@getvetai/cli 0.1.0 → 0.3.0

package/README.md

@@ -1,8 +1,8 @@
 # @getvetai/cli
 
-Security audit CLI for AI skills and MCP servers. Scan, audit, and score tools before you install them.
+Security audit CLI for AI skills and MCP servers. Scan, audit, and discover tools before you install them.
 
-🌐 **Registry:** [getvet.ai](https://getvet.ai) — 12,000+ AI tools cataloged and scored
+🌐 **Registry:** [getvet.ai](https://getvet.ai) — 20,000+ AI tools cataloged and scored
 
 ## Install
 
@@ -10,31 +10,49 @@ Security audit CLI for AI skills and MCP servers. Scan, audit, and score tools b
 npm install -g @getvetai/cli
 ```
 
+Or run without installing:
+
+```bash
+npx @getvetai/cli scan .
+```
+
+## What's New in v0.3.0
+
+- **`vet find --limit <n>`** — control how many results to return (default: 10, max: 48)
+- **`vet find --type <type>`** — filter by `skill`, `mcp`, or `all`
+- **20,000+ tools** in the registry (up from 12K) — now indexing 10 sources including Smithery, mcp.so, MCP Registry, PyPI, npm, GitHub, and more
+
 ## Commands
 
 ### `vet scan <target>`
 
-Scan a single tool for security issues. Accepts file paths, URLs, npm packages, or GitHub repos.
+Scan a tool for security issues. Checks the [getvet.ai](https://getvet.ai) registry first for instant results.
 
 ```bash
-# Scan a local SKILL.md
-vet scan ./my-skill/SKILL.md
-
-# Scan an npm package
+# Scan an npm package (checks registry first)
 vet scan @modelcontextprotocol/server-filesystem
 
+# Local analysis only (skip registry)
+vet scan @modelcontextprotocol/server-filesystem --offline
+
+# Request a deep scan from registry
+vet scan @modelcontextprotocol/server-filesystem --deep
+
+# Scan a local project
+vet scan ./my-mcp-server
+
 # Scan a GitHub repo
 vet scan https://github.com/modelcontextprotocol/servers
 
-# Output JSON
+# JSON output
 vet scan ./SKILL.md --json
 ```
 
-**Output includes:** trust score, badge (certified/reviewed/unverified/flagged), detected permissions, security issues, risk factors, and tools list.
-
 ### `vet audit [path]`
 
-Audit all AI tools in a project. Discovers tools from `package.json`, MCP configs (`.cursor/mcp.json`, Claude Desktop config), OpenClaw configs, and `SKILL.md` files.
+Audit all AI tools in a project. Auto-discovers MCP configurations from:
+
+**Claude Desktop** · **Cursor** · **VS Code** · **Windsurf** · **Cline** · **Zed** · **Continue** · **OpenClaw**
 
 ```bash
 # Audit current directory
@@ -43,7 +61,7 @@ vet audit
 # Audit a specific project
 vet audit ./my-project
 
-# Strict mode — exit code 1 if any tool is unverified or flagged
+# Strict mode — exit 1 if any tool is unverified/flagged
 vet audit --strict
 
 # JSON output
@@ -52,33 +70,33 @@ vet audit --json
 
 ### `vet find <query>`
 
-Search the getvet.ai registry by description.
+Search the getvet.ai registry for tools by description.
 
 ```bash
 # Search for tools
-vet find "file management"
-vet find "database query tool"
+vet find "web scraping"
+vet find "database access"
+
+# Limit results
+vet find "browser automation" --limit 20
+
+# Filter by type
+vet find "file management" --type mcp
 
 # JSON output
 vet find "weather" --json
-
-# Use local API
-vet find "search" --api http://localhost:3300
 ```
 
 ### `vet install <package>`
 
-Install a package with a pre-install security audit. Shows the security report and asks for confirmation if the tool is flagged.
+Install a package with a pre-install security audit.
 
 ```bash
-# Audit + install npm package
+# Audit + install
 vet install @modelcontextprotocol/server-github
 
 # Install globally
 vet install -g some-mcp-server
-
-# Install as OpenClaw skill
-vet install --skill weather
 ```
 
 ## Trust Scores
@@ -86,22 +104,21 @@ vet install --skill weather
 | Score | Badge | Meaning |
 |-------|-------|---------|
 | 75+ | ✅ Certified | No critical issues, good practices |
-| 50-74 | 🔍 Reviewed | Some concerns, use with caution |
-| 25-49 | ⚠️ Unverified | Not yet reviewed or limited info |
-| 0-24 | 🚫 Flagged | Critical security issues found |
+| 50–74 | 🔍 Reviewed | Some concerns, use with caution |
+| 25–49 | ⚠️ Unverified | Not yet reviewed or limited info |
+| 0–24 | 🚫 Flagged | Critical security issues found |
 
 ## What It Detects
 
-**Permissions:** shell execution, file read/write, network access, browser control, message sending, device access (camera, screen, location), database queries, crypto operations.
-
-**Security Issues:** destructive commands (`rm -rf`), remote code execution (`curl | bash`), dynamic code eval, credential patterns, elevated privileges (`sudo`), permissive file permissions.
-
-**MCP-specific:** tool parameter analysis, transport detection (stdio/http/sse), runtime detection, environment variable scanning.
+- **Permissions:** shell execution, file I/O, network access, browser control, database queries, crypto operations
+- **Security issues:** destructive commands, remote code execution, dynamic eval, credential patterns, elevated privileges
+- **MCP-specific:** tool parameter analysis, transport detection (stdio/http/sse), runtime detection
 
-## API
+## Links
 
-By default, `vet find` uses the public API at `https://getvet.ai`. Use `--api` to point to a different instance.
+- 🌐 [getvet.ai](https://getvet.ai) — Browse the registry
+- 📦 [npm](https://www.npmjs.com/package/@getvetai/cli) — Package page
 
 ## License
 
-MIT — [getvet.ai](https://getvet.ai)
+MIT

package/dist/commands/find.d.ts

@@ -1,4 +1,5 @@
 export declare function findCommand(query: string, options: {
     json?: boolean;
-    api?: string;
+    limit?: string;
+    type?: string;
 }): Promise<void>;

package/dist/commands/find.js

@@ -1,16 +1,11 @@
 import ora from 'ora';
+import { searchTools } from '../utils/api.js';
 import { displayFindResults } from '../utils/display.js';
 export async function findCommand(query, options) {
     const spinner = ora(`Searching "${query}"...`).start();
-    const api = options.api || 'https://getvet.ai';
     try {
-        const r = await fetch(`${api}/api/skills/search?q=${encodeURIComponent(query)}`);
-        if (!r.ok)
-            throw new Error(`API returned ${r.status}`);
-        const data = await r.json();
-        // Handle both array response and { results: [...] } response
-        const items = Array.isArray(data) ? data : (data.results || []);
-        const results = items.map(x => ({
+        const items = await searchTools(query, { limit: Number(options.limit) || 10, type: options.type });
+        const results = items.map((x) => ({
             name: x.name,
             slug: x.slug,
             description: x.description,
@@ -28,7 +23,6 @@ export async function findCommand(query, options) {
     }
     catch (err) {
         spinner.fail(`Search failed: ${err.message}`);
-        console.log('  Tip: use --api http://localhost:3300 for local dev');
         process.exitCode = 1;
     }
 }

package/dist/commands/scan.d.ts

@@ -1,4 +1,6 @@
 export declare function scanCommand(target: string, options: {
     json?: boolean;
     overview?: boolean;
+    offline?: boolean;
+    deep?: boolean;
 }): Promise<void>;

package/dist/commands/scan.js

@@ -1,8 +1,10 @@
 import { readFileSync, existsSync } from 'fs';
+import chalk from 'chalk';
 import ora from 'ora';
 import { analyzeSkill } from '../utils/analyzer.js';
 import { analyzeMcp } from '../utils/mcp-analyzer.js';
 import { displayScanReport } from '../utils/display.js';
+import { lookupTool, requestDeepScan } from '../utils/api.js';
 function detect(t) {
     if (/^https?:\/\/github\.com\//.test(t))
         return 'github';
@@ -17,6 +19,59 @@ export async function scanCommand(target, options) {
     try {
         const tt = detect(target);
         let result;
+        let registrySlug;
+        // Try registry lookup first for npm packages (unless --offline)
+        if (tt === 'npm' && !options.offline) {
+            spinner.text = `Checking Vet registry for ${target}...`;
+            const registryData = await lookupTool(target);
+            if (registryData && registryData.scanTier === 'deep') {
+                spinner.succeed(chalk.green('✓ Found in Vet registry (deep scan available)'));
+                registrySlug = registryData.slug || target;
+                result = {
+                    name: registryData.name || target,
+                    description: registryData.description,
+                    type: registryData.type || 'mcp',
+                    transport: registryData.transport,
+                    runtime: registryData.runtime,
+                    tools: registryData.tools || [],
+                    permissions: registryData.permissions || [],
+                    issues: registryData.issues || [],
+                    trustScore: registryData.trustScore ?? registryData.trust_score ?? 50,
+                    badge: registryData.badge || 'unverified',
+                    codeQuality: registryData.codeQuality || { hasTests: false, hasDocs: false, linesOfCode: 0 },
+                    riskFactors: registryData.riskFactors || [],
+                    overview: registryData.overview,
+                    envVars: registryData.envVars,
+                };
+                if (options.json)
+                    console.log(JSON.stringify(result, null, 2));
+                else
+                    displayScanReport(result, registrySlug);
+                process.exitCode = result.badge === 'flagged' ? 1 : 0;
+                return;
+            }
+            if (registryData) {
+                registrySlug = registryData.slug || target;
+                console.log(chalk.cyan(`  ℹ Found in Vet registry (indexed) — running local analysis too`));
+                console.log(chalk.gray(`  View: https://getvet.ai/catalog/${registrySlug}`));
+                console.log();
+            }
+        }
+        // Deep scan request
+        if (options.deep && tt === 'npm') {
+            spinner.text = `Requesting deep scan for ${target}...`;
+            const deepResult = await requestDeepScan(target);
+            if (deepResult) {
+                spinner.succeed(chalk.green('✓ Deep scan requested'));
+                if (deepResult.status === 'queued') {
+                    console.log(chalk.gray(`  Deep scan queued. Check back soon at https://getvet.ai/catalog/${target}`));
+                }
+            }
+            else {
+                spinner.info('Deep scan request failed — proceeding with local analysis');
+            }
+        }
+        // Local analysis (current behavior)
         if (tt === 'npm') {
             spinner.text = `Fetching npm: ${target}`;
             result = await analyzeMcp({ npmPackage: target });
@@ -43,7 +98,7 @@ export async function scanCommand(target, options) {
         if (options.json)
             console.log(JSON.stringify(result, null, 2));
         else
-            displayScanReport(result);
+            displayScanReport(result, registrySlug);
         process.exitCode = result.badge === 'flagged' ? 1 : 0;
     }
     catch (err) {

package/dist/index.js

@@ -8,13 +8,15 @@ const program = new Command();
 program
     .name('vet')
     .description('Security audit CLI for AI skills & MCP servers')
-    .version('0.1.0');
+    .version('0.2.0');
 program
     .command('scan')
     .description('Scan a single tool for security issues')
     .argument('<target>', 'URL, npm package, file path, or GitHub repo')
     .option('--json', 'Output JSON instead of formatted report')
     .option('--overview', 'Include AI-generated overview')
+    .option('--offline', 'Skip registry lookup')
+    .option('--deep', 'Request deep scan from registry')
     .action(scanCommand);
 program
     .command('audit')
@@ -28,8 +30,9 @@ program
     .command('find')
     .description('Search for tools by description')
     .argument('<query>', 'Natural language search query')
+    .option('--limit <n>', 'Max results to return (default: 10, max: 48)', '10')
+    .option('--type <type>', 'Filter by type: skill, mcp, or all (default: all)')
     .option('--json', 'Output JSON')
-    .option('--api <url>', 'API endpoint (default: https://getvet.ai)')
     .action(findCommand);
 program
     .command('install')

package/dist/utils/api.d.ts

@@ -0,0 +1,6 @@
+export declare function lookupTool(slug: string): Promise<any | null>;
+export declare function searchTools(query: string, options?: {
+    limit?: number;
+    type?: string;
+}): Promise<any[]>;
+export declare function requestDeepScan(slug: string): Promise<any | null>;

package/dist/utils/api.js

@@ -0,0 +1,50 @@
+const API_BASE = 'https://getvet.ai';
+export async function lookupTool(slug) {
+    try {
+        const resp = await fetch(`${API_BASE}/api/skills/${encodeURIComponent(slug)}`, {
+            headers: { 'User-Agent': 'vet-cli/0.3.0' },
+            signal: AbortSignal.timeout(5000),
+        });
+        if (resp.ok)
+            return await resp.json();
+        return null;
+    }
+    catch {
+        return null;
+    }
+}
+export async function searchTools(query, options) {
+    try {
+        const limit = Math.min(Math.max(Number(options?.limit) || 10, 1), 48);
+        const params = new URLSearchParams({ q: query, limit: String(limit) });
+        if (options?.type && options.type !== 'all')
+            params.set('type', options.type);
+        const resp = await fetch(`${API_BASE}/api/skills/search?${params}`, {
+            headers: { 'User-Agent': 'vet-cli/0.3.0' },
+            signal: AbortSignal.timeout(5000),
+        });
+        if (resp.ok) {
+            const data = await resp.json();
+            return Array.isArray(data) ? data : data.results || data.items || [];
+        }
+        return [];
+    }
+    catch {
+        return [];
+    }
+}
+export async function requestDeepScan(slug) {
+    try {
+        const resp = await fetch(`${API_BASE}/api/tools/${encodeURIComponent(slug)}/deep-scan`, {
+            method: 'POST',
+            headers: { 'User-Agent': 'vet-cli/0.3.0', 'Content-Type': 'application/json' },
+            signal: AbortSignal.timeout(10000),
+        });
+        if (resp.ok)
+            return await resp.json();
+        return null;
+    }
+    catch {
+        return null;
+    }
+}

package/dist/utils/config.js

@@ -21,11 +21,15 @@ export function discoverTools(projectPath) {
         }
         catch { /* skip */ }
     }
+    // Standard MCP config files (mcpServers or servers key at top level)
     const mcpPaths = [
         join(projectPath, '.cursor', 'mcp.json'),
         join(projectPath, 'mcp.json'),
         join(homedir(), '.config', 'claude', 'claude_desktop_config.json'),
         join(homedir(), 'Library', 'Application Support', 'Claude', 'claude_desktop_config.json'),
+        join(homedir(), '.windsurf', 'mcp.json'),
+        join(homedir(), '.config', 'windsurf', 'mcp.json'),
+        join(homedir(), '.config', 'cline', 'mcp_settings.json'),
     ];
     for (const cp of mcpPaths) {
         if (!existsSync(cp))
@@ -43,6 +47,56 @@ export function discoverTools(projectPath) {
         }
         catch { /* skip */ }
     }
+    // VS Code settings.json — look for mcp.servers key
+    const vscodePath = join(homedir(), '.config', 'Code', 'User', 'settings.json');
+    if (existsSync(vscodePath)) {
+        try {
+            const cfg = JSON.parse(readFileSync(vscodePath, 'utf-8'));
+            const svrs = cfg['mcp.servers'] || cfg?.mcp?.servers || {};
+            let c = 0;
+            for (const [n, v] of Object.entries(svrs)) {
+                const target = (v.command === 'npx' ? v.args?.[0] : undefined) || n;
+                tools.push({ name: n, source: vscodePath.replace(homedir(), '~'), type: 'mcp-config', target });
+                c++;
+            }
+            add(vscodePath.replace(homedir(), '~'), c);
+        }
+        catch { /* skip */ }
+    }
+    // Zed settings.json — look for mcp key
+    const zedPath = join(homedir(), '.config', 'zed', 'settings.json');
+    if (existsSync(zedPath)) {
+        try {
+            const cfg = JSON.parse(readFileSync(zedPath, 'utf-8'));
+            const svrs = cfg?.mcp?.servers || cfg?.mcp || {};
+            let c = 0;
+            for (const [n, v] of Object.entries(svrs)) {
+                if (typeof v !== 'object' || v === null)
+                    continue;
+                const target = (v.command === 'npx' ? v.args?.[0] : undefined) || n;
+                tools.push({ name: n, source: zedPath.replace(homedir(), '~'), type: 'mcp-config', target });
+                c++;
+            }
+            add(zedPath.replace(homedir(), '~'), c);
+        }
+        catch { /* skip */ }
+    }
+    // Continue config.json — look for mcpServers key
+    const continuePath = join(homedir(), '.continue', 'config.json');
+    if (existsSync(continuePath)) {
+        try {
+            const cfg = JSON.parse(readFileSync(continuePath, 'utf-8'));
+            const svrs = cfg.mcpServers || {};
+            let c = 0;
+            for (const [n, v] of Object.entries(svrs)) {
+                const target = (v.command === 'npx' ? v.args?.[0] : undefined) || n;
+                tools.push({ name: n, source: continuePath.replace(homedir(), '~'), type: 'mcp-config', target });
+                c++;
+            }
+            add(continuePath.replace(homedir(), '~'), c);
+        }
+        catch { /* skip */ }
+    }
     for (const op of [join(projectPath, 'openclaw.json'), join(homedir(), '.openclaw', 'openclaw.json')]) {
         if (!existsSync(op))
             continue;

package/dist/utils/display.d.ts

@@ -1,12 +1,16 @@
 import type { AnalysisResult, BadgeType } from '../types.js';
-export declare function displayScanReport(r: AnalysisResult): void;
+export declare function displayScanReport(r: AnalysisResult, registrySlug?: string): void;
 export declare function displayAuditReport(results: AnalysisResult[], sources: {
     source: string;
     count: number;
 }[]): void;
 export declare function displayFindResults(results: Array<{
     name: string;
+    slug?: string;
     description?: string;
     trustScore?: number;
     badge?: BadgeType;
+    author?: string;
+    version?: string;
+    installs?: number;
 }>): void;

package/dist/utils/display.js

@@ -23,7 +23,7 @@ function overallRisk(r) {
         return 'medium';
     return 'low';
 }
-export function displayScanReport(r) {
+export function displayScanReport(r, registrySlug) {
     const b = BADGE[r.badge], rk = overallRisk(r);
     console.log();
     console.log(chalk.bold('  🔍 Vet Security Report'));
@@ -86,6 +86,10 @@ export function displayScanReport(r) {
         for (const l of r.overview.split('\n'))
             console.log(`  ${chalk.gray(l)}`);
     }
+    if (registrySlug) {
+        console.log();
+        console.log(`  ${chalk.gray('View full report:')} ${chalk.cyan(`https://getvet.ai/catalog/${registrySlug}`)}`);
+    }
     console.log();
     console.log(chalk.gray('  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━'));
     console.log();
@@ -128,10 +132,14 @@ export function displayFindResults(results) {
     for (const r of results) {
         const b = r.badge ? BADGE[r.badge] : BADGE.unverified;
         console.log();
-        console.log(`  ${b.emoji} ${chalk.bold(r.name)}`);
+        console.log(`  ${b.emoji} ${chalk.bold(r.name)}${r.version ? chalk.gray(` v${r.version}`) : ''}${r.author ? chalk.gray(` by ${r.author}`) : ''}`);
         if (r.description)
             console.log(`    ${chalk.gray(r.description.slice(0, 80))}`);
-        console.log(`    Score: ${r.trustScore != null ? bar(r.trustScore) : chalk.gray('N/A')}`);
+        console.log(`    Score: ${r.trustScore != null ? bar(r.trustScore) : chalk.gray('N/A')}  Badge: ${b.emoji} ${b.color(b.label)}`);
+        if (r.installs != null)
+            console.log(`    ${chalk.gray(`${r.installs.toLocaleString()} installs`)}`);
+        if (r.slug)
+            console.log(`    ${chalk.cyan(`https://getvet.ai/catalog/${r.slug}`)}`);
     }
     console.log();
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@getvetai/cli",
-  "version": "0.1.0",
+  "version": "0.3.0",
   "description": "Security audit CLI for AI skills and MCP servers — scan, audit, and score tools before you install them",
   "type": "module",
   "license": "MIT",
@@ -12,13 +12,7 @@
     "README.md",
     "LICENSE"
   ],
-  "repository": {
-    "type": "git",
-    "url": "https://github.com/getvetai/vet.git",
-    "directory": "cli"
-  },
   "homepage": "https://getvet.ai",
-  "bugs": "https://github.com/getvetai/vet/issues",
   "keywords": [
     "ai",
     "security",