/**
 * GitHub MCP Toxic Agent Flow Scanner
 *
 * Detects the OWASP MCP06 (Intent Flow Subversion) attack surface demonstrated by
 * Invariant Labs against the official GitHub MCP server (github/github-mcp-server,
 * 14k stars): a malicious GitHub Issue triggers prompt injection that causes an
 * agent to exfiltrate private repository data to an external endpoint.
 *
 * Three detection axes:
 *
 * Axis 1 — Private-repo scope (GTF-001..099):
 *   MCP config contains a GitHub server entry whose token or scope grants
 *   private-repo READ access or higher (full `repo` scope, no explicit
 *   public_repo restriction, or docker image with unscoped env token).
 *
 * Axis 2 — Toxic tool combination (GTF-100..199):
 *   A single GitHub MCP server exposes both a read-issue/PR tool AND an
 *   external-write/exfiltration tool (e.g. create_gist, push_files, search +
 *   webhook relay), allowing a prompt-injected issue to drive data out.
 *
 * Axis 3 — Untrusted input route (GTF-200..299):
 *   Webhook or issue-event configuration (GitHub Actions workflow, Express
 *   handler, or similar) passes raw issue body / PR description into agent
 *   context (system prompt, LLM call, tool invocation) without sanitization.
 */
import { ScannerModule, Finding } from '../types';
export declare const githubToxicFlowScanner: ScannerModule;
export declare function scanConfigForGitHubToxicFlow(config: Record<string, unknown>, filePath?: string): Finding[];
//# sourceMappingURL=github-toxic-flow-scanner.d.ts.map
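
The Axis 2 check described in the header comment, graded by the Axis 1 scope rule, as an added example that is not the scanner's own code. The `ServerEntry` shape, the tool-name sets and the sample server names are assumptions made for illustration.

```typescript
// Added example (not the scanner's code). ServerEntry and the tool-name sets are assumptions.
type ServerEntry = { server: string; tools: string[]; scopes?: string[] };
type ToxicPair = { server: string; source: string; sink: string; severity: "high" | "medium" };

// Tools that bring attacker-writable text (issue / PR bodies) into agent context.
const UNTRUSTED_READ = new Set(["get_issue", "list_issues", "get_pull_request"]);
// Tools that can place data where an outside party can read it.
const EXTERNAL_WRITE = new Set(["create_gist", "push_files", "create_pull_request"]);

// Axis 1: full `repo` scope, or no explicit scope restriction, counts as private-repo access.
function hasPrivateAccess(scopes?: string[]): boolean {
  if (!scopes || scopes.length === 0) return true;
  return scopes.includes("repo");
}

// Axis 2: report every read/write pair that coexists on one server.
function findToxicPairs(inventory: ServerEntry[]): ToxicPair[] {
  const hits: ToxicPair[] = [];
  for (const { server, tools, scopes } of inventory) {
    // Normalise names so casing or stray whitespace in a config cannot hide a tool.
    const names = tools.map((t) => t.trim().toLowerCase());
    const sources = names.filter((t) => UNTRUSTED_READ.has(t));
    const sinks = names.filter((t) => EXTERNAL_WRITE.has(t));
    const severity = hasPrivateAccess(scopes) ? "high" : "medium";
    for (const source of sources) {
      for (const sink of sinks) hits.push({ server, source, sink, severity });
    }
  }
  return hits;
}

// Constructed sample inventory (server names are made up).
const sampleInventory: ServerEntry[] = [
  { server: "github-full", tools: ["get_issue", "create_gist", "push_files"], scopes: ["repo"] },
  { server: "github-public", tools: ["list_issues", "create_gist"], scopes: ["public_repo"] },
  { server: "github-readonly", tools: ["get_issue", "list_issues"] },
];
const sampleHits = findToxicPairs(sampleInventory);
console.log(sampleHits);
```

A server that only reads issues, or only writes, produces no pair; splitting the two capabilities across separately scoped servers is what clears the finding.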