npm - @aiclude/security-skill - Versions diffs - 2.0.1 → 2.1.0 - Mend

@aiclude/security-skill 2.0.1 → 2.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -2,22 +2,7 @@
 Security vulnerability scanner for MCP Servers and AI Agent Skills. Provides the `/security-scan` slash command for Claude Code.
-## What It Does
-- **Name-based lookup**: Query the [AIclude scan database](https://vs.aiclude.com) for existing vulnerability reports. If none exists, the target is automatically registered and scanned.
-- **Local scan**: Run 7 scan engines directly on a local directory — fully offline, no data sent anywhere.
-## Scan Engines
-| Engine | What It Detects |
-|--------|----------------|
-| SAST | Code vulnerabilities via pattern matching |
-| SCA | Known CVEs in dependencies (OSV.dev) |
-| Tool Analyzer | MCP tool poisoning, shadowing, rug-pull |
-| DAST | SQL/Command/XSS injection via fuzzing |
-| Permission Checker | Excessive filesystem/network/process access |
-| Behavior Monitor | Suspicious runtime behavior patterns |
-| Malware Detector | Backdoors, cryptominers, ransomware, data stealers |
+Queries the [AIclude scan database](https://vs.aiclude.com) for existing vulnerability reports. If no report exists, the target is automatically registered and scanned server-side.
 ## Installation
@@ -30,11 +15,8 @@ npm install @aiclude/security-skill
 ### As a Claude Code Skill
 ```
-# Look up scan results by package name
 /security-scan --name @anthropic/mcp-server-fetch
-# Scan a local directory
-/security-scan ./my-mcp-server
+/security-scan --name my-awesome-skill --type skill
 ```
 ### Programmatic API
@@ -44,18 +26,10 @@ import { SkillHandler } from "@aiclude/security-skill";
 const handler = new SkillHandler();
-// Remote lookup — queries AIclude scan database
 const report = await handler.lookup({
   name: "@some/mcp-server",
   type: "mcp-server",
 });
-// Local scan — runs 7 engines offline
-const result = await handler.handle({
-  targetPath: "./my-project",
-  type: "mcp-server",
-  format: "markdown",
-});
 ```
 ## Parameters
@@ -63,11 +37,30 @@ const result = await handler.handle({
 | Parameter | Description |
 |-----------|-------------|
 | `--name` | Package name to search (npm, GitHub, etc.) |
-| `target-path` | Local directory to scan |
 | `--type` | `mcp-server` or `skill` (auto-detected) |
-| `--profile` | Sandbox profile: `strict`, `standard`, `permissive` |
-| `--format` | Output: `markdown` or `json` |
-| `--engines` | Comma-separated engine list |
+## How It Works
+1. Sends the package name to the AIclude scan API
+2. If a scan report exists, returns it immediately
+3. If not, registers the target for server-side scanning
+4. Waits for the scan to complete and returns the results
+Only the package name and type are sent. No source code, files, or credentials are transmitted.
+## Server-Side Scan Engines
+The AIclude server runs 7 engines on registered targets:
+| Engine | What It Detects |
+|--------|----------------|
+| SAST | Code vulnerabilities via pattern matching |
+| SCA | Known CVEs in dependencies (OSV.dev) |
+| Tool Analyzer | MCP tool poisoning, shadowing, rug-pull |
+| DAST | SQL/Command/XSS injection via fuzzing |
+| Permission Checker | Excessive filesystem/network/process access |
+| Behavior Monitor | Suspicious runtime behavior patterns |
+| Malware Detector | Backdoors, cryptominers, ransomware, data stealers |
 ## Output
@@ -81,7 +74,7 @@ Reports include:
 ## Related Packages
 - [`@aiclude/security-mcp`](https://www.npmjs.com/package/@aiclude/security-mcp) — MCP Server interface
-- [vs.aiclude.com](https://vs.aiclude.com) — Web dashboard
+- [vs.aiclude.com](https://vs.aiclude.com) — Web dashboard with full scan results
 ## License

package/dist/index.d.ts CHANGED Viewed

@@ -1,20 +1,8 @@
-import { ReportFormat, ScanEngineId } from '@asvs/core';
 /**
  * Skill Handler
  * Processes /security-scan skill invocations from Claude Code
- * 서버 조회 → 없으면 등록 → 스캔 결과 반환 (vs.aiclude.com에 누적)
- * 로컬 스캔도 지원
+ * 서버 DB 조회 → 없으면 등록 → 스캔 결과 반환
  */
-interface SkillInvocation {
-    targetPath: string;
-    type?: "mcp-server" | "skill";
-    profile?: "strict" | "standard" | "permissive";
-    format?: ReportFormat;
-    engines?: ScanEngineId[];
-}
-/** API 기반 조회 요청 */
 interface SkillLookupInvocation {
     name: string;
     type?: "mcp-server" | "skill";
@@ -23,23 +11,15 @@ interface SkillLookupInvocation {
     npmPackage?: string;
 }
 declare class SkillHandler {
-    private scanner;
-    private reporter;
-    constructor();
-    /** API 인증 헤더 생성 — 시간 기반 서명, 환경변수 불필요 */
+    /** API 인증 헤더 생성 */
     private createAuthHeaders;
     /**
-     * API 기반 보안 스캔 조회/등록
-     * 기존 스캔 결과를 검색하고, 없으면 서버에 등록 → 스캔 실행 → 결과 반환
+     * 보안 스캔 조회/등록
+     * 기존 결과 검색 → 없으면 서버에 등록 → 스캔 실행 → 결과 반환
      */
     lookup(invocation: SkillLookupInvocation): Promise<string>;
-    /** Handle a /security-scan invocation (local path scan) */
-    handle(invocation: SkillInvocation): Promise<string>;
-    private detectTargetType;
-    private formatOutput;
-    /** API에서 받은 상세 리포트를 마크다운으로 포맷 */
     private formatApiReport;
     private formatScanSummary;
 }
-export { SkillHandler, type SkillInvocation, type SkillLookupInvocation };
+export { SkillHandler, type SkillLookupInvocation };

package/dist/index.js CHANGED Viewed

@@ -1,19 +1,4 @@
 // src/skill-handler.ts
-import {
-  Scanner,
-  SastEngine,
-  ScaEngine,
-  ToolAnalyzerEngine,
-  MalwareDetectorEngine,
-  PermissionCheckerEngine,
-  DastEngine,
-  BehaviorMonitorEngine,
-  RiskLevel,
-  validateScanPath
-} from "@asvs/core";
-import { ReportGenerator } from "@asvs/reporter";
-import { existsSync } from "fs";
-import { resolve } from "path";
 import { createHmac } from "crypto";
 var API_BASE = "https://vs-api.aiclude.com";
 function createRequestSignature(name, timestamp) {
@@ -23,20 +8,7 @@ function createRequestSignature(name, timestamp) {
   return createHmac("sha256", derivedKey).update(payload).digest("hex");
 }
 var SkillHandler = class {
-  scanner;
-  reporter;
-  constructor() {
-    this.scanner = new Scanner();
-    this.reporter = new ReportGenerator();
-    this.scanner.registerEngine(new SastEngine());
-    this.scanner.registerEngine(new ScaEngine());
-    this.scanner.registerEngine(new ToolAnalyzerEngine());
-    this.scanner.registerEngine(new MalwareDetectorEngine());
-    this.scanner.registerEngine(new PermissionCheckerEngine());
-    this.scanner.registerEngine(new DastEngine());
-    this.scanner.registerEngine(new BehaviorMonitorEngine());
-  }
-  /** API 인증 헤더 생성 — 시간 기반 서명, 환경변수 불필요 */
+  /** API 인증 헤더 생성 */
   createAuthHeaders(name) {
     const timestamp = String(Date.now());
     const signature = createRequestSignature(name, timestamp);
@@ -48,8 +20,8 @@ var SkillHandler = class {
     };
   }
   /**
-   * API 기반 보안 스캔 조회/등록
-   * 기존 스캔 결과를 검색하고, 없으면 서버에 등록 → 스캔 실행 → 결과 반환
+   * 보안 스캔 조회/등록
+   * 기존 결과 검색 → 없으면 서버에 등록 → 스캔 실행 → 결과 반환
    */
   async lookup(invocation) {
     const apiUrl = `${API_BASE}/api/v1/scan/lookup`;
@@ -113,126 +85,6 @@ var SkillHandler = class {
     }
     return `API response: ${JSON.stringify(lookupData, null, 2)}`;
   }
-  /** Handle a /security-scan invocation (local path scan) */
-  async handle(invocation) {
-    const defaultConfig = {
-      engines: ["sast", "sca", "tool-analyzer", "permission-checker", "malware-detector", "dast", "behavior-monitor"],
-      sandboxProfile: "standard",
-      rulesets: ["default"],
-      timeout: 3e5,
-      maxConcurrency: 4,
-      skipPatterns: ["node_modules/**", ".git/**", "dist/**", "coverage/**"]
-    };
-    const scanConfig = {
-      ...defaultConfig,
-      ...invocation.profile && { sandboxProfile: invocation.profile },
-      ...invocation.engines && { engines: invocation.engines }
-    };
-    const targetPath = validateScanPath(invocation.targetPath);
-    const targetType = invocation.type ?? this.detectTargetType(targetPath);
-    const target = {
-      type: targetType,
-      name: targetPath.split("/").pop() ?? targetPath,
-      path: targetPath
-    };
-    const scanResult = await this.scanner.scan(target, scanConfig);
-    const format = invocation.format ?? "markdown";
-    const report = this.reporter.generate(scanResult, format);
-    return this.formatOutput(report, format, scanResult.engineResults.flatMap((r) => r.vulnerabilities));
-  }
-  detectTargetType(targetPath) {
-    if (existsSync(resolve(targetPath, "SKILL.md")) || targetPath.endsWith("SKILL.md") || targetPath.includes("/skill")) {
-      return "skill";
-    }
-    return "mcp-server";
-  }
-  formatOutput(report, format, vulnerabilities) {
-    if (format === "json") {
-      return JSON.stringify(report, null, 2);
-    }
-    const lines = [];
-    const { summary } = report.scanResult;
-    const icon = summary.overallRiskLevel === RiskLevel.CRITICAL ? "[CRITICAL]" : summary.overallRiskLevel === RiskLevel.HIGH ? "[HIGH RISK]" : summary.overallRiskLevel === RiskLevel.MEDIUM ? "[MEDIUM RISK]" : summary.overallRiskLevel === RiskLevel.LOW ? "[LOW RISK]" : "[CLEAN]";
-    lines.push(`# ${icon} Security Scan Report: ${report.title}`);
-    lines.push("");
-    lines.push(`| Metric | Value |`);
-    lines.push(`|--------|-------|`);
-    lines.push(`| Scan Date | ${report.generatedAt} |`);
-    lines.push(`| Target | ${report.scanResult.target.path} |`);
-    lines.push(`| Target Type | ${report.scanResult.target.type} |`);
-    lines.push(`| Overall Risk | **${summary.overallRiskLevel}** |`);
-    lines.push(`| Risk Score | **${summary.overallScore}/100** |`);
-    lines.push(`| Total Findings | ${summary.totalVulnerabilities} |`);
-    lines.push(`| Scan Duration | ${report.scanResult.duration}ms |`);
-    lines.push("");
-    lines.push("## Severity Breakdown");
-    lines.push("");
-    lines.push(`| Severity | Count |`);
-    lines.push(`|----------|-------|`);
-    for (const [level, count] of Object.entries(summary.bySeverity)) {
-      if (count > 0) {
-        lines.push(`| **${level}** | ${count} |`);
-      }
-    }
-    lines.push("");
-    if (vulnerabilities.length > 0) {
-      lines.push("## Detailed Findings");
-      lines.push("");
-      const sorted = [...vulnerabilities].sort((a, b) => {
-        const order = { CRITICAL: 0, HIGH: 1, MEDIUM: 2, LOW: 3, INFO: 4 };
-        return (order[a.severity] ?? 5) - (order[b.severity] ?? 5);
-      });
-      const top = sorted.slice(0, 20);
-      for (let i = 0; i < top.length; i++) {
-        const v = top[i];
-        lines.push(`### ${i + 1}. [${v.severity}] ${v.title}`);
-        lines.push("");
-        lines.push(`- **ID**: ${v.id}`);
-        lines.push(`- **Category**: ${v.category}`);
-        lines.push(`- **Confidence**: ${Math.round(v.confidence * 100)}%`);
-        if (v.location) {
-          lines.push(`- **Location**: \`${v.location.file}:${v.location.line}\``);
-        }
-        lines.push(`- **Description**: ${v.description}`);
-        lines.push(`- **Remediation**: ${v.remediation}`);
-        if (v.cveIds?.length) {
-          lines.push(`- **CVE**: ${v.cveIds.join(", ")}`);
-        }
-        if (v.location?.snippet) {
-          lines.push("");
-          lines.push("```");
-          lines.push(v.location.snippet.substring(0, 300));
-          lines.push("```");
-        }
-        lines.push("");
-      }
-      if (sorted.length > 20) {
-        lines.push(`> ... and ${sorted.length - 20} more findings. Use \`--format json\` for the complete list.`);
-        lines.push("");
-      }
-    }
-    if (report.risks.length > 0) {
-      lines.push("## Risk Assessment");
-      lines.push("");
-      for (const risk of report.risks) {
-        lines.push(`### [${risk.level}] ${risk.area}`);
-        lines.push(`- **Impact**: ${risk.impact}`);
-        lines.push(`- **Likelihood**: ${risk.likelihood}`);
-        lines.push(`- **Remediation**: ${risk.remediation}`);
-        lines.push("");
-      }
-    }
-    if (report.precautions.length > 0) {
-      lines.push("## Precautions & Warnings");
-      lines.push("");
-      for (const precaution of report.precautions) {
-        lines.push(`- ${precaution}`);
-      }
-      lines.push("");
-    }
-    return lines.join("\n");
-  }
-  /** API에서 받은 상세 리포트를 마크다운으로 포맷 */
   formatApiReport(report, target) {
     const lines = [];
     const scanResult = report["scanResult"];

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@aiclude/security-skill",
-  "version": "2.0.1",
-  "description": "AIclude Security Vulnerability Scanner - Claude Code Skill for inline security scanning",
+  "version": "2.1.0",
+  "description": "AIclude Security Vulnerability Scanner - Claude Code Skill for querying the AIclude scan database",
   "type": "module",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",
@@ -53,10 +53,7 @@
     "clean": "rm -rf dist",
     "prepublishOnly": "npm run build"
   },
-  "dependencies": {
-    "@asvs/core": "workspace:*",
-    "@asvs/reporter": "workspace:*"
-  },
+  "dependencies": {},
   "devDependencies": {
     "tsup": "^8.0.0",
     "typescript": "^5.5.0"