@guava-parity/guard-scanner 13.0.0 → 16.0.0

package/src/cli.js

@@ -1,294 +0,0 @@
-#!/usr/bin/env node
-/**
- * guard-scanner CLI
- *
- * @security-manifest
- *   env-read: []
- *   env-write: []
- *   network: none
- *   fs-read: [scan target directory, plugin files, custom rules files]
- *   fs-write: [JSON/SARIF/HTML reports to scan directory]
- *   exec: none
- *   purpose: CLI entry point for guard-scanner static analysis
- *
- * Usage: guard-scanner [scan-dir] [options]
- *
- * Options:
- *   --verbose, -v       Detailed findings
- *   --json              JSON report
- *   --sarif             SARIF report (CI/CD)
- *   --html              HTML report
- *   --self-exclude      Skip scanning self
- *   --strict            Lower thresholds
- *   --summary-only      Summary only
- *   --check-deps        Scan dependencies
- *   --rules <file>      Custom rules JSON
- *   --plugin <file>     Load plugin module
- *   --fail-on-findings  Exit 1 on findings (CI/CD)
- *   --help, -h          Help
- */
-
-const fs = require('fs');
-const path = require('path');
-const { GuardScanner, VERSION } = require('./scanner.js');
-const { AssetAuditor, AUDIT_VERSION } = require('./asset-auditor.js');
-const { VTClient } = require('./vt-client.js');
-const { GuardWatcher } = require('./watcher.js');
-const { CIReporter } = require('./ci-reporter.js');
-
-const args = process.argv.slice(2);
-
-if (args.includes('--version') || args.includes('-V')) {
-  console.log(`guard-scanner v${VERSION} (audit v${AUDIT_VERSION})`);
-  process.exit(0);
-}
-
-// ── serve subcommand (MCP server) ────────────────────────────
-if (args[0] === 'serve') {
-  const { startServer } = require('./mcp-server.js');
-  startServer();
-  // Server runs until stdin closes
-}
-
-// ── watch subcommand ──────────────────────────────────────────
-if (args[0] === 'watch') {
-  const watchDir = args[1] || '.';
-  const verbose = args.includes('--verbose') || args.includes('-v');
-  const strict = args.includes('--strict');
-  const soulLock = args.includes('--soul-lock');
-
-  const watcher = new GuardWatcher({ verbose, strict, soulLock });
-
-  process.on('SIGINT', () => {
-    const stats = watcher.stop();
-    console.log(`\n📊 Session: ${stats.scanCount} scans, ${stats.alertCount} alerts`);
-    process.exit(0);
-  });
-
-  watcher.watch(watchDir);
-  // Keep process alive
-}
-
-// ── audit subcommand ──────────────────────────────────────────
-if (args[0] === 'audit') {
-  const subCmd = args[1]; // npm | github | clawhub | all
-  const target = args[2]; // username or query
-  const verbose = args.includes('--verbose') || args.includes('-v');
-  const formatIdx = args.indexOf('--format');
-  const formatValue = formatIdx >= 0 ? args[formatIdx + 1] : null;
-  const quiet = args.includes('--quiet') || !!formatValue;
-
-  if (!subCmd || subCmd === '--help' || subCmd === '-h') {
-    console.log(`
-🛡️  guard-scanner audit v${AUDIT_VERSION} — Asset Audit Platform
-
-Usage:
-  guard-scanner audit npm <username>      Audit npm packages for leaks
-  guard-scanner audit github <username>   Audit GitHub repos for exposure
-  guard-scanner audit clawhub <query>     Audit ClawHub skills for threats
-  guard-scanner audit all <username>      Run all audits
-
-Options:
-  --verbose, -v       Detailed alert output
-  --format json|sarif Print report to stdout (pipeable)
-  --quiet             Suppress text output
-  --help, -h          Show this help
-
-Examples:
-  guard-scanner audit npm koatora20 --verbose
-  guard-scanner audit github koatora20 --format json
-  guard-scanner audit all koatora20 --verbose
-`);
-    process.exit(0);
-  }
-
-  if (!target && subCmd !== 'all') {
-    console.error(`❌ Usage: guard-scanner audit ${subCmd} <username>`);
-    process.exit(2);
-  }
-
-  const vtScan = args.includes('--vt-scan');
-  let vtClient = null;
-  if (vtScan) {
-    const vtKey = process.env.VT_API_KEY;
-    if (!vtKey) { console.error('❌ --vt-scan requires VT_API_KEY environment variable'); process.exit(2); }
-    vtClient = new VTClient(vtKey, { verbose });
-  }
-
-  const auditor = new AssetAuditor({ verbose, format: formatValue, quiet, vtClient });
-
-  (async () => {
-    try {
-      if (subCmd === 'npm' || subCmd === 'all') {
-        await auditor.auditNpm(target);
-      }
-      if (subCmd === 'github' || subCmd === 'all') {
-        await auditor.auditGithub(target);
-      }
-      if (subCmd === 'clawhub' || subCmd === 'all') {
-        await auditor.auditClawHub(target);
-      }
-
-      if (!['npm', 'github', 'clawhub', 'all'].includes(subCmd)) {
-        console.error(`❌ Unknown audit target: ${subCmd}. Use: npm, github, clawhub, or all`);
-        process.exit(2);
-      }
-
-      // Output
-      if (formatValue === 'json') {
-        process.stdout.write(JSON.stringify(auditor.toJSON(), null, 2) + '\n');
-      } else if (formatValue === 'sarif') {
-        process.stdout.write(JSON.stringify(auditor.toSARIF(), null, 2) + '\n');
-      } else {
-        auditor.printSummary();
-      }
-
-      const verdict = auditor.getVerdict();
-      process.exit(verdict.exitCode);
-    } catch (e) {
-      console.error(`❌ Audit error: ${e.message}`);
-      process.exit(2);
-    }
-  })();
-} else {
-  // ── existing scan logic (backward compatible) ─────────────────
-
-  if (args.includes('--help') || args.includes('-h')) {
-    console.log(`
-🛡️  guard-scanner v${VERSION} — Agent Skill Security Scanner
-
-Usage: guard-scanner [scan-dir] [options]
-       guard-scanner serve              Start as MCP server (stdio)
-       guard-scanner audit <npm|github|clawhub|all> <username> [options]
-
-Options:
-  --verbose, -v       Detailed findings with categories and samples
-  --json              Write JSON report to file
-  --sarif             Write SARIF report to file (GitHub Code Scanning / CI/CD)
-  --html              Write HTML report (visual dashboard)
-  --format json|sarif Print JSON or SARIF to stdout (pipeable, v3.2.0)
-  --quiet             Suppress all text output (use with --format for clean pipes)
-  --self-exclude      Skip scanning the guard-scanner skill itself
-  --strict            Lower detection thresholds (more sensitive)
-  --summary-only      Only print the summary table
-  --check-deps        Scan package.json for dependency chain risks
-  --soul-lock         Enable Soul Lock patterns (agent identity protection)
-  --rules <file>      Load custom rules from JSON file
-  --plugin <file>     Load plugin module (JS file exporting { name, patterns })
-  --fail-on-findings  Exit code 1 if any findings (CI/CD)
-  --help, -h          Show this help
-  --version, -V       Show version
-
-Custom Rules JSON Format:
-  [
-    {
-      "id": "CUSTOM_001",
-      "pattern": "dangerous_function\\\\(",
-      "flags": "gi",
-      "severity": "HIGH",
-      "cat": "malicious-code",
-      "desc": "Custom: dangerous function call",
-      "codeOnly": true
-    }
-  ]
-
-Plugin API:
-  // my-plugin.js
-  module.exports = {
-    name: 'my-plugin',
-    patterns: [
-      { id: 'MY_01', cat: 'custom', regex: /pattern/g, severity: 'HIGH', desc: 'Description', all: true }
-    ]
-  };
-
-Examples:
-  guard-scanner ./skills/ --verbose --self-exclude
-  guard-scanner ./skills/ --strict --json --sarif --check-deps
-  guard-scanner ./skills/ --html --verbose --check-deps
-  guard-scanner ./skills/ --rules my-rules.json --fail-on-findings
-  guard-scanner ./skills/ --plugin ./my-plugin.js
-`);
-    process.exit(0);
-  }
-
-  const verbose = args.includes('--verbose') || args.includes('-v');
-  const jsonOutput = args.includes('--json');
-  const sarifOutput = args.includes('--sarif');
-  const htmlOutput = args.includes('--html');
-  const selfExclude = args.includes('--self-exclude');
-  const strict = args.includes('--strict');
-  const summaryOnly = args.includes('--summary-only');
-  const checkDeps = args.includes('--check-deps');
-  const soulLock = args.includes('--soul-lock');
-  const failOnFindings = args.includes('--fail-on-findings');
-  const quietMode = args.includes('--quiet');
-
-  // --format json|sarif → stdout output (v3.2.0)
-  const formatIdx = args.indexOf('--format');
-  const formatValue = formatIdx >= 0 ? args[formatIdx + 1] : null;
-
-  const rulesIdx = args.indexOf('--rules');
-  const rulesFile = rulesIdx >= 0 ? args[rulesIdx + 1] : null;
-
-  // Collect plugins
-  const plugins = [];
-  let idx = 0;
-  while (idx < args.length) {
-    if (args[idx] === '--plugin' && args[idx + 1]) {
-      plugins.push(args[idx + 1]);
-      idx += 2;
-    } else {
-      idx++;
-    }
-  }
-
-  const scanDir = args.find(a =>
-    !a.startsWith('-') &&
-    a !== rulesFile &&
-    a !== formatValue &&
-    !plugins.includes(a)
-  ) || process.cwd();
-
-  const scanner = new GuardScanner({
-    verbose, selfExclude, strict, summaryOnly, checkDeps, soulLock, rulesFile, plugins,
-    quiet: quietMode || !!formatValue,
-  });
-
-  scanner.scanDirectory(scanDir);
-
-  // Output reports (file-based, backward compatible)
-  if (jsonOutput) {
-    const report = scanner.toJSON();
-    const outPath = path.join(scanDir, 'guard-scanner-report.json');
-    fs.writeFileSync(outPath, JSON.stringify(report, null, 2));
-    if (!quietMode && !formatValue) console.log(`\n📄 JSON report: ${outPath}`);
-  }
-
-  if (sarifOutput) {
-    const outPath = path.join(scanDir, 'guard-scanner.sarif');
-    fs.writeFileSync(outPath, JSON.stringify(scanner.toSARIF(scanDir), null, 2));
-    if (!quietMode && !formatValue) console.log(`\n📄 SARIF report: ${outPath}`);
-  }
-
-  if (htmlOutput) {
-    const outPath = path.join(scanDir, 'guard-scanner-report.html');
-    fs.writeFileSync(outPath, scanner.toHTML());
-    if (!quietMode && !formatValue) console.log(`\n📄 HTML report: ${outPath}`);
-  }
-
-  // --format stdout output (v3.2.0)
-  if (formatValue === 'json') {
-    process.stdout.write(JSON.stringify(scanner.toJSON(), null, 2) + '\n');
-  } else if (formatValue === 'sarif') {
-    process.stdout.write(JSON.stringify(scanner.toSARIF(scanDir), null, 2) + '\n');
-  } else if (formatValue) {
-    console.error(`❌ Unknown format: ${formatValue}. Use 'json' or 'sarif'.`);
-    process.exit(2);
-  }
-
-  // Exit codes
-  if (scanner.stats.malicious > 0) process.exit(1);
-  if (failOnFindings && scanner.findings.length > 0) process.exit(1);
-  process.exit(0);
-
-} // end else (scan mode)

package/src/html-template.js

@@ -1,239 +0,0 @@
-/**
- * guard-scanner — HTML Report Template
- * Dark Glassmorphism + Conic-gradient Risk Gauges
- * Zero dependencies. Pure CSS animations.
- */
-
-'use strict';
-
-function generateHTML(version, stats, findings) {
-    const safetyRate = stats.scanned > 0 ? Math.round(((stats.clean + stats.low) / stats.scanned) * 100) : 100;
-
-    // ── Risk gauge (conic-gradient donut) ──
-    const riskGauge = (risk) => {
-        const angle = (risk / 100) * 360;
-        const color = risk >= 80 ? '#ef4444' : risk >= 30 ? '#f59e0b' : '#22c55e';
-        return `<div class="risk-gauge" style="--risk-angle:${angle}deg;--risk-color:${color}"><span class="risk-val">${risk}</span></div>`;
-    };
-
-    // ── Aggregate severity + category counts ──
-    const sevCounts = { CRITICAL: 0, HIGH: 0, MEDIUM: 0, LOW: 0 };
-    const catCounts = {};
-    for (const sr of findings) {
-        for (const f of sr.findings) {
-            sevCounts[f.severity] = (sevCounts[f.severity] || 0) + 1;
-            catCounts[f.cat] = (catCounts[f.cat] || 0) + 1;
-        }
-    }
-    const total = Object.values(sevCounts).reduce((a, b) => a + b, 0);
-
-    // ── Severity distribution bars ──
-    const sevColors = { CRITICAL: '#ef4444', HIGH: '#f97316', MEDIUM: '#eab308', LOW: '#22c55e' };
-    const sevBars = ['CRITICAL', 'HIGH', 'MEDIUM', 'LOW'].map(s => {
-        const c = sevCounts[s], pct = total > 0 ? ((c / total) * 100).toFixed(1) : 0;
-        return `<div class="bar-row"><span class="bar-label" style="color:${sevColors[s]}">${s}</span><div class="bar-track"><div class="bar-fill" style="width:${pct}%;background:${sevColors[s]}"></div></div><span class="bar-ct">${c}</span></div>`;
-    }).join('\n');
-
-    // ── Top 8 categories ──
-    const topCats = Object.entries(catCounts).sort((a, b) => b[1] - a[1]).slice(0, 8);
-    const catBars = topCats.map(([cat, c]) => {
-        const pct = total > 0 ? ((c / total) * 100).toFixed(0) : 0;
-        return `<div class="bar-row"><span class="bar-label cat-lbl">${cat}</span><div class="bar-track"><div class="bar-fill cat-fill" style="width:${pct}%"></div></div><span class="bar-ct">${c}</span></div>`;
-    }).join('\n');
-
-    // ── Skill cards ──
-    let cards = '';
-    for (const sr of findings) {
-        const vc = sr.verdict === 'MALICIOUS' ? 'mal' : sr.verdict === 'SUSPICIOUS' ? 'sus' : sr.verdict === 'LOW RISK' ? 'low' : 'ok';
-        const icon = sr.verdict === 'MALICIOUS' ? '💀' : sr.verdict === 'SUSPICIOUS' ? '⚡' : sr.verdict === 'LOW RISK' ? '⚠️' : '✅';
-        const rows = sr.findings.map(f => {
-            const sc = f.severity.toLowerCase();
-            return `<tr class="f-row"><td><span class="pill ${sc}">${f.severity}</span></td><td class="mono dim">${f.cat}</td><td>${f.desc}</td><td class="mono muted">${f.file}${f.line ? ':' + f.line : ''}</td></tr>`;
-        }).join('\n');
-
-        cards += `
-<details class="card card-${vc}" ${(vc === 'mal' || vc === 'sus') ? 'open' : ''}>
-  <summary class="card-head">
-    <div class="card-info"><span class="card-icon">${icon}</span><span class="card-name">${sr.skill}</span><span class="v-pill v-${vc}">${sr.verdict}</span></div>
-    ${riskGauge(sr.risk)}
-  </summary>
-  <div class="card-body">
-    <table class="ftable"><thead><tr><th>Severity</th><th>Category</th><th>Description</th><th>Location</th></tr></thead><tbody>${rows}</tbody></table>
-  </div>
-</details>`;
-    }
-
-    // ── Full HTML ──
-    return `<!DOCTYPE html>
-<html lang="en"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1">
-<title>guard-scanner v${version} — Security Report</title>
-<link rel="preconnect" href="https://fonts.googleapis.com">
-<link href="https://fonts.googleapis.com/css2?family=Inter:wght@300;400;500;600;700;800&family=JetBrains+Mono:wght@400;500&display=swap" rel="stylesheet">
-<style>
-/* ===== Tokens ===== */
-:root{
-  --bg:#06070d;--sf:rgba(15,18,35,.7);--cd:rgba(20,24,50,.55);--ch:rgba(28,33,65,.65);
-  --bdr:rgba(100,120,255,.08);--glow:rgba(100,140,255,.15);
-  --t1:#e8eaf6;--t2:#8b92b3;--t3:#5a6180;
-  --blue:#6c8cff;--purple:#a78bfa;--cyan:#22d3ee;--green:#22c55e;--yellow:#eab308;--orange:#f97316;--red:#ef4444;
-  --sans:'Inter',system-ui,-apple-system,sans-serif;--mono:'JetBrains Mono','SF Mono',monospace;
-  --r:12px;
-}
-*,*::before,*::after{box-sizing:border-box;margin:0;padding:0}
-html{scroll-behavior:smooth}
-body{font-family:var(--sans);background:var(--bg);color:var(--t1);min-height:100vh;overflow-x:hidden;line-height:1.6}
-
-/* ===== Ambient BG ===== */
-body::before{content:'';position:fixed;inset:0;z-index:-1;
-  background:radial-gradient(ellipse 80% 60% at 20% 10%,rgba(108,140,255,.08) 0%,transparent 50%),
-  radial-gradient(ellipse 60% 50% at 80% 90%,rgba(167,139,250,.06) 0%,transparent 50%),
-  radial-gradient(ellipse 50% 40% at 50% 50%,rgba(34,211,238,.04) 0%,transparent 50%);
-  animation:pulse 12s ease-in-out infinite alternate}
-@keyframes pulse{0%{opacity:.6;transform:scale(1)}100%{opacity:1;transform:scale(1.05)}}
-
-.wrap{max-width:1200px;margin:0 auto;padding:32px 24px}
-
-/* ===== Header ===== */
-.hdr{text-align:center;margin-bottom:36px;animation:fadeD .6s ease-out}
-.hdr h1{font-size:2.2em;font-weight:800;letter-spacing:-.03em;
-  background:linear-gradient(135deg,var(--blue),var(--purple),var(--cyan));
-  -webkit-background-clip:text;-webkit-text-fill-color:transparent;background-clip:text}
-.hdr .sub{color:var(--t2);font-size:.95em;margin-top:4px}
-.hdr .ts{color:var(--t3);font-family:var(--mono);font-size:.78em;margin-top:2px}
-
-/* ===== Stat Grid ===== */
-.sg{display:grid;grid-template-columns:repeat(auto-fit,minmax(155px,1fr));gap:14px;margin-bottom:28px;animation:fadeU .7s ease-out}
-.sc{background:var(--cd);backdrop-filter:blur(20px) saturate(1.5);-webkit-backdrop-filter:blur(20px) saturate(1.5);
-  border:1px solid var(--bdr);border-radius:var(--r);padding:18px;text-align:center;
-  transition:all .3s cubic-bezier(.4,0,.2,1);position:relative;overflow:hidden}
-.sc::before{content:'';position:absolute;top:0;left:0;right:0;height:2px;
-  background:linear-gradient(90deg,transparent,var(--ac,var(--blue)),transparent);opacity:0;transition:opacity .3s}
-.sc:hover{transform:translateY(-3px);border-color:var(--glow)}.sc:hover::before{opacity:1}
-.sn{font-size:2.2em;font-weight:800;letter-spacing:-.04em;line-height:1.1}
-.sl{color:var(--t2);font-size:.78em;font-weight:500;margin-top:3px;text-transform:uppercase;letter-spacing:.06em}
-.sc.g{--ac:var(--green)}.sc.g .sn{color:var(--green)}
-.sc.l{--ac:#86efac}.sc.l .sn{color:#86efac}
-.sc.s{--ac:var(--yellow)}.sc.s .sn{color:var(--yellow)}
-.sc.m{--ac:var(--red)}.sc.m .sn{color:var(--red)}
-.sc.r{--ac:var(--cyan)}.sc.r .sn{color:var(--cyan)}
-
-/* ===== Analysis Panels ===== */
-.ag{display:grid;grid-template-columns:1fr 1fr;gap:18px;margin-bottom:28px;animation:fadeU .8s ease-out}
-@media(max-width:768px){.ag{grid-template-columns:1fr}}
-.pn{background:var(--cd);backdrop-filter:blur(20px) saturate(1.5);-webkit-backdrop-filter:blur(20px) saturate(1.5);
-  border:1px solid var(--bdr);border-radius:var(--r);padding:22px}
-.pn h2{font-size:.88em;font-weight:600;color:var(--t2);text-transform:uppercase;letter-spacing:.08em;margin-bottom:14px}
-
-/* Bars */
-.bar-row{display:flex;align-items:center;gap:8px;margin-bottom:8px}
-.bar-label{font-family:var(--mono);font-size:.72em;font-weight:600;width:68px;text-align:right}
-.cat-lbl{font-family:var(--sans);font-weight:500;color:var(--t2);width:110px;overflow:hidden;text-overflow:ellipsis;white-space:nowrap}
-.bar-track{flex:1;height:5px;background:rgba(255,255,255,.04);border-radius:3px;overflow:hidden}
-.bar-fill{height:100%;border-radius:3px;transition:width 1.2s cubic-bezier(.4,0,.2,1)}
-.cat-fill{background:linear-gradient(90deg,var(--blue),var(--purple))}
-.bar-ct{font-family:var(--mono);font-size:.76em;color:var(--t3);width:28px}
-
-/* ===== Skill Cards ===== */
-.sec-title{font-size:1.05em;font-weight:700;margin-bottom:14px}
-.card{background:var(--cd);backdrop-filter:blur(16px) saturate(1.4);-webkit-backdrop-filter:blur(16px) saturate(1.4);
-  border:1px solid var(--bdr);border-radius:var(--r);margin-bottom:10px;overflow:hidden;
-  transition:all .3s ease;animation:fadeU .5s ease-out both}
-.card:hover{border-color:var(--glow)}
-.card-mal{border-left:3px solid var(--red)}
-.card-sus{border-left:3px solid var(--yellow)}
-.card-low{border-left:3px solid #86efac}
-.card-ok{border-left:3px solid var(--green)}
-
-.card-head{display:flex;align-items:center;justify-content:space-between;padding:14px 18px;cursor:pointer;list-style:none}
-.card-head::-webkit-details-marker{display:none}
-.card-info{display:flex;align-items:center;gap:8px;flex:1;min-width:0}
-.card-icon{font-size:1.15em}
-.card-name{font-weight:600;font-size:.92em;overflow:hidden;text-overflow:ellipsis;white-space:nowrap}
-.v-pill{font-family:var(--mono);font-size:.66em;font-weight:600;padding:2px 7px;border-radius:4px;letter-spacing:.04em}
-.v-mal{background:rgba(239,68,68,.15);color:var(--red)}
-.v-sus{background:rgba(234,179,8,.15);color:var(--yellow)}
-.v-low{background:rgba(134,239,172,.15);color:#86efac}
-.v-ok{background:rgba(34,197,94,.15);color:var(--green)}
-
-/* Risk Gauge */
-.risk-gauge{width:44px;height:44px;border-radius:50%;flex-shrink:0;display:flex;align-items:center;justify-content:center;position:relative;
-  background:conic-gradient(var(--risk-color) 0deg,var(--risk-color) var(--risk-angle),rgba(255,255,255,.05) var(--risk-angle),rgba(255,255,255,.05) 360deg)}
-.risk-gauge::after{content:'';position:absolute;inset:5px;border-radius:50%;background:var(--bg)}
-.risk-val{position:relative;z-index:1;font-family:var(--mono);font-size:.68em;font-weight:700}
-
-/* Findings Table */
-.card-body{padding:0 18px 14px}
-.ftable{width:100%;border-collapse:collapse;font-size:.82em}
-.ftable th{text-align:left;font-size:.72em;font-weight:600;color:var(--t3);text-transform:uppercase;letter-spacing:.06em;padding:7px 9px;border-bottom:1px solid rgba(255,255,255,.04)}
-.ftable td{padding:7px 9px;border-bottom:1px solid rgba(255,255,255,.025)}
-.f-row{transition:background .2s}.f-row:hover{background:rgba(255,255,255,.02)}
-.pill{font-family:var(--mono);font-size:.7em;font-weight:600;padding:2px 5px;border-radius:3px;letter-spacing:.03em}
-.critical{background:rgba(239,68,68,.15);color:var(--red)}
-.high{background:rgba(249,115,22,.15);color:var(--orange)}
-.medium{background:rgba(234,179,8,.15);color:var(--yellow)}
-.low{background:rgba(34,197,94,.15);color:var(--green)}
-.mono{font-family:var(--mono);font-size:.9em}
-.dim{color:var(--t2)}.muted{color:var(--t3);white-space:nowrap}
-
-/* Empty */
-.empty{text-align:center;padding:48px 20px;background:var(--cd);backdrop-filter:blur(20px);border:1px solid var(--bdr);border-radius:var(--r)}
-.empty .ei{font-size:2.8em;margin-bottom:10px}
-.empty p{color:var(--green);font-size:1.05em;font-weight:600}
-.empty .es{color:var(--t3);font-size:.82em;margin-top:3px}
-
-/* Footer */
-.ft{text-align:center;margin-top:40px;padding-top:20px;border-top:1px solid rgba(255,255,255,.04);color:var(--t3);font-size:.78em}
-.ft a{color:var(--blue);text-decoration:none}.ft a:hover{text-decoration:underline}
-
-/* Animations */
-@keyframes fadeD{from{opacity:0;transform:translateY(-18px)}to{opacity:1;transform:translateY(0)}}
-@keyframes fadeU{from{opacity:0;transform:translateY(14px)}to{opacity:1;transform:translateY(0)}}
-
-/* Responsive */
-@media(max-width:640px){
-  .sg{grid-template-columns:repeat(2,1fr)}.sn{font-size:1.7em}.hdr h1{font-size:1.5em}
-  .ftable{font-size:.74em}
-}
-
-/* Print */
-@media print{
-  body{background:#fff;color:#111}body::before{display:none}
-  .sc,.pn,.card{background:#f8f8f8;backdrop-filter:none;border-color:#ddd}
-  .sn{color:#111!important}.card{break-inside:avoid}
-}
-</style></head><body>
-<div class="wrap">
-<div class="hdr">
-  <h1>🛡️ guard-scanner v${version}</h1>
-  <div class="sub">Security Scan Report</div>
-  <div class="ts">${new Date().toISOString()}</div>
-</div>
-
-<div class="sg">
-  <div class="sc"><div class="sn">${stats.scanned}</div><div class="sl">Scanned</div></div>
-  <div class="sc g"><div class="sn">${stats.clean}</div><div class="sl">Clean</div></div>
-  <div class="sc l"><div class="sn">${stats.low}</div><div class="sl">Low Risk</div></div>
-  <div class="sc s"><div class="sn">${stats.suspicious}</div><div class="sl">Suspicious</div></div>
-  <div class="sc m"><div class="sn">${stats.malicious}</div><div class="sl">Malicious</div></div>
-  <div class="sc r"><div class="sn">${safetyRate}%</div><div class="sl">Safety Rate</div></div>
-</div>
-
-${total > 0 ? `<div class="ag">
-  <div class="pn"><h2>Severity Distribution</h2>${sevBars}</div>
-  <div class="pn"><h2>Top Categories</h2>${catBars}</div>
-</div>` : ''}
-
-<div>
-  <div class="sec-title">Skill Analysis</div>
-  ${cards || `<div class="empty"><div class="ei">✅</div><p>All Clear — No Threats Detected</p><div class="es">${stats.scanned} skill(s) scanned, 0 findings</div></div>`}
-</div>
-
-<div class="ft">
-  guard-scanner v${version} &mdash; Zero dependencies. Zero compromises. 🛡️<br>
-  Built by <a href="https://github.com/koatora20">Guava 🍈 &amp; Dee</a>
-</div>
-</div>
-</body></html>`;
-}
-
-module.exports = { generateHTML };

package/src/ioc-db.js

@@ -1,54 +0,0 @@
-/**
- * guard-scanner — Indicators of Compromise (IoC) Database
- *
- * @security-manifest
- *   env-read: []
- *   env-write: []
- *   network: none
- *   fs-read: []
- *   fs-write: []
- *   exec: none
- *   purpose: IoC data definitions only — no I/O, pure data export
- *
- * Known malicious IPs, domains, URLs, usernames, filenames, and typosquats.
- * Sources: ClawHavoc campaign, Snyk ToxicSkills, Polymarket scams, community reports.
- *
- * Last updated: 2026-02-12
- */
-
-const KNOWN_MALICIOUS = {
-    ips: [
-        '91.92.242.30',           // ClawHavoc C2
-    ],
-    domains: [
-        'webhook.site',            // Common exfil endpoint
-        'requestbin.com',          // Common exfil endpoint
-        'hookbin.com',             // Common exfil endpoint
-        'pipedream.net',           // Common exfil endpoint
-        'ngrok.io',                // Tunnel (context-dependent)
-        'download.setup-service.com', // ClawHavoc decoy domain
-        'socifiapp.com',           // ClawHavoc v2 AMOS C2
-    ],
-    urls: [
-        'glot.io/snippets/hfd3x9ueu5',  // ClawHavoc macOS payload
-        'github.com/Ddoy233',            // ClawHavoc payload host
-    ],
-    usernames: ['zaycv', 'Ddoy233', 'Sakaen736jih'],   // Known malicious actors
-    filenames: ['openclaw-agent.zip', 'openclawcli.zip'],
-    typosquats: [
-        // ClawHavoc campaign
-        'clawhub', 'clawhub1', 'clawhubb', 'clawhubcli', 'clawwhub', 'cllawhub', 'clawdhub1',
-        // Polymarket scams
-        'polymarket-trader', 'polymarket-pro', 'polytrading',
-        'better-polymarket', 'polymarket-all-in-one',
-        // YouTube scams
-        'youtube-summarize', 'youtube-thumbnail-grabber', 'youtube-video-downloader',
-        // Misc
-        'auto-updater-agent', 'yahoo-finance-pro', 'x-trends-tracker',
-        'lost-bitcoin-finder', 'solana-wallet-tracker', 'rankaj',
-        // Snyk ToxicSkills confirmed malicious
-        'moltyverse-email', 'buy-anything', 'youtube-data', 'prediction-markets-roarin',
-    ],
-};
-
-module.exports = { KNOWN_MALICIOUS };