@clawmaster/skillguard-cli 0.1.0

package/dist/index.js

@@ -0,0 +1,1887 @@
+#!/usr/bin/env node
+
+// src/cli.ts
+import { program } from "commander";
+
+// src/scanner/auditor.ts
+import { readdirSync as readdirSync2 } from "fs";
+import { resolve, join as join4 } from "path";
+
+// src/constants.ts
+var SEVERITY_SCORES = {
+  CRITICAL: 25,
+  HIGH: 10,
+  MEDIUM: 5,
+  LOW: 2,
+  INFO: 0
+};
+var SEVERITY_ORDER = {
+  CRITICAL: 0,
+  HIGH: 1,
+  MEDIUM: 2,
+  LOW: 3,
+  INFO: 4
+};
+var LEVEL_ORDER = {
+  F: 0,
+  D: 1,
+  C: 2,
+  B: 3,
+  A: 4
+};
+var SCAN_EXTENSIONS = /* @__PURE__ */ new Set([
+  ".md",
+  ".txt",
+  ".py",
+  ".js",
+  ".ts",
+  ".jsx",
+  ".tsx",
+  ".sh",
+  ".bash",
+  ".yaml",
+  ".yml",
+  ".json",
+  ".toml",
+  ".cfg",
+  ".ini",
+  ".conf",
+  ".html",
+  ".htm",
+  ".xml",
+  ".csv",
+  ".env",
+  ".dockerfile",
+  ".r",
+  ".R",
+  ".go",
+  ".rs",
+  ".java",
+  ".rb",
+  ".pl",
+  ".lua",
+  ".swift",
+  ".kt"
+]);
+var SPECIAL_FILENAMES = /* @__PURE__ */ new Set([
+  "Dockerfile",
+  "Makefile",
+  "LICENSE",
+  "LICENSE.txt",
+  ".env",
+  ".env.example",
+  "requirements.txt",
+  "Pipfile"
+]);
+var MAX_FILE_SIZE = 5e5;
+var COST_SCENARIOS = {
+  light: 3,
+  // Quick task: 3 turns
+  typical: 6,
+  // Normal task: 6 turns
+  heavy: 15
+  // Complex task: 15 turns
+};
+var OUTPUT_PER_TURN = 500;
+var MODEL_CATALOG = [
+  {
+    name: "Claude Sonnet 4.6",
+    modelId: "claude-sonnet-4-6",
+    provider: "Anthropic",
+    inputPerM: 3,
+    outputPerM: 15,
+    cacheInputPerM: 0.3,
+    contextK: 200
+  },
+  {
+    name: "Claude Opus 4.6",
+    modelId: "claude-opus-4-6",
+    provider: "Anthropic",
+    inputPerM: 5,
+    outputPerM: 25,
+    cacheInputPerM: 0.5,
+    contextK: 1e3
+  },
+  {
+    name: "Gemini 3.1 Pro Preview",
+    modelId: "gemini-3.1-pro-preview",
+    provider: "Google",
+    inputPerM: 2,
+    outputPerM: 12,
+    cacheInputPerM: 0.5,
+    contextK: 1e3
+  },
+  {
+    name: "GPT-5.2",
+    modelId: "gpt-5.2",
+    provider: "OpenAI",
+    inputPerM: 1.75,
+    outputPerM: 14,
+    cacheInputPerM: 0.875,
+    contextK: 400
+  }
+];
+
+// src/utils.ts
+function formatTokens(n) {
+  if (n >= 1e3) {
+    return `${(n / 1e3).toFixed(1)}K`;
+  }
+  return String(n);
+}
+function formatCost(v) {
+  if (v < 1e-3) {
+    return `$${v.toFixed(5)}`;
+  }
+  if (v < 0.1) {
+    return `$${v.toFixed(4)}`;
+  }
+  if (v < 10) {
+    return `$${v.toFixed(3)}`;
+  }
+  return `$${v.toFixed(2)}`;
+}
+function computeRisk(findings) {
+  let score = findings.reduce(
+    (acc, f) => acc + (SEVERITY_SCORES[f.severity] ?? 0),
+    0
+  );
+  score = Math.min(score, 100);
+  let level;
+  if (score >= 70) {
+    level = "F";
+  } else if (score >= 50) {
+    level = "D";
+  } else if (score >= 30) {
+    level = "C";
+  } else if (score >= 10) {
+    level = "B";
+  } else {
+    level = "A";
+  }
+  return { score, level };
+}
+function getLineNumber(content, index) {
+  let line = 1;
+  for (let i = 0; i < index && i < content.length; i++) {
+    if (content[i] === "\n") {
+      line++;
+    }
+  }
+  return line;
+}
+function scanPatterns(fileContents, patterns, reference, flags = "gi") {
+  const findings = [];
+  for (const [filePath, content] of fileContents) {
+    for (const [pattern, severity, description] of patterns) {
+      const re = new RegExp(pattern, flags);
+      let match;
+      while ((match = re.exec(content)) !== null) {
+        findings.push({
+          dimension: "",
+          // caller should set or derive from context
+          severity,
+          filePath,
+          lineNumber: getLineNumber(content, match.index),
+          pattern: match[0].length > 80 ? match[0].slice(0, 80) + "..." : match[0],
+          description,
+          reference,
+          remediationZh: "",
+          remediationEn: ""
+        });
+      }
+    }
+  }
+  return findings;
+}
+
+// src/scanner/file-collector.ts
+import { readdirSync, readFileSync, statSync } from "fs";
+import { join, extname, basename, relative } from "path";
+function collectFiles(skillDir) {
+  const files = [];
+  walk(skillDir, skillDir, files);
+  return files;
+}
+function walk(dir, root, files) {
+  let entries;
+  try {
+    entries = readdirSync(dir, { withFileTypes: true });
+  } catch {
+    return;
+  }
+  for (const entry of entries) {
+    const full = join(dir, entry.name);
+    if (entry.isDirectory()) {
+      if (!entry.name.startsWith(".") && entry.name !== "node_modules") {
+        walk(full, root, files);
+      }
+    } else if (entry.isFile()) {
+      const ext = extname(entry.name).toLowerCase();
+      const name = entry.name;
+      if (SCAN_EXTENSIONS.has(ext) || SPECIAL_FILENAMES.has(name)) {
+        try {
+          if (statSync(full).size <= MAX_FILE_SIZE) {
+            files.push(relative(root, full));
+          }
+        } catch {
+        }
+      }
+    }
+  }
+}
+function readFileSafe(filePath) {
+  try {
+    return readFileSync(filePath, "utf-8");
+  } catch {
+    return null;
+  }
+}
+function fileInventory(files) {
+  const inv = {};
+  for (const f of files) {
+    const ext = extname(f).toLowerCase() || basename(f);
+    inv[ext] = (inv[ext] || 0) + 1;
+  }
+  return inv;
+}
+
+// src/scanner/frontmatter.ts
+function parseFrontmatter(text) {
+  const fm = {};
+  const m = text.match(/^---\s*\n([\s\S]*?)\n---/);
+  if (!m) return fm;
+  const block = m[1];
+  let currentKey = null;
+  let listValues = [];
+  for (const line of block.split("\n")) {
+    const kvMatch = line.match(/^(\w[\w-]*):\s*(.*)/);
+    if (kvMatch) {
+      if (currentKey && listValues.length > 0) {
+        fm[currentKey] = listValues;
+        listValues = [];
+      }
+      const key = kvMatch[1];
+      const val = kvMatch[2].trim().replace(/^["']|["']$/g, "");
+      currentKey = key;
+      if (val) {
+        fm[key] = val;
+      }
+    } else {
+      const listMatch = line.match(/^\s+-\s+(.+)/);
+      if (listMatch) {
+        listValues.push(listMatch[1].trim());
+      }
+    }
+  }
+  if (currentKey && listValues.length > 0) {
+    fm[currentKey] = listValues;
+  }
+  return fm;
+}
+
+// src/scanner/rules-engine.ts
+import { readFileSync as readFileSync2 } from "fs";
+import { dirname, join as join2 } from "path";
+import { fileURLToPath } from "url";
+import yaml from "js-yaml";
+var __dirname_ = typeof __dirname !== "undefined" ? __dirname : dirname(fileURLToPath(import.meta.url));
+var DEFAULT_RULES_PATH = join2(__dirname_, "..", "..", "rules", "rules.yaml");
+function loadRules(rulesPath) {
+  const path = rulesPath || DEFAULT_RULES_PATH;
+  try {
+    const content = readFileSync2(path, "utf-8");
+    const data = yaml.load(content);
+    return data || {};
+  } catch {
+    return {};
+  }
+}
+function applyRules(dimensionKey, fileContents, rules, reference) {
+  const findings = [];
+  const dimRules = rules[dimensionKey] || [];
+  for (const rule of dimRules) {
+    if (!rule.enabled) continue;
+    const pattern = rule.pattern;
+    if (!pattern) continue;
+    const severity = rule.severity || "MEDIUM";
+    const description = rule.description || "";
+    const whitelist = rule.whitelist || [];
+    for (const [relPath, content] of fileContents) {
+      let re;
+      try {
+        re = new RegExp(pattern, "gi");
+      } catch {
+        continue;
+      }
+      let match;
+      while ((match = re.exec(content)) !== null) {
+        const matchedText = match[0];
+        if (whitelist.some((w) => w && matchedText.toLowerCase().includes(w.toLowerCase()))) {
+          continue;
+        }
+        findings.push({
+          dimension: "",
+          severity,
+          filePath: relPath,
+          lineNumber: getLineNumber(content, match.index),
+          pattern,
+          description,
+          reference,
+          remediationZh: "",
+          remediationEn: ""
+        });
+      }
+    }
+  }
+  return findings;
+}
+
+// src/scanner/remediation.ts
+var REMEDIATIONS = [
+  // Prompt Injection
+  ["ignore previous instructions", "\u79FB\u9664\u8BE5\u6307\u4EE4\u6587\u672C\uFF0C\u4F7F\u7528\u7ED3\u6784\u5316 prompt \u6A21\u677F\u907F\u514D\u62FC\u63A5\u7528\u6237\u5185\u5BB9", "Remove the directive; use structured prompt templates instead of concatenating user content"],
+  ["role override", "\u79FB\u9664\u89D2\u8272\u8986\u76D6\u6307\u4EE4\uFF0C\u4F7F\u7528 system prompt \u4E2D\u7684\u660E\u786E\u89D2\u8272\u5B9A\u4E49", "Remove role override; use explicit role definitions in the system prompt"],
+  ["disregard directive", "\u79FB\u9664\u7ED5\u8FC7\u6307\u4EE4\uFF0C\u4F7F\u7528\u5206\u5C42 prompt \u67B6\u6784\u9694\u79BB\u7CFB\u7EDF\u4E0E\u7528\u6237\u6307\u4EE4", "Remove bypass directive; use layered prompt architecture to isolate system and user instructions"],
+  ["override system prompt", "\u79FB\u9664\u8986\u76D6\u6307\u4EE4\uFF0C\u786E\u4FDD system prompt \u4E0D\u53EF\u88AB\u7528\u6237\u8F93\u5165\u4FEE\u6539", "Remove override directive; ensure the system prompt cannot be modified by user input"],
+  ["jailbreak", "\u79FB\u9664 jailbreak \u5173\u952E\u8BCD\uFF0C\u5BA1\u67E5 prompt \u662F\u5426\u542B\u6709\u8D8A\u72F1\u8BF1\u5BFC\u5185\u5BB9", "Remove jailbreak keywords; review prompts for jailbreak-inducing content"],
+  ["role-play induction", "\u79FB\u9664\u89D2\u8272\u626E\u6F14\u8BF1\u5BFC\u8BED\u53E5\uFF0C\u4F7F\u7528\u660E\u786E\u7684\u89D2\u8272\u8FB9\u754C\u5B9A\u4E49", "Remove role-play induction phrases; use explicit role boundary definitions"],
+  ["dan-style jailbreak", "\u79FB\u9664 DAN \u7C7B\u8D8A\u72F1 prompt\uFF0C\u52A0\u5F3A system prompt \u7684\u884C\u4E3A\u7EA6\u675F", "Remove DAN-style jailbreak prompt; strengthen behavioral constraints in system prompt"],
+  ["behavioral override", "\u79FB\u9664\u884C\u4E3A\u8986\u76D6\u6307\u4EE4\uFF0C\u4F7F\u7528\u4E0D\u53EF\u53D8\u7684 system prompt \u7EA6\u675F\u884C\u4E3A", "Remove behavioral override; use immutable system prompt to constrain behavior"],
+  ["hidden instruction detected in html comment", "\u79FB\u9664 HTML \u6CE8\u91CA\u4E2D\u7684\u9690\u85CF\u6307\u4EE4\uFF0C\u5BA1\u67E5\u6240\u6709\u6CE8\u91CA\u5185\u5BB9", "Remove hidden instructions from HTML comments; review all comment content"],
+  ["zero-width character", "\u79FB\u9664\u96F6\u5BBD\u5B57\u7B26\uFF0C\u4F7F\u7528\u6587\u672C\u51C0\u5316\u51FD\u6570\u8FC7\u6EE4\u4E0D\u53EF\u89C1 Unicode \u5B57\u7B26", "Remove zero-width characters; use text sanitization to filter invisible Unicode characters"],
+  ["base64-like string", "\u5BA1\u67E5 base64 \u7F16\u7801\u5185\u5BB9\uFF0C\u89E3\u7801\u9A8C\u8BC1\u662F\u5426\u5305\u542B\u6CE8\u5165 payload", "Review base64-encoded content; decode and verify it does not contain injected payloads"],
+  // Permission Escalation
+  ["disables sandbox", "\u79FB\u9664 dangerouslyDisableSandbox\uFF0C\u5728\u6C99\u7BB1\u5185\u8FD0\u884C\u6240\u6709\u64CD\u4F5C", "Remove dangerouslyDisableSandbox; run all operations inside the sandbox"],
+  ["skips permission checks", "\u79FB\u9664 --dangerously-skip-permissions\uFF0C\u4FDD\u7559\u6743\u9650\u6821\u9A8C\u673A\u5236", "Remove --dangerously-skip-permissions; keep permission checks enabled"],
+  ["sudo usage", "\u79FB\u9664 sudo\uFF0C\u6539\u7528\u7528\u6237\u6001\u6743\u9650\u6216 Linux capabilities (cap_net_bind_service \u7B49)", "Remove sudo; use user-level permissions or Linux capabilities instead"],
+  ["chmod 777", "\u6539\u7528\u6700\u5C0F\u6743\u9650 chmod 755 \u6216 644\uFF0C\u907F\u514D world-writable", "Use minimal permissions (chmod 755 or 644); avoid world-writable"],
+  ["chown root", "\u907F\u514D\u4FEE\u6539\u6587\u4EF6\u5C5E\u4E3B\u4E3A root\uFF0C\u4F7F\u7528\u666E\u901A\u7528\u6237\u6743\u9650\u8FD0\u884C", "Avoid changing ownership to root; run with normal user privileges"],
+  ["modifying claude settings", "\u4E0D\u5E94\u76F4\u63A5\u4FEE\u6539 .claude/settings.json\uFF0C\u4F7F\u7528 CLI \u914D\u7F6E\u63A5\u53E3", "Do not modify .claude/settings.json directly; use the CLI configuration interface"],
+  ["references allowedtools", "\u660E\u786E\u58F0\u660E\u9700\u8981\u7684\u5DE5\u5177\u5217\u8868\uFF0C\u907F\u514D\u8FD0\u884C\u65F6\u52A8\u6001\u4FEE\u6539 allowedTools", "Explicitly declare required tools; avoid dynamically modifying allowedTools at runtime"],
+  ["bypasses verification", "\u79FB\u9664 --no-verify\uFF0C\u4FDD\u7559 pre-commit/pre-push hooks \u6821\u9A8C", "Remove --no-verify; keep pre-commit/pre-push hook checks enabled"],
+  ["overly permissive chmod", "\u6539\u7528\u6700\u5C0F\u5FC5\u8981\u6743\u9650\uFF0C\u5982 chmod 644 (\u6587\u4EF6) \u6216 755 (\u76EE\u5F55/\u811A\u672C)", "Use least necessary permissions, e.g. chmod 644 (files) or 755 (dirs/scripts)"],
+  ["setuid", "\u79FB\u9664 setuid/setgid \u4F4D\uFF0C\u4F7F\u7528 capabilities \u6216\u72EC\u7ACB\u670D\u52A1\u8D26\u6237\u66FF\u4EE3", "Remove setuid/setgid bits; use capabilities or dedicated service accounts instead"],
+  ["setgid", "\u79FB\u9664 setuid/setgid \u4F4D\uFF0C\u4F7F\u7528 capabilities \u6216\u72EC\u7ACB\u670D\u52A1\u8D26\u6237\u66FF\u4EE3", "Remove setuid/setgid bits; use capabilities or dedicated service accounts instead"],
+  // Data Exfiltration
+  ["reads .env file", "\u907F\u514D\u5728 skill \u4E2D\u76F4\u63A5\u8BFB\u53D6 .env\uFF0C\u6539\u7531\u5BBF\u4E3B\u73AF\u5883\u6CE8\u5165\u6240\u9700\u53D8\u91CF", "Avoid reading .env directly in skill; inject required variables from the host environment"],
+  ["accesses ssh directory", "\u79FB\u9664\u5BF9 ~/.ssh/ \u7684\u8BBF\u95EE\uFF0C\u4F7F\u7528 SSH agent \u6216\u53D7\u63A7\u5BC6\u94A5\u6CE8\u5165", "Remove access to ~/.ssh/; use SSH agent or controlled key injection"],
+  ["reads /etc/passwd", "\u79FB\u9664\u5BF9 /etc/passwd \u7684\u8BFB\u53D6\uFF0C\u4F7F\u7528 getent \u6216\u6807\u51C6\u5E93 API", "Remove /etc/passwd reads; use getent or standard library APIs"],
+  ["reads /etc/shadow", "\u79FB\u9664\u5BF9 /etc/shadow \u7684\u8BBF\u95EE\uFF0C\u8FD9\u662F\u9AD8\u6743\u9650\u654F\u611F\u6587\u4EF6", "Remove /etc/shadow access; this is a high-privilege sensitive file"],
+  ["reads aws credentials", "\u4F7F\u7528 IAM \u89D2\u8272\u6216\u73AF\u5883\u53D8\u91CF\u66FF\u4EE3\u76F4\u63A5\u8BFB\u53D6 ~/.aws/credentials", "Use IAM roles or environment variables instead of reading ~/.aws/credentials"],
+  ["reads kubernetes config", "\u4F7F\u7528 ServiceAccount token \u6216 KUBECONFIG \u73AF\u5883\u53D8\u91CF", "Use ServiceAccount tokens or the KUBECONFIG environment variable"],
+  ["reads credentials file", "\u4F7F\u7528\u5BC6\u94A5\u7BA1\u7406\u670D\u52A1\u6216\u73AF\u5883\u53D8\u91CF\uFF0C\u4E0D\u786C\u7F16\u7801\u51ED\u8BC1\u8DEF\u5F84", "Use a secrets manager or environment variables; do not hardcode credential paths"],
+  ["reads claude settings", "\u907F\u514D\u8BFB\u53D6 .claude/settings\uFF0C\u4F7F\u7528\u5B98\u65B9 API \u83B7\u53D6\u914D\u7F6E", "Avoid reading .claude/settings; use the official API to get configuration"],
+  ["curl post", "\u5BA1\u67E5 POST \u8BF7\u6C42\u76EE\u6807 URL\uFF0C\u786E\u4FDD\u6570\u636E\u4EC5\u53D1\u5F80\u53EF\u4FE1\u7AEF\u70B9", "Review POST request target URLs; ensure data is only sent to trusted endpoints"],
+  ["curl with data payload", "\u5BA1\u67E5 curl --data \u8BF7\u6C42\uFF0C\u786E\u8BA4\u53D1\u9001\u5185\u5BB9\u4E0D\u542B\u654F\u611F\u4FE1\u606F", "Review curl --data requests; confirm payloads do not contain sensitive information"],
+  ["requests.post", "\u5BA1\u67E5 requests.post \u76EE\u6807 URL\uFF0C\u6DFB\u52A0 URL \u767D\u540D\u5355\u6821\u9A8C", "Review requests.post target URLs; add URL allowlist validation"],
+  ["fetch post", "\u5BA1\u67E5 fetch POST \u76EE\u6807\uFF0C\u786E\u4FDD\u4EC5\u5411\u53EF\u4FE1\u57DF\u540D\u53D1\u9001\u6570\u636E", "Review fetch POST targets; ensure data is only sent to trusted domains"],
+  ["urllib outbound", "\u5BA1\u67E5 urllib \u8BF7\u6C42\u76EE\u6807\uFF0C\u6DFB\u52A0 URL \u767D\u540D\u5355", "Review urllib request targets; add URL allowlist"],
+  ["http.client outbound", "\u5BA1\u67E5 http.client \u8FDE\u63A5\u76EE\u6807\uFF0C\u9650\u5236\u5141\u8BB8\u8FDE\u63A5\u7684\u57DF\u540D", "Review http.client connection targets; restrict allowed domains"],
+  ["webhook url", "\u5BA1\u67E5 webhook URL \u5F52\u5C5E\uFF0C\u786E\u4FDD\u6570\u636E\u4E0D\u5916\u6CC4\u5230\u7B2C\u4E09\u65B9", "Review webhook URL ownership; ensure data is not leaked to third parties"],
+  ["ngrok tunnel", "\u79FB\u9664 ngrok \u96A7\u9053\uFF0C\u4F7F\u7528\u53D7\u63A7\u7684\u53CD\u5411\u4EE3\u7406\u6216 VPN", "Remove ngrok tunnel; use a controlled reverse proxy or VPN"],
+  ["credential exfiltration", "\u9694\u79BB\u73AF\u5883\u53D8\u91CF\u8BFB\u53D6\u4E0E\u7F51\u7EDC\u8BF7\u6C42\uFF0C\u907F\u514D\u5728\u540C\u4E00\u4E0A\u4E0B\u6587\u4E2D\u64CD\u4F5C", "Isolate environment variable reads from network requests; avoid both in the same context"],
+  ["data collection/analytics endpoint", "\u5BA1\u67E5\u6570\u636E\u6536\u96C6\u7AEF\u70B9\uFF0C\u786E\u8BA4\u662F\u5426\u4E3A\u5FC5\u8981\u529F\u80FD\u5E76\u83B7\u5F97\u7528\u6237\u77E5\u60C5\u540C\u610F", "Review data collection endpoints; confirm necessity and obtain user consent"],
+  // Destructive Operations
+  ["rm -rf on root", "\u7EDD\u5BF9\u4E0D\u8981\u4F7F\u7528 rm -rf /\uFF0C\u6DFB\u52A0\u8DEF\u5F84\u767D\u540D\u5355\u6821\u9A8C", "Never use rm -rf /; add path allowlist validation"],
+  ["rm -rf", "\u6DFB\u52A0\u8DEF\u5F84\u767D\u540D\u5355\u6821\u9A8C\uFF0C\u4F7F\u7528 --interactive \u6216\u5148 dry-run \u786E\u8BA4", "Add path allowlist validation; use --interactive or dry-run first"],
+  ["git reset --hard", "\u6539\u7528 git stash \u4FDD\u5B58\u66F4\u6539\uFF0C\u6216\u4F7F\u7528 git reset --soft \u4FDD\u7559\u6682\u5B58", "Use git stash to save changes, or git reset --soft to keep staging"],
+  ["git push --force", "\u6539\u7528 git push --force-with-lease \u9632\u6B62\u8986\u76D6\u4ED6\u4EBA\u63D0\u4EA4", "Use git push --force-with-lease to prevent overwriting others' commits"],
+  ["git push -f", "\u6539\u7528 git push --force-with-lease \u9632\u6B62\u8986\u76D6\u4ED6\u4EBA\u63D0\u4EA4", "Use git push --force-with-lease to prevent overwriting others' commits"],
+  ["git clean -f", "\u6DFB\u52A0\u786E\u8BA4\u63D0\u793A\uFF0C\u6216\u4F7F\u7528 git clean -n \u5148\u9884\u89C8\u5C06\u5220\u9664\u7684\u6587\u4EF6", "Add confirmation prompt, or use git clean -n to preview files to be deleted"],
+  ["drop table", "\u6DFB\u52A0\u786E\u8BA4\u63D0\u793A\u548C\u5907\u4EFD\u673A\u5236\uFF0C\u4F7F\u7528 migration \u5DE5\u5177\u7BA1\u7406 schema \u53D8\u66F4", "Add confirmation and backup; use migration tools to manage schema changes"],
+  ["delete from without where", "\u6DFB\u52A0 WHERE \u6761\u4EF6\u9650\u5236\u5220\u9664\u8303\u56F4\uFF0C\u6216\u4F7F\u7528\u4E8B\u52A1 + \u786E\u8BA4\u673A\u5236", "Add WHERE clause to limit scope, or use transactions with confirmation"],
+  ["truncate table", "\u4F7F\u7528 DELETE + WHERE \u66FF\u4EE3 TRUNCATE\uFF0C\u6DFB\u52A0\u5907\u4EFD\u548C\u786E\u8BA4\u673A\u5236", "Use DELETE + WHERE instead of TRUNCATE; add backup and confirmation"],
+  ["shutil.rmtree", "\u6DFB\u52A0\u8DEF\u5F84\u767D\u540D\u5355\u6821\u9A8C\uFF0C\u786E\u4FDD\u76EE\u6807\u76EE\u5F55\u5728\u9884\u671F\u8303\u56F4\u5185", "Add path allowlist validation; ensure target directory is within expected scope"],
+  ["os.remove", "\u5220\u9664\u524D\u6821\u9A8C\u8DEF\u5F84\u662F\u5426\u5728\u9884\u671F\u8303\u56F4\u5185\uFF0C\u6DFB\u52A0\u786E\u8BA4\u903B\u8F91", "Validate path is within expected scope before deletion; add confirmation"],
+  ["os.unlink", "\u5220\u9664\u524D\u6821\u9A8C\u8DEF\u5F84\u662F\u5426\u5728\u9884\u671F\u8303\u56F4\u5185\uFF0C\u6DFB\u52A0\u786E\u8BA4\u903B\u8F91", "Validate path is within expected scope before deletion; add confirmation"],
+  ["disk format", "\u79FB\u9664\u78C1\u76D8\u683C\u5F0F\u5316\u547D\u4EE4\uFF0C\u8FD9\u5728 skill \u4E2D\u4E0D\u5E94\u51FA\u73B0", "Remove disk format command; this should not appear in a skill"],
+  ["fdisk", "\u79FB\u9664 fdisk \u547D\u4EE4\uFF0C\u78C1\u76D8\u5206\u533A\u64CD\u4F5C\u4E0D\u5E94\u5728 skill \u4E2D\u6267\u884C", "Remove fdisk command; disk partitioning should not be done in a skill"],
+  ["mkfs", "\u79FB\u9664 mkfs \u547D\u4EE4\uFF0C\u6587\u4EF6\u7CFB\u7EDF\u521B\u5EFA\u4E0D\u5E94\u5728 skill \u4E2D\u6267\u884C", "Remove mkfs command; filesystem creation should not be done in a skill"],
+  ["dd - low-level", "\u6DFB\u52A0\u660E\u786E\u7684 of= \u76EE\u6807\u6821\u9A8C\uFF0C\u907F\u514D\u8BEF\u8986\u76D6\u91CD\u8981\u8BBE\u5907/\u6587\u4EF6", "Add explicit of= target validation; avoid overwriting critical devices/files"],
+  ["fork bomb", "\u79FB\u9664 fork bomb \u4EE3\u7801\uFF0C\u8FD9\u662F\u6076\u610F\u6216\u8BEF\u64CD\u4F5C", "Remove fork bomb code; this is malicious or accidental"],
+  // Supply Chain
+  ["pipe-to-shell", "\u4E0B\u8F7D\u811A\u672C\u540E\u5148\u5BA1\u67E5\u518D\u6267\u884C\uFF1Acurl -o script.sh URL && review && bash script.sh", "Download scripts first, review, then execute: curl -o script.sh URL && review && bash script.sh"],
+  ["pipe-to-sudo", "\u6C38\u8FDC\u4E0D\u8981 curl | sudo\uFF0C\u5148\u4E0B\u8F7D\u5BA1\u67E5\u518D\u4EE5\u6700\u5C0F\u6743\u9650\u6267\u884C", "Never curl | sudo; download, review, then execute with least privilege"],
+  ["git clone", "\u9501\u5B9A clone \u7684 commit hash \u6216 tag\uFF0C\u907F\u514D\u62C9\u53D6\u672A\u5BA1\u67E5\u7684\u4EE3\u7801", "Pin clone to a commit hash or tag; avoid pulling unreviewed code"],
+  ["pip install without version", "\u4F7F\u7528 pip install package==x.y.z \u9501\u5B9A\u7248\u672C\uFF0C\u6216\u7528 requirements.txt + hash", "Use pip install package==x.y.z to pin versions, or requirements.txt with hashes"],
+  ["npm install without version", "\u4F7F\u7528 npm install package@x.y.z \u9501\u5B9A\u7248\u672C\uFF0C\u6216\u7528 package-lock.json", "Use npm install package@x.y.z to pin versions, or use package-lock.json"],
+  ["go get", "\u4F7F\u7528 go.sum \u9501\u5B9A\u4F9D\u8D56 hash\uFF0C\u6307\u5B9A\u660E\u786E\u7248\u672C\u53F7", "Use go.sum to lock dependency hashes; specify explicit version numbers"],
+  ["dockerfile from without digest", "\u6539\u7528 FROM image@sha256:... \u9501\u5B9A\u955C\u50CF\u6458\u8981", "Use FROM image@sha256:... to pin image digest"],
+  // Code Security
+  ["shell=true", "\u6539\u7528 subprocess.run(cmd_list, shell=False)\uFF0C\u53C2\u6570\u4EE5\u5217\u8868\u4F20\u5165", "Use subprocess.run(cmd_list, shell=False); pass arguments as a list"],
+  ["os.system", "\u6539\u7528 subprocess.run(cmd_list, shell=False)\uFF0C\u907F\u514D shell \u6CE8\u5165", "Use subprocess.run(cmd_list, shell=False); avoid shell injection"],
+  ["os.popen", "\u6539\u7528 subprocess.run(cmd_list, capture_output=True, shell=False)", "Use subprocess.run(cmd_list, capture_output=True, shell=False)"],
+  ["eval()", "\u7528 ast.literal_eval() \u66FF\u4EE3 eval()\uFF0C\u6216\u7528 JSON/\u914D\u7F6E\u6587\u4EF6\u89E3\u6790", "Use ast.literal_eval() instead of eval(), or parse with JSON/config files"],
+  ["exec()", "\u907F\u514D\u52A8\u6001\u6267\u884C\u4EE3\u7801\uFF0C\u6539\u7528\u51FD\u6570\u6620\u5C04 (dict dispatch) \u6216\u914D\u7F6E\u9A71\u52A8", "Avoid dynamic code execution; use function dispatch (dict mapping) or config-driven logic"],
+  ["compile()", "\u907F\u514D\u52A8\u6001\u7F16\u8BD1\u4EE3\u7801\u5B57\u7B26\u4E32\uFF0C\u4F7F\u7528\u9884\u5B9A\u4E49\u51FD\u6570\u6216\u6A21\u677F\u5F15\u64CE", "Avoid dynamically compiling code strings; use predefined functions or template engines"],
+  ["pickle.load", "\u6539\u7528 json.load() \u6216 msgpack\uFF0C\u907F\u514D\u53CD\u5E8F\u5217\u5316\u6267\u884C\u4EFB\u610F\u4EE3\u7801", "Use json.load() or msgpack instead; avoid arbitrary code execution via deserialization"],
+  ["yaml.load without safeloader", "\u6539\u7528 yaml.safe_load() \u6216 yaml.load(Loader=yaml.SafeLoader)", "Use yaml.safe_load() or yaml.load(Loader=yaml.SafeLoader)"],
+  ["marshal.load", "\u6539\u7528 JSON \u6216\u5176\u4ED6\u5B89\u5168\u5E8F\u5217\u5316\u683C\u5F0F", "Use JSON or other safe serialization formats"],
+  ["sql injection", "\u4F7F\u7528\u53C2\u6570\u5316\u67E5\u8BE2 cursor.execute('SELECT * FROM t WHERE id=?', (id,))", "Use parameterized queries: cursor.execute('SELECT * FROM t WHERE id=?', (id,))"],
+  ["innerhtml", "\u4F7F\u7528 textContent \u66FF\u4EE3 innerHTML\uFF0C\u6216\u7528 DOMPurify \u51C0\u5316 HTML", "Use textContent instead of innerHTML, or sanitize with DOMPurify"],
+  ["dangerouslysetinnerhtml", "\u4F7F\u7528 DOMPurify \u51C0\u5316 HTML \u540E\u518D\u4F20\u5165\uFF0C\u6216\u6539\u7528\u5B89\u5168\u7684\u6E32\u67D3\u65B9\u5F0F", "Sanitize HTML with DOMPurify before passing, or use safe rendering methods"],
+  ["path traversal", "\u5BF9\u8DEF\u5F84\u8F93\u5165\u8FDB\u884C\u89C4\u8303\u5316 (os.path.realpath) \u5E76\u6821\u9A8C\u662F\u5426\u5728\u5141\u8BB8\u7684\u76EE\u5F55\u5185", "Normalize path input (os.path.realpath) and verify it is within allowed directories"],
+  // Credential Leaks
+  ["openai/anthropic api key", "\u4F7F\u7528\u73AF\u5883\u53D8\u91CF os.environ['ANTHROPIC_API_KEY']\uFF0C\u4E0D\u786C\u7F16\u7801\u5BC6\u94A5", "Use environment variable os.environ['ANTHROPIC_API_KEY']; do not hardcode keys"],
+  ["github personal access token", "\u4F7F\u7528 GitHub App token \u6216\u73AF\u5883\u53D8\u91CF\uFF0C\u4E0D\u786C\u7F16\u7801 PAT", "Use GitHub App tokens or environment variables; do not hardcode PATs"],
+  ["github oauth token", "\u4F7F\u7528 OAuth flow \u52A8\u6001\u83B7\u53D6 token\uFF0C\u4E0D\u5728\u4EE3\u7801\u4E2D\u5B58\u50A8", "Use OAuth flow to dynamically obtain tokens; do not store in code"],
+  ["aws access key", "\u4F7F\u7528 IAM \u89D2\u8272\u6216 AWS SSO\uFF0C\u4E0D\u786C\u7F16\u7801 Access Key", "Use IAM roles or AWS SSO; do not hardcode Access Keys"],
+  ["slack bot token", "\u4F7F\u7528\u73AF\u5883\u53D8\u91CF\u5B58\u50A8 Slack token\uFF0C\u4E0D\u786C\u7F16\u7801", "Store Slack tokens in environment variables; do not hardcode"],
+  ["slack user token", "\u4F7F\u7528\u73AF\u5883\u53D8\u91CF\u5B58\u50A8 Slack token\uFF0C\u4E0D\u786C\u7F16\u7801", "Store Slack tokens in environment variables; do not hardcode"],
+  ["gitlab personal access token", "\u4F7F\u7528\u73AF\u5883\u53D8\u91CF\u6216 CI/CD \u53D8\u91CF\u6CE8\u5165\uFF0C\u4E0D\u786C\u7F16\u7801", "Use environment variables or CI/CD variable injection; do not hardcode"],
+  ["jwt token detected", "\u68C0\u67E5 JWT \u662F\u5426\u4E3A\u6D4B\u8BD5\u6570\u636E\uFF0C\u751F\u4EA7 token \u4E0D\u5E94\u51FA\u73B0\u5728\u4EE3\u7801\u4E2D", "Check if JWT is test data; production tokens should not appear in code"],
+  ["hardcoded password", "\u4F7F\u7528\u73AF\u5883\u53D8\u91CF os.environ['DB_PASSWORD'] \u6216\u5BC6\u94A5\u7BA1\u7406\u670D\u52A1", "Use environment variables os.environ['DB_PASSWORD'] or a secrets manager"],
+  ["hardcoded secret", "\u4F7F\u7528\u73AF\u5883\u53D8\u91CF\u6216\u5BC6\u94A5\u7BA1\u7406\u670D\u52A1 (HashiCorp Vault, AWS Secrets Manager)", "Use environment variables or a secrets manager (HashiCorp Vault, AWS Secrets Manager)"],
+  ["private key in pem", "\u4F7F\u7528\u5BC6\u94A5\u7BA1\u7406\u670D\u52A1\u5B58\u50A8\u79C1\u94A5\uFF0C\u4E0D\u5728\u4EE3\u7801\u4ED3\u5E93\u4E2D\u4FDD\u5B58", "Store private keys in a secrets manager; do not keep them in code repositories"],
+  ["hardcoded email", "\u4F7F\u7528\u73AF\u5883\u53D8\u91CF\u6216\u914D\u7F6E\u6587\u4EF6\u6CE8\u5165\u90AE\u7BB1\u5730\u5740", "Use environment variables or config files to inject email addresses"],
+  // Least Privilege
+  ["no allowed-tools declared", "\u5728 SKILL.md frontmatter \u4E2D\u58F0\u660E allowed-tools \u5217\u8868\uFF0C\u9650\u5236\u53EF\u7528\u5DE5\u5177", "Declare an allowed-tools list in SKILL.md frontmatter to restrict available tools"],
+  ["shell access declared", "\u8BC4\u4F30\u662F\u5426\u771F\u6B63\u9700\u8981 shell \u8BBF\u95EE\uFF0C\u5C3D\u91CF\u4F7F\u7528\u4E13\u7528\u5DE5\u5177\u66FF\u4EE3", "Evaluate whether shell access is truly needed; prefer dedicated tools instead"],
+  ["dangerous tool combination", "\u62C6\u5206\u4E3A\u591A\u4E2A\u72EC\u7ACB skill\uFF0C\u6BCF\u4E2A\u53EA\u7533\u8BF7\u5FC5\u8981\u7684\u5DE5\u5177\u6743\u9650", "Split into separate skills, each requesting only the necessary tool permissions"],
+  // License
+  ["proprietary", "\u786E\u8BA4\u8BB8\u53EF\u8BC1\u517C\u5BB9\u6027\uFF0C\u5FC5\u8981\u65F6\u83B7\u53D6\u5546\u7528\u6388\u6743", "Verify license compatibility; obtain commercial authorization if needed"],
+  ["all rights reserved", "\u786E\u8BA4\u4EE3\u7801\u4F7F\u7528\u6743\u9650\uFF0C\u8003\u8651\u8054\u7CFB\u4F5C\u8005\u83B7\u53D6\u5F00\u6E90\u6388\u6743", "Verify usage permissions; consider contacting the author for an open-source license"],
+  ["copying prohibited", "\u786E\u8BA4\u662F\u5426\u6709\u5408\u6CD5\u4F7F\u7528\u6743\u9650\uFF0C\u5FC5\u8981\u65F6\u5BFB\u6C42\u66FF\u4EE3\u65B9\u6848", "Verify legitimate usage rights; seek alternatives if necessary"],
+  ["non-commercial", "\u786E\u8BA4\u4F7F\u7528\u573A\u666F\u662F\u5426\u7B26\u5408 non-commercial \u9650\u5236", "Verify the use case complies with non-commercial restrictions"],
+  ["kegg database", "\u786E\u8BA4\u5B66\u672F\u8BB8\u53EF\u8BC1\u8986\u76D6\u8303\u56F4\uFF0C\u5546\u7528\u9700\u5355\u72EC\u6388\u6743", "Verify academic license scope; commercial use requires separate authorization"],
+  ["benchling", "\u786E\u8BA4 Benchling API \u4F7F\u7528\u6761\u6B3E\u548C\u8D39\u7528", "Review Benchling API terms of service and associated costs"],
+  ["bigquery", "\u5BA1\u67E5 BigQuery \u6570\u636E\u6536\u96C6\u8303\u56F4\uFF0C\u786E\u8BA4\u8D39\u7528\u548C\u6570\u636E\u9690\u79C1\u5408\u89C4", "Review BigQuery data collection scope; confirm costs and data privacy compliance"],
+  ["snowflake", "\u786E\u8BA4 Snowflake \u4F7F\u7528\u6761\u6B3E\u548C\u6570\u636E\u4F20\u8F93\u5408\u89C4\u6027", "Review Snowflake terms of service and data transfer compliance"],
+  // Resource Abuse
+  ["while true loop", "\u6DFB\u52A0\u660E\u786E\u7684\u9000\u51FA\u6761\u4EF6\u548C\u6700\u5927\u8FED\u4EE3\u6B21\u6570\u9650\u5236 (\u5982 max_iterations=1000)", "Add explicit exit conditions and max iteration limits (e.g. max_iterations=1000)"],
+  ["while 1 loop", "\u6DFB\u52A0\u660E\u786E\u7684\u9000\u51FA\u6761\u4EF6\u548C\u6700\u5927\u8FED\u4EE3\u6B21\u6570\u9650\u5236", "Add explicit exit conditions and max iteration limits"],
+  ["while(true) loop", "\u6DFB\u52A0 break \u6761\u4EF6\u548C\u8D85\u65F6\u673A\u5236", "Add break conditions and timeout mechanisms"],
+  ["for(;;) infinite loop", "\u6DFB\u52A0 break \u6761\u4EF6\u548C\u6700\u5927\u8FED\u4EE3\u6B21\u6570", "Add break conditions and max iteration limits"],
+  ["very large retmax", "\u964D\u4F4E retmax \u503C\uFF0C\u4F7F\u7528\u5206\u9875\u67E5\u8BE2\u907F\u514D\u4E00\u6B21\u62C9\u53D6\u8FC7\u591A\u6570\u636E", "Reduce retmax value; use pagination to avoid fetching too much data at once"],
+  ["very large limit", "\u4F7F\u7528\u5408\u7406\u7684 limit \u503C\uFF0C\u914D\u5408\u5206\u9875\u9010\u6B65\u83B7\u53D6\u6570\u636E", "Use reasonable limit values with pagination to fetch data incrementally"],
+  ["sleep(0) in potential busy loop", "\u589E\u52A0\u5408\u7406\u7684 sleep \u95F4\u9694 (\u5982 0.1s)\uFF0C\u907F\u514D CPU \u7A7A\u8F6C", "Add reasonable sleep intervals (e.g. 0.1s); avoid CPU busy-waiting"],
+  ["unlimited/excessive retry", "\u8BBE\u7F6E\u5408\u7406\u7684 retry \u4E0A\u9650 (\u5982 max_retries=3) \u548C\u6307\u6570\u9000\u907F", "Set reasonable retry limits (e.g. max_retries=3) with exponential backoff"],
+  ["recursive function", "\u6DFB\u52A0\u9012\u5F52\u6DF1\u5EA6\u9650\u5236\u6216\u6539\u7528\u8FED\u4EE3\u5B9E\u73B0", "Add recursion depth limits or convert to iterative implementation"]
+];
+var DIMENSION_REMEDIATIONS = [
+  ["Prompt Injection", "\u5BA1\u67E5\u6240\u6709\u7528\u6237\u8F93\u5165\u62FC\u63A5\u70B9\uFF0C\u4F7F\u7528\u7ED3\u6784\u5316 prompt \u6A21\u677F\uFF0C\u907F\u514D\u76F4\u63A5\u62FC\u63A5\u7528\u6237\u5185\u5BB9\u5230\u7CFB\u7EDF\u6307\u4EE4\u4E2D", "Review all user input concatenation points; use structured prompt templates; avoid concatenating user content into system instructions"],
+  ["Permission Escalation", "\u9075\u5FAA\u6700\u5C0F\u6743\u9650\u539F\u5219\uFF0C\u79FB\u9664 sudo/chmod 777\uFF0C\u4F7F\u7528\u7528\u6237\u6001\u64CD\u4F5C\u548C Linux capabilities", "Follow the principle of least privilege; remove sudo/chmod 777; use user-level operations and Linux capabilities"],
+  ["Data Exfiltration", "\u5BA1\u67E5\u6240\u6709\u5916\u90E8 URL \u548C API \u8C03\u7528\uFF0C\u786E\u4FDD\u6570\u636E\u53EA\u53D1\u5F80\u53EF\u4FE1\u7AEF\u70B9\uFF0C\u654F\u611F\u64CD\u4F5C\u9700\u7528\u6237\u786E\u8BA4", "Review all external URLs and API calls; ensure data is only sent to trusted endpoints; require user confirmation for sensitive operations"],
+  ["Destructive Operations", "\u6DFB\u52A0\u8DEF\u5F84\u767D\u540D\u5355\u3001\u786E\u8BA4\u63D0\u793A\u3001dry-run \u6A21\u5F0F\uFF0C\u7834\u574F\u6027\u64CD\u4F5C\u524D\u5148\u5907\u4EFD", "Add path allowlists, confirmation prompts, and dry-run mode; back up before destructive operations"],
+  ["Supply Chain", "\u9501\u5B9A\u4F9D\u8D56\u7248\u672C\uFF0C\u4F7F\u7528 hash \u6821\u9A8C\uFF0C\u4E0B\u8F7D\u540E\u5148\u5BA1\u67E5\u518D\u6267\u884C\uFF0C\u907F\u514D pipe-to-shell", "Pin dependency versions; use hash verification; download and review before executing; avoid pipe-to-shell"],
+  ["Code Security", "\u907F\u514D eval/exec/shell=True\uFF0C\u4F7F\u7528\u53C2\u6570\u5316\u67E5\u8BE2\uFF0C\u5BF9\u5916\u90E8\u8F93\u5165\u505A\u6821\u9A8C\u548C\u51C0\u5316", "Avoid eval/exec/shell=True; use parameterized queries; validate and sanitize external input"],
+  ["Credential Leaks", "\u4F7F\u7528\u73AF\u5883\u53D8\u91CF\u6216\u5BC6\u94A5\u7BA1\u7406\u670D\u52A1\u5B58\u50A8\u51ED\u8BC1\uFF0C\u4E0D\u5728\u4EE3\u7801\u4E2D\u786C\u7F16\u7801\u4EFB\u4F55\u5BC6\u94A5/\u5BC6\u7801", "Use environment variables or secrets managers to store credentials; never hardcode keys/passwords in code"],
+  ["Least Privilege", "\u5728 SKILL.md \u4E2D\u58F0\u660E\u6700\u5C0F\u5DE5\u5177\u96C6\uFF0C\u907F\u514D Bash(*) \u901A\u914D\u7B26\u6743\u9650\uFF0C\u62C6\u5206\u9AD8\u6743\u9650\u64CD\u4F5C", "Declare minimal toolsets in SKILL.md; avoid Bash(*) wildcard permissions; split high-privilege operations"],
+  ["License Compliance", "\u68C0\u67E5\u4F9D\u8D56\u8BB8\u53EF\u8BC1\u517C\u5BB9\u6027\uFF0C\u6807\u6CE8\u5546\u4E1A\u670D\u52A1\u4F7F\u7528\uFF0C\u786E\u4FDD\u5408\u89C4\u4F7F\u7528", "Check dependency license compatibility; annotate commercial service usage; ensure compliant use"],
+  ["Resource Abuse", "\u6DFB\u52A0\u5FAA\u73AF\u9000\u51FA\u6761\u4EF6\u3001\u8BF7\u6C42\u9650\u6D41\u3001\u5408\u7406\u7684 retry \u4E0A\u9650\uFF0C\u907F\u514D\u65E0\u9650\u6D88\u8017\u8D44\u6E90", "Add loop exit conditions, request throttling, and reasonable retry limits; avoid unbounded resource consumption"]
+];
+function matchRemediation(description) {
+  const descLower = description.toLowerCase();
+  for (const [key, zh, en] of REMEDIATIONS) {
+    if (descLower.includes(key)) {
+      return [zh, en];
+    }
+  }
+  return ["", ""];
+}
+function dimensionRemediation(dimension) {
+  const dimLower = dimension.toLowerCase();
+  for (const [key, zh, en] of DIMENSION_REMEDIATIONS) {
+    if (dimLower.includes(key.toLowerCase())) {
+      return [zh, en];
+    }
+  }
+  return ["", ""];
+}
+
+// src/scanner/dimensions/prompt-injection.ts
+var INJECTION_PHRASES = [
+  ["ignore\\s+(all\\s+)?previous\\s+instructions", "CRITICAL", "Prompt injection: ignore previous instructions"],
+  ["you\\s+are\\s+now\\b", "CRITICAL", "Prompt injection: role override 'you are now'"],
+  ["disregard\\s+(all\\s+)?(above|previous|prior)", "CRITICAL", "Prompt injection: disregard directive"],
+  ["override\\s+system\\s+(prompt|instructions|message)", "CRITICAL", "Prompt injection: override system prompt"],
+  ["\\bjailbreak\\b", "CRITICAL", "Prompt injection keyword: jailbreak"],
+  ["pretend\\s+you\\s+are\\b", "CRITICAL", "Role-play induction: pretend you are"],
+  ["act\\s+as\\s+if\\s+you", "CRITICAL", "Role-play induction: act as if"],
+  ["roleplay\\s+as\\b", "CRITICAL", "Role-play induction: roleplay as"],
+  ["do\\s+anything\\s+now", "CRITICAL", "DAN-style jailbreak attempt"],
+  ["from\\s+now\\s+on,?\\s+you\\s+(will|must|should)", "CRITICAL", "Behavioral override: from now on you will"]
+];
+function checkPromptInjection(ctx, ref) {
+  const findings = scanPatterns(ctx.fileContents, INJECTION_PHRASES, ref);
+  const auxRules = ctx.rules["prompt_injection_auxiliary"] || [];
+  const zwcRule = auxRules.find((r) => r.id === "PI-AUX-01");
+  if (!zwcRule || zwcRule.enabled !== false) {
+    const severity = zwcRule?.severity || "MEDIUM";
+    const zwcRe = /[\u200b\u200c\u200d\ufeff\u2060]/g;
+    for (const [relPath, content] of ctx.fileContents) {
+      let m;
+      while ((m = zwcRe.exec(content)) !== null) {
+        findings.push({
+          dimension: "",
+          severity,
+          filePath: relPath,
+          lineNumber: getLineNumber(content, m.index),
+          pattern: "zero-width character",
+          description: `Zero-width character U+${m[0].charCodeAt(0).toString(16).toUpperCase().padStart(4, "0")} detected (possible steganographic injection)`,
+          reference: ref,
+          remediationZh: "",
+          remediationEn: ""
+        });
+      }
+    }
+  }
+  const b64Rule = auxRules.find((r) => r.id === "PI-AUX-02");
+  if (!b64Rule || b64Rule.enabled !== false) {
+    const severity = b64Rule?.severity || "MEDIUM";
+    const b64Re = /[A-Za-z0-9+/]{200,}={0,2}/g;
+    for (const [relPath, content] of ctx.fileContents) {
+      let m;
+      while ((m = b64Re.exec(content)) !== null) {
+        findings.push({
+          dimension: "",
+          severity,
+          filePath: relPath,
+          lineNumber: getLineNumber(content, m.index),
+          pattern: "long base64 string",
+          description: `Long base64-like string (${m[0].length} chars) - may hide injected payload`,
+          reference: ref,
+          remediationZh: "",
+          remediationEn: ""
+        });
+      }
+    }
+  }
+  const htmlRule = auxRules.find((r) => r.id === "PI-AUX-03");
+  if (!htmlRule || htmlRule.enabled !== false) {
+    const severity = htmlRule?.severity || "HIGH";
+    const whitelist = htmlRule?.whitelist || [];
+    const keywords = ["instruction", "ignore", "override", "system prompt", "you must", "you are now"];
+    const commentRe = /<!--([\s\S]*?)-->/g;
+    for (const [relPath, content] of ctx.fileContents) {
+      let m;
+      while ((m = commentRe.exec(content)) !== null) {
+        const comment = m[1].toLowerCase();
+        if (keywords.some((kw) => comment.includes(kw))) {
+          if (whitelist.length && whitelist.some((w) => w && comment.includes(w.toLowerCase()))) continue;
+          findings.push({
+            dimension: "",
+            severity,
+            filePath: relPath,
+            lineNumber: getLineNumber(content, m.index),
+            pattern: "<!-- hidden instruction -->",
+            description: "Hidden instruction detected in HTML comment",
+            reference: ref,
+            remediationZh: "",
+            remediationEn: ""
+          });
+        }
+      }
+    }
+  }
+  return findings;
+}
+
+// src/scanner/dimensions/permission-escalation.ts
+var PATTERNS = [
+  ["dangerouslyDisableSandbox", "CRITICAL", "Disables sandbox protection"],
+  ["--dangerously-skip-permissions", "CRITICAL", "Skips permission checks"],
+  ["\\bsudo\\s+", "HIGH", "sudo usage - requires root privileges"],
+  ["chmod\\s+777\\b", "HIGH", "chmod 777 - world-writable permissions"],
+  ["chown\\s+root\\b", "HIGH", "chown root - changing ownership to root"],
+  ["\\.claude/settings\\.json", "HIGH", "Modifying Claude settings file"],
+  ["\\ballowedTools\\b", "MEDIUM", "References allowedTools configuration"],
+  ["--no-verify\\b", "MEDIUM", "Bypasses verification hooks"],
+  ["chmod\\s+[0-7]*[67][0-7]{2}\\b", "MEDIUM", "Overly permissive chmod"],
+  ["setuid\\b|setgid\\b", "HIGH", "setuid/setgid - elevated privilege bits"]
+];
+function checkPermissionEscalation(ctx, ref) {
+  return scanPatterns(ctx.fileContents, PATTERNS, ref);
+}
+
+// src/scanner/dimensions/data-exfiltration.ts
+function checkDataExfiltration(ctx, ref) {
+  const findings = [];
+  const environRead = /os\.environ/.test(ctx.fullText);
+  const networkSend = /(requests\.post|curl.*POST|fetch.*POST|urllib)/.test(ctx.fullText);
+  if (environRead && networkSend) {
+    findings.push({
+      dimension: "",
+      severity: "HIGH",
+      filePath: "(multiple files)",
+      lineNumber: 0,
+      pattern: "os.environ + network send",
+      description: "Environment variables read AND outbound network requests detected - potential credential exfiltration",
+      reference: ref,
+      remediationZh: "",
+      remediationEn: ""
+    });
+  }
+  findings.push(...applyRules("data_exfiltration", ctx.fileContents, ctx.rules, ref));
+  return findings;
+}
+
+// src/scanner/dimensions/destructive-operations.ts
+var PATTERNS2 = [
+  ["rm\\s+-rf\\s+/", "CRITICAL", "rm -rf on root path - catastrophic deletion"],
+  ["rm\\s+-rf\\b", "HIGH", "rm -rf - recursive forced deletion"],
+  ["git\\s+reset\\s+--hard\\b", "HIGH", "git reset --hard - discards all changes"],
+  ["git\\s+push\\s+--force\\b", "HIGH", "git push --force - overwrites remote history"],
+  ["git\\s+push\\s+-f\\b", "HIGH", "git push -f - force push"],
+  ["git\\s+clean\\s+-f", "HIGH", "git clean -f - deletes untracked files"],
+  ["DROP\\s+TABLE\\b", "CRITICAL", "DROP TABLE - database table deletion"],
+  ["DELETE\\s+FROM\\b(?!.*WHERE)", "HIGH", "DELETE FROM without WHERE - deletes all rows"],
+  ["TRUNCATE\\s+TABLE\\b", "CRITICAL", "TRUNCATE TABLE - removes all data"],
+  ["shutil\\.rmtree\\s*\\(", "HIGH", "shutil.rmtree - recursive directory deletion"],
+  ["os\\.remove\\s*\\(", "MEDIUM", "os.remove - file deletion"],
+  ["os\\.unlink\\s*\\(", "MEDIUM", "os.unlink - file deletion"],
+  ["\\bformat\\s+[a-zA-Z]:", "CRITICAL", "Disk format command"],
+  ["\\bfdisk\\b", "CRITICAL", "fdisk - disk partitioning"],
+  ["\\bmkfs\\b", "CRITICAL", "mkfs - creates filesystem (destroys data)"],
+  ["\\bdd\\s+if=", "HIGH", "dd - low-level data copy/overwrite"],
+  [":\\(\\)\\{\\s*:\\|:&\\s*\\};:", "CRITICAL", "Fork bomb detected"]
+];
+function checkDestructiveOperations(ctx, ref) {
+  return scanPatterns(ctx.fileContents, PATTERNS2, ref);
+}
+
+// src/scanner/dimensions/supply-chain.ts
+function checkSupplyChain(ctx, ref) {
+  const findings = [];
+  const allRules = ctx.rules["supply_chain"] || [];
+  const dockerfileRules = allRules.filter((r) => r.id === "SC-08");
+  const otherRules = allRules.filter((r) => r.id !== "SC-08");
+  for (const rule of otherRules) {
+    if (!rule.enabled) continue;
+    if (!rule.pattern) continue;
+    const whitelist = rule.whitelist || [];
+    let re;
+    try {
+      re = new RegExp(rule.pattern, "gi");
+    } catch {
+      continue;
+    }
+    for (const [relPath, content] of ctx.fileContents) {
+      let m;
+      while ((m = re.exec(content)) !== null) {
+        const matched = m[0];
+        if (whitelist.some((w) => w && matched.toLowerCase().includes(w.toLowerCase()))) continue;
+        findings.push({
+          dimension: "",
+          severity: rule.severity || "MEDIUM",
+          filePath: relPath,
+          lineNumber: getLineNumber(content, m.index),
+          pattern: rule.pattern,
+          description: rule.description || "",
+          reference: ref,
+          remediationZh: "",
+          remediationEn: ""
+        });
+      }
+    }
+  }
+  for (const rule of dockerfileRules) {
+    if (!rule.enabled) continue;
+    if (!rule.pattern) continue;
+    const whitelist = rule.whitelist || [];
+    let re;
+    try {
+      re = new RegExp(rule.pattern, "gm");
+    } catch {
+      continue;
+    }
+    for (const [relPath, content] of ctx.fileContents) {
+      if (!relPath.toLowerCase().includes("dockerfile") && !relPath.endsWith("Dockerfile")) continue;
+      let m;
+      while ((m = re.exec(content)) !== null) {
+        const matched = m[0];
+        if (whitelist.some((w) => w && matched.toLowerCase().includes(w.toLowerCase()))) continue;
+        findings.push({
+          dimension: "",
+          severity: rule.severity || "LOW",
+          filePath: relPath,
+          lineNumber: getLineNumber(content, m.index),
+          pattern: rule.pattern,
+          description: rule.description || "",
+          reference: ref,
+          remediationZh: "",
+          remediationEn: ""
+        });
+      }
+    }
+  }
+  return findings;
+}
+
+// src/scanner/dimensions/code-security.ts
+var CODE_EXTENSIONS = /* @__PURE__ */ new Set([".py", ".js", ".ts", ".jsx", ".tsx", ".rb", ".go", ".rs", ".java", ".sh"]);
+var ALL_PATTERNS = [
+  ["subprocess\\.(run|call|Popen)\\s*\\([^)]*shell\\s*=\\s*True", "HIGH", "subprocess with shell=True - potential shell injection"],
+  ["os\\.system\\s*\\(", "HIGH", "os.system - shell command execution"],
+  ["os\\.popen\\s*\\(", "HIGH", "os.popen - shell command execution"],
+  ["\\beval\\s*\\(", "HIGH", "eval() - arbitrary code execution"],
+  ["\\bexec\\s*\\(", "HIGH", "exec() - arbitrary code execution"],
+  [`(?<!re\\.)\\bcompile\\s*\\([^)]*["']`, "MEDIUM", "compile() - dynamic code compilation"],
+  ["pickle\\.loads?\\s*\\(", "HIGH", "pickle.load - unsafe deserialization"],
+  ["yaml\\.load\\s*\\((?!.*Loader\\s*=\\s*yaml\\.SafeLoader)", "HIGH", "yaml.load without SafeLoader - unsafe deserialization"],
+  ["marshal\\.loads?\\s*\\(", "HIGH", "marshal.load - unsafe deserialization"],
+  [`f["']SELECT\\b.*\\{`, "HIGH", "SQL injection: f-string in SELECT query"],
+  [`f["']INSERT\\b.*\\{`, "HIGH", "SQL injection: f-string in INSERT query"],
+  [`f["']UPDATE\\b.*\\{`, "HIGH", "SQL injection: f-string in UPDATE query"],
+  [`f["']DELETE\\b.*\\{`, "HIGH", "SQL injection: f-string in DELETE query"],
+  ["\\.format\\s*\\(.*SELECT\\b", "HIGH", "SQL injection: .format() in query"],
+  ["%\\s*\\(.*SELECT\\b", "MEDIUM", "SQL injection: % formatting in query"],
+  ["innerHTML\\s*=", "MEDIUM", "innerHTML assignment - XSS risk"],
+  ["dangerouslySetInnerHTML", "MEDIUM", "React dangerouslySetInnerHTML - XSS risk"],
+  ["\\.\\./(\\.\\./)+(etc|root|home|var|usr)\\b", "MEDIUM", "Deep path traversal pattern"]
+];
+var RESTRICTED_PATTERNS = /* @__PURE__ */ new Set([
+  "\\beval\\s*\\(",
+  "\\bexec\\s*\\(",
+  "os\\.system\\s*\\(",
+  "os\\.popen\\s*\\(",
+  "subprocess\\.(run|call|Popen)\\s*\\([^)]*shell\\s*=\\s*True"
+]);
+function checkCodeSecurity(ctx, ref) {
+  const findings = [];
+  for (const [relPath, content] of ctx.fileContents) {
+    const ext = relPath.includes(".") ? "." + relPath.split(".").pop().toLowerCase() : "";
+    const isCode = CODE_EXTENSIONS.has(ext);
+    const patterns = isCode ? ALL_PATTERNS : ALL_PATTERNS.filter((p) => RESTRICTED_PATTERNS.has(p[0]));
+    for (const [pattern, severity, desc] of patterns) {
+      let re;
+      try {
+        re = new RegExp(pattern, "g");
+      } catch {
+        continue;
+      }
+      let m;
+      while ((m = re.exec(content)) !== null) {
+        findings.push({
+          dimension: "",
+          severity,
+          filePath: relPath,
+          lineNumber: getLineNumber(content, m.index),
+          pattern: m[0].length > 80 ? m[0].slice(0, 80) + "..." : m[0],
+          description: desc,
+          reference: ref,
+          remediationZh: "",
+          remediationEn: ""
+        });
+      }
+    }
+  }
+  return findings;
+}
+
+// src/scanner/dimensions/credential-leaks.ts
+var KEY_PREFIXES = [
+  ["\\bsk-[a-zA-Z0-9]{20,}", "CRITICAL", "OpenAI/Anthropic API key (sk-...)"],
+  ["\\bghp_[a-zA-Z0-9]{36,}", "CRITICAL", "GitHub personal access token"],
+  ["\\bgho_[a-zA-Z0-9]{36,}", "CRITICAL", "GitHub OAuth token"],
+  ["\\bAKIA[A-Z0-9]{16}\\b", "CRITICAL", "AWS Access Key ID"],
+  ["\\bxoxb-[0-9-]+", "CRITICAL", "Slack bot token"],
+  ["\\bxoxp-[0-9-]+", "CRITICAL", "Slack user token"],
+  ["\\bglpat-[a-zA-Z0-9\\-_]{20,}", "CRITICAL", "GitLab personal access token"],
+  ["\\beyJ[a-zA-Z0-9_-]{50,}\\.eyJ", "MEDIUM", "JWT token detected"]
+];
+var PEM_PATTERN = "-----BEGIN\\s+(?:RSA\\s+)?PRIVATE\\s+KEY-----";
+var HARDCODED_PATTERNS = [
+  [`(?:password|passwd|pwd)\\s*[=:]\\s*["'][^"']{8,}["']`, "HIGH", "Hardcoded password"],
+  [`(?:secret|api_?key|token|auth)\\s*[=:]\\s*["'][^"']{8,}["']`, "HIGH", "Hardcoded secret/API key"]
+];
+var SKIP_FILES = /* @__PURE__ */ new Set(["example", "template", "test", "mock", "sample", "demo", "fixture"]);
+var PLACEHOLDERS = ["your_", "xxx", "placeholder", "changeme", "example", "replace", "<", "${", "todo", "fixme"];
+function checkCredentialLeaks(ctx, ref) {
+  const findings = [];
+  for (const [relPath, content] of ctx.fileContents) {
+    const relLower = relPath.toLowerCase();
+    for (const [pattern, severity, desc] of KEY_PREFIXES) {
+      const re = new RegExp(pattern, "g");
+      let m;
+      while ((m = re.exec(content)) !== null) {
+        findings.push({
+          dimension: "",
+          severity,
+          filePath: relPath,
+          lineNumber: getLineNumber(content, m.index),
+          pattern,
+          description: desc,
+          reference: ref,
+          remediationZh: "",
+          remediationEn: ""
+        });
+      }
+    }
+    const pemRe = new RegExp(PEM_PATTERN, "g");
+    let pm;
+    while ((pm = pemRe.exec(content)) !== null) {
+      findings.push({
+        dimension: "",
+        severity: "CRITICAL",
+        filePath: relPath,
+        lineNumber: getLineNumber(content, pm.index),
+        pattern: PEM_PATTERN,
+        description: "Private key in PEM format",
+        reference: ref,
+        remediationZh: "",
+        remediationEn: ""
+      });
+    }
+    const isSkipFile = [...SKIP_FILES].some((s) => relLower.includes(s));
+    if (!isSkipFile) {
+      for (const [pattern, severity, desc] of HARDCODED_PATTERNS) {
+        const re = new RegExp(pattern, "gi");
+        let m;
+        while ((m = re.exec(content)) !== null) {
+          const matched = m[0].toLowerCase();
+          if (PLACEHOLDERS.some((ph) => matched.includes(ph))) continue;
+          findings.push({
+            dimension: "",
+            severity,
+            filePath: relPath,
+            lineNumber: getLineNumber(content, m.index),
+            pattern,
+            description: desc,
+            reference: ref,
+            remediationZh: "",
+            remediationEn: ""
+          });
+        }
+      }
+      const emailRe = /Entrez\.email\s*=\s*["'][^"']+@[^"']+["']/g;
+      let em;
+      while ((em = emailRe.exec(content)) !== null) {
+        findings.push({
+          dimension: "",
+          severity: "MEDIUM",
+          filePath: relPath,
+          lineNumber: getLineNumber(content, em.index),
+          pattern: "hardcoded email",
+          description: "Hardcoded email address in API configuration",
+          reference: ref,
+          remediationZh: "",
+          remediationEn: ""
+        });
+      }
+    }
+  }
+  return findings;
+}
+
+// src/scanner/dimensions/least-privilege.ts
+function checkLeastPrivilege(ctx, ref) {
+  const findings = [];
+  const lpRules = {};
+  for (const r of ctx.rules["least_privilege"] || []) {
+    lpRules[r.id] = r;
+  }
+  const lp01 = lpRules["LP-01"] || {};
+  const lp02 = lpRules["LP-02"] || {};
+  const lp03 = lpRules["LP-03"] || {};
+  let allowedTools = ctx.frontmatter["allowed-tools"] || [];
+  if (typeof allowedTools === "string") allowedTools = [allowedTools];
+  if (!allowedTools.length) {
+    if (lp01.enabled !== false) {
+      findings.push({
+        dimension: "",
+        severity: lp01.severity || "LOW",
+        filePath: "SKILL.md",
+        lineNumber: 0,
+        pattern: "missing allowed-tools",
+        description: "No allowed-tools declared in frontmatter - implicit all-tools access",
+        reference: ref,
+        remediationZh: "",
+        remediationEn: ""
+      });
+    }
+  } else {
+    const toolSet = new Set(allowedTools.map((t) => t.toLowerCase()));
+    const hasShell = ["bash", "run_shell_command", "shell", "terminal"].some((t) => toolSet.has(t));
+    const hasNetwork = ["web_fetch", "fetch", "http", "network", "web_search"].some((t) => toolSet.has(t));
+    const hasWrite = ["write", "edit", "file_write", "write_file"].some((t) => toolSet.has(t));
+    if (hasShell && lp02.enabled !== false) {
+      findings.push({
+        dimension: "",
+        severity: lp02.severity || "MEDIUM",
+        filePath: "SKILL.md",
+        lineNumber: 0,
+        pattern: "allowed-tools: shell",
+        description: "Shell access declared in allowed-tools",
+        reference: ref,
+        remediationZh: "",
+        remediationEn: ""
+      });
+    }
+    if (hasShell && hasNetwork && hasWrite && lp03.enabled !== false) {
+      findings.push({
+        dimension: "",
+        severity: lp03.severity || "HIGH",
+        filePath: "SKILL.md",
+        lineNumber: 0,
+        pattern: "shell + network + write",
+        description: "Dangerous tool combination: shell + network + file write access",
+        reference: ref,
+        remediationZh: "",
+        remediationEn: ""
+      });
+    }
+  }
+  return findings;
+}
+
+// src/scanner/dimensions/license-compliance.ts
+var OPEN_LICENSES = ["mit", "apache", "bsd", "isc", "unlicense", "cc0", "wtfpl", "mpl", "lgpl", "gpl"];
+function checkLicenseCompliance(ctx, ref) {
+  const findings = [];
+  const fmLicense = typeof ctx.frontmatter["license"] === "string" ? ctx.frontmatter["license"].toLowerCase() : "";
+  if (fmLicense) {
+    if (OPEN_LICENSES.some((ol) => fmLicense.includes(ol))) {
+      findings.push({
+        dimension: "",
+        severity: "INFO",
+        filePath: "SKILL.md",
+        lineNumber: 0,
+        pattern: `license: ${fmLicense}`,
+        description: `Open source license: ${fmLicense}`,
+        reference: ref,
+        remediationZh: "",
+        remediationEn: ""
+      });
+    } else if (fmLicense.includes("proprietary")) {
+      findings.push({
+        dimension: "",
+        severity: "MEDIUM",
+        filePath: "SKILL.md",
+        lineNumber: 0,
+        pattern: `license: ${fmLicense}`,
+        description: "Proprietary license declared",
+        reference: ref,
+        remediationZh: "",
+        remediationEn: ""
+      });
+    }
+  }
+  findings.push(...applyRules("license_compliance", ctx.fileContents, ctx.rules, ref));
+  return findings;
+}
+
+// src/scanner/dimensions/resource-abuse.ts
+function checkResourceAbuse(ctx, ref) {
+  const findings = [];
+  findings.push(...applyRules("resource_abuse", ctx.fileContents, ctx.rules, ref));
+  for (const [relPath, content] of ctx.fileContents) {
+    if (!relPath.endsWith(".py")) continue;
+    const defRe = /def\s+(\w+)\s*\(/g;
+    let dm;
+    while ((dm = defRe.exec(content)) !== null) {
+      const funcName = dm[1];
+      const funcStart = dm.index;
+      const rest = content.slice(funcStart + dm[0].length);
+      const nextDef = rest.search(/\ndef\s+\w+\s*\(/);
+      const funcBody = nextDef >= 0 ? rest.slice(0, nextDef) : rest;
+      const selfCallRe = new RegExp(`\\b${funcName.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}\\s*\\(`);
+      if (selfCallRe.test(funcBody)) {
+        const hasBase = ["return", "if ", "raise", "break"].some((kw) => funcBody.includes(kw));
+        if (!hasBase) {
+          findings.push({
+            dimension: "",
+            severity: "HIGH",
+            filePath: relPath,
+            lineNumber: getLineNumber(content, funcStart),
+            pattern: `recursive: ${funcName}`,
+            description: `Recursive function '${funcName}' without obvious base case`,
+            reference: ref,
+            remediationZh: "",
+            remediationEn: ""
+          });
+        }
+      }
+    }
+  }
+  return findings;
+}
+
+// src/token/estimator.ts
+import { existsSync, readFileSync as readFileSync3 } from "fs";
+import { join as join3 } from "path";
+function countCjk(text) {
+  let count = 0;
+  for (const ch of text) {
+    const code = ch.charCodeAt(0);
+    if (code >= 19968 && code <= 40959 || code >= 13312 && code <= 19903 || code >= 63744 && code <= 64255) {
+      count++;
+    }
+  }
+  return count;
+}
+function estimateTokens(text) {
+  if (!text) return 0;
+  const cjk = countCjk(text);
+  const nonCjk = text.length - cjk;
+  return Math.round(cjk / 1.5 + nonCjk / 3.5);
+}
+function estimateTokensFromChars(chars) {
+  return chars ? Math.round(chars / 3) : 0;
+}
+function extractReferences(skillMdContent, skillDir) {
+  const eager = /* @__PURE__ */ new Set();
+  const lazy = /* @__PURE__ */ new Set();
+  const fileExists = (candidate) => existsSync(join3(skillDir, candidate));
+  const mandatoryRe = /(?:MANDATORY|READ\s+ENTIRE\s+FILE|MUST\s+(?:READ|LOAD)|REQUIRED.*?READ).*?[[\`(]([a-zA-Z0-9_./-]+\.[a-zA-Z]{1,5})/gi;
+  let m;
+  while ((m = mandatoryRe.exec(skillMdContent)) !== null) {
+    if (fileExists(m[1])) eager.add(m[1]);
+  }
+  const codeRe = /(?:source|python3?|bash|node|ruby|perl|sh)\s+(?:\$\{[^}]*\}\/)?([a-zA-Z0-9_./-]+\.[a-zA-Z]{1,5})/g;
+  while ((m = codeRe.exec(skillMdContent)) !== null) {
+    if (fileExists(m[1])) eager.add(m[1]);
+  }
+  const linkRe = /\[([^\]]*)\]\(([^)]+)\)/g;
+  while ((m = linkRe.exec(skillMdContent)) !== null) {
+    const target = m[2].trim();
+    if (/^(https?:\/\/|#|mailto:)/.test(target)) continue;
+    if (fileExists(target) && !eager.has(target)) lazy.add(target);
+  }
+  const btRe = /`([a-zA-Z0-9_./-]+\.[a-zA-Z]{1,5})`/g;
+  while ((m = btRe.exec(skillMdContent)) !== null) {
+    if (fileExists(m[1]) && !eager.has(m[1])) lazy.add(m[1]);
+  }
+  const readRe = /(?:[Rr]ead|[Ss]ee|[Rr]efer\s+to|[Cc]heck)\s+(?:\[?['"])?([a-zA-Z0-9_./-]+\.[a-zA-Z]{1,5})/g;
+  while ((m = readRe.exec(skillMdContent)) !== null) {
+    if (fileExists(m[1]) && !eager.has(m[1])) lazy.add(m[1]);
+  }
+  for (const e of eager) lazy.delete(e);
+  return {
+    eager: [...eager].sort(),
+    lazy: [...lazy].sort()
+  };
+}
+function estimateSkillTokens(skillDir, fileContents) {
+  const est = {
+    l1SkillMd: 0,
+    l2Eager: 0,
+    l2Lazy: 0,
+    l3Total: 0,
+    l1Chars: 0,
+    l2EagerChars: 0,
+    l2LazyChars: 0,
+    l3Chars: 0,
+    eagerFiles: [],
+    lazyFiles: []
+  };
+  for (const name of ["SKILL.md", "skill.md"]) {
+    const content = fileContents.get(name);
+    if (content) {
+      est.l1Chars = content.length;
+      est.l1SkillMd = estimateTokens(content);
+      const refs = extractReferences(content, skillDir);
+      est.eagerFiles = refs.eager;
+      est.lazyFiles = refs.lazy;
+      break;
+    }
+  }
+  const resolveChars = (paths) => {
+    let total = 0;
+    for (const refPath of paths) {
+      const content = fileContents.get(refPath);
+      if (content) {
+        total += content.length;
+      } else {
+        try {
+          const full = join3(skillDir, refPath);
+          total += readFileSync3(full, "utf-8").length;
+        } catch {
+        }
+      }
+    }
+    return total;
+  };
+  est.l2EagerChars = resolveChars(est.eagerFiles);
+  est.l2Eager = estimateTokensFromChars(est.l2EagerChars);
+  est.l2LazyChars = resolveChars(est.lazyFiles);
+  est.l2Lazy = estimateTokensFromChars(est.l2LazyChars);
+  for (const content of fileContents.values()) {
+    est.l3Chars += content.length;
+  }
+  est.l3Total = estimateTokensFromChars(est.l3Chars);
+  return est;
+}
+
+// src/token/cost.ts
+function computeSessionCost(te, mp, nTurns) {
+  const L1 = te.l1SkillMd;
+  const L2e = te.l2Eager;
+  const L2l = te.l2Lazy;
+  const O = OUTPUT_PER_TURN;
+  const rFull = mp.inputPerM / 1e6;
+  const rCache = mp.cacheInputPerM / 1e6;
+  const rOut = mp.outputPerM / 1e6;
+  let total = 0;
+  for (let k = 1; k <= nTurns; k++) {
+    let inpNew;
+    let inpCached;
+    if (k === 1) {
+      inpNew = L1;
+      inpCached = 0;
+    } else if (k === 2) {
+      inpNew = O + L2e;
+      inpCached = L1;
+    } else if (k === 3) {
+      inpNew = O + L2l;
+      inpCached = L1 + O + L2e;
+    } else {
+      inpNew = O;
+      inpCached = L1 + L2e + L2l + (k - 2) * O;
+    }
+    total += inpNew * rFull + inpCached * rCache + O * rOut;
+  }
+  return total;
+}
+function estimateCosts(te) {
+  return MODEL_CATALOG.map((mp) => ({
+    modelName: mp.name,
+    inputPerM: mp.inputPerM,
+    outputPerM: mp.outputPerM,
+    cacheInputPerM: mp.cacheInputPerM,
+    lightCost: computeSessionCost(te, mp, COST_SCENARIOS.light),
+    typicalCost: computeSessionCost(te, mp, COST_SCENARIOS.typical),
+    heavyCost: computeSessionCost(te, mp, COST_SCENARIOS.heavy)
+  }));
+}
+
+// src/scanner/auditor.ts
+var DIMENSIONS = [
+  { zhName: "Prompt \u6CE8\u5165\u68C0\u6D4B", enName: "Prompt Injection", reference: "OWASP LLM01", checker: checkPromptInjection },
+  { zhName: "\u6743\u9650\u63D0\u5347\u5206\u6790", enName: "Permission Escalation", reference: "OWASP LLM06", checker: checkPermissionEscalation },
+  { zhName: "\u6570\u636E\u5916\u6CC4\u98CE\u9669", enName: "Data Exfiltration", reference: "OWASP LLM02 / MCP-Scan TPA", checker: checkDataExfiltration },
+  { zhName: "\u7834\u574F\u6027\u64CD\u4F5C", enName: "Destructive Operations", reference: "Claude Code Built-in", checker: checkDestructiveOperations },
+  { zhName: "\u4F9B\u5E94\u94FE/\u6765\u6E90\u9A8C\u8BC1", enName: "Supply Chain", reference: "SLSA / OpenSSF", checker: checkSupplyChain },
+  { zhName: "\u4EE3\u7801\u5B89\u5168(\u9759\u6001\u5206\u6790)", enName: "Code Security", reference: "CWE / OWASP", checker: checkCodeSecurity },
+  { zhName: "\u51ED\u8BC1\u4E0E\u5BC6\u94A5\u6CC4\u9732", enName: "Credential Leaks", reference: "OWASP LLM02", checker: checkCredentialLeaks },
+  { zhName: "\u6743\u9650\u6700\u5C0F\u5316", enName: "Least Privilege", reference: "Google SAIF", checker: checkLeastPrivilege },
+  { zhName: "\u8BB8\u53EF\u8BC1\u5408\u89C4", enName: "License Compliance", reference: "\u2014", checker: checkLicenseCompliance },
+  { zhName: "\u8D44\u6E90\u6EE5\u7528/\u65E0\u9650\u6D88\u8017", enName: "Resource Abuse", reference: "OWASP LLM10", checker: checkResourceAbuse }
+];
+var SkillAuditor = class {
+  rules;
+  constructor(rulesPath) {
+    this.rules = loadRules(rulesPath);
+  }
+  auditSkill(skillDir) {
+    const resolvedDir = resolve(skillDir);
+    const report = {
+      skillName: resolvedDir.split("/").pop() || "unknown",
+      skillPath: resolvedDir,
+      fileInventory: {},
+      riskScore: 0,
+      riskLevel: "A",
+      findings: [],
+      dimensionSummary: {},
+      tokenEstimate: {
+        l1SkillMd: 0,
+        l2Eager: 0,
+        l2Lazy: 0,
+        l3Total: 0,
+        l1Chars: 0,
+        l2EagerChars: 0,
+        l2LazyChars: 0,
+        l3Chars: 0,
+        eagerFiles: [],
+        lazyFiles: []
+      },
+      costEstimates: []
+    };
+    const files = collectFiles(resolvedDir);
+    report.fileInventory = fileInventory(files);
+    const fileContents = /* @__PURE__ */ new Map();
+    const fullTextParts = [];
+    for (const relPath of files) {
+      const content = readFileSafe(join4(resolvedDir, relPath));
+      if (content !== null) {
+        fileContents.set(relPath, content);
+        fullTextParts.push(content);
+      }
+    }
+    const fullText = fullTextParts.join("\n");
+    let frontmatter = {};
+    for (const name of ["SKILL.md", "skill.md"]) {
+      const content = fileContents.get(name);
+      if (content) {
+        frontmatter = parseFrontmatter(content);
+        break;
+      }
+    }
+    const ctx = {
+      skillDir: resolvedDir,
+      fileContents,
+      fullText,
+      frontmatter,
+      rules: this.rules
+    };
+    for (const dim of DIMENSIONS) {
+      const dimName = `${dim.zhName} (${dim.enName})`;
+      let findings;
+      try {
+        findings = dim.checker(ctx, dim.reference);
+      } catch {
+        findings = [];
+      }
+      for (const f of findings) {
+        f.dimension = dimName;
+      }
+      report.findings.push(...findings);
+      report.dimensionSummary[dimName] = findings.length;
+    }
+    const { score, level } = computeRisk(report.findings);
+    report.riskScore = score;
+    report.riskLevel = level;
+    for (const f of report.findings) {
+      if (!f.remediationZh) {
+        const [zh, en] = matchRemediation(f.description);
+        f.remediationZh = zh;
+        f.remediationEn = en;
+      }
+      if (!f.remediationZh) {
+        const [zh, en] = dimensionRemediation(f.dimension);
+        f.remediationZh = zh;
+        f.remediationEn = en;
+      }
+    }
+    report.tokenEstimate = estimateSkillTokens(resolvedDir, fileContents);
+    report.costEstimates = estimateCosts(report.tokenEstimate);
+    return report;
+  }
+  auditMarketplace(marketDir) {
+    const resolvedDir = resolve(marketDir);
+    let baseDir = resolvedDir;
+    const skillsDir = join4(resolvedDir, "skills");
+    try {
+      if (readdirSync2(skillsDir, { withFileTypes: true }).length > 0) {
+        baseDir = skillsDir;
+      }
+    } catch {
+    }
+    const reports = [];
+    const entries = readdirSync2(baseDir, { withFileTypes: true });
+    for (const entry of entries) {
+      if (entry.isDirectory() && !entry.name.startsWith(".")) {
+        reports.push(this.auditSkill(join4(baseDir, entry.name)));
+      }
+    }
+    return reports.sort((a, b) => a.skillName.localeCompare(b.skillName));
+  }
+};
+
+// src/fetcher/url-parser.ts
+function parseGitHubUrl(url) {
+  const parsed = new URL(url.trim());
+  const parts = parsed.pathname.replace(/^\/+|\/+$/g, "").split("/");
+  if (parts.length < 2) {
+    throw new Error(`Invalid GitHub URL: ${url}`);
+  }
+  const owner = parts[0];
+  const repo = parts[1].replace(/\.git$/, "");
+  let subpath;
+  if (parts.length > 4 && parts[2] === "tree") {
+    subpath = parts.slice(4).join("/");
+  }
+  return { owner, repo, subpath };
+}
+function parseClawHubUrl(url) {
+  const parsed = new URL(url.trim());
+  const parts = parsed.pathname.replace(/^\/+|\/+$/g, "").split("/");
+  if (parts.length < 2) {
+    throw new Error(`Invalid ClawHub URL: ${url}`);
+  }
+  return parts[1];
+}
+function isGitHubUrl(target) {
+  try {
+    const parsed = new URL(target.trim());
+    return parsed.hostname === "github.com" || parsed.hostname === "www.github.com";
+  } catch {
+    return false;
+  }
+}
+function isClawHubUrl(target) {
+  try {
+    const parsed = new URL(target.trim());
+    return parsed.hostname === "clawhub.ai" || parsed.hostname === "www.clawhub.ai";
+  } catch {
+    return false;
+  }
+}
+function isUrl(target) {
+  const trimmed = target.trim();
+  return trimmed.startsWith("http://") || trimmed.startsWith("https://");
+}
+
+// src/fetcher/github.ts
+import { mkdtempSync, rmSync, readdirSync as readdirSync3, renameSync, statSync as statSync2 } from "fs";
+import { join as join5 } from "path";
+import { tmpdir } from "os";
+import { execSync } from "child_process";
+import { Readable } from "stream";
+import { pipeline } from "stream/promises";
+import * as tar from "tar";
+async function downloadTarball(owner, repo, tempDir) {
+  for (const branch of ["main", "master"]) {
+    const url = `https://github.com/${owner}/${repo}/archive/refs/heads/${branch}.tar.gz`;
+    let resp;
+    try {
+      resp = await fetch(url, {
+        headers: { "User-Agent": "SkillGuard/1.0" },
+        redirect: "follow"
+      });
+    } catch {
+      continue;
+    }
+    if (!resp.ok || !resp.body) {
+      continue;
+    }
+    try {
+      const nodeStream = Readable.fromWeb(resp.body);
+      await pipeline(
+        nodeStream,
+        tar.extract({ cwd: tempDir, strip: 0 })
+      );
+    } catch {
+      continue;
+    }
+    const entries = readdirSync3(tempDir, { withFileTypes: true }).filter((e) => e.isDirectory());
+    if (entries.length === 1) {
+      const extractedDir = join5(tempDir, entries[0].name);
+      const targetDir = join5(tempDir, repo);
+      if (extractedDir !== targetDir) {
+        renameSync(extractedDir, targetDir);
+      }
+      return targetDir;
+    }
+    return null;
+  }
+  return null;
+}
+function gitClone(owner, repo, tempDir) {
+  const targetDir = join5(tempDir, repo);
+  const cloneUrl = `https://github.com/${owner}/${repo}.git`;
+  execSync(
+    `git clone --depth 1 --single-branch --no-tags ${cloneUrl} ${targetDir}`,
+    {
+      env: {
+        ...process.env,
+        GIT_CONFIG_NOSYSTEM: "1",
+        GIT_TERMINAL_PROMPT: "0"
+      },
+      stdio: "pipe",
+      timeout: 12e4
+    }
+  );
+  return targetDir;
+}
+async function fetchGitHub(url) {
+  const { owner, repo, subpath } = parseGitHubUrl(url);
+  const tempDir = mkdtempSync(join5(tmpdir(), "sg_clone_"));
+  const cleanup = () => {
+    rmSync(tempDir, { recursive: true, force: true });
+  };
+  let repoDir;
+  repoDir = await downloadTarball(owner, repo, tempDir);
+  if (repoDir === null) {
+    try {
+      repoDir = gitClone(owner, repo, tempDir);
+    } catch (err) {
+      cleanup();
+      throw new Error(
+        `Failed to clone https://github.com/${owner}/${repo}: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
+  }
+  let skillDir = repoDir;
+  if (subpath) {
+    skillDir = join5(repoDir, subpath);
+    try {
+      const stat = statSync2(skillDir);
+      if (!stat.isDirectory()) {
+        cleanup();
+        throw new Error(`Subpath is not a directory: ${subpath}`);
+      }
+    } catch (err) {
+      if (err.code === "ENOENT") {
+        cleanup();
+        throw new Error(`Subpath not found in repo: ${subpath}`);
+      }
+      throw err;
+    }
+  }
+  return { skillDir, cleanup };
+}
+
+// src/fetcher/clawhub.ts
+import { mkdtempSync as mkdtempSync2, rmSync as rmSync2, readdirSync as readdirSync4, createWriteStream } from "fs";
+import { join as join6 } from "path";
+import { tmpdir as tmpdir2 } from "os";
+import { pipeline as pipeline2 } from "stream/promises";
+import { Readable as Readable2 } from "stream";
+import unzipper from "unzipper";
+
+// src/config.ts
+function envInt(key, fallback) {
+  const v = process.env[key];
+  if (v === void 0) return fallback;
+  const n = parseInt(v, 10);
+  return Number.isNaN(n) ? fallback : n;
+}
+function envString(key, fallback) {
+  return process.env[key] ?? fallback;
+}
+function envSet(key, fallback) {
+  const v = process.env[key];
+  if (v === void 0) return fallback;
+  return new Set(v.split(",").map((s) => s.trim()).filter(Boolean));
+}
+var CLONE_TIMEOUT = envInt("SKILLGUARD_CLONE_TIMEOUT", 120);
+var MAX_REPO_SIZE_MB = envInt("SKILLGUARD_MAX_REPO_SIZE_MB", 500);
+var AUDIT_TIMEOUT = envInt("SKILLGUARD_AUDIT_TIMEOUT", 60);
+var ALLOWED_DOMAINS = envSet(
+  "SKILLGUARD_ALLOWED_DOMAINS",
+  /* @__PURE__ */ new Set(["github.com", "clawhub.ai"])
+);
+var CLAWHUB_API_BASE = envString(
+  "SKILLGUARD_CLAWHUB_API_BASE",
+  "https://wry-manatee-359.convex.site/api/v1"
+);
+
+// src/fetcher/clawhub.ts
+async function fetchClawHub(url) {
+  const slug = parseClawHubUrl(url);
+  const tempDir = mkdtempSync2(join6(tmpdir2(), "sg_clawhub_"));
+  const cleanup = () => {
+    rmSync2(tempDir, { recursive: true, force: true });
+  };
+  const downloadUrl = `${CLAWHUB_API_BASE}/download?slug=${encodeURIComponent(slug)}`;
+  let resp;
+  try {
+    resp = await fetch(downloadUrl, {
+      headers: { "User-Agent": "SkillGuard/1.0" },
+      redirect: "follow"
+    });
+  } catch (err) {
+    cleanup();
+    throw new Error(
+      `Failed to download ClawHub skill "${slug}": ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+  if (!resp.ok || !resp.body) {
+    cleanup();
+    throw new Error(
+      `ClawHub download failed for "${slug}": HTTP ${resp.status}`
+    );
+  }
+  try {
+    const nodeStream = Readable2.fromWeb(resp.body);
+    const zip = nodeStream.pipe(unzipper.Parse());
+    const extractPromises = [];
+    for await (const entry of zip) {
+      const filePath = entry.path;
+      const type = entry.type;
+      if (filePath.startsWith("/") || filePath.includes("..")) {
+        entry.autodrain();
+        continue;
+      }
+      const outputPath = join6(tempDir, filePath);
+      if (!outputPath.startsWith(tempDir)) {
+        entry.autodrain();
+        continue;
+      }
+      if (type === "Directory") {
+        const { mkdirSync } = await import("fs");
+        mkdirSync(outputPath, { recursive: true });
+        entry.autodrain();
+      } else {
+        const { mkdirSync } = await import("fs");
+        const { dirname: dirname2 } = await import("path");
+        mkdirSync(dirname2(outputPath), { recursive: true });
+        const writePromise = pipeline2(
+          entry,
+          createWriteStream(outputPath)
+        );
+        extractPromises.push(writePromise);
+      }
+    }
+    await Promise.all(extractPromises);
+  } catch (err) {
+    cleanup();
+    throw new Error(
+      `Failed to extract ClawHub skill "${slug}": ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+  const children = readdirSync4(tempDir, { withFileTypes: true }).filter((e) => e.isDirectory());
+  const skillDir = children.length === 1 ? join6(tempDir, children[0].name) : tempDir;
+  return { skillDir, cleanup };
+}
+
+// src/fetcher/local.ts
+import { statSync as statSync3 } from "fs";
+import { resolve as resolve2 } from "path";
+function resolveLocal(target) {
+  const skillDir = resolve2(target);
+  let stat;
+  try {
+    stat = statSync3(skillDir);
+  } catch (err) {
+    throw new Error(
+      `Local path does not exist: ${skillDir}`
+    );
+  }
+  if (!stat.isDirectory()) {
+    throw new Error(
+      `Local path is not a directory: ${skillDir}`
+    );
+  }
+  return {
+    skillDir,
+    cleanup: () => {
+    }
+  };
+}
+
+// src/fetcher/index.ts
+async function fetchSkill(target) {
+  if (isGitHubUrl(target)) {
+    return fetchGitHub(target);
+  }
+  if (isClawHubUrl(target)) {
+    return fetchClawHub(target);
+  }
+  if (isUrl(target)) {
+    throw new Error(
+      `Unsupported URL: ${target}. Only github.com and clawhub.ai URLs are supported.`
+    );
+  }
+  return resolveLocal(target);
+}
+
+// src/renderer/terminal.ts
+import chalk from "chalk";
+var SEV_COLOR = {
+  CRITICAL: chalk.bgRed.white.bold,
+  HIGH: chalk.red.bold,
+  MEDIUM: chalk.yellow,
+  LOW: chalk.blue,
+  INFO: chalk.gray
+};
+var LEVEL_COLOR = {
+  A: chalk.green.bold,
+  B: chalk.green,
+  C: chalk.yellow.bold,
+  D: chalk.red,
+  F: chalk.bgRed.white.bold
+};
+var LEVEL_LABELS = {
+  A: "Safe",
+  B: "Acceptable",
+  C: "Warning",
+  D: "Unsafe",
+  F: "Dangerous"
+};
+function renderReport(report, options) {
+  const minSev = options?.minSeverity || "INFO";
+  const minOrder = SEVERITY_ORDER[minSev] ?? 4;
+  const lc = LEVEL_COLOR[report.riskLevel] || ((s) => s);
+  const label = LEVEL_LABELS[report.riskLevel] || "";
+  console.log(`
+${"\u2500".repeat(70)}`);
+  console.log(
+    `${chalk.bold(report.skillName)}  ${lc(`[${report.riskLevel}] ${label}`)}  Score: ${report.riskScore}/100`
+  );
+  console.log(chalk.dim(report.skillPath));
+  const inv = report.fileInventory;
+  if (Object.keys(inv).length) {
+    const parts = Object.entries(inv).sort().map(([ext, n]) => `${ext}: ${n}`);
+    console.log(chalk.dim(`Files: ${parts.join(", ")}`));
+  }
+  const te = report.tokenEstimate;
+  if (te.l1SkillMd > 0) {
+    const parts = [`L1 SKILL.md: ${chalk.cyan(formatTokens(te.l1SkillMd))}`];
+    if (te.l2Eager > 0) parts.push(`L2 eager: ${chalk.cyan(formatTokens(te.l2Eager))}`);
+    if (te.l2Lazy > 0) parts.push(`L2 lazy: ${chalk.cyan(formatTokens(te.l2Lazy))}`);
+    parts.push(`L3 total: ${chalk.cyan(formatTokens(te.l3Total))}`);
+    console.log(`${chalk.dim("Tokens:")} ${parts.join(" | ")}`);
+    if (te.eagerFiles.length) console.log(chalk.dim(`  eager: ${te.eagerFiles.join(", ")}`));
+    if (te.lazyFiles.length) console.log(chalk.dim(`  lazy:  ${te.lazyFiles.join(", ")}`));
+  }
+  if (report.costEstimates.length) {
+    const costs = report.costEstimates;
+    const header = costs.map((c) => chalk.dim(c.modelName.slice(0, 12).padStart(12))).join("  ");
+    const light = costs.map((c) => chalk.cyan(formatCost(c.lightCost).padStart(12))).join("  ");
+    const typical = costs.map((c) => chalk.cyan(formatCost(c.typicalCost).padStart(12))).join("  ");
+    const heavy = costs.map((c) => chalk.cyan(formatCost(c.heavyCost).padStart(12))).join("  ");
+    console.log(`Cost/sess: ${header}`);
+    console.log(`  Light    ${light}  ${chalk.dim(`(${COST_SCENARIOS.light}T)`)}`);
+    console.log(`  Typical  ${typical}  ${chalk.dim(`(${COST_SCENARIOS.typical}T)`)}`);
+    console.log(`  Heavy    ${heavy}  ${chalk.dim(`(${COST_SCENARIOS.heavy}T)`)}`);
+  }
+  const filtered = report.findings.filter((f) => (SEVERITY_ORDER[f.severity] ?? 4) <= minOrder).sort((a, b) => (SEVERITY_ORDER[a.severity] ?? 4) - (SEVERITY_ORDER[b.severity] ?? 4));
+  if (!filtered.length) {
+    console.log(`  ${chalk.green(`No findings at or above ${minSev} level.`)}`);
+    return;
+  }
+  for (const f of filtered) {
+    const sc = SEV_COLOR[f.severity] || ((s) => s);
+    const loc = f.lineNumber > 0 ? `${f.filePath}:${f.lineNumber}` : f.filePath;
+    console.log(`  ${sc(f.severity.padEnd(8))} ${chalk.dim(loc)}`);
+    console.log(`           ${f.description}`);
+    if (f.reference && f.reference !== "\u2014") {
+      console.log(`           ${chalk.dim(`[${f.reference}]`)}`);
+    }
+    const rem = options?.lang === "zh" ? f.remediationZh : f.remediationEn;
+    if (rem) {
+      console.log(`           ${chalk.green(`\u2192 ${rem}`)}`);
+    }
+  }
+}
+function renderSummary(reports, options) {
+  const minLevel = options?.minLevel || "A";
+  const minOrder = LEVEL_ORDER[minLevel] ?? 4;
+  console.log(`
+${"\u2550".repeat(70)}`);
+  console.log(chalk.bold("AUDIT SUMMARY"));
+  console.log("\u2550".repeat(70));
+  const byLevel = { A: 0, B: 0, C: 0, D: 0, F: 0 };
+  for (const r of reports) byLevel[r.riskLevel] = (byLevel[r.riskLevel] || 0) + 1;
+  console.log(`Total skills scanned: ${chalk.bold(String(reports.length))}`);
+  for (const level of ["A", "B", "C", "D", "F"]) {
+    const lc = LEVEL_COLOR[level];
+    const label = LEVEL_LABELS[level];
+    console.log(`  ${lc(`${level} (${label}): ${byLevel[level]}`)}`);
+  }
+  const filtered = reports.filter((r) => (LEVEL_ORDER[r.riskLevel] ?? 4) <= minOrder).sort((a, b) => b.riskScore - a.riskScore || a.skillName.localeCompare(b.skillName));
+  if (filtered.length) {
+    console.log(`
+${chalk.bold(`Skills at level ${minLevel} or worse:`)}`);
+    for (const r of filtered.slice(0, 50)) {
+      const lc = LEVEL_COLOR[r.riskLevel];
+      const sevCounts = {};
+      for (const f of r.findings) sevCounts[f.severity] = (sevCounts[f.severity] || 0) + 1;
+      const sevStr = Object.entries(sevCounts).sort(([a], [b]) => (SEVERITY_ORDER[a] ?? 4) - (SEVERITY_ORDER[b] ?? 4)).map(([k, v]) => `${k}:${v}`).join(", ");
+      console.log(`  ${lc(`[${r.riskLevel}]`)} ${String(r.riskScore).padStart(3)}/100  ${r.skillName}  ${chalk.dim(`(${sevStr})`)}`);
+    }
+    if (filtered.length > 50) {
+      console.log(chalk.dim(`  ... and ${filtered.length - 50} more (use --json for full list)`));
+    }
+  }
+}
+
+// src/renderer/json.ts
+import { writeFileSync } from "fs";
+var VERSION = "0.1.0";
+function renderJson(reports, target, options) {
+  const byLevel = { A: 0, B: 0, C: 0, D: 0, F: 0 };
+  for (const r of reports) byLevel[r.riskLevel] = (byLevel[r.riskLevel] || 0) + 1;
+  const dimRem = {};
+  for (const [key, zh, en] of DIMENSION_REMEDIATIONS) {
+    dimRem[key] = { zh, en };
+  }
+  const data = {
+    audit_metadata: {
+      tool_version: VERSION,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      target
+    },
+    summary: {
+      total_skills: reports.length,
+      by_level: byLevel
+    },
+    dimension_remediations: dimRem,
+    reports: reports.map((r) => ({
+      skill_name: r.skillName,
+      skill_path: r.skillPath,
+      risk_score: r.riskScore,
+      risk_level: r.riskLevel,
+      file_inventory: r.fileInventory,
+      token_estimate: {
+        l1_skill_md: r.tokenEstimate.l1SkillMd,
+        l2_eager: r.tokenEstimate.l2Eager,
+        l2_lazy: r.tokenEstimate.l2Lazy,
+        l3_total: r.tokenEstimate.l3Total,
+        l1_chars: r.tokenEstimate.l1Chars,
+        l2_eager_chars: r.tokenEstimate.l2EagerChars,
+        l2_lazy_chars: r.tokenEstimate.l2LazyChars,
+        l3_chars: r.tokenEstimate.l3Chars,
+        eager_files: r.tokenEstimate.eagerFiles,
+        lazy_files: r.tokenEstimate.lazyFiles
+      },
+      cost_estimates: r.costEstimates.map((c) => ({
+        model: c.modelName,
+        input_per_m: c.inputPerM,
+        output_per_m: c.outputPerM,
+        cache_input_per_m: c.cacheInputPerM,
+        light_cost: Math.round(c.lightCost * 1e6) / 1e6,
+        typical_cost: Math.round(c.typicalCost * 1e6) / 1e6,
+        heavy_cost: Math.round(c.heavyCost * 1e6) / 1e6
+      })),
+      findings: r.findings.map((f) => ({
+        dimension: f.dimension,
+        severity: f.severity,
+        file_path: f.filePath,
+        line_number: f.lineNumber,
+        pattern: f.pattern,
+        description: f.description,
+        reference: f.reference,
+        remediation_zh: f.remediationZh,
+        remediation_en: f.remediationEn
+      }))
+    }))
+  };
+  const json = JSON.stringify(data, null, 2);
+  if (options?.outputPath) {
+    writeFileSync(options.outputPath, json, "utf-8");
+  } else {
+    process.stdout.write(json + "\n");
+  }
+}
+
+// src/renderer/markdown.ts
+import { writeFileSync as writeFileSync2 } from "fs";
+var SEV_BADGE = {
+  CRITICAL: "\u{1F534} CRITICAL",
+  HIGH: "\u{1F7E0} HIGH",
+  MEDIUM: "\u{1F7E1} MEDIUM",
+  LOW: "\u{1F535} LOW",
+  INFO: "\u26AA INFO"
+};
+function renderMarkdown(reports, target, outputPath) {
+  const lines = [];
+  lines.push("# SkillGuard Security Report");
+  lines.push("");
+  lines.push(`> Target: \`${target}\`  `);
+  lines.push(`> Date: ${(/* @__PURE__ */ new Date()).toISOString().split("T")[0]}  `);
+  lines.push(`> Skills scanned: ${reports.length}`);
+  lines.push("");
+  if (reports.length > 1) {
+    lines.push("## Summary");
+    lines.push("");
+    lines.push("| Skill | Grade | Score | Findings |");
+    lines.push("|-------|-------|-------|----------|");
+    for (const r of reports.sort((a, b) => b.riskScore - a.riskScore)) {
+      lines.push(`| ${r.skillName} | **${r.riskLevel}** | ${r.riskScore}/100 | ${r.findings.length} |`);
+    }
+    lines.push("");
+  }
+  for (const report of reports) {
+    if (reports.length > 1) {
+      lines.push(`---`);
+      lines.push("");
+    }
+    lines.push(`## ${report.skillName}`);
+    lines.push("");
+    lines.push(`**Grade:** ${report.riskLevel} | **Score:** ${report.riskScore}/100 | **Path:** \`${report.skillPath}\``);
+    lines.push("");
+    const inv = report.fileInventory;
+    if (Object.keys(inv).length) {
+      lines.push("### File Inventory");
+      lines.push("");
+      lines.push("| Extension | Count |");
+      lines.push("|-----------|-------|");
+      for (const [ext, n] of Object.entries(inv).sort()) {
+        lines.push(`| ${ext} | ${n} |`);
+      }
+      lines.push("");
+    }
+    const te = report.tokenEstimate;
+    if (te.l1SkillMd > 0) {
+      lines.push("### Token Estimation");
+      lines.push("");
+      lines.push("| Level | Tokens | Description |");
+      lines.push("|-------|--------|-------------|");
+      lines.push(`| L1 | ${formatTokens(te.l1SkillMd)} | SKILL.md direct injection |`);
+      if (te.l2Eager > 0) lines.push(`| L2 Eager | ${formatTokens(te.l2Eager)} | Mandatory files: ${te.eagerFiles.join(", ") || "\u2014"} |`);
+      if (te.l2Lazy > 0) lines.push(`| L2 Lazy | ${formatTokens(te.l2Lazy)} | On-demand files: ${te.lazyFiles.join(", ") || "\u2014"} |`);
+      lines.push(`| L3 Total | ${formatTokens(te.l3Total)} | All files maximum |`);
+      lines.push("");
+    }
+    if (report.costEstimates.length) {
+      lines.push("### Cost Estimation");
+      lines.push("");
+      lines.push("| Model | Light (3T) | Typical (6T) | Heavy (15T) |");
+      lines.push("|-------|-----------|-------------|------------|");
+      for (const c of report.costEstimates) {
+        lines.push(`| ${c.modelName} | ${formatCost(c.lightCost)} | ${formatCost(c.typicalCost)} | ${formatCost(c.heavyCost)} |`);
+      }
+      lines.push("");
+    }
+    const sorted = [...report.findings].sort(
+      (a, b) => (SEVERITY_ORDER[a.severity] ?? 4) - (SEVERITY_ORDER[b.severity] ?? 4)
+    );
+    if (sorted.length) {
+      lines.push("### Findings");
+      lines.push("");
+      lines.push("| Severity | Dimension | Description | Location |");
+      lines.push("|----------|-----------|-------------|----------|");
+      for (const f of sorted) {
+        const loc = f.lineNumber > 0 ? `${f.filePath}:${f.lineNumber}` : f.filePath;
+        const desc = f.description.replace(/\|/g, "\\|");
+        const dim = f.dimension.replace(/\|/g, "\\|");
+        lines.push(`| ${SEV_BADGE[f.severity]} | ${dim} | ${desc} | \`${loc}\` |`);
+      }
+      lines.push("");
+    } else {
+      lines.push("### Findings");
+      lines.push("");
+      lines.push("No security findings detected. \u2705");
+      lines.push("");
+    }
+  }
+  writeFileSync2(outputPath, lines.join("\n"), "utf-8");
+}
+
+// src/cli.ts
+var VERSION2 = "0.1.0";
+function createProgram() {
+  program.name("skillguard").description("Security audit CLI for AI agent skills \u2014 scans 10 dimensions with 109 rules").version(VERSION2).argument("<target>", "Local directory path, GitHub URL, or ClawHub URL").option("--all", "Scan all skill subdirectories (marketplace mode)").option("--json [file]", "Output as JSON (to stdout or file)").option("--md <file>", "Output as Markdown report to file").option("--rules <path>", "Custom rules.yaml file path").option("--min-level <level>", "Filter output by minimum risk level (A-F)", "A").option("--min-severity <severity>", "Filter by minimum severity", "INFO").option("--lang <lang>", "Output language (en or zh)", "en").action(async (target, options) => {
+    try {
+      await runAudit(target, options);
+    } catch (err) {
+      console.error(`Error: ${err.message}`);
+      process.exit(1);
+    }
+  });
+  return program;
+}
+async function runAudit(target, options) {
+  const { skillDir, cleanup } = await fetchSkill(target);
+  try {
+    const auditor = new SkillAuditor(options.rules);
+    const lang = options.lang || "en";
+    const minSeverity = options.minSeverity || "INFO";
+    const minLevel = options.minLevel || "A";
+    if (options.all) {
+      const reports = auditor.auditMarketplace(skillDir);
+      if (options.json !== void 0) {
+        const outFile = typeof options.json === "string" ? options.json : void 0;
+        renderJson(reports, target, { outputPath: outFile });
+      } else if (options.md) {
+        renderMarkdown(reports, target, options.md);
+        console.log(`Markdown report written to ${options.md}`);
+      } else {
+        for (const report of reports) {
+          renderReport(report, { minSeverity, lang });
+        }
+        renderSummary(reports, { minLevel });
+      }
+    } else {
+      const report = auditor.auditSkill(skillDir);
+      if (options.json !== void 0) {
+        const outFile = typeof options.json === "string" ? options.json : void 0;
+        renderJson([report], target, { outputPath: outFile });
+      } else if (options.md) {
+        renderMarkdown([report], target, options.md);
+        console.log(`Markdown report written to ${options.md}`);
+      } else {
+        renderReport(report, { minSeverity, lang });
+      }
+    }
+  } finally {
+    cleanup();
+  }
+}
+
+// src/index.ts
+createProgram().parse();