npm - @aiclude/security-skill - Versions diffs - 2.0.0 → 2.1.0 - Mend

@aiclude/security-skill 2.0.0 → 2.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/README.md ADDED Viewed

@@ -0,0 +1,81 @@
+# @aiclude/security-skill
+Security vulnerability scanner for MCP Servers and AI Agent Skills. Provides the `/security-scan` slash command for Claude Code.
+Queries the [AIclude scan database](https://vs.aiclude.com) for existing vulnerability reports. If no report exists, the target is automatically registered and scanned server-side.
+## Installation
+```bash
+npm install @aiclude/security-skill
+```
+## Usage
+### As a Claude Code Skill
+```
+/security-scan --name @anthropic/mcp-server-fetch
+/security-scan --name my-awesome-skill --type skill
+```
+### Programmatic API
+```typescript
+import { SkillHandler } from "@aiclude/security-skill";
+const handler = new SkillHandler();
+const report = await handler.lookup({
+  name: "@some/mcp-server",
+  type: "mcp-server",
+});
+```
+## Parameters
+| Parameter | Description |
+|-----------|-------------|
+| `--name` | Package name to search (npm, GitHub, etc.) |
+| `--type` | `mcp-server` or `skill` (auto-detected) |
+## How It Works
+1. Sends the package name to the AIclude scan API
+2. If a scan report exists, returns it immediately
+3. If not, registers the target for server-side scanning
+4. Waits for the scan to complete and returns the results
+Only the package name and type are sent. No source code, files, or credentials are transmitted.
+## Server-Side Scan Engines
+The AIclude server runs 7 engines on registered targets:
+| Engine | What It Detects |
+|--------|----------------|
+| SAST | Code vulnerabilities via pattern matching |
+| SCA | Known CVEs in dependencies (OSV.dev) |
+| Tool Analyzer | MCP tool poisoning, shadowing, rug-pull |
+| DAST | SQL/Command/XSS injection via fuzzing |
+| Permission Checker | Excessive filesystem/network/process access |
+| Behavior Monitor | Suspicious runtime behavior patterns |
+| Malware Detector | Backdoors, cryptominers, ransomware, data stealers |
+## Output
+Reports include:
+1. **Risk Level** — CRITICAL / HIGH / MEDIUM / LOW / INFO
+2. **Vulnerability List** — code location, description, severity
+3. **Risk Assessment** — impact and likelihood analysis
+4. **Remediation** — how to fix each finding
+## Related Packages
+- [`@aiclude/security-mcp`](https://www.npmjs.com/package/@aiclude/security-mcp) — MCP Server interface
+- [vs.aiclude.com](https://vs.aiclude.com) — Web dashboard with full scan results
+## License
+MIT — [AICLUDE Inc.](https://aiclude.com)

package/SKILL.md CHANGED Viewed

@@ -1,91 +1,55 @@
 ---
 name: aiclude-vulns-scan
-description: Scan MCP Servers and AI Agent Skills for security vulnerabilities. 7 parallel engines detect prompt injection, tool poisoning, malware, supply chain attacks, and more.
-tags: [security, vulnerability, scanner, mcp, ai-agent, sast, sca, malware]
+description: Search security vulnerability scan results for MCP Servers and AI Agent Skills from the AIclude scan database.
+tags: [security, vulnerability, scanner, mcp, ai-agent]
 homepage: https://vs.aiclude.com
 repository: https://github.com/aiclude/asvs
 ---
-# /security-scan - AIclude Security Vulnerability Scanner
+# /security-scan - AIclude Vulnerability Scanner
-Scan MCP Servers and AI Agent Skills for security vulnerabilities. Queries existing scan results from the AIclude database, or registers a new scan and returns the results.
+Search the AIclude security scan database for vulnerability reports on MCP Servers and AI Agent Skills. If no report exists, the target is registered and scanned automatically.
 ## Usage
 ```
-# Search by package name (queries AIclude scan database)
-/security-scan --name <package-name> [options]
-# Scan a local directory (offline, no network)
-/security-scan <target-path> [options]
+/security-scan --name <package-name> [--type mcp-server|skill]
 ```
 ## Parameters
 - `--name`: Package name to search (npm package, GitHub repo, etc.)
-- `target-path`: Local directory path to scan directly
 - `--type`: Target type (`mcp-server` | `skill`) - auto-detected if omitted
-- `--profile`: Sandbox profile (`strict` | `standard` | `permissive`)
-- `--format`: Output format (`markdown` | `json`)
-- `--engines`: Scan engines to use (comma-separated)
 ## Examples
 ```
-# Look up scan results for an MCP server
 /security-scan --name @anthropic/mcp-server-fetch
-# Look up scan results for a Skill
 /security-scan --name my-awesome-skill --type skill
-# Scan local source code (fully offline)
-/security-scan ./my-mcp-server
 ```
 ## How It Works
-- **Name-based lookup** queries the AIclude scan database. If a report exists, it is returned immediately. If not, the target is registered for scanning and results are returned when ready. Only the package name is sent. No source code is uploaded.
-- **Local scan** reads files from the specified directory and runs all 7 engines locally. No network requests are made.
-No environment variables or credentials are required.
-## What It Checks
+1. Sends the package name to the AIclude scan API
+2. If a scan report exists, returns it immediately
+3. If not, registers the target for scanning
+4. Waits for the scan to complete and returns the results
+5. Results are also viewable at https://vs.aiclude.com
-- **Prompt Injection**: Hidden patterns targeting LLMs
-- **Tool Poisoning**: Malicious instructions in tool descriptions
-- **Command Injection**: Unvalidated input passed to exec/spawn
-- **Supply Chain**: Known CVEs, typosquatting
-- **Malware**: Backdoors, cryptominers, ransomware, data stealers
-- **Permission Abuse**: Excessive filesystem/network/process permissions
-## Scan Engines
-7 engines run in parallel:
-| Engine | Description |
-|--------|-------------|
-| SAST | Static code pattern matching |
-| SCA | Dependency CVE lookup via OSV.dev |
-| Tool Analyzer | MCP tool definition analysis |
-| DAST | Parameter fuzzing |
-| Permission Checker | Permission analysis |
-| Behavior Monitor | Runtime behavior detection |
-| Malware Detector | Signature scanning, entropy analysis |
+Only the package name and type are sent. No source code or credentials are transmitted.
 ## Output
-1. **Risk Level** (CRITICAL / HIGH / MEDIUM / LOW / INFO)
-2. **Vulnerability List** with code locations
-3. **Risk Assessment** and impact analysis
-4. **Remediation Recommendations**
+- **Risk Level** (CRITICAL / HIGH / MEDIUM / LOW / INFO)
+- **Vulnerability List** with locations and descriptions
+- **Risk Assessment** and remediation recommendations
 ## Links
+- **Web Dashboard**: https://vs.aiclude.com
 - **npm**: [`@aiclude/security-skill`](https://www.npmjs.com/package/@aiclude/security-skill)
 - **MCP Server**: [`@aiclude/security-mcp`](https://www.npmjs.com/package/@aiclude/security-mcp)
-- **Web Dashboard**: https://vs.aiclude.com
 ## License
 MIT - AICLUDE Inc.
-Inc.

package/dist/index.d.ts CHANGED Viewed

@@ -1,20 +1,8 @@
-import { ReportFormat, ScanEngineId } from '@asvs/core';
 /**
  * Skill Handler
  * Processes /security-scan skill invocations from Claude Code
- * 서버 조회 → 없으면 등록 → 스캔 결과 반환 (vs.aiclude.com에 누적)
- * 로컬 스캔도 지원
+ * 서버 DB 조회 → 없으면 등록 → 스캔 결과 반환
  */
-interface SkillInvocation {
-    targetPath: string;
-    type?: "mcp-server" | "skill";
-    profile?: "strict" | "standard" | "permissive";
-    format?: ReportFormat;
-    engines?: ScanEngineId[];
-}
-/** API 기반 조회 요청 */
 interface SkillLookupInvocation {
     name: string;
     type?: "mcp-server" | "skill";
@@ -23,23 +11,15 @@ interface SkillLookupInvocation {
     npmPackage?: string;
 }
 declare class SkillHandler {
-    private scanner;
-    private reporter;
-    constructor();
-    /** API 인증 헤더 생성 — 시간 기반 서명, 환경변수 불필요 */
+    /** API 인증 헤더 생성 */
     private createAuthHeaders;
     /**
-     * API 기반 보안 스캔 조회/등록
-     * 기존 스캔 결과를 검색하고, 없으면 서버에 등록 → 스캔 실행 → 결과 반환
+     * 보안 스캔 조회/등록
+     * 기존 결과 검색 → 없으면 서버에 등록 → 스캔 실행 → 결과 반환
      */
     lookup(invocation: SkillLookupInvocation): Promise<string>;
-    /** Handle a /security-scan invocation (local path scan) */
-    handle(invocation: SkillInvocation): Promise<string>;
-    private detectTargetType;
-    private formatOutput;
-    /** API에서 받은 상세 리포트를 마크다운으로 포맷 */
     private formatApiReport;
     private formatScanSummary;
 }
-export { SkillHandler, type SkillInvocation, type SkillLookupInvocation };
+export { SkillHandler, type SkillLookupInvocation };

package/dist/index.js CHANGED Viewed

@@ -1,19 +1,4 @@
 // src/skill-handler.ts
-import {
-  Scanner,
-  SastEngine,
-  ScaEngine,
-  ToolAnalyzerEngine,
-  MalwareDetectorEngine,
-  PermissionCheckerEngine,
-  DastEngine,
-  BehaviorMonitorEngine,
-  RiskLevel,
-  validateScanPath
-} from "@asvs/core";
-import { ReportGenerator } from "@asvs/reporter";
-import { existsSync } from "fs";
-import { resolve } from "path";
 import { createHmac } from "crypto";
 var API_BASE = "https://vs-api.aiclude.com";
 function createRequestSignature(name, timestamp) {
@@ -23,20 +8,7 @@ function createRequestSignature(name, timestamp) {
   return createHmac("sha256", derivedKey).update(payload).digest("hex");
 }
 var SkillHandler = class {
-  scanner;
-  reporter;
-  constructor() {
-    this.scanner = new Scanner();
-    this.reporter = new ReportGenerator();
-    this.scanner.registerEngine(new SastEngine());
-    this.scanner.registerEngine(new ScaEngine());
-    this.scanner.registerEngine(new ToolAnalyzerEngine());
-    this.scanner.registerEngine(new MalwareDetectorEngine());
-    this.scanner.registerEngine(new PermissionCheckerEngine());
-    this.scanner.registerEngine(new DastEngine());
-    this.scanner.registerEngine(new BehaviorMonitorEngine());
-  }
-  /** API 인증 헤더 생성 — 시간 기반 서명, 환경변수 불필요 */
+  /** API 인증 헤더 생성 */
   createAuthHeaders(name) {
     const timestamp = String(Date.now());
     const signature = createRequestSignature(name, timestamp);
@@ -48,8 +20,8 @@ var SkillHandler = class {
     };
   }
   /**
-   * API 기반 보안 스캔 조회/등록
-   * 기존 스캔 결과를 검색하고, 없으면 서버에 등록 → 스캔 실행 → 결과 반환
+   * 보안 스캔 조회/등록
+   * 기존 결과 검색 → 없으면 서버에 등록 → 스캔 실행 → 결과 반환
    */
   async lookup(invocation) {
     const apiUrl = `${API_BASE}/api/v1/scan/lookup`;
@@ -113,126 +85,6 @@ var SkillHandler = class {
     }
     return `API response: ${JSON.stringify(lookupData, null, 2)}`;
   }
-  /** Handle a /security-scan invocation (local path scan) */
-  async handle(invocation) {
-    const defaultConfig = {
-      engines: ["sast", "sca", "tool-analyzer", "permission-checker", "malware-detector", "dast", "behavior-monitor"],
-      sandboxProfile: "standard",
-      rulesets: ["default"],
-      timeout: 3e5,
-      maxConcurrency: 4,
-      skipPatterns: ["node_modules/**", ".git/**", "dist/**", "coverage/**"]
-    };
-    const scanConfig = {
-      ...defaultConfig,
-      ...invocation.profile && { sandboxProfile: invocation.profile },
-      ...invocation.engines && { engines: invocation.engines }
-    };
-    const targetPath = validateScanPath(invocation.targetPath);
-    const targetType = invocation.type ?? this.detectTargetType(targetPath);
-    const target = {
-      type: targetType,
-      name: targetPath.split("/").pop() ?? targetPath,
-      path: targetPath
-    };
-    const scanResult = await this.scanner.scan(target, scanConfig);
-    const format = invocation.format ?? "markdown";
-    const report = this.reporter.generate(scanResult, format);
-    return this.formatOutput(report, format, scanResult.engineResults.flatMap((r) => r.vulnerabilities));
-  }
-  detectTargetType(targetPath) {
-    if (existsSync(resolve(targetPath, "SKILL.md")) || targetPath.endsWith("SKILL.md") || targetPath.includes("/skill")) {
-      return "skill";
-    }
-    return "mcp-server";
-  }
-  formatOutput(report, format, vulnerabilities) {
-    if (format === "json") {
-      return JSON.stringify(report, null, 2);
-    }
-    const lines = [];
-    const { summary } = report.scanResult;
-    const icon = summary.overallRiskLevel === RiskLevel.CRITICAL ? "[CRITICAL]" : summary.overallRiskLevel === RiskLevel.HIGH ? "[HIGH RISK]" : summary.overallRiskLevel === RiskLevel.MEDIUM ? "[MEDIUM RISK]" : summary.overallRiskLevel === RiskLevel.LOW ? "[LOW RISK]" : "[CLEAN]";
-    lines.push(`# ${icon} Security Scan Report: ${report.title}`);
-    lines.push("");
-    lines.push(`| Metric | Value |`);
-    lines.push(`|--------|-------|`);
-    lines.push(`| Scan Date | ${report.generatedAt} |`);
-    lines.push(`| Target | ${report.scanResult.target.path} |`);
-    lines.push(`| Target Type | ${report.scanResult.target.type} |`);
-    lines.push(`| Overall Risk | **${summary.overallRiskLevel}** |`);
-    lines.push(`| Risk Score | **${summary.overallScore}/100** |`);
-    lines.push(`| Total Findings | ${summary.totalVulnerabilities} |`);
-    lines.push(`| Scan Duration | ${report.scanResult.duration}ms |`);
-    lines.push("");
-    lines.push("## Severity Breakdown");
-    lines.push("");
-    lines.push(`| Severity | Count |`);
-    lines.push(`|----------|-------|`);
-    for (const [level, count] of Object.entries(summary.bySeverity)) {
-      if (count > 0) {
-        lines.push(`| **${level}** | ${count} |`);
-      }
-    }
-    lines.push("");
-    if (vulnerabilities.length > 0) {
-      lines.push("## Detailed Findings");
-      lines.push("");
-      const sorted = [...vulnerabilities].sort((a, b) => {
-        const order = { CRITICAL: 0, HIGH: 1, MEDIUM: 2, LOW: 3, INFO: 4 };
-        return (order[a.severity] ?? 5) - (order[b.severity] ?? 5);
-      });
-      const top = sorted.slice(0, 20);
-      for (let i = 0; i < top.length; i++) {
-        const v = top[i];
-        lines.push(`### ${i + 1}. [${v.severity}] ${v.title}`);
-        lines.push("");
-        lines.push(`- **ID**: ${v.id}`);
-        lines.push(`- **Category**: ${v.category}`);
-        lines.push(`- **Confidence**: ${Math.round(v.confidence * 100)}%`);
-        if (v.location) {
-          lines.push(`- **Location**: \`${v.location.file}:${v.location.line}\``);
-        }
-        lines.push(`- **Description**: ${v.description}`);
-        lines.push(`- **Remediation**: ${v.remediation}`);
-        if (v.cveIds?.length) {
-          lines.push(`- **CVE**: ${v.cveIds.join(", ")}`);
-        }
-        if (v.location?.snippet) {
-          lines.push("");
-          lines.push("```");
-          lines.push(v.location.snippet.substring(0, 300));
-          lines.push("```");
-        }
-        lines.push("");
-      }
-      if (sorted.length > 20) {
-        lines.push(`> ... and ${sorted.length - 20} more findings. Use \`--format json\` for the complete list.`);
-        lines.push("");
-      }
-    }
-    if (report.risks.length > 0) {
-      lines.push("## Risk Assessment");
-      lines.push("");
-      for (const risk of report.risks) {
-        lines.push(`### [${risk.level}] ${risk.area}`);
-        lines.push(`- **Impact**: ${risk.impact}`);
-        lines.push(`- **Likelihood**: ${risk.likelihood}`);
-        lines.push(`- **Remediation**: ${risk.remediation}`);
-        lines.push("");
-      }
-    }
-    if (report.precautions.length > 0) {
-      lines.push("## Precautions & Warnings");
-      lines.push("");
-      for (const precaution of report.precautions) {
-        lines.push(`- ${precaution}`);
-      }
-      lines.push("");
-    }
-    return lines.join("\n");
-  }
-  /** API에서 받은 상세 리포트를 마크다운으로 포맷 */
   formatApiReport(report, target) {
     const lines = [];
     const scanResult = report["scanResult"];

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@aiclude/security-skill",
-  "version": "2.0.0",
-  "description": "AIclude Security Vulnerability Scanner - Claude Code Skill for inline security scanning",
+  "version": "2.1.0",
+  "description": "AIclude Security Vulnerability Scanner - Claude Code Skill for querying the AIclude scan database",
   "type": "module",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",
@@ -53,10 +53,7 @@
     "clean": "rm -rf dist",
     "prepublishOnly": "npm run build"
   },
-  "dependencies": {
-    "@asvs/core": "workspace:*",
-    "@asvs/reporter": "workspace:*"
-  },
+  "dependencies": {},
   "devDependencies": {
     "tsup": "^8.0.0",
     "typescript": "^5.5.0"