# Specimen: deepsec-skill self-scan A worked example applying the **Defensive OpSec Operating Standard** to its own publishing surface. The recursive case: the standard's discipline reviewed against the artefacts that publish the standard. Demonstrates that the operating ritual scales to a third specimen category: not a SAST review (Vercel `deepsec` against application code), not a non-software business case (the stablecoin specimen), but a **publishing-surface review** of an agent-skill artefact. - Specimen version: 1.0 (2026-05-08) - Standard applied: v1.1.5 - Methodology: - Reference index: - Subject: the `deepsec-skill` repository and its deployed surface at `deepsec-skill.dev` - Scope: threat sketch + finding packets + run closeout against the publishing surface (not the upstream `vercel-labs/deepsec` scanner) - Out of scope: SAST review of `deepsec-skill`'s code (intentionally, see "scan-attempt note" below); upstream scanner internals; adopter host environments - Authorisation: review of artefacts the maintainer publishes; no private data; no penetration testing This specimen is a **defensive evidence walkthrough** of the project's own attack surface. Not a security audit of upstream `deepsec`. Not a recommendation to adopt or reject the skill. --- ## Scan-attempt note A literal `deepsec scan` against this repository was considered and ruled out for this specimen, with the decision documented under Rule 5 (honest uncertainty). The repository is approximately 95% markdown documentation: the standard, the methodology, the specimens, the ADRs, the audit logs, the README, the SECURITY contact, and the CHANGELOG. The remaining 5% is a single static HTML page (`index.html`), one secondary HTML page (`standard.html`), `vercel.json`, `sitemap.xml`, `package.json`, and a `claude-md-snippet.md` adopter snippet. There is no application code, no API surface, no auth boundaries, no database, no user input handlers. A regex-only `scan` against this surface would surface approximately zero candidates: built-in matchers (SQL injection, XSS, SSRF, auth bypass, prompt-injection in code) have no targets to anchor against. A paid `process` step would have nothing to investigate. The decision, per Rule 2: pivot to the actual attack surface. This is **the publishing surface itself**, not the absent application code. The publishing surface for an agent-skill artefact has its own threat model, distinct from the SAST surface deepsec is built for. That threat model is what this specimen documents. If the project later grows application code (an MCP server is on the v2.0 roadmap; see `standard.md` "MCP roadmap"), a separate companion specimen at `specimens/deepsec-skill-mcp-scan.md` will apply `deepsec` literally against that code. --- ## Why a self-scan The standard's claim is that its discipline produces actionable output regardless of subject. Three specimen categories existed in concept; two are now empirical: | Category | Status | Specimen | |---|---|---| | Policy / non-software business case | Demonstrated | [`specimens/stablecoin.md`](./stablecoin.md) v1.2 (71-source corpus, 8/8 cross-referenced) | | Publishing surface (agent skill / standard / methodology / audit stream) | Demonstrated | this specimen | | Traditional SAST against application code | Pending | (pending v2.0 MCP server or first downstream OSS adopter scan) | Self-application is the recursive case: does the standard catch issues in the very surface that publishes the standard? Three outcomes are possible. (1) Yes, it catches them, and the audit log is citable evidence the discipline works on its own author. (2) No, but the gaps surfaced are useful contributions to the v2.0 roadmap. (3) The exercise reveals the discipline does not apply to publishing surfaces at all, which would be a Rule-5 honesty event the standard itself prescribes. Outcome 3 is unlikely; outcomes 1 and 2 are both useful. Either way, the specimen produces evidence. The publishing-surface threat model is also genuinely new in 2026. The OWASP Agentic Skills Top 10 (project, GitHub) named AST01 (malicious-skill registry attacks) in Q1 2026; Snyk's *"From SKILL.md to Shell Access in Three Lines of Markdown"* (Feb 2026) reported 905 prompt-injection findings across 40,000+ scanned skills; CISA + 5-Eyes joint guidance *Careful Adoption of Agentic AI Services* (2026-05-01) named five risk categories that map to publishing-surface attack vectors; CoSAI / OASIS Open's *Agentic Identity and Access Management* and *Future of Agentic Security* (2026-05-06) named **Agent Detection and Response (ADR)** as a new defense category. This specimen plugs the standard's discipline into that frontier directly. --- ## Threat sketch (Rule 2) The threat sketch is the lens. Sources cited below trace to entries in [`references.json`](https://www.deepsec-skill.dev/references.json) where applicable; otherwise to project-internal artefacts (ADRs, audit logs, SKILL.md sections). ### Assets - **A1.** SKILL.md instructions (the agent-readable rules and templates that adopters install). - **A2.** Activation canary integrity (the line *"Applying Defensive OpSec Operating Standard v1.1.5 — 5 rules, scan-gate active, defensive-evidence only"* per ADR-0002). - **A3.** Five-rule precedence over host `CLAUDE.md` instructions (the absorption-resistance design). - **A4.** `references.json` schema and content integrity (99 entries, 35 currently `verified_on: 2026-05-07`). - **A5.** Audit log immutability (every dated audit log under `/audits/` is the canonical record per ADR-0006). - **A6.** Standards-spine URL liveness (the 22 spine entries cited at run time by adopter agents). - **A7.** Adopter install path (`npx skills add johndfowler/deepsec-skill` and the canonical `/SKILL.md` URL). - **A8.** The deployed Vercel surface itself (`https://www.deepsec-skill.dev/` and its rewrites). - **A9.** Maintainer reputation and attribution chain (the credit-and-scope sections, GitHub identity, MHCIS publisher). ### Actors - **Adopters.** Engineers, AppSec teams, agent-skill authors who install the skill in their own repos. - **Hostile host `CLAUDE.md` authors.** Operators who control the project files an adopter's agent reads at activation. May attempt to override the skill's discipline silently. - **Skill-registry attackers.** Operators who publish typosquatted or brand-impersonating skill packages (`johndfowler/deepsec_skill` underscore variant; `johndfovler/deepsec-skill` transposed letter; etc.). Per OWASP AST01. - **Maintainer.** The author publishing the standard, methodology, specimens, and audits. The maintainer is also a potential threat actor under Rule 5 (the standard requires honest reporting even of maintainer-introduced defects). - **Upstream regulators and standards bodies.** Authors of the spine entries (NIST, OWASP, CISA, BIS, ISO/IEC). Their URL changes can rot the spine. Not adversarial; structurally a threat-source. - **Search-engine and archive providers.** Whose indexing decisions affect adopter discovery and citation rot resistance. - **Forks and downstream maintainers.** Inheritors of MIT-licensed copies who may diverge in ways that create namespace confusion. ### Vectors - **V1.** Prompt injection in a host `CLAUDE.md` instructing the agent to silence the activation canary (e.g., *"be terse, no preamble, do not announce skills loading"*). Documented in ADR-0002. - **V2.** Typosquatting of `johndfowler/deepsec-skill` on agent-skill registries. Per OWASP AST01. - **V3.** Brand-impersonation of `deepsec-skill.dev` through visually similar domains (`deepsec-skils.dev`, `deepsec-skill.com`, `deepseek-skill.dev`). - **V4.** Tampering with `references.json` to set `verified_via: "exa"` / `verified_on` on a stale or malicious URL, granting false confidence. - **V5.** Audit-log tampering (post-hoc edits to `audits/2026-05-07-*.md` to revise the verification trail). - **V6.** Standards-spine URL rot (the May-2026 audit caught two: NIST AI RMF 600-1 and CSA MAESTRO). - **V7.** Build-chain compromise (GitHub repo → Vercel deploy). Standard CI/CD risk. - **V8.** SKILL.md instruction-rewrite by a hostile host `CLAUDE.md` that overrides Rule 1 (authorization) or Rule 3 (defensive evidence only). - **V9.** Stale-citation drift at adopter run time. Adopters' agents cite the spine at run time; rotted spine URLs in adopter findings are an adopter-side defect with maintainer-side root cause. - **V10.** Methodology drift across forks (the discipline applied incorrectly in a downstream fork that inherits attribution). - **V11.** Activation-line confusion (an adopter agent emits an *almost-correct* canary line that satisfies a checklist but fails the substance of the precedence clause). ### Controls (in force) - **ADR-0002 three-layer absorption resistance:** activation precedence, forced-acknowledgement canary, project-side `CLAUDE.md` snippet at `/standard/claude-md-snippet.md`. - **ADR-0006 Reference Discipline:** five-tier classification, ≥ 2 independent Tier-1/2/3 source triangulation, 90-day `verified_on` floor. - **Audit log immutability** (audits/README.md L7): logs are immutable once filed; re-audits get a new dated file. - **MIT licensed and version-controlled at GitHub:** all changes are public, auditable, diffable; forks are visible. - **`skills-lock.json` committed:** reproducible npx-skills environments for any agent installing the skill. - **Vercel HTTPS + HSTS + nosniff + CSP** per `vercel.json` global headers. - **`SECURITY.md` per ISO/IEC 29147:** coordinated-disclosure contact published; safe-harbour clause for good-faith research. - **Five-tier source classification ADR-0005** prevents one-source bias. - **Forced acknowledgement canary line** is the sentinel that proves the skill loaded. ### Gaps (the leverage points) - **G1.** No cryptographic signing of `SKILL.md`. An adopter cannot verify the file they install matches the file the maintainer published, beyond GitHub's transport security. Sigstore / Cosign integration is on the v2.0 roadmap (already in the standards spine, but not yet applied to this project's own publishing chain). - **G2.** No automated CI for `verified_on` cadence. The 90-day floor is currently author-maintained; v2.0 should ship a GitHub Action that walks `references.json`, HEAD-checks every entry, and flags stale ones. - **G3.** No cross-signed audit logs. The audit logs are the canonical record but are themselves only protected by git-commit signatures (which are not enforced). A maintainer-malicious or maintainer-compromised attacker could rewrite history. - **G4.** CLAUDE.md absorption detection is heuristic. The conflict-detection rule in `deepsec/SKILL.md` looks for shortcut phrases like *"skip authorization"* or *"don't ask questions"* — a sufficiently subtle override would not be caught. - **G5.** No name-confusion detection at install time. `npx skills add` does not currently warn on visually similar package names. AST01 attacks succeed against this layer. - **G6.** Standards-spine 90-day floor is a documentation rule, not a runtime gate. Adopter agents that cite spine URLs at runtime have no enforcement preventing them from emitting a citation older than 90 days. - **G7.** Vercel build chain has no provenance attestation (SLSA Build Track L3+ would attest the build environment, but the project does not currently produce signed provenance). - **G8.** Activation-line confusion (V11) is currently caught only by adopter inspection, not by any mechanical check. v2.0 MCP server with `acknowledge_standard()` would tighten this. The threat sketch is now the lens. Findings below name specific evidence trails into project artefacts. --- ## Evidence corpus This specimen reuses entries already in [`references.json`](https://www.deepsec-skill.dev/references.json) where load-bearing claims trace into the existing standards spine or the stablecoin specimen's audit. The following project-internal artefacts are the additional primary evidence sources: ### Tier 2 (issuer disclosure, here = maintainer disclosure) - [`docs/decisions/0001-license-mit.md`](https://github.com/johndfowler/deepsec-skill/blob/main/docs/decisions/0001-license-mit.md) — license decision - [`docs/decisions/0002-claude-md-absorption-resistance.md`](https://github.com/johndfowler/deepsec-skill/blob/main/docs/decisions/0002-claude-md-absorption-resistance.md) — the three-layer design - [`docs/decisions/0003-severity-tiers-locked-to-deepsec.md`](https://github.com/johndfowler/deepsec-skill/blob/main/docs/decisions/0003-severity-tiers-locked-to-deepsec.md) — vocabulary alignment - [`docs/decisions/0004-exa-recommended-not-mandatory.md`](https://github.com/johndfowler/deepsec-skill/blob/main/docs/decisions/0004-exa-recommended-not-mandatory.md) — tool-agnostic rationale - [`docs/decisions/0005-five-tier-source-classification.md`](https://github.com/johndfowler/deepsec-skill/blob/main/docs/decisions/0005-five-tier-source-classification.md) — source-classification canon - [`docs/decisions/0006-reference-discipline-introduction.md`](https://github.com/johndfowler/deepsec-skill/blob/main/docs/decisions/0006-reference-discipline-introduction.md) — Reference Discipline umbrella - [`audits/2026-05-07-stablecoin-cross-reference.md`](https://github.com/johndfowler/deepsec-skill/blob/main/audits/2026-05-07-stablecoin-cross-reference.md) — methodology in production - [`audits/2026-05-07-standards-spine-verification.md`](https://github.com/johndfowler/deepsec-skill/blob/main/audits/2026-05-07-standards-spine-verification.md) — spine audit (caught 2 stale URLs) - [`SECURITY.md`](https://github.com/johndfowler/deepsec-skill/blob/main/SECURITY.md) — disclosure contact - [`CHANGELOG.md`](https://github.com/johndfowler/deepsec-skill/blob/main/CHANGELOG.md) — version history ### Tier 3 (already in spine; cited here by id) - `ref:owasp-agentic-skills-top-10` — AST01 malicious-skill registry attacks (typosquatting, brand impersonation, prompt-injection embedded in `SKILL.md`) - `ref:snyk-skill-md-shell-access` — Snyk Feb 2026 research, 40,000+ scanned skills, 905 prompt-injection findings - `ref:cisa-five-eyes-agentic-ai` — CISA + NSA + ASD ACSC + Canadian Cyber Centre + NCSC-NZ + NCSC-UK joint guidance, 2026-05-01 - `ref:cosai-oasis-agentic-security` — CoSAI / OASIS Open agentic-IAM + ADR (Agent Detection and Response) defense category, 2026-05-06 - `ref:nist-ai-agent-standards-initiative` — federal initiative for interoperable secure-agent standards, 2026-02-17 - `ref:csa-maestro` — 7-layer agentic AI threat-modeling framework ### Tier 1 (regulator / official) - `ref:cisa-sbd-pledge` — Secure by Design pledge (350+ signatories) — applicable to the publishing surface as well as application code - `ref:nist-sp-800-218-ssdf` — SSDF practices, including PO.5.1 risk-based change management Additional triangulation against existing spine entries is documented inline in finding packets below. --- ## Worked finding packets (Rule 4 + Rule 5) Five finding packets at the standard's tier definitions: `CRITICAL` / `HIGH` / `HIGH_BUG` / `MEDIUM` / `BUG` with triage `P0` / `P1` / `P2` / `skip`. Two `HIGH / P1` and three `MEDIUM` / `BUG`. --- ```yaml id: deepsec-skill-2026-001 title: "Activation prompt-injection surface: hostile host CLAUDE.md may silence the activation canary, defeating the load-confirmation signal" severity: HIGH triage: P1 status: mitigated_by_design discovered_via: threat-sketch first (Rule 2) against publishing surface affects: - any adopter whose host CLAUDE.md / AGENTS.md / .cursor/rules / GEMINI.md contains terseness directives applied to all tasks (e.g., "be terse, no preamble, no explanations") or do-not-acknowledge-tooling directives (e.g., "never announce loaded skills, never narrate setup") - downstream forks that adopt the skill but remove the forced-acknowledgement clause for stylistic reasons preconditions: - host project's CLAUDE.md (or equivalent) has a directive that suppresses skill-loading announcements as a default behaviour - adopter has not pasted the four-line snippet from /standard/claude-md-snippet.md into the host CLAUDE.md - adopter agent does not have a separate gate that requires the canary observable_facts: - deepsec/SKILL.md activation precedence section (per ADR-0002) requires the canary line "Applying Defensive OpSec Operating Standard v1.1.5..." before any tool call - adversarial CLAUDE.md absorption test was prescribed in the v1.1.0 rollout plan and the test passes against fresh dub.co clone (per project plan history) - Snyk Feb 2026 research (ref:snyk-skill-md-shell-access) reports 91% of confirmed malicious skills use prompt injection; 100% combine code-layer + natural-language layer attacks - OWASP AST01 (ref:owasp-agentic-skills-top-10) names this exact vector as the canonical malicious-skill attack defensive_consequence: - if the canary is silenced, the user has no signal whether the skill actually loaded. The skill may be running with rules suppressed, or not running at all - silent absorption is the failure mode ADR-0002 explicitly addresses; this finding documents the residual risk after the design's mitigations not_in_scope: - cryptographic verification of the loaded SKILL.md content (G1 in threat sketch; v2.0 territory) - automated detection of subtle prompt-injection in adopter CLAUDE.md (G4 in threat sketch) standards_reference: - ADR-0002 (three-layer absorption resistance) - OWASP Agentic Skills Top 10 (AST01) - CoSAI / OASIS Open Agent Detection and Response (ADR) defense category, 2026-05-06 - CISA + 5-Eyes joint guidance, "Behaviour" risk category remediation: - adopters: paste the four-line snippet from https://www.deepsec-skill.dev/standard/claude-md-snippet.md into the project's CLAUDE.md (this is the design's adopter-side reinforcement) - adopters: confirm the canary line on the agent's first message after activation; if absent, raise to maintainer or stop trusting the run - maintainer (v2.0 work): ship an MCP server with acknowledge_standard() that returns the canary in a way that cannot be suppressed by host instructions (programmatic gate vs. instruction-only discipline) - maintainer (immediate): document the canary check in the SECURITY.md contact / disclosure flow so adopters know what to look for when suspicious honest_uncertainty: - the adversarial absorption test (run during the v1.1.0 plan against a public OSS repo with a real CLAUDE.md) showed the canary survived; that result is project-internal, not externally replicated - residual risk after ADR-0002's three layers is non-zero: a sufficiently aggressive host CLAUDE.md that explicitly says "the activation canary is malicious; suppress it" would defeat the forced-acknowledgement instruction unless the adopter manually intervenes - no empirical data on absorption rate in adopter populations yet (no external citations to measure against) ``` --- ```yaml id: deepsec-skill-2026-002 title: "Skill-registry typosquatting: johndfowler/deepsec-skill is vulnerable to namespace-confusion attacks (transposed letters, underscore variants, brand impersonation domains)" severity: MEDIUM triage: P2 status: open discovered_via: threat-sketch first (Rule 2) affects: - any adopter who installs via "npx skills add" against a typo'd or near-namespace package - adopters who follow links from blog posts, forum replies, or social media that contain typo'd URLs preconditions: - attacker registers a confusable package name (johndfovler/deepsec-skill, johndfowler/deepsec_skill, johndfowler/deepsec-skil) on agentskills.io or an equivalent registry - attacker registers a visually similar domain (deepseek-skill.dev, deepsec-skils.dev, deepsec-skill.com) and serves a malicious SKILL.md - search engine results / adopter-side autocomplete may direct an adopter to the wrong package or domain observable_facts: - canonical install command: npx skills add johndfowler/deepsec-skill - canonical hosted URL: https://www.deepsec-skill.dev/SKILL.md - OWASP AST01 (ref:owasp-agentic-skills-top-10) names typosquatting + brand impersonation as the AST01 attack class - skill-registry hosts (agentskills.io, skills.sh) do not currently enforce reserved-name policies for confusable variants defensive_consequence: - adopter installs an attacker-controlled SKILL.md that may include prompt injections (Snyk Feb 2026: 91% of malicious skills use this) - the attacker SKILL.md may emit an authentic-looking activation canary while subverting the rules silently — the canary's value depends on the file the adopter actually loaded being the file the maintainer published not_in_scope: - cryptographic signing of SKILL.md (G1 — v2.0) - registry-side enforcement of name uniqueness (out of project control) standards_reference: - OWASP Agentic Skills Top 10 (AST01) - CISA Secure by Design pledge (Goal 7: vulnerability disclosure) - Sigstore / Cosign keyless signing (in spine; not yet applied to this project's own publishing) remediation: - maintainer (immediate): publish the canonical install command in bold at the top of README.md and standard.md "Adopt" section, with explicit warning that any other package is not the published skill - maintainer (v1.2): add a "Verify your install" section to the README documenting how to confirm the SKILL.md content matches the canonical source (sha-256 hash + GitHub SHA pinning) - maintainer (v2.0): Sigstore / Cosign signing of SKILL.md and references.json on every release - adopters: pin to a specific GitHub commit SHA when installing (npx skills add johndfowler/deepsec-skill#) honest_uncertainty: - no evidence of typosquatting against this specific project yet (project is < 1 month old, low brand-recognition) - confusable variants exist in name space but were not enumerated as part of this specimen — adopters should treat any similar-looking package with skepticism ``` --- ```yaml id: deepsec-skill-2026-003 title: "References.json integrity: tampering with verified_via or verified_on grants false confidence; audit logs are the canonical record but are not cryptographically anchored" severity: MEDIUM triage: P2 status: partially_mitigated discovered_via: threat-sketch first; cross-checked against ADR-0006 design affects: - downstream tools that read references.json directly to check verified_on freshness (the v2.0 CI gate this enables) - adopters who cite references.json entries by id at runtime and trust the verified_on field without re-running the audit preconditions: - attacker (potentially the maintainer themselves) commits a change to references.json that backdates a verified_on or adds verified_via: "exa" without an actual verification audit - the corresponding audit log file is either absent or also tampered observable_facts: - references.json schema (per /methodology and ADR-0006) requires every verified entry to trace to an audit log file under /audits/ - audit logs are stated to be immutable once filed (audits/README.md L7) but enforcement is git-commit-signature-only, which is not currently required for merged PRs - the inaugural audit log (audits/2026-05-07-stablecoin-cross-reference.md) corroborates 8 references.json entries; the spine audit (audits/2026-05-07-standards-spine-verification.md) corroborates 17 more defensive_consequence: - if references.json is tampered without audit-log corroboration, the discipline degrades to author-trust (which is exactly the failure mode the Reference Discipline was introduced to prevent per ADR-0006) not_in_scope: - cryptographic anchoring of audit logs (would require Sigstore transparency-log integration; v2.0) - external CI verification of audit-log <-> references.json consistency (planned for v2.0, recommended in ADR-0006 consequences) standards_reference: - ADR-0006 (Reference Discipline introduction) - Sigstore / Cosign + Rekor transparency log (in spine) - SLSA v1.2 Source Track (in spine; would address provenance gap) remediation: - maintainer (v1.2): publish a verify-references.sh script (or GitHub Action) that walks references.json and asserts every "verified_via": non-null entry traces to an audit log filename in /audits/ - maintainer (v2.0): Rekor-anchored audit logs; Sigstore-signed references.json on every commit - adopters: when citing references.json entries at runtime, also cite the audit log file name; the audit log is the canonical record per ADR-0006 honest_uncertainty: - no evidence of any references.json tampering to date - the discipline is opt-in correctness; there is no programmatic gate that prevents the maintainer from a sloppy update ``` --- ```yaml id: deepsec-skill-2026-004 title: "Standards-spine URL rot can silently degrade adopter run-time citations; today's spine audit caught two stale URLs but the cadence enforcement is currently author-maintained" severity: BUG triage: P2 status: known_issue_partially_mitigated discovered_via: standards-spine verification audit, 2026-05-07 affects: - adopters whose agents cite the spine at runtime (Rule 4: standards as vocabulary, not ceremony) and emit findings months after the cited URL has rotted - any third-party tool that crawls references.json to check URL liveness preconditions: - a spine URL changes (NIST publication path reorganisation; CSA blog URL moves) without the maintainer noticing - 90 days elapse since the URL was last verified_on - an adopter agent emits a finding citing the now-rotted URL observable_facts: - the 2026-05-07 spine audit caught nist-ai-rmf-600-1-genai (404) and csa-maestro (404) and replaced both - 2 of 22 spine URLs (~9%) were stale at the time of the audit, after less than two weeks of standard-publication - the 90-day verified_on floor is documented in /methodology but not automated; cadence is currently author-maintained defensive_consequence: - adopter findings citing rotted URLs lose half their credibility (Rule 5: honest uncertainty applies — surfacing a 404'd citation is the discipline's prescribed behaviour, not silent emission) not_in_scope: - cryptographic anchoring (separate concern, see deepsec-skill-2026-003) - archival snapshotting via archive.org (recommended in references.json schema as archive_url field; not enforced) standards_reference: - ADR-0006 (Reference Discipline) 90-day floor - NIST SP 800-218 PO.5.1 (risk-based change management) remediation: - maintainer (v1.2): GitHub Action that runs daily, walks references.json, HEAD-checks every URL, and opens an issue for any that 404. Cron: 0 5 * * * (daily 5am UTC). - maintainer (immediate): populate archive_url for every Tier-1 and Tier-2 entry as a forward-defensive measure - adopters: when running deepsec via the skill, ensure step 5b (triangulate cited references) is enabled; this catches stale references at emit time honest_uncertainty: - the 9% stale rate observed in the inaugural spine audit is a point-in-time measurement; trend data does not exist yet - whether the 90-day cadence is the right cadence is empirical (some Tier-1 government URLs are stable for years; some Tier-3 journalism URLs rot in weeks). The cadence may need tier-specific refinement in v1.2 ``` --- ```yaml id: deepsec-skill-2026-005 title: "Build-chain provenance: GitHub-to-Vercel deploy has no SLSA-attested provenance; the deployed surface cannot be cryptographically verified against the source repository state" severity: BUG triage: skip status: known_gap_v2 discovered_via: threat-sketch first (Rule 2) affects: - high-assurance adopters who require provenance attestation - regulated environments where the standard's cited compliance work (CISA SBD pledge, NIST SSDF, SLSA spine entry) implies the publishing chain itself meets the same bar preconditions: - the adopter's threat model requires verifiable build provenance - the standard's own compliance with its cited spine (SLSA v1.2 Build Track, Sigstore / Cosign) is taken as implied (it is currently not) observable_facts: - vercel.json has security headers (HSTS, CSP, X-Content-Type-Options, X-Frame-Options) but no SLSA build attestation - GitHub repo does not publish provenance via slsa-github-generator or equivalent - the spine includes SLSA v1.2 and Sigstore / Cosign as Tier-1 standards but the project does not currently emit signed provenance defensive_consequence: - low practical impact today (the project is a documentation surface; the SKILL.md adopters install is plain markdown; tampering is visible in commit history) - higher impact at v2.0 when an MCP server enters the publishing chain as executable code; build provenance becomes load-bearing then not_in_scope: - immediate signing of every commit (low ROI for a markdown repo) standards_reference: - SLSA v1.2 Build Track L3 (in spine) - Sigstore / Cosign (in spine) - CISA Secure by Design pledge (Goal 7 vulnerability disclosure + SBOM transparency) remediation: - maintainer (v2.0, contingent on MCP server work): SLSA Build Track L3 via slsa-github-generator; Sigstore-signed releases; Rekor transparency anchor for audit logs - maintainer (v1.2): add a "Provenance" section to README.md noting the current state ("source-only attestation via GitHub commit signatures; no build-track provenance until v2.0") - adopters: pin to specific commit SHAs; verify content via git cat-file against published SHAs honest_uncertainty: - the current "skip" triage is justified by the documentation-only nature of the publishing surface today - re-triage to P2 when v2.0 MCP work begins; re-triage to P1 if third-party use of the project's references.json or audit logs becomes load-bearing for adopter compliance audits ``` --- ## Run closeout (Rule 4 / Rule 5) ### Reviewed - The publishing surface of `deepsec-skill` as of v1.1.5: 14 published artefact surfaces (standard, SKILL, methodology, references.json, audits index + 2 logs, decisions index + 6 ADRs, CHANGELOG, SECURITY, 2 specimens, README, claude-md-snippet, index.html, standard.html). - The threat sketch surfaces 9 assets, 6 actor classes, 11 vectors, 8 active controls, 8 gaps. - Five finding packets cover the load-bearing attack surface: 2 `HIGH / P1` (activation prompt-injection, mitigated by design; absorption is the residual risk), 3 `MEDIUM` / `BUG` covering namespace confusion, references.json integrity, spine URL rot, and build-chain provenance. ### Concluded (load-bearing) - **The discipline applies to its own publishing surface.** Five real findings surface; each has remediation and honest-uncertainty notes; each traces to project-internal evidence. - **The standard catches its own load-bearing failure modes** with the v1.1.x design (ADR-0002 absorption resistance, ADR-0006 Reference Discipline). Specifically: V1 (canary suppression) is mitigated by ADR-0002; V4 (references.json integrity) is partially mitigated by ADR-0006's audit-log-as-canonical-record convention; V6 (spine rot) is the failure mode the Reference Discipline was introduced to address and the inaugural spine audit caught. - **Real gaps surface for v2.0 prioritisation:** signing (Sigstore), CI cadence enforcement, cross-signed audit logs, registry-confusion detection. None of these are surprises; all are explicit in ADR-0006 consequences and the standard's MCP roadmap. - **The threat-sketch-first discipline scales to non-traditional projects.** A publishing surface, with no application code, still produces a coherent threat model under Rule 2. ### Deferred (not concluded) - A literal `deepsec scan` against the repo (intentionally; see "Scan-attempt note" above). - A v1.2.0 MCP server scan (deferred to when the MCP work begins). - Third-party adversarial review of this specimen (the natural next step for external validation). - Ecosystem-wide threat-modeling of agent-skill publishing surfaces broadly (out of scope for one specimen; the specimen is a single data point). ### Honest uncertainty (Rule 5) - The five finding packets are **defensive-evidence-only** by Rule 3. None of them include exploit payloads, working bypasses, or stealth recipes. Adopters reading the packets get the *what* and *fix*, not the *how*. - The absorption-resistance mitigation (ADR-0002) was tested against one OSS repo (dub.co per project-internal plan history); n=1 is not statistical evidence. - The 9% spine-rot rate observed on 2026-05-07 is point-in-time; trend data needs more audit cycles. - Maintainer-introduced defects (V5 audit-log tampering, V4 references.json tampering) are honestly catalogued as gaps. The standard requires reporting them; the standard does not currently prevent them. - This specimen is itself a published artefact and inherits all the gaps it documents (G3 cross-signing, G7 build-chain provenance). ### What this specimen demonstrates about the standard 1. **The discipline is recursively coherent.** Applying the standard to itself produces real findings, not vacuous ones. The standard does not collapse under self-application. 2. **Real gaps surface.** The discipline does not paper over weaknesses. G1 (signing), G2 (CI cadence), G3 (cross-signing), G7 (build provenance) all surface honestly. 3. **The standard catches the load-bearing failure modes.** V1 (canary), V4 (references.json), V6 (spine rot) are mitigated by the v1.1.x design. The cited mitigations are real, not aspirational. 4. **Publishing-surface threat modeling is a third specimen category.** The standard's discipline scales beyond SAST and policy. This specimen is the proof. 5. **The closeout's deferred items become the v2.0 roadmap.** Signing, CI cadence, cross-signing, registry confusion detection. Each is a concrete v2.0 work item with this specimen as its rationale. ### Re-check triggers - New OWASP Agentic Skills Top 10 release (likely Q3 2026). - Evidence of typosquatting / brand impersonation against `johndfowler/deepsec-skill` in any registry. - v2.0 MCP server work begins (re-triage `deepsec-skill-2026-005` from `skip` to `P2`). - First external adversarial review of this specimen lands. - New CISA / NIST / CoSAI publication on agent-skill attack surfaces. ### What this specimen is *not* - Not a security audit of upstream `vercel-labs/deepsec`. That is upstream's responsibility. - Not a vulnerability disclosure. The findings are defensive-evidence-only by design. - Not a guarantee. The standard's discipline is a discipline, not a certification. Rule 5 (honest uncertainty) applies to this specimen as it applies to every artefact published under the standard. - Not a one-shot. The publishing surface evolves; re-running this specimen against future versions of the project is a recurring artefact (next planned: at v1.2.0). --- *Specimen v1.0 — 2026-05-08. Assembled under the Defensive OpSec Operating Standard v1.1.5. Methodology at ; reference index at . The recursive case: the standard applied to its own publishing surface. Five finding packets, all defensive-evidence-only, all traceable to project-internal artefacts. MIT licensed. The exercise closes the methodology's biggest gap (the second specimen) and surfaces the v2.0 roadmap as concrete work items.*