Autonomous AI security testing suite for animal advocacy infrastructure.
Tests all Open Paws repos for vulnerabilities before deployment. Runs in CI/CD on every PR across Open Paws repositories.
Animal advocacy infrastructure faces three distinct adversaries. This scanner tests for each.
Ag-gag laws criminalize undercover investigation of agricultural operations. Law enforcement using subpoenas, warrants, and device seizure can compel disclosure of investigation data. This scanner checks:
- Ag-gag exposure (`src/advocacy/ag_gag_exposure.py`) — unencrypted logging, browser storage, and third-party telemetry that could expose investigation workflows to legal discovery
- RLS policy gaps — Supabase row-level security misconfigurations that could expose investigation records under compelled disclosure
Corporate investigators posing as volunteers, social engineering against coalition members. This scanner checks:
- Supabase RLS validation (`src/advocacy/rls_checker.py`) — verifies activist data is properly isolated, anonymous access is blocked on sensitive tables, and all policies include `user_id` scoping
- Prompt injection (`src/advocacy/prompt_injection.py`) — AI agent code paths where user-controlled input reaches LLM prompts without sanitization
- White-box invariant analysis (`src/red_team/white_box.py`) — verifies investigation data isolation, activist identity protection, and coalition data sharing boundary enforcement
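The RLS checks described above, as an added illustration that is not the project's own `rls_checker.py`: it parses `CREATE POLICY` statements from a constructed Supabase migration and flags anonymous access to sensitive tables, policies without `user_id`/`auth.uid()` scoping, and tables that never enable row-level security. The sensitive-table list and the SQL are assumptions for the example.

```python
import re

# Constructed sample migration (not from any Open Paws repo): one correct policy,
# one anon-readable policy on a sensitive table, one unscoped policy, and one
# table with a policy but no ENABLE ROW LEVEL SECURITY statement.
SAMPLE_SQL = """
ALTER TABLE investigations ENABLE ROW LEVEL SECURITY;
CREATE POLICY inv_owner ON investigations FOR SELECT TO authenticated
  USING (user_id = auth.uid());
CREATE POLICY inv_public ON investigations FOR SELECT TO anon USING (true);
ALTER TABLE volunteers ENABLE ROW LEVEL SECURITY;
CREATE POLICY vol_all ON volunteers FOR ALL TO authenticated USING (true);
CREATE POLICY evidence_read ON evidence FOR SELECT TO authenticated
  USING (user_id = auth.uid());
"""

SENSITIVE_TABLES = {"investigations", "volunteers", "evidence"}  # assumed list
SCOPE_RE = re.compile(r"auth\.uid\(\)|user_id", re.IGNORECASE)
POLICY_RE = re.compile(
    r"CREATE\s+POLICY\s+(\w+)\s+ON\s+(\w+)(?:\s+FOR\s+\w+)?"
    r"(?:\s+TO\s+([\w,\s]+?))?\s+(?:USING|WITH\s+CHECK)\s*\((.*?)\)\s*;",
    re.IGNORECASE | re.DOTALL,
)
ENABLE_RE = re.compile(r"ALTER\s+TABLE\s+(\w+)\s+ENABLE\s+ROW\s+LEVEL\s+SECURITY", re.IGNORECASE)


def check_rls(sql: str) -> list[dict]:
    """Return one finding dict per RLS weakness found in the migration text."""
    findings = []
    enabled = {m.group(1).lower() for m in ENABLE_RE.finditer(sql)}
    tables_with_policies = set()
    for name, table, roles, expr in POLICY_RE.findall(sql):
        table = table.lower()
        tables_with_policies.add(table)
        # Postgres grants a policy to PUBLIC when the TO clause is omitted.
        roles = {r.strip().lower() for r in (roles or "public").split(",")}
        if table in SENSITIVE_TABLES and roles & {"anon", "public"}:
            findings.append({"policy": name, "table": table, "severity": "HIGH",
                             "issue": "anonymous access to sensitive table"})
        if not SCOPE_RE.search(expr):
            findings.append({"policy": name, "table": table, "severity": "HIGH",
                             "issue": "policy expression lacks user_id/auth.uid() scoping"})
    # A policy on a table that never enables RLS is silently ignored by Postgres.
    for table in sorted(tables_with_policies - enabled):
        findings.append({"policy": None, "table": table, "severity": "HIGH",
                         "issue": "table never enables row level security"})
    return findings


if __name__ == "__main__":
    for f in check_rls(SAMPLE_SQL):
        print(f"[{f['severity']}] {f['table']}.{f['policy']}: {f['issue']}")
```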
Training data encodes speciesist defaults. Industry actors may attempt to manipulate AI agents through prompt injection. This scanner checks:
- Speciesist bypass testing (`src/advocacy/speciesist_bypass.py`) — system prompts and agent configs for language bypass vectors; checks that no-animal-violence enforcement is in the call path
- Prompt injection payloads — categorized by adversary class including speciesist bypass, data exfiltration, and safety override attempts
```bash
# Install
pip install git+https://github.com/Open-Paws/open-paws-ai-security.git

# Scan a repo
python -m src.scanner.pipeline --target /path/to/repo

# CI mode (fails on HIGH+ findings)
python -m src.scanner.pipeline --target . --ci --fail-on HIGH

# External audit mode (requires authorization confirmation)
python -m src.scanner.pipeline --target https://target.example.com --mode external
```

Add to any Open Paws repo's `.github/workflows/` directory:
```yaml
name: Security Scan
on:
  pull_request:
    branches: [main]
jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.11'
      - run: pip install git+https://github.com/Open-Paws/open-paws-ai-security.git
      - run: python -m src.scanner.pipeline --target . --ci --fail-on HIGH
```

A pre-built workflow is available in `.github/workflows/security-scan.yml`.
The MCP server exposes all scanner capabilities to any Claude agent, including Gary.
```json
{
  "mcpServers": {
    "open-paws-ai-security": {
      "command": "python",
      "args": ["-m", "src.mcp_server.server"]
    }
  }
}
```

Available MCP tools:

- `scan_repo` — full security scan of a local repo
- `check_rls` — Supabase RLS policy validation
- `check_prompt_injection` — AI agent injection vector analysis
- `check_speciesist_bypass` — speciesist language bypass detection
- `check_ag_gag_exposure` — investigation data exposure detection
```text
src/
├── scanner/                # Main orchestration (adapted from agentic-security + hexstrike-ai)
│   ├── pipeline.py         # Three-phase scan: recon → test → report
│   ├── tools.py            # Tool registry
│   └── agents.py           # Agent team: ReconAgent, StaticAnalysisAgent, ScannerAgentTeam
├── red_team/               # Autonomous red-teaming (adapted from strix + shannon + redamon)
│   ├── recon.py            # Recon chain — maps attack surface (redamon pattern)
│   ├── poc_validator.py    # PoC validation — reduces false positives (strix pattern)
│   └── white_box.py        # Invariant analysis — application-level security rules (shannon pattern)
├── mcp_server/             # MCP server exposing findings
│   └── server.py
├── advocacy/               # Open Paws specific checks
│   ├── rls_checker.py      # Supabase RLS policy validation
│   ├── prompt_injection.py # AI agent prompt injection tests
│   ├── ag_gag_exposure.py  # Investigation data exposure detection
│   └── speciesist_bypass.py # Speciesist language bypass testing
└── ci/
    └── github_action.py    # CI/CD integration utilities
```
This scanner was built by adapting patterns and approaches from:
| Project | Authors | What we adapted |
|---|---|---|
| hexstrike-ai | 0x4m4 | MCP-compatible framework, 150+ tool registry architecture, 12-agent coordination model |
| strix | usestrix | PoC validation engine — only report confirmed findings, dynamic testing approach |
| agentic-security | ruvnet | CI/CD security pipeline, auto-remediation patterns, DevSecOps integration |
| redamon | samugit83 | Recon → exploitation → post-exploitation chain, parallel agent pipeline |
| shannon | Keygraph | White-box source code analysis, application invariant detection, CPG-based analysis |
See `docs/threat-model.md` for:
- Full adversary profiles and attack vectors
- What this tool tests and what it does not
- Severity classification rationale
- Limitations and responsible use
This tool is designed for:
- Internal testing of Open Paws infrastructure
- Authorized external audits (requires explicit authorization confirmation)
- Security research on systems you own or have written permission to test
Never use external audit mode against systems without explicit authorization. Unauthorized security testing is illegal and unethical.
Issues and pull requests welcome. Priority areas:
- Integrating the full hexstrike-ai tool registry
- Adding strix PoC validation for live endpoints
- Adding redamon's full recon chain
- Dynamic prompt injection testing against live AI agent endpoints
See GitHub Issues for the full backlog.