enabled (`android:debuggable="true"`)
- Activity exported (`android:exported="true"`)
3. **Code Analysis**: Minimal Java code with basic logging
4. **Resources**: Standard Android resource structure with vector drawables
5. **Build Info**: Compiled with SDK 34 (Android 14)
## Recommendations
1. **For Production Apps**:
- Disable debug flag (`android:debuggable="false"`)
- Review exported components and permissions
- Remove hardcoded secrets before building
- Enable code obfuscation (ProGuard/R8)
2. **For Security Analysis**:
- Always start with `jadx` for Java source recovery
- Use `apktool` for resource decoding and Smali analysis
- Extract with `unzip` for quick file access
- Use `binwalk` for embedded file discovery
- Combine tools for comprehensive analysis
3. **Automation**:
```bash
# Script to analyze APK/IPA
#!/bin/bash
FILE=$1
OUTPUT_DIR="analysis_$(date +%Y%m%d_%H%M%S)"
mkdir -p $OUTPUT_DIR
if [[ $FILE == *.apk ]]; then
unzip $FILE -d $OUTPUT_DIR/unzip/
apktool d $FILE -o $OUTPUT_DIR/apktool/
jadx $FILE -d $OUTPUT_DIR/jadx/
elif [[ $FILE == *.ipa ]]; then
unzip $FILE -d $OUTPUT_DIR/unzip/
fi
# Run security checks
grep -r "key\|secret\|token" $OUTPUT_DIR/ -i > $OUTPUT_DIR/secrets.txt
```
## Conclusion
The decompilation tools successfully extracted source code, resources, and configuration files from both Android APK and iOS IPA files. The process demonstrates:
1. **Android APK Analysis**: Complete Java source recovery, resource extraction, and manifest analysis
2. **iOS IPA Analysis**: File structure extraction and configuration file analysis
3. **Security Assessment**: Identification of debug flags, exported components, and potential vulnerabilities
4. **Tool Integration**: Multiple tools used together for comprehensive analysis
This setup provides a complete environment for mobile application security assessment and code review.

149
reports/bitget-audit/deepseek-final-summary.md Normal file
View File

@@ -0,0 +1,149 @@
# Final Security Analysis Summary: web3.bitget.com
## Analysis Date
December 20, 2025
## Website Overview
**web3.bitget.com** is the official website for Bitget Wallet, a cryptocurrency wallet service with multi-chain support. The site appears to be built with Vue.js/Nuxt.js framework and serves as a landing page for wallet downloads and information.
## Critical Security Findings
### 1. Content Security Policy (CSP) Vulnerabilities
**Severity: HIGH**
#### Major Issues:
1. **`unsafe-eval` directive allowed** - Enables execution of arbitrary code via eval()
2. **`unsafe-inline` directive allowed** - Allows inline scripts, reducing XSS protection
3. **Extensive domain allowlist** - Over 60 domains allowed, increasing attack surface
4. **Report-Only Mode** - CSP violations are reported but not blocked
5. **Non-standard ports** - Allows `ta.bitkeep.buzz:8993` (potentially insecure)
#### Risk Impact:
- XSS attacks could execute malicious scripts
- Code injection vulnerabilities easier to exploit
- Supply chain attacks via compromised third-party domains
### 2. Third-Party Script Dependencies
**Severity: MEDIUM**
#### Concerns:
1. **Multiple Chinese CDNs**: `jjdsn.vip`, `bitkeep.vip`, `bjxnyj.com`
2. **Unfamiliar domains**: `broearn.com`, various `bwb.*` domains, `noxiaohao.com`
3. **Mixed content sources**: Chinese and international services mixed
#### Risk Impact:
- Dependency on potentially untrusted third parties
- Data leakage risks through analytics/tracking
- Supply chain attacks if any CDN is compromised
### 3. Missing Security Headers
**Severity: MEDIUM**
#### Missing Headers:
1. **X-Frame-Options**: No protection against clickjacking (though CSP frame-ancestors provides some)
2. **Permissions-Policy**: No restrictions on browser features (camera, microphone, geolocation, etc.)
3. **X-XSS-Protection**: Not present (less critical with modern CSP)
### 4. JavaScript Analysis
**Severity: LOW-MEDIUM**
#### Findings:
1. **Minified/obfuscated code**: Standard practice but makes code review difficult
2. **Large inline state object**: `window.__NUXT__` contains application state
3. **Multiple external scripts**: 20+ JavaScript files from CDN
4. **No obvious malicious patterns**: No clear evidence of malware in sampled scripts
### 5. Configuration Files
**Severity: LOW**
#### Positive Findings:
✅ Common sensitive files (`.env`, `.git/config`, `package.json`) return 404
`robots.txt` properly configured
✅ No exposed API keys or secrets in HTML
## Domain Trust Analysis
### Trusted/Reputable Domains:
- `*.google.com`, `*.googleapis.com` (Google services)
- `*.bitget.com` (own domain)
- `*.walletconnect.org` (established crypto service)
- `firebase.googleapis.com` (Google Firebase)
### Potentially Risky Domains Requiring Verification:
- `*.jjdsn.vip` (primary CDN - ownership unknown)
- `*.bitkeep.*` domains (related but separate entity)
- `*.bwb.*` domains (purpose unclear)
- `broearn.com` (unknown service)
- `noxiaohao.com` (CSP reporting endpoint)
- `geetest.com`, `geevisit.com`, `gsensebot.com` (captcha services)
### High-Risk Indicators:
1. `ta.bitkeep.buzz:8993` - Non-standard port usage
2. Multiple unfamiliar Chinese domains
3. Overly permissive CSP with `unsafe-eval` and `unsafe-inline`
## Security Scorecard
| Category | Score (0-10) | Notes |
|----------|--------------|-------|
| **CSP Configuration** | 3/10 | `unsafe-eval`, `unsafe-inline`, report-only mode |
| **HTTP Headers** | 6/10 | Missing X-Frame-Options, Permissions-Policy |
| **Third-party Dependencies** | 4/10 | Many unfamiliar domains, mixed sources |
| **Code Security** | 7/10 | No obvious vulnerabilities found |
| **Configuration Hardening** | 8/10 | Sensitive files not exposed |
| **Overall Security Posture** | 5.6/10 | **MEDIUM RISK** |
## Recommendations by Priority
### IMMEDIATE ACTION REQUIRED (Critical):
1. **Remove `unsafe-eval` from CSP** - Refactor code to avoid eval(), Function(), setTimeout/setInterval with strings
2. **Remove `unsafe-inline` from CSP** - Move inline scripts to external files
3. **Enable CSP enforcement** - Switch from report-only to enforced mode
4. **Audit all third-party domains** - Verify ownership and security of each allowed domain
### SHORT-TERM (Within 1 month):
5. **Reduce domain allowlist** - Remove unnecessary domains from CSP
6. **Add X-Frame-Options header** - Additional clickjacking protection
7. **Add Permissions-Policy header** - Restrict sensitive browser features
8. **Implement Subresource Integrity (SRI)** - Add integrity attributes to external scripts
### MEDIUM-TERM (Within 3 months):
9. **Consolidate CDN usage** - Reduce number of CDN providers
10. **Regular security audits** - Ongoing monitoring of dependencies
11. **CSP monitoring** - Review reports from `log.noxiaohao.com`
12. **Code review** - Security audit of JavaScript bundles
### LONG-TERM (Ongoing):
13. **Implement Web Application Firewall (WAF)** - Additional protection layer
14. **Regular penetration testing** - External security assessments
15. **Bug bounty program** - Encourage responsible disclosure
16. **Security training** - Development team security awareness
## Technical Details
### Architecture:
- **Framework**: Vue.js/Nuxt.js (server-side rendered)
- **CDN**: Multiple (`static-web.jjdsn.vip`, `cdn.bitkeep.vip`)
- **Analytics**: Google Analytics, Firebase
- **Blockchain Integration**: Multi-chain support (Ethereum, Polygon, BSC, Tron, etc.)
- **Language Support**: 20+ languages
### Infrastructure:
- **Server**: Cloudflare
- **SSL/TLS**: HTTPS enforced with HSTS
- **Cookies**: Secure, HttpOnly, SameSite=None flags set
- **Cache**: No-cache headers for sensitive content
## Conclusion
**web3.bitget.com** implements basic security measures but has significant CSP weaknesses that could expose users to XSS attacks. The extensive third-party dependencies and permissive CSP directives (`unsafe-eval`, `unsafe-inline`) represent the most critical vulnerabilities.
**Overall Risk Level: MEDIUM-HIGH**
The website processes cryptocurrency wallet information, making security paramount. While no active exploits were found, the security posture could be significantly improved by addressing the CSP weaknesses and reducing third-party dependencies.
## Files Generated:
1. `/root/work/mission-5c260e59/output/security_analysis_report.md` - Detailed technical analysis
2. `/root/work/mission-5c260e59/output/csp_domain_analysis.md` - Domain-by-domain CSP analysis
3. `/root/work/mission-5c260e59/output/index_en.html` - Downloaded website HTML
4. `/root/work/mission-5c260e59/output/final_analysis_summary.md` - This summary report

222
reports/bitget-audit/deepseek-security-analysis.md Normal file
View File

@@ -0,0 +1,222 @@
# Static Security Analysis Report: web3.bitget.com
## Executive Summary
A comprehensive security analysis of `web3.bitget.com` was conducted, focusing on Content Security Policy (CSP), JavaScript vulnerabilities, and configuration files. The website appears to be a legitimate cryptocurrency wallet service (Bitget Wallet) with reasonable security measures but some notable vulnerabilities.
## 1. Content Security Policy (CSP) Analysis
### CSP Header (Report-Only Mode)
The site uses a **Content-Security-Policy-Report-Only** header, which means violations are reported but not blocked.
### Key CSP Directives:
#### **script-src** (Critical Findings):
-**Good**: Includes 'self' directive
- ⚠️ **High Risk**: Allows `'unsafe-eval'` and `'unsafe-inline'`
- ⚠️ **Moderate Risk**: Allows `blob:` and `data:` protocols
- ⚠️ **Moderate Risk**: Extensive allowlist of 60+ external domains including:
- `*.youtube.com`
- `firebase.googleapis.com`
- `*.bitkeep.fun`
- `*.bitget.cloud`
- `keepshare.xyz`
- `gasutopia.com`
- `bitkeep.com`
- `*.facebook.net`
- `api.nileex.io`
- `keepshare.info`
- `*.google.com`
- `share.bitkeep.shop`
- `*.bitkeep.com`
- `ta.bitkeep.buzz:8993` (non-standard port)
- `bitkeep.io`
- `*.bitkeep.io`
- `www.google-analytics.com`
- `fp-constantid.bitkeep.vip`
- `*.bitkeep.page`
- `*.bjxnyj.com`
- `bitkeep.org`
- `*.bitgetstatic.com`
- `share.bwb.live`
- `*.bitkeep.vip`
- `*.bitget.site`
- `*.bitgetpro.site`
- `api.shasta.trongrid.io`
- `s3.infcrypto.com`
- `*.bitkeep.me`
- `*.jjdsn.vip`
- `*.mytokenpocket.vip`
- `sun.tronex.io`
- `goldshare.me`
- `*.bitget.com`
- `firebaseinstallations.googleapis.com`
- `www.googletagmanager.com`
- `*.googleapis.com`
- `share.bwb.site`
- `stats.g.doubleclick.net`
- `rpc-wallet.broearn.com`
- `api.trongrid.io`
- `*.bknode.vip`
- `cdn.bootcdn.net`
- `search.imtt.qq.com`
- `api-web.wwmxd.info`
- `api-web.wwmxd.site`
- `www.recaptcha.net`
- `ordinals.com`
- `www.gstatic.cn`
- `www.gstatic.com`
- `log.noxiaohao.com`
- `*.geetest.com`
- `*.geevisit.com`
- `*.gsensebot.com`
- `share.bwb.online`
- `share.bwb.global`
- `share.bwb.win`
- `share.bwb.inc`
- `share.bwb.space`
- `*.walletconnect.org`
- `wss://*.walletconnect.org`
- `https://*.walletconnect.com`
#### **connect-src**: Similar extensive allowlist with additional blockchain RPC endpoints
#### **frame-src**: Allows framing from multiple domains
#### **frame-ancestors**: Allows embedding from specific domains
#### **report-uri**: `https://log.noxiaohao.com/v1/buried/log/cspSecurity`
### CSP Security Issues:
1. **`unsafe-eval` and `unsafe-inline`**: These directives significantly reduce CSP effectiveness against XSS attacks.
2. **Extensive Domain Allowlist**: Overly permissive policy increases attack surface.
3. **Mixed Content**: Allows both HTTP and HTTPS sources (though most are HTTPS).
4. **Non-standard Ports**: Allows `ta.bitkeep.buzz:8993` (non-standard port).
5. **Report-Only Mode**: Policy violations are only reported, not blocked.
## 2. HTTP Security Headers
### Present Headers:
-`Strict-Transport-Security: max-age=15768000;includeSubDomains;preload`
- Good: Enforces HTTPS with long max-age and includes subdomains
-`X-Content-Type-Options: nosniff`
- Good: Prevents MIME type sniffing
-`Referrer-Policy: unsafe-url`
- Moderate: Sends full URL in Referer header (privacy concern)
### Missing Headers:
-**X-Frame-Options**: Not present (CSP frame-ancestors provides some protection)
-**X-XSS-Protection**: Not present (modern browsers ignore this in favor of CSP)
-**Permissions-Policy**: Not present (could restrict sensitive browser features)
-**Cache-Control**: Present but `no-cache` (could be more restrictive for sensitive content)
## 3. JavaScript Analysis
### Script Sources:
1. **Google Analytics**: `https://www.googletagmanager.com/gtag/js?id=G-BW4GVE68H3`
2. **Multiple Static Assets**: From `static-web.jjdsn.vip` (20+ JavaScript files)
3. **Inline JavaScript**: Large `window.__NUXT__` object with application state
### JavaScript Vulnerabilities:
1. **`unsafe-eval` Usage**: The CSP allows `unsafe-eval`, suggesting eval() or similar functions may be used.
2. **Inline Scripts**: Despite CSP allowing `unsafe-inline`, most scripts are external.
3. **Base64 Data URLs**: Multiple images embedded as base64 data URLs.
### Third-Party Dependencies:
- Google Analytics
- Firebase services
- Multiple Chinese CDNs (`jjdsn.vip`, `bitkeep.vip`)
- Various blockchain/crypto services
- reCAPTCHA
- WalletConnect services
## 4. Configuration Files Analysis
### robots.txt Analysis:
✅ Well-configured robots.txt allowing legitimate crawlers including:
- AI/LLM crawlers (Anthropic, Claude, GPTBot, etc.)
- Search engines (Googlebot, Baiduspider, etc.)
- Disallows sensitive paths (`/dapp/browsinghistory`, `/dapp/collect`, `/dapp/searchresults`)
### Missing/Protected Files:
- `.git/config`: 404 Not Found (good)
- `phpinfo.php`: 404 Not Found (good)
- `README.md`: 404 Not Found (good)
- `package.json`: 404 Not Found (good)
- `.env`: 404 Not Found (good)
## 5. Source Code Analysis
### HTML Structure:
- Modern Vue.js/Nuxt.js application (server-side rendered)
- Uses `data-v-*` attributes for Vue.js scoped styling
- Multiple language support (20+ languages)
- Responsive design with mobile support
### External Resource Domains:
1. **Primary CDN**: `static-web.jjdsn.vip`
2. **Asset CDN**: `cdn.bitkeep.vip`
3. **Analytics**: Google services (Tag Manager, Analytics, DoubleClick)
4. **Blockchain**: Multiple blockchain RPC endpoints
5. **Third-party Services**: Various Chinese domains for tracking/analytics
### Potential Issues:
1. **Multiple Unfamiliar Domains**: Several domains like `*.jjdsn.vip`, `*.bitkeep.*`, `*.bwb.*` raise questions about ownership and security
2. **Mixed Chinese/English Services**: Chinese CDNs mixed with international services
3. **Extensive Third-party Dependencies**: Increases supply chain attack surface
## 6. Security Recommendations
### Critical (High Priority):
1. **Remove `unsafe-eval` from CSP**: Refactor code to avoid eval(), Function(), setTimeout/setInterval with strings
2. **Remove `unsafe-inline` from CSP**: Move inline scripts to external files
3. **Reduce Domain Allowlist**: Restrict to essential domains only
4. **Enable CSP Enforcement**: Switch from `report-only` to enforced mode
### Important (Medium Priority):
5. **Add X-Frame-Options Header**: As additional protection against clickjacking
6. **Add Permissions-Policy Header**: Restrict access to sensitive browser features
7. **Implement Subresource Integrity (SRI)**: Add integrity attributes to external scripts
8. **Audit Third-party Scripts**: Review all external JavaScript for security implications
### Recommended (Low Priority):
9. **Implement Certificate Transparency**: Monitor for fraudulent certificates
10. **Regular Security Audits**: Ongoing monitoring of dependencies
11. **Content Security Policy Testing**: Regular testing with tools like CSP Evaluator
12. **Reduce Cookie Scope**: Review SameSite cookie settings
## 7. Technical Details
### Server Information:
- **Server**: Cloudflare
- **Framework**: Vue.js/Nuxt.js
- **CDN**: Multiple Chinese CDNs
- **Analytics**: Google Analytics, Firebase
- **Blockchain Integration**: Multiple chains (Ethereum, Polygon, BSC, etc.)
### SSL/TLS Configuration:
- HTTPS enforced via HSTS
- Cloudflare-managed SSL
- Includes subdomains in HSTS
## 8. Risk Assessment
### Overall Risk Score: 6/10 (Moderate-High)
**Factors Contributing to Risk:**
1. **CSP Weaknesses**: `unsafe-eval` and `unsafe-inline` directives
2. **Extensive Third-party Dependencies**: Increases attack surface
3. **Mixed Content Sources**: Chinese and international CDNs
4. **Report-Only CSP**: Violations not blocked
**Mitigating Factors:**
1. **HTTPS Enforcement**: Strong HSTS policy
2. **Modern Framework**: Vue.js/Nuxt.js with SSR
3. **Cloudflare Protection**: DDoS and WAF protection likely
4. **No Exposed Config Files**: Common sensitive files return 404
## Conclusion
The website implements several security measures but has significant CSP weaknesses that could expose users to XSS attacks. The extensive allowlist of third-party domains and permissive CSP directives (`unsafe-eval`, `unsafe-inline`) represent the most critical vulnerabilities.
**Recommendation**: Implement a stricter CSP policy, reduce third-party dependencies, and enable CSP enforcement mode to provide actual protection rather than just reporting.

14
src/agents/leaf/executor.rs
View File

@@ -175,12 +175,10 @@ impl TaskExecutor {
None => return String::new(),
};
// In mission mode, skip cross-mission chunks to prevent contamination
let is_mission_mode = ctx.mission_id.is_some();
// In mission mode, filter memory to current mission to prevent contamination
let builder = ContextBuilder::new(&ctx.config.context, &ctx.working_dir_str());
let memory_ctx = builder
.build_memory_context_with_options(memory, task_description, is_mission_mode)
.build_memory_context_with_options(memory, task_description, ctx.mission_id)
.await;
memory_ctx.format()
}
@@ -501,11 +499,13 @@ Use `search_memory` when you encounter a problem you might have solved before or
.await;
}
// Try MCP tools
// Try MCP tools (tool names are prefixed, need to strip for actual call)
if let Some(mcp) = &ctx.mcp {
if let Some(mcp_tool) = mcp.find_tool(tool_name).await {
tracing::debug!("Routing tool call '{}' to MCP server", tool_name);
return mcp.call_tool(mcp_tool.mcp_id, tool_name, args).await;
// Strip the MCP prefix to get the original tool name for the call
let original_name = crate::mcp::McpRegistry::strip_prefix(tool_name);
tracing::debug!("Routing tool call '{}' -> '{}' to MCP server", tool_name, original_name);
return mcp.call_tool(mcp_tool.mcp_id, &original_name, args).await;
}
}

57
src/mcp/registry.rs
View File

@@ -22,6 +22,17 @@ use super::types::*;
/// MCP protocol version we support
const MCP_PROTOCOL_VERSION: &str = "2024-11-05";
/// Sanitize MCP server name to create a valid function name prefix.
///
/// Converts names like "filesystem" or "My Server" to lowercase alphanumeric.
fn sanitize_mcp_prefix(name: &str) -> String {
name.chars()
.filter(|c| c.is_alphanumeric() || *c == '_' || *c == '-')
.collect::<String>()
.to_lowercase()
.replace('-', "_")
}
/// Handle for a stdio MCP process
struct StdioProcess {
child: Child,
@@ -714,6 +725,9 @@ impl McpRegistry {
}
/// List all tools from all connected MCPs.
///
/// Tool names are prefixed with the MCP server name to avoid conflicts
/// with built-in tools (e.g., `filesystem_read_file` instead of `read_file`).
pub async fn list_tools(&self) -> Vec<McpTool> {
let states = self.states.read().await;
let disabled = self.disabled_tools.read().await;
@@ -721,13 +735,24 @@ impl McpRegistry {
let mut tools = Vec::new();
for state in states.values() {
if state.config.enabled && state.status == McpStatus::Connected {
// Derive prefix from MCP server name (sanitized for function names)
let prefix = sanitize_mcp_prefix(&state.config.name);
for descriptor in &state.config.tool_descriptors {
// Prefix tool name with MCP server name to avoid conflicts
let prefixed_name = format!("{}_{}", prefix, descriptor.name);
let prefixed_description = format!(
"[{}] {}",
state.config.name,
descriptor.description
);
tools.push(McpTool {
name: descriptor.name.clone(),
description: descriptor.description.clone(),
name: prefixed_name.clone(),
description: prefixed_description,
parameters_schema: descriptor.input_schema.clone(),
mcp_id: state.config.id,
enabled: !disabled.contains(&descriptor.name),
enabled: !disabled.contains(&descriptor.name) && !disabled.contains(&prefixed_name),
});
}
}
@@ -750,18 +775,24 @@ impl McpRegistry {
!self.disabled_tools.read().await.contains(name)
}
/// Find a tool by name and return its MCP ID if found.
/// Find a tool by name (prefixed) and return its MCP ID if found.
///
/// Tool names should be in prefixed format (e.g., `filesystem_read_file`).
pub async fn find_tool(&self, name: &str) -> Option<McpTool> {
let states = self.states.read().await;
let disabled = self.disabled_tools.read().await;
for state in states.values() {
if state.config.enabled && state.status == McpStatus::Connected {
let prefix = sanitize_mcp_prefix(&state.config.name);
for descriptor in &state.config.tool_descriptors {
if descriptor.name == name && !disabled.contains(&descriptor.name) {
let prefixed_name = format!("{}_{}", prefix, descriptor.name);
if prefixed_name == name && !disabled.contains(&descriptor.name) && !disabled.contains(&prefixed_name) {
return Some(McpTool {
name: descriptor.name.clone(),
description: descriptor.description.clone(),
name: prefixed_name,
description: format!("[{}] {}", state.config.name, descriptor.description),
parameters_schema: descriptor.input_schema.clone(),
mcp_id: state.config.id,
enabled: true,
@@ -772,6 +803,18 @@ impl McpRegistry {
}
None
}
/// Get the original (unprefixed) tool name for an MCP call.
///
/// When calling the MCP server, we need to use the original tool name.
pub fn strip_prefix(prefixed_name: &str) -> String {
// Find the first underscore and return everything after it
if let Some(idx) = prefixed_name.find('_') {
prefixed_name[idx + 1..].to_string()
} else {
prefixed_name.to_string()
}
}
/// Get tool schemas in LLM-compatible format for all connected MCP tools.
pub async fn get_tool_schemas(&self) -> Vec<crate::llm::ToolDefinition> {

44
src/memory/context.rs
View File

@@ -159,27 +159,33 @@ impl<'a> ContextBuilder<'a> {
/// Build memory context (async, requires memory system).
///
/// If `skip_cross_mission_chunks` is true, past task chunks are not retrieved.
/// This prevents context contamination between parallel missions.
/// This is the default mode that retrieves all available memory context.
/// For mission-isolated context, use `build_memory_context_with_options` with a mission_id.
pub async fn build_memory_context(
&self,
memory: &crate::memory::MemorySystem,
task_description: &str,
) -> MemoryContext {
self.build_memory_context_with_options(memory, task_description, false).await
self.build_memory_context_with_options(memory, task_description, None).await
}
/// Build memory context with options for mission isolation.
///
/// If `mission_id` is provided, memory is filtered to that mission only:
/// - Past task chunks are skipped (no cross-mission contamination)
/// - Mission summaries are filtered to the current mission only
/// - User facts are still included (intentionally shared)
pub async fn build_memory_context_with_options(
&self,
memory: &crate::memory::MemorySystem,
task_description: &str,
skip_cross_mission_chunks: bool,
mission_id: Option<uuid::Uuid>,
) -> MemoryContext {
let mut ctx = MemoryContext::default();
let is_mission_mode = mission_id.is_some();
// 1. Search for relevant past task chunks (skip in mission mode to prevent contamination)
if !skip_cross_mission_chunks {
if !is_mission_mode {
if let Ok(chunks) = memory
.retriever
.search(
@@ -198,7 +204,7 @@ impl<'a> ContextBuilder<'a> {
}
}
// 2. Get user facts
// 2. Get user facts (always included - intentionally shared across missions)
if let Ok(facts) = memory
.supabase
.get_all_user_facts(self.config.user_facts_limit)
@@ -210,15 +216,23 @@ impl<'a> ContextBuilder<'a> {
}
}
// 3. Get recent mission summaries
if let Ok(summaries) = memory
.supabase
.get_recent_mission_summaries(self.config.mission_summaries_limit)
.await
{
for summary in summaries {
ctx.mission_summaries.push((summary.success, summary.summary));
}
// 3. Get mission summaries (filtered by mission in mission mode)
let summaries = if let Some(mid) = mission_id {
// In mission mode: only get summaries from THIS mission
memory.supabase
.get_mission_summaries_for_mission(mid, self.config.mission_summaries_limit)
.await
.unwrap_or_default()
} else {
// Regular mode: get recent summaries from all missions
memory.supabase
.get_recent_mission_summaries(self.config.mission_summaries_limit)
.await
.unwrap_or_default()
};
for summary in summaries {
ctx.mission_summaries.push((summary.success, summary.summary));
}
ctx

20
src/memory/supabase.rs
View File

@@ -841,5 +841,25 @@ impl SupabaseClient {
Ok(resp.json().await?)
}
/// Get mission summaries for a specific mission only.
pub async fn get_mission_summaries_for_mission(&self, mission_id: uuid::Uuid, limit: usize) -> anyhow::Result<Vec<MissionSummary>> {
let resp = self.client
.get(format!(
"{}/mission_summaries?mission_id=eq.{}&order=created_at.desc&limit={}",
self.rest_url(), mission_id, limit
))
.header("apikey", &self.service_role_key)
.header("Authorization", format!("Bearer {}", self.service_role_key))
.send()
.await?;
if !resp.status().is_success() {
let text = resp.text().await?;
anyhow::bail!("Failed to get mission summaries for mission {}: {}", mission_id, text);
}
Ok(resp.json().await?)
}
}