@aiclude/security-skill 1.1.0 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/SKILL.md +54 -7
  2. package/package.json +1 -1
package/SKILL.md CHANGED
@@ -1,14 +1,55 @@
1
+ ---
2
+ name: aiclude-security-scan
3
+ description: Scan MCP Servers and AI Agent Skills for security vulnerabilities. 7 parallel engines detect prompt injection, tool poisoning, malware, supply chain attacks, and more.
4
+ tags: [security, vulnerability, scanner, mcp, ai-agent, sast, sca, malware]
5
+ ---
6
+
1
7
  # /security-scan - AIclude Security Vulnerability Scanner
2
8
 
3
9
  Scan MCP Servers and AI Agent Skills for security vulnerabilities. Returns existing scan results instantly if available, or registers the target and triggers a new scan automatically.
4
10
 
11
+ ## How It Works
12
+
13
+ This skill operates in **two modes**:
14
+
15
+ 1. **Name-based lookup (`--name`)**: Queries the AIclude API (`https://vs-api.aiclude.com`) to check if a scan report already exists for the given package name. If found, the report is returned immediately. If not found, the target is registered and a server-side scan is triggered. **No local code is uploaded** — only the package name and metadata are sent.
16
+
17
+ 2. **Local scan (`<target-path>`)**: Reads source files from the specified local directory and runs all 7 scan engines **locally on your machine**. Results are generated locally and **no code or scan artifacts are sent to any external service**. The scan is entirely offline.
18
+
19
+ ## Network Behavior
20
+
21
+ | Action | Endpoint | Data Sent | Data Received |
22
+ |--------|----------|-----------|---------------|
23
+ | Name lookup | `POST https://vs-api.aiclude.com/api/v1/scan/lookup` | Package name, type | Scan report (JSON) |
24
+ | Scan status polling | `GET https://vs-api.aiclude.com/api/v1/scan/status/{id}` | Job ID | Scan status |
25
+ | Local scan | None (offline) | Nothing | Nothing |
26
+
27
+ **No source code, file contents, or scan artifacts are ever uploaded.** Name-based lookups only transmit the package name and type.
28
+
29
+ ## Required Environment Variables
30
+
31
+ | Variable | Required | Description |
32
+ |----------|----------|-------------|
33
+ | `ASVS_SIGNING_SECRET` | **Yes** (for `--name` mode) | HMAC signing secret for authenticating API requests. Must be set before using name-based lookups. Without it, name-based mode will fail with an error. |
34
+ | `ASVS_API_URL` | No | API server URL. Defaults to `https://vs-api.aiclude.com` |
35
+
36
+ **Local scan mode** (`/security-scan ./path`) requires **no environment variables** and works fully offline.
37
+
38
+ ## Authentication & Privacy
39
+
40
+ - API requests are authenticated via HMAC-SHA256 signatures using `ASVS_SIGNING_SECRET`. No user tokens or credentials are stored.
41
+ - Name-based lookups transmit only: package name, target type, and a timestamp-based signature.
42
+ - Local scans are fully offline — no network requests are made.
43
+ - Scan reports on the web dashboard (https://vs.aiclude.com) are public and contain only vulnerability metadata, not source code.
44
+ - No telemetry, analytics, or tracking data is collected.
45
+
5
46
  ## Usage
6
47
 
7
48
  ```
8
- # Search by name (recommended - leverages existing scan results)
49
+ # Search by name (requires ASVS_SIGNING_SECRET env var, queries remote API)
9
50
  /security-scan --name <package-name> [options]
10
51
 
11
- # Scan a local directory directly
52
+ # Scan a local directory directly (fully offline, no env vars needed)
12
53
  /security-scan <target-path> [options]
13
54
  ```
14
55
 
@@ -24,13 +65,13 @@ Scan MCP Servers and AI Agent Skills for security vulnerabilities. Returns exist
24
65
  ## Examples
25
66
 
26
67
  ```
27
- # Search security scan results for an MCP server
68
+ # Search security scan results for an MCP server (remote lookup)
28
69
  /security-scan --name @anthropic/mcp-server-fetch
29
70
 
30
- # Search scan results for a Skill
71
+ # Search scan results for a Skill (remote lookup)
31
72
  /security-scan --name my-awesome-skill --type skill
32
73
 
33
- # Scan local source code
74
+ # Scan local source code (fully offline)
34
75
  /security-scan ./my-mcp-server
35
76
  ```
36
77
 
@@ -65,6 +106,12 @@ The report includes:
65
106
  3. **Risk Assessment** (what risks are present and their impact)
66
107
  4. **Remediation Recommendations** (how to fix each vulnerability)
67
108
 
68
- ## Web Dashboard
109
+ ## Source Code & npm Package
110
+
111
+ - **npm**: [`@aiclude/security-skill`](https://www.npmjs.com/package/@aiclude/security-skill)
112
+ - **MCP Server**: [`@aiclude/security-mcp`](https://www.npmjs.com/package/@aiclude/security-mcp)
113
+ - **Web Dashboard**: https://vs.aiclude.com
114
+
115
+ ## License
69
116
 
70
- View all scan results at https://vs.aiclude.com
117
+ MIT - AICLUDE Inc.
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@aiclude/security-skill",
3
- "version": "1.1.0",
3
+ "version": "1.2.0",
4
4
  "description": "AIclude Security Vulnerability Scanner - Claude Code Skill for inline security scanning",
5
5
  "type": "module",
6
6
  "main": "./dist/index.js",