v0.1.0 - Bawbel Scanner: initial release

[chaksaray]

Open-source CLI scanner for agentic AI components — SKILL.md files, MCP servers,
system prompts, and plugins. Detects vulnerabilities mapped to the
AVE standard before they reach production.

---

Install

pip install bawbel-scanner

---

What's included

CLI commands

• bawbel scan — scan a file or directory, with --recursive, --fail-on-severity, and --format text|json|sarif
• bawbel report — full remediation guide per finding: AVE ID, CVSS-AI score, OWASP mapping, exact fix instructions
• bawbel version — show installed version and active detection engine status
• bawbel --version — quick version string for CI scripts

Detection — 15 built-in pattern rules

Severity	Count	Rules
CRITICAL	3	external fetch (AVE-2026-00001), destructive command, crypto drain
HIGH	10	goal override, jailbreak, hidden instruction, tool call injection, permission escalation, credential exfiltration (AVE-2026-00003), PII exfiltration, shell pipe, persistence, MCP tool poisoning (AVE-2026-00002)
MEDIUM	2	trust escalation, system prompt extraction

All 15 rules run with zero dependencies — just Python and pip.

Detection engines

• Stage 1a: Pattern matching — stdlib only, always active
• Stage 1b: YARA — pip install "bawbel-scanner[yara]"
• Stage 1c: Semgrep — pip install "bawbel-scanner[semgrep]"
• Stage 2: LLM semantic analysis — set ANTHROPIC_API_KEY or OPENAI_API_KEY

Output formats

• Text — human-readable terminal output
• JSON — structured output for CI/CD pipelines and SIEM integration
• SARIF 2.1.0 — upload directly to the GitHub Security tab

Docker

Three build targets: production (minimal, non-root), dev (hot-reload shell), test (runs 145 tests and exits).

docker build --target production -t bawbel/scanner:0.1.0 .
docker run --rm -v /path/to/skills:/scan:ro bawbel/scanner:0.1.0 scan /scan

Python API

from scanner import scan

result = scan("/path/to/skill.md")
if not result.is_clean:
    for f in result.findings:
        print(f"[{f.severity.value}] {f.title}")

scan() never raises — all errors are captured in ScanResult.error.

Quality

• 145 tests passing, 0 Bandit issues, 0 known CVEs
• Security hardening: symlink protection, 10MB file limit, no exception detail exposed to users
• Stable error codes E001–E020

---

AVE records covered

• AVE-2026-00001 — Metamorphic payload via external instruction fetch — CRITICAL 9.4
• AVE-2026-00002 — MCP tool description prompt injection — HIGH 8.7
• AVE-2026-00003 — Environment variable exfiltration — HIGH 8.5

---

Documentation

Full docs at bawbel.io/docs

• Getting started
• Writing rules
• CI/CD integration
• Docker guide

---

Contributing

See CONTRIBUTING.md — detection rule contributions especially welcome. Every accepted AVE record earns a $10 researcher bounty.

Report security issues privately: bawbel.io@gmail.com — see SECURITY.md.

---

This discussion was created from the release v0.1.0 - Bawbel Scanner: initial release.