# Expected Findings Catalog

This documents all security findings the scanners should detect in the `evil-project-health/` fixture.

**Expected verdict: BLOCK (risk score 100/100)**

> **Note:** This catalog covers the ~56 deterministic findings from the 7 scanners. The full
> security assessment (`security-assessment.md`) reports ~85 findings because it includes
> ~25 additional findings from the LLM-powered agents (skill-scanner, mcp-scanner, posture-assessor).

## Unicode Scanner (UNI)

| # | Severity | File | Finding |
|---|----------|------|---------|
| 1 | HIGH | SKILL.fixture.md | Zero-width space (U+200B) between visible words (2 instances) |
| 2 | CRITICAL | SKILL.fixture.md | Invisible line containing only zero-width chars (U+200B, U+200C, U+200D, U+FEFF) |
| 3 | CRITICAL | SKILL.fixture.md | Unicode Tag steganography (U+E0063...) encoding hidden command |
| 4 | HIGH | SKILL.fixture.md | BIDI override (U+202E) in section header |
| 5 | MEDIUM | SKILL.fixture.md | Cyrillic homoglyph in "data" (U+0430 replacing Latin 'a') |
| 6 | MEDIUM | health-check-agent.fixture.md | Cyrillic homoglyphs in "scan" (U+0441 replacing 'c', U+0430 replacing 'a') |

## Entropy Scanner (ENT)

| # | Severity | File | Finding |
|---|----------|------|---------|
| 1 | HIGH+ | SKILL.fixture.md | Base64 blob (84 chars) — decodes to curl command with env exfiltration |
| 2 | HIGH+ | telemetry.mjs | ENCODED_CONFIG base64 blob (same payload) |
| 3 | MEDIUM | telemetry.mjs | High-entropy auth_credential string (32 chars) |

## Permission Mapper (PRM)

| # | Severity | File | Finding |
|---|----------|------|---------|
| 1 | HIGH | health.fixture.md | Read-only intent words ("analyze", "report") with Bash+Write+Edit tools |
| 2 | HIGH | health.fixture.md | Dangerous tool combination (Bash + Write + Edit) |
| 3 | MEDIUM | health-check-agent.fixture.md | Haiku model on security-sensitive agent (security keywords + Bash) |
| 4 | INFO | health-check-agent.fixture.md | Overprivileged agent (8 tools including Task + WebFetch) |
| 5 | MEDIUM | health-check-agent.fixture.md | Task + Bash combination on agent |
| 6 | MEDIUM | hooks.fixture.json | Ghost hook: PostToolUse script not found (post-bash-telemetry.mjs) |
| 7 | MEDIUM | hooks.fixture.json | Ghost hook: SessionStart script not found (session-beacon.mjs) |
| 8 | MEDIUM | hooks.fixture.json | Ghost hook: PreToolUse script not found (pre-write-intercept.mjs) |

## Dependency Auditor (DEP)

| # | Severity | File | Finding |
|---|----------|------|---------|
| 1 | HIGH | package.json | Typosquatting: "expresss" → "express" (Levenshtein distance 1) |
| 2 | MEDIUM | package.json | Typosquatting: "lodsah" → "lodash" (Levenshtein distance 2) |
| 3 | HIGH | package.json | Typosquatting: "node-fethc" → "node-fetch" (Levenshtein distance 1) |
| 4 | HIGH | package.json | Typosquatting: "axois" → "axios" (Levenshtein distance 1) |
| 5 | HIGH | package.json | Typosquatting: "jset" → "jest" (Levenshtein distance 1) |
| 6 | HIGH | package.json | Typosquatting: "eslitn" → "eslint" (Levenshtein distance 1) |
| 7 | HIGH | package.json | Suspicious postinstall script (curl + URL) |
| 8 | HIGH | package.json | Suspicious preinstall script (child_process + exec + wget + URL) |
| 9 | LOW | package.json | Unpinned version: lodsah@* |
| 10 | LOW | package.json | Unpinned version: node-fethc@latest |
| 11 | LOW | package.json | Unpinned version: jset@* |
| 12 | LOW | package.json | Unpinned version: eslitn@latest |
| 13 | LOW | package.json | Unpinned version: requets@>=2.0.0 |

## Taint Tracer (TNT)

| # | Severity | File | Finding |
|---|----------|------|---------|
| 1 | CRITICAL | telemetry.mjs | process.env → fetch() — environment exfiltration |
| 2 | CRITICAL | telemetry.mjs | req.body → execSync() — command injection |
| 3 | HIGH | telemetry.mjs | process.argv → writeFileSync() — path traversal |
| 4 | CRITICAL | telemetry.mjs | user_input → eval() — code injection |
| 5 | CRITICAL | telemetry.mjs | process.env → execSync() — indirect command execution |
| 6 | HIGH | telemetry.mjs | req.query → fetch() — SSRF |

## Git Forensics (GIT)

| # | Severity | File | Finding |
|---|----------|------|---------|
| 1 | INFO | — | New directory (no git history to analyze) |

## Network Mapper (NET)

| # | Severity | File | Finding |
|---|----------|------|---------|
| 1 | HIGH | health.fixture.md | ngrok-free.app URL |
| 2 | HIGH | health-check-agent.fixture.md | webhook.site URL |
| 3 | HIGH | SKILL.fixture.md | ngrok-free.app URL |
| 4 | HIGH | SKILL.fixture.md | requestbin.com URL |
| 5 | HIGH | SKILL.fixture.md | pipedream.net URL |
| 6 | HIGH | SKILL.fixture.md | pastebin.com URL |
| 7 | HIGH | SKILL.fixture.md | bit.ly URL (shortener) |
| 8 | HIGH | SKILL.fixture.md | webhook.site URL |
| 9 | MEDIUM | SKILL.fixture.md | IP-based URL (192.168.1.100:8080) |
| 10 | HIGH | telemetry.mjs | ngrok-free.app URL |
| 11 | HIGH | telemetry.mjs | webhook.site URL |
| 12 | MEDIUM | telemetry.mjs | IP-based URL (45.33.32.156) |

## Summary

| Scanner | Expected Count | Severity Range |
|---------|---------------|----------------|
| UNI | 5-6 | CRITICAL, HIGH, MEDIUM |
| ENT | 3-4 | CRITICAL, HIGH, MEDIUM |
| PRM | 8-10 | HIGH, MEDIUM, INFO |
| DEP | 13-15 | HIGH, MEDIUM, LOW |
| TNT | 6-8 | CRITICAL, HIGH |
| GIT | 0-1 | INFO |
| NET | 10-12 | HIGH, MEDIUM |
| **Total** | **~56** | |