npm - @aiclude/security-skill - Versions diffs - 2.0.0 → 2.0.1 - Mend

@aiclude/security-skill 2.0.0 → 2.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md ADDED Viewed

@@ -0,0 +1,88 @@
+# @aiclude/security-skill
+Security vulnerability scanner for MCP Servers and AI Agent Skills. Provides the `/security-scan` slash command for Claude Code.
+## What It Does
+- **Name-based lookup**: Query the [AIclude scan database](https://vs.aiclude.com) for existing vulnerability reports. If none exists, the target is automatically registered and scanned.
+- **Local scan**: Run 7 scan engines directly on a local directory — fully offline, no data sent anywhere.
+## Scan Engines
+| Engine | What It Detects |
+|--------|----------------|
+| SAST | Code vulnerabilities via pattern matching |
+| SCA | Known CVEs in dependencies (OSV.dev) |
+| Tool Analyzer | MCP tool poisoning, shadowing, rug-pull |
+| DAST | SQL/Command/XSS injection via fuzzing |
+| Permission Checker | Excessive filesystem/network/process access |
+| Behavior Monitor | Suspicious runtime behavior patterns |
+| Malware Detector | Backdoors, cryptominers, ransomware, data stealers |
+## Installation
+```bash
+npm install @aiclude/security-skill
+```
+## Usage
+### As a Claude Code Skill
+```
+# Look up scan results by package name
+/security-scan --name @anthropic/mcp-server-fetch
+# Scan a local directory
+/security-scan ./my-mcp-server
+```
+### Programmatic API
+```typescript
+import { SkillHandler } from "@aiclude/security-skill";
+const handler = new SkillHandler();
+// Remote lookup — queries AIclude scan database
+const report = await handler.lookup({
+  name: "@some/mcp-server",
+  type: "mcp-server",
+});
+// Local scan — runs 7 engines offline
+const result = await handler.handle({
+  targetPath: "./my-project",
+  type: "mcp-server",
+  format: "markdown",
+});
+```
+## Parameters
+| Parameter | Description |
+|-----------|-------------|
+| `--name` | Package name to search (npm, GitHub, etc.) |
+| `target-path` | Local directory to scan |
+| `--type` | `mcp-server` or `skill` (auto-detected) |
+| `--profile` | Sandbox profile: `strict`, `standard`, `permissive` |
+| `--format` | Output: `markdown` or `json` |
+| `--engines` | Comma-separated engine list |
+## Output
+Reports include:
+1. **Risk Level** — CRITICAL / HIGH / MEDIUM / LOW / INFO
+2. **Vulnerability List** — code location, description, severity
+3. **Risk Assessment** — impact and likelihood analysis
+4. **Remediation** — how to fix each finding
+## Related Packages
+- [`@aiclude/security-mcp`](https://www.npmjs.com/package/@aiclude/security-mcp) — MCP Server interface
+- [vs.aiclude.com](https://vs.aiclude.com) — Web dashboard
+## License
+MIT — [AICLUDE Inc.](https://aiclude.com)

package/SKILL.md CHANGED Viewed

@@ -1,91 +1,55 @@
 ---
 name: aiclude-vulns-scan
-description: Scan MCP Servers and AI Agent Skills for security vulnerabilities. 7 parallel engines detect prompt injection, tool poisoning, malware, supply chain attacks, and more.
-tags: [security, vulnerability, scanner, mcp, ai-agent, sast, sca, malware]
+description: Search security vulnerability scan results for MCP Servers and AI Agent Skills from the AIclude scan database.
+tags: [security, vulnerability, scanner, mcp, ai-agent]
 homepage: https://vs.aiclude.com
 repository: https://github.com/aiclude/asvs
 ---
-# /security-scan - AIclude Security Vulnerability Scanner
+# /security-scan - AIclude Vulnerability Scanner
-Scan MCP Servers and AI Agent Skills for security vulnerabilities. Queries existing scan results from the AIclude database, or registers a new scan and returns the results.
+Search the AIclude security scan database for vulnerability reports on MCP Servers and AI Agent Skills. If no report exists, the target is registered and scanned automatically.
 ## Usage
 ```
-# Search by package name (queries AIclude scan database)
-/security-scan --name <package-name> [options]
-# Scan a local directory (offline, no network)
-/security-scan <target-path> [options]
+/security-scan --name <package-name> [--type mcp-server|skill]
 ```
 ## Parameters
 - `--name`: Package name to search (npm package, GitHub repo, etc.)
-- `target-path`: Local directory path to scan directly
 - `--type`: Target type (`mcp-server` | `skill`) - auto-detected if omitted
-- `--profile`: Sandbox profile (`strict` | `standard` | `permissive`)
-- `--format`: Output format (`markdown` | `json`)
-- `--engines`: Scan engines to use (comma-separated)
 ## Examples
 ```
-# Look up scan results for an MCP server
 /security-scan --name @anthropic/mcp-server-fetch
-# Look up scan results for a Skill
 /security-scan --name my-awesome-skill --type skill
-# Scan local source code (fully offline)
-/security-scan ./my-mcp-server
 ```
 ## How It Works
-- **Name-based lookup** queries the AIclude scan database. If a report exists, it is returned immediately. If not, the target is registered for scanning and results are returned when ready. Only the package name is sent. No source code is uploaded.
-- **Local scan** reads files from the specified directory and runs all 7 engines locally. No network requests are made.
-No environment variables or credentials are required.
-## What It Checks
+1. Sends the package name to the AIclude scan API
+2. If a scan report exists, returns it immediately
+3. If not, registers the target for scanning
+4. Waits for the scan to complete and returns the results
+5. Results are also viewable at https://vs.aiclude.com
-- **Prompt Injection**: Hidden patterns targeting LLMs
-- **Tool Poisoning**: Malicious instructions in tool descriptions
-- **Command Injection**: Unvalidated input passed to exec/spawn
-- **Supply Chain**: Known CVEs, typosquatting
-- **Malware**: Backdoors, cryptominers, ransomware, data stealers
-- **Permission Abuse**: Excessive filesystem/network/process permissions
-## Scan Engines
-7 engines run in parallel:
-| Engine | Description |
-|--------|-------------|
-| SAST | Static code pattern matching |
-| SCA | Dependency CVE lookup via OSV.dev |
-| Tool Analyzer | MCP tool definition analysis |
-| DAST | Parameter fuzzing |
-| Permission Checker | Permission analysis |
-| Behavior Monitor | Runtime behavior detection |
-| Malware Detector | Signature scanning, entropy analysis |
+Only the package name and type are sent. No source code or credentials are transmitted.
 ## Output
-1. **Risk Level** (CRITICAL / HIGH / MEDIUM / LOW / INFO)
-2. **Vulnerability List** with code locations
-3. **Risk Assessment** and impact analysis
-4. **Remediation Recommendations**
+- **Risk Level** (CRITICAL / HIGH / MEDIUM / LOW / INFO)
+- **Vulnerability List** with locations and descriptions
+- **Risk Assessment** and remediation recommendations
 ## Links
+- **Web Dashboard**: https://vs.aiclude.com
 - **npm**: [`@aiclude/security-skill`](https://www.npmjs.com/package/@aiclude/security-skill)
 - **MCP Server**: [`@aiclude/security-mcp`](https://www.npmjs.com/package/@aiclude/security-mcp)
-- **Web Dashboard**: https://vs.aiclude.com
 ## License
 MIT - AICLUDE Inc.
-Inc.

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@aiclude/security-skill",
-  "version": "2.0.0",
+  "version": "2.0.1",
   "description": "AIclude Security Vulnerability Scanner - Claude Code Skill for inline security scanning",
   "type": "module",
   "main": "./dist/index.js",