@hungpg/skill-audit 0.1.1 → 0.3.0

package/dist/patterns.js

@@ -0,0 +1,67 @@
+import { readFileSync, existsSync } from "fs";
+import { join, dirname } from "path";
+import { fileURLToPath } from "url";
+const PACKAGE_ROOT = join(dirname(fileURLToPath(import.meta.url)), "..");
+const RULES_DIR = join(PACKAGE_ROOT, "rules");
+const DEFAULT_PATTERNS_FILE = join(RULES_DIR, "default-patterns.json");
+/**
+ * Load patterns from JSON file
+ */
+export function loadPatterns(patternsFile = DEFAULT_PATTERNS_FILE) {
+    if (!existsSync(patternsFile)) {
+        throw new Error(`Patterns file not found: ${patternsFile}`);
+    }
+    const content = readFileSync(patternsFile, "utf-8");
+    return JSON.parse(content);
+}
+/**
+ * Compile patterns to RegExp objects
+ */
+export function compilePatterns(patterns) {
+    const compiled = new Map();
+    for (const [categoryKey, category] of Object.entries(patterns.categories)) {
+        const categoryPatterns = [];
+        for (const rule of category.patterns) {
+            try {
+                const regex = new RegExp(rule.pattern, rule.flags || "i");
+                categoryPatterns.push({
+                    regex,
+                    id: rule.id,
+                    severity: rule.severity,
+                    message: rule.message,
+                    category: categoryKey
+                });
+            }
+            catch (error) {
+                console.error(`Failed to compile pattern ${rule.id}:`, error);
+            }
+        }
+        compiled.set(categoryKey, categoryPatterns);
+    }
+    return compiled;
+}
+/**
+ * Load and compile patterns in one step
+ */
+export function loadAndCompile(patternsFile) {
+    const patterns = loadPatterns(patternsFile);
+    return compilePatterns(patterns);
+}
+/**
+ * Get pattern metadata (version, update date)
+ */
+export function getPatternMetadata(patternsFile = DEFAULT_PATTERNS_FILE) {
+    try {
+        const patterns = loadPatterns(patternsFile);
+        return { version: patterns.version, updated: patterns.updated };
+    }
+    catch {
+        return { version: "unknown", updated: "unknown" };
+    }
+}
+/**
+ * Check if patterns file exists
+ */
+export function hasPatternsFile(patternsFile = DEFAULT_PATTERNS_FILE) {
+    return existsSync(patternsFile);
+}

package/dist/security.js

@@ -1,6 +1,7 @@
 import { readFileSync } from "fs";
 import { basename, extname } from "path";
 import { resolveSkillPath, getSkillFiles } from "./discover.js";
+import { loadAndCompile, hasPatternsFile, getPatternMetadata } from "./patterns.js";
 /**
  * Phase 1 - Layer 2: Security Auditor
  *
@@ -13,7 +14,37 @@ import { resolveSkillPath, getSkillFiles } from "./discover.js";
  * - ASI04: Secrets / Supply Chain
  * - ASI05: Code Execution
  * - ASI09: Behavioral Manipulation
+ *
+ * Pattern sources:
+ * 1. External patterns file (rules/default-patterns.json) - preferred
+ * 2. Hardcoded fallback patterns - used if external file missing
+ */
+// ============================================================
+// Pattern Loading
+// ============================================================
+let compiledPatterns = null;
+let patternMetadata = { version: "unknown", updated: "unknown" };
+/**
+ * Initialize patterns (load from file or use hardcoded fallback)
  */
+function initPatterns() {
+    if (compiledPatterns) {
+        return compiledPatterns;
+    }
+    try {
+        if (hasPatternsFile()) {
+            compiledPatterns = loadAndCompile();
+            patternMetadata = getPatternMetadata();
+            return compiledPatterns;
+        }
+    }
+    catch (error) {
+        console.warn("Failed to load external patterns, using hardcoded fallback:", error);
+    }
+    // Fallback to hardcoded patterns (original implementation)
+    compiledPatterns = new Map();
+    return compiledPatterns;
+}
 // ============================================================
 // PROMPT INJECTION PATTERNS (ASI01 - Goal Hijacking)
 // ============================================================
@@ -164,13 +195,19 @@ function getASIXXFromId(id) {
 function scanContent(content, file, patterns) {
     const findings = [];
     const lines = content.split("\n");
-    for (const { pattern, id, severity = "medium", message } of patterns) {
+    for (const patternDef of patterns) {
+        const regex = 'regex' in patternDef ? patternDef.regex : patternDef.pattern;
+        const id = patternDef.id;
+        const severity = 'severity' in patternDef ? patternDef.severity : patternDef.severity || "medium";
+        const message = patternDef.message;
+        const category = 'category' in patternDef ? patternDef.category : getCategoryFromId(id);
+        const asixx = 'category' in patternDef ? mapCategoryToASIXX(category) : getASIXXFromId(id);
         for (let i = 0; i < lines.length; i++) {
-            if (pattern.test(lines[i])) {
+            if (regex.test(lines[i])) {
                 findings.push({
                     id,
-                    category: getCategoryFromId(id),
-                    asixx: getASIXXFromId(id),
+                    category: category,
+                    asixx,
                     severity: severity,
                     file,
                     line: i + 1,
@@ -182,6 +219,18 @@ function scanContent(content, file, patterns) {
     }
     return findings;
 }
+function mapCategoryToASIXX(category) {
+    const map = {
+        "promptInjection": "ASI01",
+        "credentialLeaks": "ASI04",
+        "shellInjection": "ASI05",
+        "exfiltration": "ASI02",
+        "secrets": "ASI04",
+        "toolMisuse": "ASI02",
+        "behavioral": "ASI09"
+    };
+    return map[category] || "ASI04";
+}
 function scanCodeBlocksInMarkdown(content, file) {
     const findings = [];
     const codeBlockRegex = /```(\w+)?\n([\s\S]*?)```/g;
@@ -283,6 +332,9 @@ export function auditSecurity(skill, manifest) {
             unreadableFiles: []
         };
     }
+    // Initialize patterns (load from file or use hardcoded fallback)
+    const patterns = initPatterns();
+    const hasExternalPatterns = patterns.size > 0;
     const files = getSkillFiles(resolvedPath);
     const findings = [];
     const unreadableFiles = [];
@@ -290,20 +342,49 @@ export function auditSecurity(skill, manifest) {
         const filename = basename(file);
         try {
             const content = readFileSync(file, "utf-8");
-            if (filename === "SKILL.md" || filename === "AGENTS.md") {
-                findings.push(...scanContent(content, file, PROMPT_INJECTION_PATTERNS));
-                findings.push(...scanContent(content, file, CREDENTIAL_PATTERNS_MD));
-                findings.push(...scanContent(content, file, EXFILTRATION_PATTERNS));
-                findings.push(...scanContent(content, file, BEHAVIORAL_PATTERNS));
-                findings.push(...scanContent(content, file, DANGEROUS_PATTERNS));
+            if (filename === "SKILL.md" || filename === "SKILL.md") {
+                // Use external patterns if available, otherwise use hardcoded
+                if (hasExternalPatterns) {
+                    const piPatterns = patterns.get("promptInjection") || [];
+                    const clPatterns = patterns.get("credentialLeaks") || [];
+                    const exPatterns = patterns.get("exfiltration") || [];
+                    const bmPatterns = patterns.get("behavioral") || [];
+                    const cePatterns = patterns.get("shellInjection") || [];
+                    findings.push(...scanContent(content, file, piPatterns));
+                    findings.push(...scanContent(content, file, clPatterns));
+                    findings.push(...scanContent(content, file, exPatterns));
+                    findings.push(...scanContent(content, file, bmPatterns));
+                    findings.push(...scanContent(content, file, cePatterns));
+                }
+                else {
+                    findings.push(...scanContent(content, file, PROMPT_INJECTION_PATTERNS));
+                    findings.push(...scanContent(content, file, CREDENTIAL_PATTERNS_MD));
+                    findings.push(...scanContent(content, file, EXFILTRATION_PATTERNS));
+                    findings.push(...scanContent(content, file, BEHAVIORAL_PATTERNS));
+                    findings.push(...scanContent(content, file, DANGEROUS_PATTERNS));
+                }
                 findings.push(...scanCodeBlocksInMarkdown(content, file));
             }
             else if (isCodeFile(file)) {
-                findings.push(...scanContent(content, file, CREDENTIAL_PATTERNS_CODE));
-                findings.push(...scanContent(content, file, EXFILTRATION_PATTERNS));
-                findings.push(...scanContent(content, file, DANGEROUS_PATTERNS));
-                findings.push(...scanContent(content, file, SECRET_PATTERNS));
-                findings.push(...scanContent(content, file, TOOL_MISUSE_PATTERNS));
+                if (hasExternalPatterns) {
+                    const clPatterns = patterns.get("credentialLeaks") || [];
+                    const exPatterns = patterns.get("exfiltration") || [];
+                    const cePatterns = patterns.get("shellInjection") || [];
+                    const scPatterns = patterns.get("secrets") || [];
+                    const tmPatterns = patterns.get("toolMisuse") || [];
+                    findings.push(...scanContent(content, file, clPatterns));
+                    findings.push(...scanContent(content, file, exPatterns));
+                    findings.push(...scanContent(content, file, cePatterns));
+                    findings.push(...scanContent(content, file, scPatterns));
+                    findings.push(...scanContent(content, file, tmPatterns));
+                }
+                else {
+                    findings.push(...scanContent(content, file, CREDENTIAL_PATTERNS_CODE));
+                    findings.push(...scanContent(content, file, EXFILTRATION_PATTERNS));
+                    findings.push(...scanContent(content, file, DANGEROUS_PATTERNS));
+                    findings.push(...scanContent(content, file, SECRET_PATTERNS));
+                    findings.push(...scanContent(content, file, TOOL_MISUSE_PATTERNS));
+                }
             }
         }
         catch (e) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hungpg/skill-audit",
-  "version": "0.1.1",
+  "version": "0.3.0",
   "description": "Security auditing CLI for AI agent skills",
   "type": "module",
   "bin": {
@@ -10,7 +10,7 @@
     "build": "tsc",
     "start": "node dist/index.js",
     "dev": "tsx src/index.ts",
-    "postinstall": "node dist/index.js --update-db --quiet 2>/dev/null || echo \"⚠️  Vulnerability DB update skipped (run 'npm run security:update' later)\"",
+    "postinstall": "node scripts/postinstall.cjs",
     "security:update": "node dist/index.js --update-db"
   },
   "engines": {
@@ -18,6 +18,8 @@
   },
   "files": [
     "dist",
+    "scripts",
+    "rules",
     "README.md",
     "SKILL.md"
   ],

package/rules/default-patterns.json

@@ -0,0 +1,99 @@
+{
+  "version": "0.1.0",
+  "updated": "2024-03-18",
+  "description": "Default security patterns for skill-audit",
+  "categories": {
+    "promptInjection": {
+      "name": "Prompt Injection (ASI01)",
+      "description": "Detects attempts to override system instructions or inject malicious prompts",
+      "patterns": [
+        { "pattern": "ignore\\s+(all\\s+)?previous\\s+(instructions?|rules?)", "id": "PI-001", "severity": "critical", "message": "Instruction override - ignore previous instructions" },
+        { "pattern": "you\\s+(are\\s+)?now\\s+(a|an|i am)\\s+\\w+", "id": "PI-002", "severity": "critical", "message": "Roleplay bypass - role impersonation" },
+        { "pattern": "forget\\s+(everything|all|your)", "id": "PI-003", "severity": "critical", "message": "Context forgetting attempt" },
+        { "pattern": "system\\s+prompt\\s+override", "id": "PI-004", "severity": "critical", "message": "System prompt override attempt" },
+        { "pattern": "act\\s+as\\s+if\\s+(you\\s+)?(have|no)\\s+(restrictions|limits)", "id": "PI-005", "severity": "critical", "message": "Restriction removal attempt" },
+        { "pattern": "\\[SYSTEM\\]|\\[ADMIN\\]|\\[ROOT\\]", "id": "PI-006", "severity": "critical", "message": "Fake role tags injection" },
+        { "pattern": "end\\s+of\\s+system\\s+prompt|---END---", "id": "PI-007", "severity": "high", "message": "Prompt termination marker" },
+        { "pattern": "debug\\s+mode\\s*:\\s*enabled|safety\\s+mode\\s*:\\s*off", "id": "PI-008", "severity": "high", "message": "Safety toggle disable" },
+        { "pattern": "<!--[\\s\\S]*?-->", "id": "PI-009", "severity": "high", "message": "Hidden instructions in HTML comments" },
+        { "pattern": "note\\s+to\\s+AI:|AI\\s+instruction:", "id": "PI-010", "severity": "high", "message": "AI directive injection" },
+        { "pattern": "(?:you\\s+must|you\\s+should)\\s+(not|never)", "id": "PI-011", "severity": "medium", "message": "Command to override restrictions" },
+        { "pattern": "bypass\\s+(restriction|rule|limit|safety)", "id": "PI-012", "severity": "medium", "message": "Bypass attempt" },
+        { "pattern": "disregard\\s+(all|your|the)\\s+(previous|system)", "id": "PI-013", "severity": "medium", "message": "Disregard instruction pattern" },
+        { "pattern": "i.*am\\s+the\\s+developer.*trust\\s+me", "id": "PI-014", "severity": "medium", "message": "Social engineering - developer trust exploitation" }
+      ]
+    },
+    "credentialLeaks": {
+      "name": "Credential Leaks (ASI04)",
+      "description": "Detects hardcoded secrets, API keys, and credential paths",
+      "patterns": [
+        { "pattern": "~/\\.ssh|/\\.ssh/", "id": "CL-001", "severity": "critical", "message": "SSH credential path reference" },
+        { "pattern": "~/\\.aws|/\\.aws/", "id": "CL-002", "severity": "critical", "message": "AWS credential path reference" },
+        { "pattern": "~/\\.env|mkdir.*\\.env", "id": "CL-003", "severity": "critical", "message": ".env file reference (potential secret exposure)" },
+        { "pattern": "curl\\s+(?!.*(-fsSL|-f\\s|-L)).*\\|\\s*(sh|bash|perl|python)", "id": "CL-004", "severity": "critical", "message": "Pipe to shell - code execution risk" },
+        { "pattern": "wget\\s+(?!.*(-q|-O)).*\\|\\s*(sh|bash)", "id": "CL-005", "severity": "critical", "message": "Pipe to shell - code execution risk" }
+      ]
+    },
+    "shellInjection": {
+      "name": "Shell Injection (ASI05)",
+      "description": "Detects dangerous shell commands and reverse shells",
+      "patterns": [
+        { "pattern": "nc\\s+-[elv]\\s+|netcat\\s+-[elv]", "id": "CE-001", "severity": "critical", "message": "Netcat reverse shell pattern" },
+        { "pattern": "bash\\s+-i\\s+.*\\&\\s*/dev/tcp/", "id": "CE-002", "severity": "critical", "message": "Bash reverse shell pattern" },
+        { "pattern": "rm\\s+-rf\\s+/\\s*$", "id": "CE-003", "severity": "critical", "message": "Destructive rm -rf / command (root)" },
+        { "pattern": "rm\\s+-rf\\s+\\$HOME|rm\\s+-rf\\s+~\\s*$|rm\\s+-rf\\s+/home\\s*$|rm\\s+-rf\\s+/tmp\\s*$", "id": "CE-004", "severity": "high", "message": "Recursive delete in user directory" },
+        { "pattern": "exec\\s+\\$\\(", "id": "CE-005", "severity": "high", "message": "Dynamic command execution" },
+        { "pattern": "eval\\s+\\$", "id": "CE-006", "severity": "high", "message": "Eval with variable interpolation" },
+        { "pattern": "subprocess.*shell\\s*=\\s*true", "id": "CE-007", "severity": "medium", "message": "Subprocess with shell=True" },
+        { "pattern": "os\\.system\\s*\\(", "id": "CE-008", "severity": "high", "message": "os.system() call - shell injection risk" },
+        { "pattern": "child_process.*exec\\s*\\(", "id": "CE-009", "severity": "medium", "message": "child_process.exec - verify input sanitization" },
+        { "pattern": "chmod\\s+[47]777", "id": "CE-010", "severity": "high", "message": "World-writable permissions" },
+        { "pattern": "process\\.fork\\s*\\(|child_process\\.spawn\\s*\\(|subprocess\\.spawn\\s*\\(", "id": "CE-011", "severity": "high", "message": "Process fork/spawn - potential crypto miner" }
+      ]
+    },
+    "exfiltration": {
+      "name": "Data Exfiltration (ASI02)",
+      "description": "Detects attempts to send data to external servers",
+      "patterns": [
+        { "pattern": "https?://[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+", "id": "EX-001", "severity": "critical", "message": "Raw IP address in URL - potential exfiltration" },
+        { "pattern": "fetch\\s*\\(\\s*[\"'`][^\"']+\\?(key|token|secret|password)", "id": "EX-002", "severity": "critical", "message": "API key in URL query string - exfiltration risk" },
+        { "pattern": "\\.send\\(.*(http|https|external)", "id": "EX-003", "severity": "critical", "message": "Data send to external server" },
+        { "pattern": "dns\\.resolve|dns\\.query|new\\s+DNS", "id": "EX-004", "severity": "critical", "message": "DNS resolution - potential DNS tunneling" },
+        { "pattern": "new\\s+WebSocket\\s*\\(\\s*[\"'`][^'\"`]+[\"'`]\\s*\\)", "id": "EX-005", "severity": "high", "message": "WebSocket connection - check target" },
+        { "pattern": "readFile.*send|fetch.*readFile|read_file.*fetch", "id": "EX-006", "severity": "critical", "message": "File read + send exfiltration chain" }
+      ]
+    },
+    "secrets": {
+      "name": "Hardcoded Secrets (ASI04)",
+      "description": "Detects API keys, tokens, and credentials in code",
+      "patterns": [
+        { "pattern": "sk-[a-zA-Z0-9]{20,}", "id": "SC-001", "severity": "critical", "message": "OpenAI API key pattern" },
+        { "pattern": "github_pat_[a-zA-Z0-9_]{20,}", "id": "SC-002", "severity": "critical", "message": "GitHub PAT pattern" },
+        { "pattern": "ghp_[a-zA-Z0-9]{36}", "id": "SC-003", "severity": "critical", "message": "GitHub OAuth token pattern" },
+        { "pattern": "xox[baprs]-[a-zA-Z0-9]{10,}", "id": "SC-004", "severity": "critical", "message": "Slack token pattern" },
+        { "pattern": "AKIA[0-9A-Z]{16}", "id": "SC-005", "severity": "critical", "message": "AWS access key pattern" }
+      ]
+    },
+    "toolMisuse": {
+      "name": "Tool Misuse (ASI02)",
+      "description": "Detects potential misuse of tools and environment",
+      "patterns": [
+        { "pattern": "upload.*(file|data).*(external|remote|server)", "id": "TM-001", "severity": "high", "message": "Potential data exfiltration pattern" },
+        { "pattern": "export\\s+(API|TOKEN|KEY|SECRET|PASSWORD|CREDENTIAL)", "id": "TM-002", "severity": "high", "message": "Exporting sensitive environment variable" },
+        { "pattern": "setenv.*(PASSWORD|TOKEN|KEY|SECRET|CREDS)", "id": "TM-003", "severity": "high", "message": "Setting sensitive environment variable" },
+        { "pattern": "process\\.env\\[.*(KEY|SECRET|TOKEN|PASSWORD)", "id": "TM-004", "severity": "medium", "message": "Accessing sensitive env vars" }
+      ]
+    },
+    "behavioral": {
+      "name": "Behavioral Manipulation (ASI09)",
+      "description": "Detects attempts to manipulate AI behavior",
+      "patterns": [
+        { "pattern": "^(always|never)\\s+(say|do|follow|use|assume|accept|must|should)", "id": "BM-001", "severity": "medium", "message": "Absolute command pattern - may override safety", "flags": "im" },
+        { "pattern": "^(never|always)\\s+(question|verify|check|ask)", "id": "BM-002", "severity": "medium", "message": "Verification suppression", "flags": "im" },
+        { "pattern": "^trust\\s+(me|this| blindly)", "id": "BM-003", "severity": "medium", "message": "Blind trust request", "flags": "im" },
+        { "pattern": "^don.*t\\s+(need|require).*(permission|approval|confirm)", "id": "BM-004", "severity": "medium", "message": "Permission bypass encouragement", "flags": "im" },
+        { "pattern": "^keep.*(this|secret|hidden).*(from|between)", "id": "BM-005", "severity": "medium", "message": "Secret keeping instruction", "flags": "im" }
+      ]
+    }
+  }
+}

package/scripts/postinstall.cjs

@@ -0,0 +1,190 @@
+#!/usr/bin/env node
+
+/**
+ * Postinstall script for skill-audit
+ * 
+ * Prompts user to install PreToolUse hook that audits skills
+ * before installation via `npx skills add`.
+ */
+
+const fs = require("fs");
+const path = require("path");
+const { execSync } = require("child_process");
+const os = require("os");
+
+// Paths
+const SKIP_HOOK_FILE = path.join(os.homedir(), ".skill-audit-skip-hook");
+const SETTINGS_PATH = path.join(os.homedir(), ".claude", "settings.json");
+
+// Check if running in CI
+function isCI() {
+  return (
+    process.env.CI === "true" ||
+    process.env.CONTINUOUS_INTEGRATION === "true" ||
+    process.env.GITHUB_ACTIONS === "true" ||
+    process.env.GITLAB_CI === "true" ||
+    process.env.CIRCLECI === "true" ||
+    process.env.TRAVIS === "true" ||
+    process.env.JENKINS_URL !== undefined ||
+    process.env.BUILDKITE === "true" ||
+    process.env.npm_config_global === undefined && process.env.npm_package_name === undefined
+  );
+}
+
+// Check if skip file exists
+function shouldSkipPrompt() {
+  return fs.existsSync(SKIP_HOOK_FILE);
+}
+
+// Create skip file
+function createSkipFile() {
+  fs.writeFileSync(
+    SKIP_HOOK_FILE,
+    JSON.stringify(
+      {
+        createdAt: new Date().toISOString(),
+        reason: "User chose to skip hook installation prompt",
+      },
+      null,
+      2
+    )
+  );
+}
+
+// Check if hook is already installed
+function isHookInstalled() {
+  if (!fs.existsSync(SETTINGS_PATH)) {
+    return false;
+  }
+
+  try {
+    const settings = JSON.parse(fs.readFileSync(SETTINGS_PATH, "utf-8"));
+    if (!settings.hooks || !Array.isArray(settings.hooks.PreToolUse)) {
+      return false;
+    }
+
+    return settings.hooks.PreToolUse.some(
+      (hook) => hook.id === "skill-audit-pre-install"
+    );
+  } catch {
+    return false;
+  }
+}
+
+// Install hook using the CLI
+function installHook() {
+  try {
+    execSync("skill-audit --install-hook", { stdio: "inherit" });
+    return true;
+  } catch (error) {
+    console.error("Failed to install hook:", error.message);
+    return false;
+  }
+}
+
+// Prompt user for input
+function prompt(question) {
+  const readline = require("readline");
+  const rl = readline.createInterface({
+    input: process.stdin,
+    output: process.stdout,
+  });
+
+  return new Promise((resolve) => {
+    rl.question(question, (answer) => {
+      rl.close();
+      resolve(answer.trim().toLowerCase());
+    });
+  });
+}
+
+// Main function
+async function main() {
+  // Skip in CI environments
+  if (isCI()) {
+    console.log("Skipping hook installation prompt (CI environment)");
+    return;
+  }
+
+  // Skip if user previously chose to skip
+  if (shouldSkipPrompt()) {
+    return;
+  }
+
+  // Skip if hook is already installed
+  if (isHookInstalled()) {
+    console.log("✓ skill-audit hook is already installed");
+    return;
+  }
+
+  // Check if running in a terminal
+  if (!process.stdout.isTTY) {
+    console.log("\n📦 skill-audit installed!");
+    console.log("   Run 'skill-audit --install-hook' to set up automatic skill auditing.");
+    return;
+  }
+
+  // Display prompt
+  console.log("\n");
+  console.log("╔════════════════════════════════════════════════════════════╗");
+  console.log("║                 🛡️  skill-audit hook setup                 ║");
+  console.log("╠════════════════════════════════════════════════════════════╣");
+  console.log("║                                                            ║");
+  console.log("║  skill-audit can automatically audit skills before        ║");
+  console.log("║  installation to protect you from malicious packages.     ║");
+  console.log("║                                                            ║");
+  console.log("║  When you run 'npx skills add <package>', the hook will:  ║");
+  console.log("║    • Scan the skill for security vulnerabilities          ║");
+  console.log("║    • Check for prompt injection, secrets, code execution  ║");
+  console.log("║    • Block installation if risk score > 3.0               ║");
+  console.log("║                                                            ║");
+  console.log("╚════════════════════════════════════════════════════════════╝");
+  console.log("\n");
+
+  console.log("Options:");
+  console.log("  [Y] Yes, install the hook (recommended)");
+  console.log("  [N] No, skip for now");
+  console.log("  [S] Skip forever (don't ask again)");
+  console.log("");
+
+  const answer = await prompt("Your choice [Y/n/s]: ");
+
+  switch (answer) {
+    case "":
+    case "y":
+    case "yes":
+      console.log("\nInstalling hook...");
+      if (installHook()) {
+        console.log("\n✅ Hook installed successfully!");
+        console.log("   Skills will now be audited before installation.");
+        console.log("   Run 'skill-audit --uninstall-hook' to remove.\n");
+      } else {
+        console.log("\n❌ Failed to install hook.");
+        console.log("   You can try manually: skill-audit --install-hook\n");
+      }
+      break;
+
+    case "n":
+    case "no":
+      console.log("\nSkipping hook installation.");
+      console.log("   Run 'skill-audit --install-hook' anytime to set up.\n");
+      break;
+
+    case "s":
+    case "skip":
+      createSkipFile();
+      console.log("\nSkipping hook installation (won't ask again).");
+      console.log("   Delete ~/.skill-audit-skip-hook to re-enable prompt.\n");
+      break;
+
+    default:
+      console.log("\nInvalid choice. Skipping for now.");
+      console.log("   Run 'skill-audit --install-hook' anytime to set up.\n");
+  }
+}
+
+// Run main
+main().catch((error) => {
+  console.error("Postinstall error:", error.message);
+  process.exit(0); // Don't fail install
+});