@getvetai/cli 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 getvet.ai
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,107 @@
+# @getvetai/cli
+
+Security audit CLI for AI skills and MCP servers. Scan, audit, and score tools before you install them.
+
+🌐 **Registry:** [getvet.ai](https://getvet.ai) — 12,000+ AI tools cataloged and scored
+
+## Install
+
+```bash
+npm install -g @getvetai/cli
+```
+
+## Commands
+
+### `vet scan <target>`
+
+Scan a single tool for security issues. Accepts file paths, URLs, npm packages, or GitHub repos.
+
+```bash
+# Scan a local SKILL.md
+vet scan ./my-skill/SKILL.md
+
+# Scan an npm package
+vet scan @modelcontextprotocol/server-filesystem
+
+# Scan a GitHub repo
+vet scan https://github.com/modelcontextprotocol/servers
+
+# Output JSON
+vet scan ./SKILL.md --json
+```
+
+**Output includes:** trust score, badge (certified/reviewed/unverified/flagged), detected permissions, security issues, risk factors, and tools list.
+
+### `vet audit [path]`
+
+Audit all AI tools in a project. Discovers tools from `package.json`, MCP configs (`.cursor/mcp.json`, Claude Desktop config), OpenClaw configs, and `SKILL.md` files.
+
+```bash
+# Audit current directory
+vet audit
+
+# Audit a specific project
+vet audit ./my-project
+
+# Strict mode — exit code 1 if any tool is unverified or flagged
+vet audit --strict
+
+# JSON output
+vet audit --json
+```
+
+### `vet find <query>`
+
+Search the getvet.ai registry by description.
+
+```bash
+# Search for tools
+vet find "file management"
+vet find "database query tool"
+
+# JSON output
+vet find "weather" --json
+
+# Use local API
+vet find "search" --api http://localhost:3300
+```
+
+### `vet install <package>`
+
+Install a package with a pre-install security audit. Shows the security report and asks for confirmation if the tool is flagged.
+
+```bash
+# Audit + install npm package
+vet install @modelcontextprotocol/server-github
+
+# Install globally
+vet install -g some-mcp-server
+
+# Install as OpenClaw skill
+vet install --skill weather
+```
+
+## Trust Scores
+
+| Score | Badge | Meaning |
+|-------|-------|---------|
+| 75+ | ✅ Certified | No critical issues, good practices |
+| 50-74 | 🔍 Reviewed | Some concerns, use with caution |
+| 25-49 | ⚠️ Unverified | Not yet reviewed or limited info |
+| 0-24 | 🚫 Flagged | Critical security issues found |
+
+## What It Detects
+
+**Permissions:** shell execution, file read/write, network access, browser control, message sending, device access (camera, screen, location), database queries, crypto operations.
+
+**Security Issues:** destructive commands (`rm -rf`), remote code execution (`curl | bash`), dynamic code eval, credential patterns, elevated privileges (`sudo`), permissive file permissions.
+
+**MCP-specific:** tool parameter analysis, transport detection (stdio/http/sse), runtime detection, environment variable scanning.
+
+## API
+
+By default, `vet find` uses the public API at `https://getvet.ai`. Use `--api` to point to a different instance.
+
+## License
+
+MIT — [getvet.ai](https://getvet.ai)

package/dist/commands/audit.d.ts

@@ -0,0 +1,5 @@
+export declare function auditCommand(path: string | undefined, options: {
+    json?: boolean;
+    strict?: boolean;
+    fix?: boolean;
+}): Promise<void>;

package/dist/commands/audit.js

@@ -0,0 +1,45 @@
+import { resolve } from 'path';
+import ora from 'ora';
+import { discoverTools } from '../utils/config.js';
+import { analyzeSkill } from '../utils/analyzer.js';
+import { analyzeMcp } from '../utils/mcp-analyzer.js';
+import { displayAuditReport } from '../utils/display.js';
+export async function auditCommand(path, options) {
+    const pp = resolve(path || '.');
+    const spinner = ora(`Scanning ${pp}...`).start();
+    try {
+        const { tools, sources } = discoverTools(pp);
+        if (!tools.length) {
+            spinner.info('No AI tools found.');
+            return;
+        }
+        spinner.text = `Found ${tools.length} tools...`;
+        const results = [];
+        for (const t of tools) {
+            spinner.text = `Analyzing ${t.name}...`;
+            try {
+                if (t.type === 'skill' && t.content)
+                    results.push(analyzeSkill(t.content, t.name));
+                else if (t.type === 'mcp-package' || t.type === 'mcp-config')
+                    results.push(await analyzeMcp({ npmPackage: t.target }));
+                else
+                    results.push(analyzeSkill('', t.name));
+            }
+            catch {
+                results.push({ name: t.name, permissions: [], issues: [{ severity: 'warning', message: 'Analysis failed' }], trustScore: 0, badge: 'unverified', codeQuality: { hasTests: false, hasDocs: false, linesOfCode: 0 }, riskFactors: [] });
+            }
+        }
+        spinner.stop();
+        if (options.json)
+            console.log(JSON.stringify({ sources, results }, null, 2));
+        else
+            displayAuditReport(results, sources);
+        process.exitCode = options.strict
+            ? (results.some(r => r.badge === 'unverified' || r.badge === 'flagged') ? 1 : 0)
+            : (results.some(r => r.badge === 'flagged') ? 1 : 0);
+    }
+    catch (err) {
+        spinner.fail(`Failed: ${err.message}`);
+        process.exitCode = 2;
+    }
+}

package/dist/commands/find.d.ts

@@ -0,0 +1,4 @@
+export declare function findCommand(query: string, options: {
+    json?: boolean;
+    api?: string;
+}): Promise<void>;

package/dist/commands/find.js

@@ -0,0 +1,34 @@
+import ora from 'ora';
+import { displayFindResults } from '../utils/display.js';
+export async function findCommand(query, options) {
+    const spinner = ora(`Searching "${query}"...`).start();
+    const api = options.api || 'https://getvet.ai';
+    try {
+        const r = await fetch(`${api}/api/skills/search?q=${encodeURIComponent(query)}`);
+        if (!r.ok)
+            throw new Error(`API returned ${r.status}`);
+        const data = await r.json();
+        // Handle both array response and { results: [...] } response
+        const items = Array.isArray(data) ? data : (data.results || []);
+        const results = items.map(x => ({
+            name: x.name,
+            slug: x.slug,
+            description: x.description,
+            trustScore: x.trustScore ?? x.trust_score,
+            badge: x.badge,
+            author: x.author,
+            version: x.version,
+            installs: x.installs,
+        }));
+        spinner.stop();
+        if (options.json)
+            console.log(JSON.stringify(results, null, 2));
+        else
+            displayFindResults(results);
+    }
+    catch (err) {
+        spinner.fail(`Search failed: ${err.message}`);
+        console.log('  Tip: use --api http://localhost:3300 for local dev');
+        process.exitCode = 1;
+    }
+}

package/dist/commands/install.d.ts

@@ -0,0 +1,5 @@
+export declare function installCommand(pkg: string, options: {
+    json?: boolean;
+    global?: boolean;
+    skill?: boolean;
+}): Promise<void>;

package/dist/commands/install.js

@@ -0,0 +1,44 @@
+import { createInterface } from 'readline';
+import { execSync } from 'child_process';
+import ora from 'ora';
+import chalk from 'chalk';
+import { analyzeMcp } from '../utils/mcp-analyzer.js';
+import { displayScanReport } from '../utils/display.js';
+async function confirm(msg) {
+    const rl = createInterface({ input: process.stdin, output: process.stdout });
+    return new Promise(res => {
+        rl.question(msg, a => { rl.close(); res(a.toLowerCase() === 'y' || a.toLowerCase() === 'yes'); });
+    });
+}
+export async function installCommand(pkg, options) {
+    const spinner = ora(`Auditing ${pkg}...`).start();
+    try {
+        const result = await analyzeMcp({ npmPackage: pkg });
+        spinner.stop();
+        displayScanReport(result);
+        if (result.badge === 'flagged') {
+            console.log(chalk.red.bold('  ⚠️  This package has been flagged!'));
+            if (!await confirm(chalk.yellow('  Install anyway? (y/N) '))) {
+                console.log(chalk.gray('  Cancelled.'));
+                process.exitCode = 1;
+                return;
+            }
+        }
+        const s2 = ora(`Installing ${pkg}...`).start();
+        try {
+            if (options.skill)
+                execSync(`npx clawhub install ${pkg}`, { stdio: 'pipe' });
+            else
+                execSync(`npm install${options.global ? ' -g' : ''} ${pkg}`, { stdio: 'pipe' });
+            s2.succeed(`${pkg} installed`);
+        }
+        catch (e) {
+            s2.fail(`Install failed: ${e.message}`);
+            process.exitCode = 1;
+        }
+    }
+    catch (err) {
+        spinner.fail(`Audit failed: ${err.message}`);
+        process.exitCode = 2;
+    }
+}

package/dist/commands/scan.d.ts

@@ -0,0 +1,4 @@
+export declare function scanCommand(target: string, options: {
+    json?: boolean;
+    overview?: boolean;
+}): Promise<void>;

package/dist/commands/scan.js

@@ -0,0 +1,53 @@
+import { readFileSync, existsSync } from 'fs';
+import ora from 'ora';
+import { analyzeSkill } from '../utils/analyzer.js';
+import { analyzeMcp } from '../utils/mcp-analyzer.js';
+import { displayScanReport } from '../utils/display.js';
+function detect(t) {
+    if (/^https?:\/\/github\.com\//.test(t))
+        return 'github';
+    if (/^https?:\/\//.test(t))
+        return 'url';
+    if (existsSync(t))
+        return 'file';
+    return 'npm';
+}
+export async function scanCommand(target, options) {
+    const spinner = ora('Analyzing...').start();
+    try {
+        const tt = detect(target);
+        let result;
+        if (tt === 'npm') {
+            spinner.text = `Fetching npm: ${target}`;
+            result = await analyzeMcp({ npmPackage: target });
+        }
+        else if (tt === 'github') {
+            spinner.text = `Fetching GitHub: ${target}`;
+            result = await analyzeMcp({ githubUrl: target });
+        }
+        else if (tt === 'url') {
+            spinner.text = `Fetching: ${target}`;
+            const resp = await fetch(target, { headers: { 'User-Agent': 'Vet/1.0' } });
+            if (!resp.ok)
+                throw new Error(`HTTP ${resp.status}`);
+            const content = await resp.text();
+            result = target.endsWith('SKILL.md') ? analyzeSkill(content) : await analyzeMcp({ readme: content, name: target.split('/').pop()?.replace(/\.(md|json)$/, '') });
+        }
+        else {
+            const content = readFileSync(target, 'utf-8');
+            result = target.endsWith('SKILL.md') ? analyzeSkill(content)
+                : (content.includes('MCP') || target.includes('mcp')) ? await analyzeMcp({ readme: content, name: target.split('/').pop()?.replace(/\.(md|json)$/, '') })
+                    : analyzeSkill(content);
+        }
+        spinner.stop();
+        if (options.json)
+            console.log(JSON.stringify(result, null, 2));
+        else
+            displayScanReport(result);
+        process.exitCode = result.badge === 'flagged' ? 1 : 0;
+    }
+    catch (err) {
+        spinner.fail(`Failed: ${err.message}`);
+        process.exitCode = 2;
+    }
+}

package/dist/index.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};

package/dist/index.js

@@ -0,0 +1,42 @@
+#!/usr/bin/env node
+import { Command } from 'commander';
+import { scanCommand } from './commands/scan.js';
+import { auditCommand } from './commands/audit.js';
+import { findCommand } from './commands/find.js';
+import { installCommand } from './commands/install.js';
+const program = new Command();
+program
+    .name('vet')
+    .description('Security audit CLI for AI skills & MCP servers')
+    .version('0.1.0');
+program
+    .command('scan')
+    .description('Scan a single tool for security issues')
+    .argument('<target>', 'URL, npm package, file path, or GitHub repo')
+    .option('--json', 'Output JSON instead of formatted report')
+    .option('--overview', 'Include AI-generated overview')
+    .action(scanCommand);
+program
+    .command('audit')
+    .description('Audit all AI tools in a project')
+    .argument('[path]', 'Project path (defaults to current directory)')
+    .option('--json', 'Output JSON')
+    .option('--strict', 'Exit code 1 if any tool is unverified or flagged')
+    .option('--fix', 'Suggest safer alternatives for flagged tools')
+    .action(auditCommand);
+program
+    .command('find')
+    .description('Search for tools by description')
+    .argument('<query>', 'Natural language search query')
+    .option('--json', 'Output JSON')
+    .option('--api <url>', 'API endpoint (default: https://getvet.ai)')
+    .action(findCommand);
+program
+    .command('install')
+    .description('Install a package with pre-install security audit')
+    .argument('<package>', 'npm package name')
+    .option('--json', 'Output JSON')
+    .option('-g, --global', 'Install globally')
+    .option('--skill', 'Install as OpenClaw skill via clawhub')
+    .action(installCommand);
+program.parse();

package/dist/types.d.ts

@@ -0,0 +1,52 @@
+export type BadgeType = 'certified' | 'reviewed' | 'unverified' | 'flagged';
+export type RiskLevel = 'low' | 'medium' | 'high' | 'critical';
+export type SkillType = 'skill' | 'mcp';
+export type Transport = 'stdio' | 'http' | 'sse';
+export interface Permission {
+    type: string;
+    target?: string;
+    risk: RiskLevel;
+    detected_by?: string;
+    evidence?: string[];
+}
+export interface SecurityIssue {
+    severity: RiskLevel | 'info' | 'warning';
+    message: string;
+    count?: number;
+    evidence?: string[];
+}
+export interface CodeQuality {
+    hasTests: boolean;
+    hasDocs: boolean;
+    hasLicense?: boolean;
+    hasPermissionDeclaration?: boolean;
+    linesOfCode: number;
+    dependencyCount?: number;
+}
+export interface McpTool {
+    name: string;
+    description?: string;
+    inputSchema?: McpToolParam[];
+    permissions?: Permission[];
+}
+export interface McpToolParam {
+    name: string;
+    type: string;
+    description: string;
+}
+export interface AnalysisResult {
+    name: string;
+    description?: string;
+    type?: SkillType;
+    transport?: Transport;
+    runtime?: string;
+    tools?: McpTool[];
+    permissions: Permission[];
+    issues: SecurityIssue[];
+    trustScore: number;
+    badge: BadgeType;
+    codeQuality: CodeQuality;
+    riskFactors: string[];
+    overview?: string;
+    envVars?: string[];
+}

package/dist/types.js

@@ -0,0 +1 @@
+export {};

package/dist/utils/analyzer.d.ts

@@ -0,0 +1,3 @@
+import type { AnalysisResult } from '../types.js';
+export declare function parseSkillName(content: string, fallback?: string): string;
+export declare function analyzeSkill(content: string, name?: string): AnalysisResult;

package/dist/utils/analyzer.js

@@ -0,0 +1,94 @@
+const PERM_PATTERNS = [
+    { pattern: /\bexec\b|\bshell\b|\bcommand\b|\bspawn\b|\bchild_process\b/gi, type: 'exec:shell', risk: 'critical' },
+    { pattern: /\bread\b.*file|\bfs[:\.]read|\bReadFile|\bfile.*read/gi, type: 'fs:read', risk: 'low' },
+    { pattern: /\bwrite\b.*file|\bfs[:\.]write|\bWriteFile|\bfile.*write|\bcreate.*file/gi, type: 'fs:write', risk: 'medium' },
+    { pattern: /\bweb_fetch\b|\bfetch\b|\bhttp[s]?:\/\/|\baxios\b|\brequest\b/gi, type: 'net:outbound', risk: 'medium' },
+    { pattern: /\bbrowser\b|\bpuppeteer\b|\bplaywright\b|\bselenium\b/gi, type: 'browser:control', risk: 'high' },
+    { pattern: /\bmessage\b.*send|\bsend.*message|\bemail\b|\bslack\b|\bdiscord\b|\btelegram\b/gi, type: 'msg:send', risk: 'high' },
+    { pattern: /\bprocess\b|\bbackground\b|\bdaemon\b/gi, type: 'exec:process', risk: 'medium' },
+    { pattern: /\bweb_search\b|\bsearch.*web/gi, type: 'net:search', risk: 'low' },
+    { pattern: /\bcrypto\b|\bsign\b|\bencrypt\b|\bdecrypt\b/gi, type: 'crypto:sign', risk: 'medium' },
+    { pattern: /\bimage\b.*analy|\bvision\b|\bocr\b/gi, type: 'media:analyze', risk: 'low' },
+    { pattern: /\btts\b|\btext.to.speech\b|\bspeech\b/gi, type: 'media:tts', risk: 'low' },
+    { pattern: /\bcanvas\b|\bpresent\b.*ui/gi, type: 'ui:canvas', risk: 'low' },
+    { pattern: /\bnodes?\b.*camera|\bcamera\b.*snap/gi, type: 'device:camera', risk: 'high' },
+    { pattern: /\bscreen\b.*record|\bscreenshot\b/gi, type: 'device:screen', risk: 'medium' },
+    { pattern: /\blocation\b|\bgps\b|\bgeolocat/gi, type: 'device:location', risk: 'high' },
+];
+const RISKY_PATTERNS = [
+    { pattern: /rm\s+-rf\b/g, message: 'Destructive file deletion (rm -rf)', severity: 'critical' },
+    { pattern: /curl\s.*\|\s*bash/g, message: 'Remote code execution (curl | bash)', severity: 'critical' },
+    { pattern: /\beval\s*\(/g, message: 'Dynamic code execution (eval)', severity: 'critical' },
+    { pattern: /\bnew\s+Function\s*\(/g, message: 'Dynamic function creation', severity: 'high' },
+    { pattern: /\b(password|secret|token|api[_-]?key|private[_-]?key|mnemonic)\b/gi, message: 'Credential/secret pattern detected', severity: 'high' },
+    { pattern: /\bchmod\s+[0-7]*7[0-7]*\b/g, message: 'Permissive file permissions', severity: 'high' },
+    { pattern: /\bsudo\b/g, message: 'Sudo/elevated privilege usage', severity: 'critical' },
+    { pattern: /\bssh\b.*connect|\bssh\s+-/g, message: 'SSH connection', severity: 'high' },
+    { pattern: /\bcrontab\b|\bsystemctl\b/g, message: 'System service manipulation', severity: 'high' },
+];
+export function parseSkillName(content, fallback = 'unknown') {
+    const h = content.match(/^#\s+(.+)$/m);
+    if (h) {
+        const n = h[1].trim().replace(/[*_`]/g, '').trim();
+        if (n.length > 0 && n.length < 100)
+            return n;
+    }
+    if (fallback !== 'unknown')
+        return fallback.replace(/[-_]/g, ' ').replace(/\b\w/g, c => c.toUpperCase());
+    return fallback;
+}
+export function analyzeSkill(content, name = 'unknown') {
+    const parsedName = parseSkillName(content, name);
+    const permissions = [], issues = [], seen = new Set();
+    for (const p of PERM_PATTERNS) {
+        const m = content.match(p.pattern);
+        if (m && !seen.has(p.type)) {
+            seen.add(p.type);
+            permissions.push({ type: p.type, risk: p.risk, detected_by: 'static', evidence: m.slice(0, 3).map(x => x.trim()) });
+        }
+    }
+    for (const r of RISKY_PATTERNS) {
+        const m = content.match(r.pattern);
+        if (m)
+            issues.push({ severity: r.severity, message: r.message, count: m.length, evidence: m.slice(0, 3).map(x => x.trim()) });
+    }
+    let ts = 80;
+    for (const p of permissions) {
+        if (p.risk === 'critical')
+            ts -= 15;
+        else if (p.risk === 'high')
+            ts -= 10;
+        else if (p.risk === 'medium')
+            ts -= 5;
+    }
+    for (const i of issues) {
+        if (i.severity === 'critical')
+            ts -= 20;
+        else if (i.severity === 'high')
+            ts -= 10;
+        else if (i.severity === 'medium')
+            ts -= 5;
+    }
+    const cq = {
+        hasTests: /\btest\b|\bspec\b|\bjest\b/i.test(content), hasDocs: /\b(readme|documentation|usage|example)\b/i.test(content),
+        hasLicense: /\blicense\b|\bMIT\b|\bApache\b/i.test(content), hasPermissionDeclaration: /\bpermission\b|\baccess\b|\brequire\b/i.test(content),
+        linesOfCode: content.split('\n').length,
+    };
+    if (cq.hasTests)
+        ts += 5;
+    if (cq.hasDocs)
+        ts += 3;
+    if (cq.hasLicense)
+        ts += 2;
+    if (cq.hasPermissionDeclaration)
+        ts += 5;
+    ts = Math.max(0, Math.min(100, ts));
+    let badge = 'unverified';
+    if (issues.some(i => i.severity === 'critical'))
+        badge = 'flagged';
+    else if (ts >= 80)
+        badge = 'certified';
+    else if (ts >= 50)
+        badge = 'reviewed';
+    return { name: parsedName, type: 'skill', permissions, issues, trustScore: ts, badge, codeQuality: cq, riskFactors: issues.filter(i => i.severity === 'critical' || i.severity === 'high').map(i => i.message) };
+}

package/dist/utils/config.d.ts

@@ -0,0 +1,14 @@
+export interface DiscoveredTool {
+    name: string;
+    source: string;
+    type: 'mcp-config' | 'mcp-package' | 'skill' | 'openclaw-skill';
+    target?: string;
+    content?: string;
+}
+export declare function discoverTools(projectPath: string): {
+    tools: DiscoveredTool[];
+    sources: {
+        source: string;
+        count: number;
+    }[];
+};

package/dist/utils/config.js

@@ -0,0 +1,86 @@
+import { readFileSync, existsSync, readdirSync } from 'fs';
+import { join } from 'path';
+import { homedir } from 'os';
+export function discoverTools(projectPath) {
+    const tools = [], sc = new Map();
+    const add = (s, n) => { if (n > 0)
+        sc.set(s, (sc.get(s) || 0) + n); };
+    const pkgPath = join(projectPath, 'package.json');
+    if (existsSync(pkgPath)) {
+        try {
+            const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'));
+            const all = { ...pkg.dependencies, ...pkg.devDependencies };
+            let c = 0;
+            for (const d of Object.keys(all)) {
+                if (d.includes('mcp') || d.startsWith('@modelcontextprotocol/')) {
+                    tools.push({ name: d, source: 'package.json', type: 'mcp-package', target: d });
+                    c++;
+                }
+            }
+            add('package.json', c);
+        }
+        catch { /* skip */ }
+    }
+    const mcpPaths = [
+        join(projectPath, '.cursor', 'mcp.json'),
+        join(projectPath, 'mcp.json'),
+        join(homedir(), '.config', 'claude', 'claude_desktop_config.json'),
+        join(homedir(), 'Library', 'Application Support', 'Claude', 'claude_desktop_config.json'),
+    ];
+    for (const cp of mcpPaths) {
+        if (!existsSync(cp))
+            continue;
+        try {
+            const cfg = JSON.parse(readFileSync(cp, 'utf-8'));
+            const svrs = cfg.mcpServers || cfg.servers || {};
+            let c = 0;
+            for (const [n, v] of Object.entries(svrs)) {
+                const target = (v.command === 'npx' ? v.args?.[0] : undefined) || n;
+                tools.push({ name: n, source: cp.replace(homedir(), '~'), type: 'mcp-config', target });
+                c++;
+            }
+            add(cp.replace(homedir(), '~'), c);
+        }
+        catch { /* skip */ }
+    }
+    for (const op of [join(projectPath, 'openclaw.json'), join(homedir(), '.openclaw', 'openclaw.json')]) {
+        if (!existsSync(op))
+            continue;
+        try {
+            const cfg = JSON.parse(readFileSync(op, 'utf-8'));
+            const skills = cfg.skills || cfg.installedSkills || [];
+            let c = 0;
+            if (Array.isArray(skills)) {
+                for (const s of skills) {
+                    const n = typeof s === 'string' ? s : s.name;
+                    tools.push({ name: n, source: op.replace(homedir(), '~'), type: 'openclaw-skill', target: n });
+                    c++;
+                }
+            }
+            add(op.replace(homedir(), '~'), c);
+        }
+        catch { /* skip */ }
+    }
+    findSkills(projectPath, tools, sc, 0);
+    return { tools, sources: [...sc.entries()].map(([source, count]) => ({ source, count })) };
+}
+function findSkills(dir, tools, sc, depth) {
+    if (depth > 4)
+        return;
+    try {
+        for (const e of readdirSync(dir, { withFileTypes: true })) {
+            if (e.name === 'node_modules' || e.name === '.git' || e.name === 'dist')
+                continue;
+            const fp = join(dir, e.name);
+            if (e.isFile() && e.name === 'SKILL.md') {
+                const content = readFileSync(fp, 'utf-8');
+                const nm = content.match(/^#\s+(.+)$/m)?.[1]?.trim().replace(/[*_`]/g, '') || e.name;
+                tools.push({ name: nm, source: fp, type: 'skill', target: fp, content });
+                sc.set('SKILL.md files', (sc.get('SKILL.md files') || 0) + 1);
+            }
+            if (e.isDirectory())
+                findSkills(fp, tools, sc, depth + 1);
+        }
+    }
+    catch { /* permission denied */ }
+}

package/dist/utils/display.d.ts

@@ -0,0 +1,12 @@
+import type { AnalysisResult, BadgeType } from '../types.js';
+export declare function displayScanReport(r: AnalysisResult): void;
+export declare function displayAuditReport(results: AnalysisResult[], sources: {
+    source: string;
+    count: number;
+}[]): void;
+export declare function displayFindResults(results: Array<{
+    name: string;
+    description?: string;
+    trustScore?: number;
+    badge?: BadgeType;
+}>): void;

package/dist/utils/display.js

@@ -0,0 +1,137 @@
+import chalk from 'chalk';
+const BADGE = {
+    certified: { emoji: '✅', label: 'Certified', color: chalk.green },
+    reviewed: { emoji: '🔍', label: 'Reviewed', color: chalk.blue },
+    unverified: { emoji: '⚠️', label: 'Unverified', color: chalk.yellow },
+    flagged: { emoji: '🚫', label: 'Flagged', color: chalk.red },
+};
+const RC = { low: chalk.green, medium: chalk.yellow, high: chalk.red, critical: chalk.redBright.bold };
+function bar(score) {
+    const f = Math.round(score / 10), e = 10 - f;
+    const c = score >= 75 ? chalk.green : score >= 50 ? chalk.yellow : chalk.red;
+    return c('█'.repeat(f)) + chalk.gray('░'.repeat(e)) + ' ' + c(`${score}/100`);
+}
+function dot(risk) {
+    return RC[risk](`⬤ ${risk.charAt(0).toUpperCase() + risk.slice(1)}`);
+}
+function overallRisk(r) {
+    if (r.badge === 'flagged')
+        return 'critical';
+    if (r.trustScore < 50)
+        return 'high';
+    if (r.trustScore < 75)
+        return 'medium';
+    return 'low';
+}
+export function displayScanReport(r) {
+    const b = BADGE[r.badge], rk = overallRisk(r);
+    console.log();
+    console.log(chalk.bold('  🔍 Vet Security Report'));
+    console.log(chalk.gray('  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━'));
+    console.log();
+    console.log(`  ${chalk.gray('Name:')}        ${chalk.bold(r.name)}`);
+    if (r.description)
+        console.log(`  ${chalk.gray('Description:')} ${r.description.slice(0, 80)}`);
+    if (r.type === 'mcp') {
+        console.log(`  ${chalk.gray('Type:')}        MCP Server`);
+        if (r.transport)
+            console.log(`  ${chalk.gray('Transport:')}   ${r.transport}`);
+        if (r.runtime)
+            console.log(`  ${chalk.gray('Runtime:')}     ${r.runtime}`);
+    }
+    else
+        console.log(`  ${chalk.gray('Type:')}        AI Skill`);
+    console.log();
+    console.log(`  ${chalk.gray('Trust Score:')} ${bar(r.trustScore)}`);
+    console.log(`  ${chalk.gray('Badge:')}       ${b.emoji} ${b.color(b.label)}`);
+    console.log(`  ${chalk.gray('Risk:')}        ${dot(rk)}`);
+    if (r.permissions.length > 0) {
+        console.log();
+        console.log(chalk.bold('  📋 Permissions'));
+        console.log(chalk.gray(`  ${'Permission'.padEnd(25)} ${'Risk'.padEnd(12)} Evidence`));
+        console.log(chalk.gray(`  ${'─'.repeat(25)} ${'─'.repeat(12)} ${'─'.repeat(30)}`));
+        for (const p of r.permissions)
+            console.log(`  ${p.type.padEnd(25)} ${RC[p.risk](p.risk.padEnd(12))} ${chalk.gray(p.evidence?.slice(0, 2).join(', ') || '')}`);
+    }
+    if (r.issues.length > 0) {
+        console.log();
+        console.log(chalk.bold('  ⚠️  Issues'));
+        for (const i of r.issues) {
+            const icon = i.severity === 'critical' ? '🔴' : i.severity === 'high' ? '🟠' : i.severity === 'medium' ? '🟡' : '🔵';
+            const cf = RC[i.severity];
+            console.log(`  ${icon} ${cf ? cf(i.message) : i.message}`);
+        }
+    }
+    if (r.tools && r.tools.length > 0) {
+        console.log();
+        console.log(chalk.bold(`  🔧 Tools (${r.tools.length})`));
+        for (const t of r.tools.slice(0, 15)) {
+            console.log(`  ${chalk.cyan(t.name.padEnd(25))} ${chalk.gray(t.description?.slice(0, 40) || '')}`);
+            const ps = t.inputSchema?.map(p => p.name).join(', ');
+            if (ps)
+                console.log(`  ${' '.repeat(25)} ${chalk.gray(`params: ${ps}`)}`);
+        }
+        if (r.tools.length > 15)
+            console.log(chalk.gray(`  ... and ${r.tools.length - 15} more`));
+    }
+    if (r.envVars && r.envVars.length > 0) {
+        console.log();
+        console.log(chalk.bold('  🔑 Environment Variables'));
+        for (const v of r.envVars)
+            console.log(`  ${chalk.yellow(v)}`);
+    }
+    if (r.overview) {
+        console.log();
+        console.log(chalk.bold('  📝 Overview'));
+        for (const l of r.overview.split('\n'))
+            console.log(`  ${chalk.gray(l)}`);
+    }
+    console.log();
+    console.log(chalk.gray('  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━'));
+    console.log();
+}
+export function displayAuditReport(results, sources) {
+    console.log();
+    console.log(chalk.bold('  🔍 Vet Audit Report'));
+    console.log(chalk.gray('  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━'));
+    console.log();
+    for (const s of sources)
+        console.log(`  📦 Found ${s.count} tool${s.count !== 1 ? 's' : ''} in ${s.source}`);
+    console.log();
+    const W = 35;
+    console.log(chalk.gray(`  ${'Tool'.padEnd(W)} ${'Score'.padEnd(7)} ${'Badge'.padEnd(16)} Risk`));
+    console.log(chalk.gray(`  ${'─'.repeat(W)} ${'─'.repeat(7)} ${'─'.repeat(16)} ${'─'.repeat(12)}`));
+    for (const r of results) {
+        const b = BADGE[r.badge], rk = overallRisk(r);
+        const nm = r.name.length > W - 1 ? r.name.slice(0, W - 4) + '...' : r.name;
+        const sc = r.trustScore >= 75 ? chalk.green : r.trustScore >= 50 ? chalk.yellow : chalk.red;
+        console.log(`  ${nm.padEnd(W)} ${sc(String(r.trustScore).padEnd(7))} ${b.emoji} ${b.color(b.label.padEnd(13))} ${dot(rk)}`);
+    }
+    console.log();
+    console.log(chalk.gray('  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━'));
+    const c = { certified: 0, reviewed: 0, unverified: 0, flagged: 0 };
+    for (const r of results)
+        c[r.badge]++;
+    console.log(`  Summary: ${results.length} tools audited | ${c.certified} certified | ${c.reviewed} reviewed | ${c.unverified} unverified | ${c.flagged} flagged`);
+    if (c.flagged > 0)
+        console.log(chalk.red.bold(`  ⚠️  ${c.flagged} tool${c.flagged > 1 ? 's' : ''} requires attention`));
+    console.log();
+}
+export function displayFindResults(results) {
+    if (!results.length) {
+        console.log(chalk.yellow('\n  No results found.\n'));
+        return;
+    }
+    console.log();
+    console.log(chalk.bold(`  🔎 Search Results (${results.length})`));
+    console.log(chalk.gray('  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━'));
+    for (const r of results) {
+        const b = r.badge ? BADGE[r.badge] : BADGE.unverified;
+        console.log();
+        console.log(`  ${b.emoji} ${chalk.bold(r.name)}`);
+        if (r.description)
+            console.log(`    ${chalk.gray(r.description.slice(0, 80))}`);
+        console.log(`    Score: ${r.trustScore != null ? bar(r.trustScore) : chalk.gray('N/A')}`);
+    }
+    console.log();
+}

package/dist/utils/fetch.d.ts

@@ -0,0 +1,6 @@
+export interface FetchedContent {
+    content: string;
+    type: 'skill' | 'mcp' | 'unknown';
+    name: string;
+}
+export declare function fetchTarget(target: string): Promise<FetchedContent>;

package/dist/utils/fetch.js

@@ -0,0 +1,38 @@
+import { readFileSync, existsSync } from 'fs';
+function detect(content, source) {
+    if (/SKILL\.md/i.test(source) || /^#\s+.*skill/im.test(content))
+        return 'skill';
+    if (/mcp|model.context.protocol/i.test(content))
+        return 'mcp';
+    if (/^#\s+/m.test(content))
+        return 'skill';
+    return 'unknown';
+}
+export async function fetchTarget(target) {
+    if (existsSync(target)) {
+        const c = readFileSync(target, 'utf-8');
+        return { content: c, type: detect(c, target), name: target.split('/').pop() || target };
+    }
+    if (/^https?:\/\//i.test(target)) {
+        const r = await fetch(target);
+        if (!r.ok)
+            throw new Error('HTTP ' + r.status);
+        const c = await r.text();
+        return { content: c, type: detect(c, target), name: target.split('/').pop()?.replace(/\?.*$/, '') || target };
+    }
+    if (/^[\w-]+\/[\w.-]+$/.test(target) && !target.startsWith('@')) {
+        const r = await fetch('https://raw.githubusercontent.com/' + target + '/main/README.md');
+        if (r.ok)
+            return { content: await r.text(), type: 'mcp', name: target.split('/')[1] };
+        throw new Error('GitHub fetch failed: ' + target);
+    }
+    if (/^@?[\w-]/.test(target)) {
+        const r = await fetch('https://registry.npmjs.org/' + encodeURIComponent(target));
+        if (r.ok) {
+            const d = await r.json();
+            return { content: d.readme || '', type: 'mcp', name: d.name || target };
+        }
+        throw new Error('npm not found: ' + target);
+    }
+    throw new Error('Unknown target: ' + target);
+}

package/dist/utils/mcp-analyzer.d.ts

@@ -0,0 +1,19 @@
+import type { AnalysisResult } from '../types.js';
+interface PJ {
+    name?: string;
+    description?: string;
+    version?: string;
+    dependencies?: Record<string, string>;
+    devDependencies?: Record<string, string>;
+    engines?: {
+        node?: string;
+    };
+}
+export declare function analyzeMcp(input: {
+    npmPackage?: string;
+    githubUrl?: string;
+    readme?: string;
+    name?: string;
+    packageJson?: PJ;
+}): Promise<AnalysisResult>;
+export {};

package/dist/utils/mcp-analyzer.js

@@ -0,0 +1,187 @@
+const TOOL_RULES = [
+    { paramPattern: /\bcommand\b|\bcmd\b|\bshell\b/i, namePattern: /\bexec\b|\brun\b|\bshell\b/i, type: 'exec:shell', risk: 'critical' },
+    { paramPattern: /\burl\b|\bendpoint\b|\bhref\b/i, namePattern: /\bfetch\b|\brequest\b|\bhttp\b/i, type: 'net:outbound', risk: 'medium' },
+    { paramPattern: /\bpath\b|\bfile\b|\bfilename\b|\bdirectory\b/i, namePattern: /\bread\b|\bget\b|\blist\b|\bsearch\b/i, type: 'fs:read', risk: 'medium' },
+    { paramPattern: /\bpath\b|\bfile\b|\bfilename\b/i, namePattern: /\bwrite\b|\bcreate\b|\bsave\b|\bupdate\b|\bedit\b/i, type: 'fs:write', risk: 'medium' },
+    { paramPattern: /\bquery\b|\bsql\b|\bstatement\b/i, namePattern: /\bquery\b|\bsql\b|\bdb\b|\bdatabase\b/i, type: 'db:query', risk: 'medium' },
+    { paramPattern: null, namePattern: /\bemail\b|\bmessage\b|\bsend\b|\bnotif/i, type: 'msg:send', risk: 'medium' },
+    { paramPattern: null, namePattern: /\bdelete\b|\bremove\b|\bdrop\b|\bpurge\b|\bdestroy\b/i, type: 'data:delete', risk: 'high' },
+];
+const RISKY = [
+    { pattern: /rm\s+-rf\b/g, message: 'Destructive file deletion (rm -rf)', severity: 'critical' },
+    { pattern: /curl\s.*\|\s*bash/g, message: 'Remote code execution (curl | bash)', severity: 'critical' },
+    { pattern: /\beval\s*\(/g, message: 'Dynamic code execution (eval)', severity: 'critical' },
+    { pattern: /\bnew\s+Function\s*\(/g, message: 'Dynamic function creation', severity: 'high' },
+    { pattern: /\bchild_process\b|\bspawn\b|\bexecSync\b/g, message: 'Shell execution via child_process', severity: 'high' },
+    { pattern: /\bsudo\b/g, message: 'Sudo/elevated privilege usage', severity: 'critical' },
+    { pattern: /\b(password|secret|token|api[_-]?key|private[_-]?key)\b/gi, message: 'Credential/secret pattern detected', severity: 'medium' },
+];
+const SENS_ENV = /key|token|secret|password|credential|auth/i;
+function detectTransport(t) {
+    if (/\bsse\b|server.sent.event/i.test(t))
+        return 'sse';
+    if (/\bhttp\b.*transport|streamablehttp|\/mcp\b/i.test(t) && !/\bstdio\b/i.test(t))
+        return 'http';
+    return 'stdio';
+}
+function detectRuntime(pj, t) {
+    if (pj?.dependencies?.['@modelcontextprotocol/sdk'] || pj?.devDependencies?.['typescript'] || pj?.engines?.node)
+        return 'node';
+    if (/pyproject\.toml|requirements\.txt|\bpip\b|\bpython\b/i.test(t))
+        return 'python';
+    if (/\bgo\.mod\b/i.test(t))
+        return 'go';
+    if (/\bCargo\.toml\b/i.test(t))
+        return 'rust';
+    return 'node';
+}
+function parseTools(text) {
+    const tools = [];
+    for (const m of text.matchAll(/###\s+`?(\w[\w_-]*)`?\s*\n([\s\S]*?)(?=\n###\s|\n##\s|$)/g)) {
+        const name = m[1], body = m[2];
+        if (/^(installation|setup|configuration|usage|example|prerequisites|requirements|license|contributing)/i.test(name))
+            continue;
+        const desc = body.split('\n').find((l) => l.trim() && !l.startsWith('#') && !l.startsWith('|') && !l.startsWith('-'))?.trim() || '';
+        const params = [];
+        for (const r of body.matchAll(/\|\s*`?(\w+)`?\s*\|\s*(\w+)\s*\|\s*([^|]*)\|/g))
+            params.push({ name: r[1], type: r[2], description: r[3].trim() });
+        for (const b of body.matchAll(/-\s+[`*]*(\w+)[`*]*\s*(?:\((\w+)\))?[:\s-]+(.+)/g)) {
+            if (!params.find((p) => p.name === b[1]))
+                params.push({ name: b[1], type: b[2] || 'string', description: b[3].trim() });
+        }
+        if (params.length > 0 || /tool|function|method|action|command/i.test(body.slice(0, 200)))
+            tools.push({ name, description: desc.slice(0, 300), inputSchema: params });
+    }
+    if (tools.length === 0) {
+        for (const m of text.matchAll(/-\s+\*\*(\w[\w_-]*)\*\*\s*[-:\u2013]\s*(.+)/g)) {
+            if (!/install|setup|config|require|license|example|usage/i.test(m[1]))
+                tools.push({ name: m[1], description: m[2].trim().slice(0, 300), inputSchema: [] });
+        }
+    }
+    return tools;
+}
+function detectEnvVars(text) {
+    const vars = new Set();
+    for (const m of text.matchAll(/\b([A-Z][A-Z0-9_]{2,})\b/g)) {
+        const v = m[1];
+        if (/^(API|AWS|AZURE|GCP|GITHUB|OPENAI|ANTHROPIC|DATABASE|DB_|REDIS|MONGO|POSTGRES|MYSQL|SECRET|TOKEN|KEY|PASSWORD|AUTH|SMTP|SLACK|DISCORD|STRIPE)/.test(v) ||
+            /_KEY$|_TOKEN$|_SECRET$|_PASSWORD$|_URL$|_URI$|_HOST$|_PORT$/.test(v))
+            vars.add(v);
+    }
+    return [...vars];
+}
+function toolPerms(tool) {
+    const perms = [], seen = new Set();
+    for (const r of TOOL_RULES) {
+        let hit = false;
+        if (r.namePattern?.test(tool.name))
+            hit = true;
+        if (r.paramPattern && tool.inputSchema?.some((p) => r.paramPattern.test(p.name)))
+            hit = true;
+        if (hit && !seen.has(r.type)) {
+            seen.add(r.type);
+            perms.push({ type: r.type, risk: r.risk, detected_by: 'mcp-static', evidence: [tool.name] });
+        }
+    }
+    return perms;
+}
+export async function analyzeMcp(input) {
+    let text = input.readme || '', pj = input.packageJson || null, pkgName = input.name || input.npmPackage || '', desc = '', deps = 0;
+    if (input.npmPackage) {
+        try {
+            const r = await fetch(`https://registry.npmjs.org/${encodeURIComponent(input.npmPackage)}`);
+            if (r.ok) {
+                const d = await r.json();
+                const lat = d['dist-tags']?.latest;
+                const vers = d.versions;
+                const lv = lat && vers ? vers[lat] : null;
+                pkgName = d.name || input.npmPackage;
+                desc = d.description || '';
+                text = d.readme || text;
+                if (lv) {
+                    pj = lv;
+                    deps = Object.keys(lv.dependencies || {}).length + Object.keys(lv.devDependencies || {}).length;
+                }
+            }
+        }
+        catch { /* continue */ }
+    }
+    if (input.githubUrl) {
+        const m = input.githubUrl.match(/github\.com\/([^/]+)\/([^/]+)/);
+        if (m) {
+            const owner = m[1], rn = m[2].replace(/\.git$/, '');
+            try {
+                const rr = await fetch(`https://raw.githubusercontent.com/${owner}/${rn}/main/README.md`, { headers: { 'User-Agent': 'Vet/1.0' } });
+                if (rr.ok)
+                    text = await rr.text();
+                const pr = await fetch(`https://raw.githubusercontent.com/${owner}/${rn}/main/package.json`, { headers: { 'User-Agent': 'Vet/1.0' } });
+                if (pr.ok) {
+                    pj = await pr.json();
+                    pkgName = pj.name || pkgName || rn;
+                    desc = desc || pj.description || '';
+                    deps = Object.keys(pj.dependencies || {}).length + Object.keys(pj.devDependencies || {}).length;
+                }
+                if (!pkgName)
+                    pkgName = rn;
+            }
+            catch { /* continue */ }
+        }
+    }
+    if (!pkgName)
+        pkgName = input.name || 'unknown-mcp';
+    const transport = detectTransport(text), runtime = detectRuntime(pj, text), tools = parseTools(text), envVars = detectEnvVars(text);
+    const allPerms = [], seenP = new Set();
+    for (const tool of tools) {
+        tool.permissions = toolPerms(tool);
+        for (const p of tool.permissions) {
+            if (!seenP.has(p.type)) {
+                seenP.add(p.type);
+                allPerms.push(p);
+            }
+        }
+    }
+    const issues = [];
+    for (const r of RISKY) {
+        const m = text.match(r.pattern);
+        if (m)
+            issues.push({ severity: r.severity, message: r.message, count: m.length, evidence: m.slice(0, 3) });
+    }
+    const sensEnv = envVars.filter(v => SENS_ENV.test(v));
+    if (sensEnv.length > 0)
+        issues.push({ severity: 'medium', message: `Requires sensitive env vars: ${sensEnv.join(', ')}`, count: sensEnv.length, evidence: sensEnv });
+    let ts = 75;
+    for (const p of allPerms) {
+        if (p.risk === 'critical')
+            ts -= 15;
+        else if (p.risk === 'high')
+            ts -= 10;
+        else if (p.risk === 'medium')
+            ts -= 5;
+    }
+    for (const i of issues) {
+        if (i.severity === 'critical')
+            ts -= 20;
+        else if (i.severity === 'high')
+            ts -= 10;
+        else if (i.severity === 'medium')
+            ts -= 3;
+    }
+    if (tools.length > 0)
+        ts += 5;
+    if (text.length > 500)
+        ts += 3;
+    ts = Math.max(0, Math.min(100, ts));
+    let badge = 'unverified';
+    if (issues.some(i => i.severity === 'critical'))
+        badge = 'flagged';
+    else if (ts >= 75)
+        badge = 'certified';
+    else if (ts >= 50)
+        badge = 'reviewed';
+    return {
+        name: pkgName, description: desc || text.split('\n').find(l => l.trim() && !l.startsWith('#'))?.trim()?.slice(0, 300) || '',
+        type: 'mcp', transport, runtime, tools, permissions: allPerms, issues, trustScore: ts, badge,
+        codeQuality: { hasTests: /\btest\b|\bspec\b/i.test(text), hasDocs: text.length > 300, hasLicense: /\blicense\b|\bMIT\b|\bApache\b/i.test(text), hasPermissionDeclaration: /\bpermission\b|\baccess\b/i.test(text), linesOfCode: text.split('\n').length, dependencyCount: deps },
+        riskFactors: issues.filter(i => i.severity === 'critical' || i.severity === 'high').map(i => i.message), envVars,
+    };
+}

package/package.json

@@ -0,0 +1,50 @@
+{
+  "name": "@getvetai/cli",
+  "version": "0.1.0",
+  "description": "Security audit CLI for AI skills and MCP servers — scan, audit, and score tools before you install them",
+  "type": "module",
+  "license": "MIT",
+  "bin": {
+    "vet": "./dist/index.js"
+  },
+  "files": [
+    "dist",
+    "README.md",
+    "LICENSE"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/getvetai/vet.git",
+    "directory": "cli"
+  },
+  "homepage": "https://getvet.ai",
+  "bugs": "https://github.com/getvetai/vet/issues",
+  "keywords": [
+    "ai",
+    "security",
+    "audit",
+    "mcp",
+    "openclaw",
+    "skills",
+    "tools",
+    "trust",
+    "scanner"
+  ],
+  "engines": {
+    "node": ">=18"
+  },
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsx src/index.ts"
+  },
+  "dependencies": {
+    "chalk": "^5.3.0",
+    "commander": "^12.1.0",
+    "ora": "^8.1.1"
+  },
+  "devDependencies": {
+    "@types/node": "^22.0.0",
+    "tsx": "^4.19.0",
+    "typescript": "^5.6.0"
+  }
+}