@hungpg/skill-audit 0.2.0 → 0.3.0

package/README.md

@@ -12,10 +12,109 @@ Security auditing CLI for AI agent skills.
 
 ## Installation
 
+### Option 1: Install via npm (Recommended for CLI)
+
 ```bash
 npm install -g @hungpg/skill-audit
 ```
 
+This installs the CLI globally and triggers the postinstall hook prompt.
+
+### Option 2: Install via bun (Fast Alternative)
+
+```bash
+bun install -g @hungpg/skill-audit
+```
+
+Bun is significantly faster than npm for installation.
+
+### Option 3: Install as a Skill (For Claude Code)
+
+```bash
+# Install from GitHub repo (not npm package name)
+npx skills add harrypham2000/skill-audit -g -y
+```
+
+> ⚠️ **Important**: The skills CLI expects `owner/repo` format, not npm scoped packages.
+> - ✅ Correct: `harrypham2000/skill-audit`
+> - ❌ Incorrect: `@hungpg/skill-audit`
+
+### Option 4: Install for Qwen Code
+
+```bash
+# Clone to Qwen skills directory
+mkdir -p ~/.qwen/skills
+git clone https://github.com/harrypham2000/skill-audit.git ~/.qwen/skills/skill-audit
+cd ~/.qwen/skills/skill-audit/skill-audit
+npm install && npm run build
+
+# Or with bun (faster)
+bun install && bun run build
+```
+
+### Option 5: Install for Gemini CLI
+
+```bash
+# Clone to Gemini skills directory
+mkdir -p ~/.gemini/skills
+git clone https://github.com/harrypham2000/skill-audit.git ~/.gemini/skills/skill-audit
+cd ~/.gemini/skills/skill-audit/skill-audit
+npm install && npm run build
+
+# Or with bun (faster)
+bun install && bun run build
+```
+
+## Automatic Hook Setup
+
+During npm installation, you'll be prompted to set up a **PreToolUse hook** that automatically audits skills before installation:
+
+```
+╔════════════════════════════════════════════════════════════╗
+║                 🛡️  skill-audit hook setup                 ║
+╠════════════════════════════════════════════════════════════╣
+║                                                            ║
+║  skill-audit can automatically audit skills before        ║
+║  installation to protect you from malicious packages.     ║
+║                                                            ║
+║  When you run 'npx skills add <package>', the hook will:  ║
+║    • Scan the skill for security vulnerabilities          ║
+║    • Check for prompt injection, secrets, code execution  ║
+║    • Block installation if risk score > 3.0               ║
+║                                                            ║
+╚════════════════════════════════════════════════════════════╝
+
+Options:
+  [Y] Yes, install the hook (recommended)
+  [N] No, skip for now
+  [S] Skip forever (don't ask again)
+```
+
+### Manual Hook Management
+
+```bash
+# Install hook manually
+skill-audit --install-hook
+
+# Install with custom threshold
+skill-audit --install-hook --hook-threshold 5.0
+
+# Check hook status
+skill-audit --hook-status
+
+# Remove hook
+skill-audit --uninstall-hook
+```
+
+### How the Hook Works
+
+1. **Trigger**: When you run `npx skills add <package>`
+2. **Scan**: skill-audit analyzes the skill before installation
+3. **Decision**:
+   - Risk score ≤ 3.0 → Installation proceeds
+   - Risk score > 3.0 → Installation blocked
+4. **Report**: Detailed findings shown in terminal
+
 ## Usage
 
 ```bash
@@ -59,6 +158,11 @@ skill-audit --update-db
 | `-o, --output <file>` | Save to file | |
 | `--no-deps` | Skip dependency scan | |
 | `-v, --verbose` | Verbose output | |
+| `--install-hook` | Install PreToolUse hook | |
+| `--uninstall-hook` | Remove PreToolUse hook | |
+| `--hook-threshold <score>` | Hook risk threshold | 3.0 |
+| `--hook-status` | Show hook status | |
+| `--block` | Exit 1 if threshold exceeded | |
 
 ## Exit Codes
 

package/SKILL.md

@@ -4,8 +4,8 @@ description: This skill should be used when the user asks to "audit AI agent ski
 license: MIT
 compatibility: Node.js 18+ with npm or yarn
 metadata:
-  repo: https://github.com/vercel/skill-audit
-  version: 0.2.0
+  repo: https://github.com/harrypham2000/skill-audit
+  version: 0.3.0
 allowed-tools:
   - skill:exec
   - skill:read
@@ -14,7 +14,56 @@ allowed-tools:
 
 # skill-audit
 
-Security auditing CLI for AI agent skills in the Vercel ecosystem.
+Security auditing CLI for AI agent skills.
+
+## Installation for Agents
+
+### Claude Code
+
+```bash
+# Option 1: Install as skill from GitHub
+npx skills add harrypham2000/skill-audit -g -y
+
+# Option 2: Install CLI via npm
+npm install -g @hungpg/skill-audit
+
+# Option 3: Install CLI via bun (faster)
+bun install -g @hungpg/skill-audit
+```
+
+### Qwen Code
+
+```bash
+# Clone to Qwen skills directory
+mkdir -p ~/.qwen/skills
+git clone https://github.com/harrypham2000/skill-audit.git ~/.qwen/skills/skill-audit
+cd ~/.qwen/skills/skill-audit/skill-audit
+
+# Install with npm
+npm install && npm run build
+
+# Or with bun (faster)
+bun install && bun run build
+```
+
+### Gemini CLI
+
+```bash
+# Clone to Gemini skills directory
+mkdir -p ~/.gemini/skills
+git clone https://github.com/harrypham2000/skill-audit.git ~/.gemini/skills/skill-audit
+cd ~/.gemini/skills/skill-audit/skill-audit
+
+# Install with npm
+npm install && npm run build
+
+# Or with bun (faster)
+bun install && bun run build
+```
+
+> ⚠️ **Important for Skills CLI**: Use `owner/repo` format, not npm scoped names.
+> - ✅ Correct: `harrypham2000/skill-audit`
+> - ❌ Incorrect: `@hungpg/skill-audit`
 
 ## When to Use
 

package/dist/hooks.js

@@ -0,0 +1,278 @@
+/**
+ * Hook Configuration for Claude Code
+ *
+ * Provides PreToolUse hook that audits skills before installation.
+ * Hook is triggered when user runs `npx skills add <package>`.
+ */
+import { readFileSync, writeFileSync, existsSync, mkdirSync, copyFileSync } from "fs";
+import { join, dirname } from "path";
+import { homedir } from "os";
+// Default settings path for Claude Code
+const CLAUDE_SETTINGS_PATH = join(homedir(), ".claude", "settings.json");
+const CLAUDE_SETTINGS_BACKUP = join(homedir(), ".claude", "settings.json.backup");
+const SKIP_HOOK_FILE = join(homedir(), ".skill-audit-skip-hook");
+// Hook identifier for skill-audit
+const HOOK_ID = "skill-audit-pre-install";
+/**
+ * Get the default hook configuration
+ */
+export function getDefaultHookConfig() {
+    return {
+        threshold: 3.0,
+        blockOnFailure: true
+    };
+}
+/**
+ * Generate the PreToolUse hook configuration
+ */
+export function generateHookConfig(config = getDefaultHookConfig()) {
+    return {
+        hooks: {
+            PreToolUse: [
+                {
+                    id: HOOK_ID,
+                    matcher: {
+                        toolName: "run_shell_command",
+                        input: "npx skills add"
+                    },
+                    hooks: [
+                        {
+                            type: "command",
+                            command: `skill-audit --mode audit --threshold ${config.threshold}${config.blockOnFailure ? " --block" : ""}`
+                        }
+                    ]
+                }
+            ]
+        }
+    };
+}
+/**
+ * Check if the skip hook file exists
+ */
+export function shouldSkipHookPrompt() {
+    return existsSync(SKIP_HOOK_FILE);
+}
+/**
+ * Create the skip hook file
+ */
+export function createSkipHookFile() {
+    writeFileSync(SKIP_HOOK_FILE, JSON.stringify({
+        createdAt: new Date().toISOString(),
+        reason: "User chose to skip hook installation prompt"
+    }, null, 2));
+}
+/**
+ * Remove the skip hook file
+ */
+export function removeSkipHookFile() {
+    if (existsSync(SKIP_HOOK_FILE)) {
+        const fs = require("fs");
+        fs.unlinkSync(SKIP_HOOK_FILE);
+    }
+}
+/**
+ * Load existing settings.json
+ */
+function loadSettings() {
+    if (!existsSync(CLAUDE_SETTINGS_PATH)) {
+        return {};
+    }
+    try {
+        const content = readFileSync(CLAUDE_SETTINGS_PATH, "utf-8");
+        return JSON.parse(content);
+    }
+    catch (e) {
+        console.error("Failed to parse existing settings.json:", e);
+        return {};
+    }
+}
+/**
+ * Backup existing settings.json
+ */
+function backupSettings() {
+    if (!existsSync(CLAUDE_SETTINGS_PATH)) {
+        return true; // Nothing to backup
+    }
+    try {
+        // Ensure directory exists
+        const settingsDir = dirname(CLAUDE_SETTINGS_BACKUP);
+        if (!existsSync(settingsDir)) {
+            mkdirSync(settingsDir, { recursive: true });
+        }
+        copyFileSync(CLAUDE_SETTINGS_PATH, CLAUDE_SETTINGS_BACKUP);
+        return true;
+    }
+    catch (e) {
+        console.error("Failed to backup settings.json:", e);
+        return false;
+    }
+}
+/**
+ * Check if hook is already installed
+ */
+export function isHookInstalled() {
+    const settings = loadSettings();
+    if (!settings.hooks || !Array.isArray(settings.hooks.PreToolUse)) {
+        return false;
+    }
+    // PreToolUse can be an array of arrays or array of objects
+    const preToolUseHooks = settings.hooks.PreToolUse;
+    for (const item of preToolUseHooks) {
+        // Handle nested array structure
+        if (Array.isArray(item)) {
+            if (item.some((h) => h.id === HOOK_ID)) {
+                return true;
+            }
+        }
+        else if (typeof item === "object" && item !== null) {
+            if (item.id === HOOK_ID) {
+                return true;
+            }
+        }
+    }
+    return false;
+}
+/**
+ * Install the PreToolUse hook
+ */
+export function installHook(config = getDefaultHookConfig()) {
+    // Check if already installed
+    if (isHookInstalled()) {
+        return { success: true, message: "Hook is already installed" };
+    }
+    // Backup existing settings
+    if (!backupSettings()) {
+        return { success: false, message: "Failed to backup settings.json" };
+    }
+    // Load existing settings
+    const settings = loadSettings();
+    // Initialize hooks structure if not present
+    if (!settings.hooks) {
+        settings.hooks = {};
+    }
+    if (!settings.hooks.PreToolUse) {
+        settings.hooks.PreToolUse = [];
+    }
+    // Create the new hook object
+    const newHook = {
+        id: HOOK_ID,
+        matcher: {
+            toolName: "run_shell_command",
+            input: "npx skills add"
+        },
+        hooks: [
+            {
+                type: "command",
+                command: `skill-audit --mode audit --threshold ${config.threshold}${config.blockOnFailure ? " --block" : ""}`
+            }
+        ]
+    };
+    // Add the hook - wrap in array to match existing structure
+    const preToolUseHooks = settings.hooks.PreToolUse;
+    preToolUseHooks.push([newHook]);
+    // Ensure directory exists
+    const settingsDir = dirname(CLAUDE_SETTINGS_PATH);
+    if (!existsSync(settingsDir)) {
+        mkdirSync(settingsDir, { recursive: true });
+    }
+    // Write updated settings
+    try {
+        writeFileSync(CLAUDE_SETTINGS_PATH, JSON.stringify(settings, null, 2));
+        return { success: true, message: `Hook installed successfully (threshold: ${config.threshold})` };
+    }
+    catch (e) {
+        // Restore backup on failure
+        if (existsSync(CLAUDE_SETTINGS_BACKUP)) {
+            copyFileSync(CLAUDE_SETTINGS_BACKUP, CLAUDE_SETTINGS_PATH);
+        }
+        return { success: false, message: `Failed to write settings: ${e}` };
+    }
+}
+/**
+ * Uninstall the PreToolUse hook
+ */
+export function uninstallHook() {
+    const settings = loadSettings();
+    if (!settings.hooks || !Array.isArray(settings.hooks.PreToolUse)) {
+        return { success: true, message: "No hooks to remove" };
+    }
+    const preToolUseHooks = settings.hooks.PreToolUse;
+    const initialLength = preToolUseHooks.length;
+    // Filter out our hook (handles nested array structure)
+    const filteredHooks = preToolUseHooks.filter((item) => {
+        if (Array.isArray(item)) {
+            return !item.some((h) => h.id === HOOK_ID);
+        }
+        else if (typeof item === "object" && item !== null) {
+            return item.id !== HOOK_ID;
+        }
+        return true;
+    });
+    if (filteredHooks.length === initialLength) {
+        return { success: true, message: "Hook was not installed" };
+    }
+    // Backup before modification
+    if (!backupSettings()) {
+        return { success: false, message: "Failed to backup settings.json" };
+    }
+    // Update settings
+    settings.hooks.PreToolUse = filteredHooks;
+    // Remove hooks object if empty
+    if (filteredHooks.length === 0) {
+        delete settings.hooks.PreToolUse;
+    }
+    if (Object.keys(settings.hooks).length === 0) {
+        delete settings.hooks;
+    }
+    // Write updated settings
+    try {
+        writeFileSync(CLAUDE_SETTINGS_PATH, JSON.stringify(settings, null, 2));
+        return { success: true, message: "Hook uninstalled successfully" };
+    }
+    catch (e) {
+        // Restore backup on failure
+        if (existsSync(CLAUDE_SETTINGS_BACKUP)) {
+            copyFileSync(CLAUDE_SETTINGS_BACKUP, CLAUDE_SETTINGS_PATH);
+        }
+        return { success: false, message: `Failed to write settings: ${e}` };
+    }
+}
+/**
+ * Get hook status
+ */
+export function getHookStatus() {
+    const settings = loadSettings();
+    if (!settings.hooks || !Array.isArray(settings.hooks.PreToolUse)) {
+        return { installed: false, settingsPath: CLAUDE_SETTINGS_PATH };
+    }
+    const preToolUseHooks = settings.hooks.PreToolUse;
+    // Find the hook in nested array structure
+    let hook;
+    for (const item of preToolUseHooks) {
+        if (Array.isArray(item)) {
+            hook = item.find((h) => h.id === HOOK_ID);
+            if (hook)
+                break;
+        }
+        else if (typeof item === "object" && item !== null) {
+            if (item.id === HOOK_ID) {
+                hook = item;
+                break;
+            }
+        }
+    }
+    if (!hook) {
+        return { installed: false, settingsPath: CLAUDE_SETTINGS_PATH };
+    }
+    // Extract config from hook command
+    const hookHooks = hook.hooks;
+    const command = hookHooks[0].command;
+    const thresholdMatch = command.match(/--threshold\s+([\d.]+)/);
+    const threshold = thresholdMatch ? parseFloat(thresholdMatch[1]) : 3.0;
+    const blockOnFailure = command.includes("--block");
+    return {
+        installed: true,
+        config: { threshold, blockOnFailure },
+        settingsPath: CLAUDE_SETTINGS_PATH
+    };
+}

package/dist/index.js

@@ -6,13 +6,14 @@ import { validateSkillSpec } from "./spec.js";
 import { createGroupedAuditResult } from "./scoring.js";
 import { scanDependencies } from "./deps.js";
 import { getKEV, getEPSS, getNVD, isCacheStale, downloadOfflineDB } from "./intel.js";
+import { installHook, uninstallHook, getHookStatus, getDefaultHookConfig } from "./hooks.js";
 import { writeFileSync } from "fs";
 // Build CLI - no subcommands, just options + action
 const program = new Command();
 program
     .name("skill-audit")
     .description("Security auditing CLI for AI agent skills")
-    .version("0.1.0")
+    .version("0.3.0")
     .option("-g, --global", "Audit global skills only (default: true)")
     .option("-p, --project", "Audit project-level skills only")
     .option("-a, --agent <agents...>", "Filter by specific agents")
@@ -26,7 +27,12 @@ program
     .option("--source <sources...>", "Sources for update-db: kev, epss, nvd, all", ["all"])
     .option("--strict", "Fail if feeds are stale")
     .option("--quiet", "Suppress non-error output")
-    .option("--download-offline-db <dir>", "Download offline vulnerability databases to directory");
+    .option("--download-offline-db <dir>", "Download offline vulnerability databases to directory")
+    .option("--install-hook", "Install PreToolUse hook for automatic skill auditing")
+    .option("--uninstall-hook", "Remove the PreToolUse hook")
+    .option("--hook-threshold <score>", "Risk threshold for hook (default: 3.0)", parseFloat)
+    .option("--hook-status", "Show current hook status")
+    .option("--block", "Exit with code 1 if threshold exceeded (for hooks)");
 program.parse(process.argv);
 const options = program.opts();
 // Handle download-offline-db action
@@ -39,6 +45,52 @@ if (options.updateDb) {
     await updateAdvisoryDB({ source: options.source, strict: options.strict });
     process.exit(0);
 }
+// Handle hook-status action
+if (options.hookStatus) {
+    const status = getHookStatus();
+    console.log("\n🪝 skill-audit Hook Status\n");
+    console.log(`   Installed: ${status.installed ? "✅ Yes" : "❌ No"}`);
+    if (status.installed && status.config) {
+        console.log(`   Threshold: ${status.config.threshold}`);
+        console.log(`   Block on failure: ${status.config.blockOnFailure ? "Yes" : "No"}`);
+    }
+    console.log(`   Settings file: ${status.settingsPath}\n`);
+    process.exit(0);
+}
+// Handle install-hook action
+if (options.installHook) {
+    const config = getDefaultHookConfig();
+    if (options.hookThreshold) {
+        config.threshold = options.hookThreshold;
+    }
+    config.blockOnFailure = true;
+    console.log("\n🪝 Installing skill-audit hook...\n");
+    const result = installHook(config);
+    if (result.success) {
+        console.log(`✅ ${result.message}`);
+        console.log(`   Settings file: ${getHookStatus().settingsPath}`);
+        console.log("\n   Skills will now be audited before installation.");
+        console.log("   Run 'skill-audit --uninstall-hook' to remove.\n");
+    }
+    else {
+        console.error(`❌ ${result.message}`);
+        process.exit(1);
+    }
+    process.exit(0);
+}
+// Handle uninstall-hook action
+if (options.uninstallHook) {
+    console.log("\n🪝 Removing skill-audit hook...\n");
+    const result = uninstallHook();
+    if (result.success) {
+        console.log(`✅ ${result.message}\n`);
+    }
+    else {
+        console.error(`❌ ${result.message}`);
+        process.exit(1);
+    }
+    process.exit(0);
+}
 // Default to global skills
 const scope = options.project ? "project" : "global";
 const mode = options.mode || "audit";
@@ -78,7 +130,8 @@ reportGroupedResults(results, {
     output: options.output,
     verbose: options.verbose,
     threshold: options.threshold,
-    mode
+    mode,
+    block: options.block
 });
 async function updateAdvisoryDB(opts) {
     const sources = opts.source.includes("all") ? ["kev", "epss", "nvd"] : opts.source;
@@ -124,7 +177,7 @@ async function updateAdvisoryDB(opts) {
     }
 }
 function reportGroupedResults(results, options) {
-    const { json, output, verbose, threshold, mode } = options;
+    const { json, output, verbose, threshold, mode, block } = options;
     // Export to file if specified
     if (output) {
         const report = {
@@ -190,6 +243,10 @@ function reportGroupedResults(results, options) {
             for (const f of failing) {
                 console.log(`   - ${f.skill.name}: ${f.riskScore}`);
             }
+            // Exit with error code if block flag is set
+            if (block) {
+                process.exit(1);
+            }
         }
         else {
             console.log(`\n✅ All skills pass threshold ${threshold}`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hungpg/skill-audit",
-  "version": "0.2.0",
+  "version": "0.3.0",
   "description": "Security auditing CLI for AI agent skills",
   "type": "module",
   "bin": {
@@ -10,7 +10,7 @@
     "build": "tsc",
     "start": "node dist/index.js",
     "dev": "tsx src/index.ts",
-    "postinstall": "node dist/index.js --update-db --quiet 2>/dev/null || echo \"⚠️  Vulnerability DB update skipped (run 'npm run security:update' later)\"",
+    "postinstall": "node scripts/postinstall.cjs",
     "security:update": "node dist/index.js --update-db"
   },
   "engines": {
@@ -18,6 +18,8 @@
   },
   "files": [
     "dist",
+    "scripts",
+    "rules",
     "README.md",
     "SKILL.md"
   ],

package/rules/default-patterns.json

@@ -0,0 +1,99 @@
+{
+  "version": "0.1.0",
+  "updated": "2024-03-18",
+  "description": "Default security patterns for skill-audit",
+  "categories": {
+    "promptInjection": {
+      "name": "Prompt Injection (ASI01)",
+      "description": "Detects attempts to override system instructions or inject malicious prompts",
+      "patterns": [
+        { "pattern": "ignore\\s+(all\\s+)?previous\\s+(instructions?|rules?)", "id": "PI-001", "severity": "critical", "message": "Instruction override - ignore previous instructions" },
+        { "pattern": "you\\s+(are\\s+)?now\\s+(a|an|i am)\\s+\\w+", "id": "PI-002", "severity": "critical", "message": "Roleplay bypass - role impersonation" },
+        { "pattern": "forget\\s+(everything|all|your)", "id": "PI-003", "severity": "critical", "message": "Context forgetting attempt" },
+        { "pattern": "system\\s+prompt\\s+override", "id": "PI-004", "severity": "critical", "message": "System prompt override attempt" },
+        { "pattern": "act\\s+as\\s+if\\s+(you\\s+)?(have|no)\\s+(restrictions|limits)", "id": "PI-005", "severity": "critical", "message": "Restriction removal attempt" },
+        { "pattern": "\\[SYSTEM\\]|\\[ADMIN\\]|\\[ROOT\\]", "id": "PI-006", "severity": "critical", "message": "Fake role tags injection" },
+        { "pattern": "end\\s+of\\s+system\\s+prompt|---END---", "id": "PI-007", "severity": "high", "message": "Prompt termination marker" },
+        { "pattern": "debug\\s+mode\\s*:\\s*enabled|safety\\s+mode\\s*:\\s*off", "id": "PI-008", "severity": "high", "message": "Safety toggle disable" },
+        { "pattern": "<!--[\\s\\S]*?-->", "id": "PI-009", "severity": "high", "message": "Hidden instructions in HTML comments" },
+        { "pattern": "note\\s+to\\s+AI:|AI\\s+instruction:", "id": "PI-010", "severity": "high", "message": "AI directive injection" },
+        { "pattern": "(?:you\\s+must|you\\s+should)\\s+(not|never)", "id": "PI-011", "severity": "medium", "message": "Command to override restrictions" },
+        { "pattern": "bypass\\s+(restriction|rule|limit|safety)", "id": "PI-012", "severity": "medium", "message": "Bypass attempt" },
+        { "pattern": "disregard\\s+(all|your|the)\\s+(previous|system)", "id": "PI-013", "severity": "medium", "message": "Disregard instruction pattern" },
+        { "pattern": "i.*am\\s+the\\s+developer.*trust\\s+me", "id": "PI-014", "severity": "medium", "message": "Social engineering - developer trust exploitation" }
+      ]
+    },
+    "credentialLeaks": {
+      "name": "Credential Leaks (ASI04)",
+      "description": "Detects hardcoded secrets, API keys, and credential paths",
+      "patterns": [
+        { "pattern": "~/\\.ssh|/\\.ssh/", "id": "CL-001", "severity": "critical", "message": "SSH credential path reference" },
+        { "pattern": "~/\\.aws|/\\.aws/", "id": "CL-002", "severity": "critical", "message": "AWS credential path reference" },
+        { "pattern": "~/\\.env|mkdir.*\\.env", "id": "CL-003", "severity": "critical", "message": ".env file reference (potential secret exposure)" },
+        { "pattern": "curl\\s+(?!.*(-fsSL|-f\\s|-L)).*\\|\\s*(sh|bash|perl|python)", "id": "CL-004", "severity": "critical", "message": "Pipe to shell - code execution risk" },
+        { "pattern": "wget\\s+(?!.*(-q|-O)).*\\|\\s*(sh|bash)", "id": "CL-005", "severity": "critical", "message": "Pipe to shell - code execution risk" }
+      ]
+    },
+    "shellInjection": {
+      "name": "Shell Injection (ASI05)",
+      "description": "Detects dangerous shell commands and reverse shells",
+      "patterns": [
+        { "pattern": "nc\\s+-[elv]\\s+|netcat\\s+-[elv]", "id": "CE-001", "severity": "critical", "message": "Netcat reverse shell pattern" },
+        { "pattern": "bash\\s+-i\\s+.*\\&\\s*/dev/tcp/", "id": "CE-002", "severity": "critical", "message": "Bash reverse shell pattern" },
+        { "pattern": "rm\\s+-rf\\s+/\\s*$", "id": "CE-003", "severity": "critical", "message": "Destructive rm -rf / command (root)" },
+        { "pattern": "rm\\s+-rf\\s+\\$HOME|rm\\s+-rf\\s+~\\s*$|rm\\s+-rf\\s+/home\\s*$|rm\\s+-rf\\s+/tmp\\s*$", "id": "CE-004", "severity": "high", "message": "Recursive delete in user directory" },
+        { "pattern": "exec\\s+\\$\\(", "id": "CE-005", "severity": "high", "message": "Dynamic command execution" },
+        { "pattern": "eval\\s+\\$", "id": "CE-006", "severity": "high", "message": "Eval with variable interpolation" },
+        { "pattern": "subprocess.*shell\\s*=\\s*true", "id": "CE-007", "severity": "medium", "message": "Subprocess with shell=True" },
+        { "pattern": "os\\.system\\s*\\(", "id": "CE-008", "severity": "high", "message": "os.system() call - shell injection risk" },
+        { "pattern": "child_process.*exec\\s*\\(", "id": "CE-009", "severity": "medium", "message": "child_process.exec - verify input sanitization" },
+        { "pattern": "chmod\\s+[47]777", "id": "CE-010", "severity": "high", "message": "World-writable permissions" },
+        { "pattern": "process\\.fork\\s*\\(|child_process\\.spawn\\s*\\(|subprocess\\.spawn\\s*\\(", "id": "CE-011", "severity": "high", "message": "Process fork/spawn - potential crypto miner" }
+      ]
+    },
+    "exfiltration": {
+      "name": "Data Exfiltration (ASI02)",
+      "description": "Detects attempts to send data to external servers",
+      "patterns": [
+        { "pattern": "https?://[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+", "id": "EX-001", "severity": "critical", "message": "Raw IP address in URL - potential exfiltration" },
+        { "pattern": "fetch\\s*\\(\\s*[\"'`][^\"']+\\?(key|token|secret|password)", "id": "EX-002", "severity": "critical", "message": "API key in URL query string - exfiltration risk" },
+        { "pattern": "\\.send\\(.*(http|https|external)", "id": "EX-003", "severity": "critical", "message": "Data send to external server" },
+        { "pattern": "dns\\.resolve|dns\\.query|new\\s+DNS", "id": "EX-004", "severity": "critical", "message": "DNS resolution - potential DNS tunneling" },
+        { "pattern": "new\\s+WebSocket\\s*\\(\\s*[\"'`][^'\"`]+[\"'`]\\s*\\)", "id": "EX-005", "severity": "high", "message": "WebSocket connection - check target" },
+        { "pattern": "readFile.*send|fetch.*readFile|read_file.*fetch", "id": "EX-006", "severity": "critical", "message": "File read + send exfiltration chain" }
+      ]
+    },
+    "secrets": {
+      "name": "Hardcoded Secrets (ASI04)",
+      "description": "Detects API keys, tokens, and credentials in code",
+      "patterns": [
+        { "pattern": "sk-[a-zA-Z0-9]{20,}", "id": "SC-001", "severity": "critical", "message": "OpenAI API key pattern" },
+        { "pattern": "github_pat_[a-zA-Z0-9_]{20,}", "id": "SC-002", "severity": "critical", "message": "GitHub PAT pattern" },
+        { "pattern": "ghp_[a-zA-Z0-9]{36}", "id": "SC-003", "severity": "critical", "message": "GitHub OAuth token pattern" },
+        { "pattern": "xox[baprs]-[a-zA-Z0-9]{10,}", "id": "SC-004", "severity": "critical", "message": "Slack token pattern" },
+        { "pattern": "AKIA[0-9A-Z]{16}", "id": "SC-005", "severity": "critical", "message": "AWS access key pattern" }
+      ]
+    },
+    "toolMisuse": {
+      "name": "Tool Misuse (ASI02)",
+      "description": "Detects potential misuse of tools and environment",
+      "patterns": [
+        { "pattern": "upload.*(file|data).*(external|remote|server)", "id": "TM-001", "severity": "high", "message": "Potential data exfiltration pattern" },
+        { "pattern": "export\\s+(API|TOKEN|KEY|SECRET|PASSWORD|CREDENTIAL)", "id": "TM-002", "severity": "high", "message": "Exporting sensitive environment variable" },
+        { "pattern": "setenv.*(PASSWORD|TOKEN|KEY|SECRET|CREDS)", "id": "TM-003", "severity": "high", "message": "Setting sensitive environment variable" },
+        { "pattern": "process\\.env\\[.*(KEY|SECRET|TOKEN|PASSWORD)", "id": "TM-004", "severity": "medium", "message": "Accessing sensitive env vars" }
+      ]
+    },
+    "behavioral": {
+      "name": "Behavioral Manipulation (ASI09)",
+      "description": "Detects attempts to manipulate AI behavior",
+      "patterns": [
+        { "pattern": "^(always|never)\\s+(say|do|follow|use|assume|accept|must|should)", "id": "BM-001", "severity": "medium", "message": "Absolute command pattern - may override safety", "flags": "im" },
+        { "pattern": "^(never|always)\\s+(question|verify|check|ask)", "id": "BM-002", "severity": "medium", "message": "Verification suppression", "flags": "im" },
+        { "pattern": "^trust\\s+(me|this| blindly)", "id": "BM-003", "severity": "medium", "message": "Blind trust request", "flags": "im" },
+        { "pattern": "^don.*t\\s+(need|require).*(permission|approval|confirm)", "id": "BM-004", "severity": "medium", "message": "Permission bypass encouragement", "flags": "im" },
+        { "pattern": "^keep.*(this|secret|hidden).*(from|between)", "id": "BM-005", "severity": "medium", "message": "Secret keeping instruction", "flags": "im" }
+      ]
+    }
+  }
+}

package/scripts/postinstall.cjs

@@ -0,0 +1,190 @@
+#!/usr/bin/env node
+
+/**
+ * Postinstall script for skill-audit
+ * 
+ * Prompts user to install PreToolUse hook that audits skills
+ * before installation via `npx skills add`.
+ */
+
+const fs = require("fs");
+const path = require("path");
+const { execSync } = require("child_process");
+const os = require("os");
+
+// Paths
+const SKIP_HOOK_FILE = path.join(os.homedir(), ".skill-audit-skip-hook");
+const SETTINGS_PATH = path.join(os.homedir(), ".claude", "settings.json");
+
+// Check if running in CI
+function isCI() {
+  return (
+    process.env.CI === "true" ||
+    process.env.CONTINUOUS_INTEGRATION === "true" ||
+    process.env.GITHUB_ACTIONS === "true" ||
+    process.env.GITLAB_CI === "true" ||
+    process.env.CIRCLECI === "true" ||
+    process.env.TRAVIS === "true" ||
+    process.env.JENKINS_URL !== undefined ||
+    process.env.BUILDKITE === "true" ||
+    process.env.npm_config_global === undefined && process.env.npm_package_name === undefined
+  );
+}
+
+// Check if skip file exists
+function shouldSkipPrompt() {
+  return fs.existsSync(SKIP_HOOK_FILE);
+}
+
+// Create skip file
+function createSkipFile() {
+  fs.writeFileSync(
+    SKIP_HOOK_FILE,
+    JSON.stringify(
+      {
+        createdAt: new Date().toISOString(),
+        reason: "User chose to skip hook installation prompt",
+      },
+      null,
+      2
+    )
+  );
+}
+
+// Check if hook is already installed
+function isHookInstalled() {
+  if (!fs.existsSync(SETTINGS_PATH)) {
+    return false;
+  }
+
+  try {
+    const settings = JSON.parse(fs.readFileSync(SETTINGS_PATH, "utf-8"));
+    if (!settings.hooks || !Array.isArray(settings.hooks.PreToolUse)) {
+      return false;
+    }
+
+    return settings.hooks.PreToolUse.some(
+      (hook) => hook.id === "skill-audit-pre-install"
+    );
+  } catch {
+    return false;
+  }
+}
+
+// Install hook using the CLI
+function installHook() {
+  try {
+    execSync("skill-audit --install-hook", { stdio: "inherit" });
+    return true;
+  } catch (error) {
+    console.error("Failed to install hook:", error.message);
+    return false;
+  }
+}
+
+// Prompt user for input
+function prompt(question) {
+  const readline = require("readline");
+  const rl = readline.createInterface({
+    input: process.stdin,
+    output: process.stdout,
+  });
+
+  return new Promise((resolve) => {
+    rl.question(question, (answer) => {
+      rl.close();
+      resolve(answer.trim().toLowerCase());
+    });
+  });
+}
+
+// Main function
+async function main() {
+  // Skip in CI environments
+  if (isCI()) {
+    console.log("Skipping hook installation prompt (CI environment)");
+    return;
+  }
+
+  // Skip if user previously chose to skip
+  if (shouldSkipPrompt()) {
+    return;
+  }
+
+  // Skip if hook is already installed
+  if (isHookInstalled()) {
+    console.log("✓ skill-audit hook is already installed");
+    return;
+  }
+
+  // Check if running in a terminal
+  if (!process.stdout.isTTY) {
+    console.log("\n📦 skill-audit installed!");
+    console.log("   Run 'skill-audit --install-hook' to set up automatic skill auditing.");
+    return;
+  }
+
+  // Display prompt
+  console.log("\n");
+  console.log("╔════════════════════════════════════════════════════════════╗");
+  console.log("║                 🛡️  skill-audit hook setup                 ║");
+  console.log("╠════════════════════════════════════════════════════════════╣");
+  console.log("║                                                            ║");
+  console.log("║  skill-audit can automatically audit skills before        ║");
+  console.log("║  installation to protect you from malicious packages.     ║");
+  console.log("║                                                            ║");
+  console.log("║  When you run 'npx skills add <package>', the hook will:  ║");
+  console.log("║    • Scan the skill for security vulnerabilities          ║");
+  console.log("║    • Check for prompt injection, secrets, code execution  ║");
+  console.log("║    • Block installation if risk score > 3.0               ║");
+  console.log("║                                                            ║");
+  console.log("╚════════════════════════════════════════════════════════════╝");
+  console.log("\n");
+
+  console.log("Options:");
+  console.log("  [Y] Yes, install the hook (recommended)");
+  console.log("  [N] No, skip for now");
+  console.log("  [S] Skip forever (don't ask again)");
+  console.log("");
+
+  const answer = await prompt("Your choice [Y/n/s]: ");
+
+  switch (answer) {
+    case "":
+    case "y":
+    case "yes":
+      console.log("\nInstalling hook...");
+      if (installHook()) {
+        console.log("\n✅ Hook installed successfully!");
+        console.log("   Skills will now be audited before installation.");
+        console.log("   Run 'skill-audit --uninstall-hook' to remove.\n");
+      } else {
+        console.log("\n❌ Failed to install hook.");
+        console.log("   You can try manually: skill-audit --install-hook\n");
+      }
+      break;
+
+    case "n":
+    case "no":
+      console.log("\nSkipping hook installation.");
+      console.log("   Run 'skill-audit --install-hook' anytime to set up.\n");
+      break;
+
+    case "s":
+    case "skip":
+      createSkipFile();
+      console.log("\nSkipping hook installation (won't ask again).");
+      console.log("   Delete ~/.skill-audit-skip-hook to re-enable prompt.\n");
+      break;
+
+    default:
+      console.log("\nInvalid choice. Skipping for now.");
+      console.log("   Run 'skill-audit --install-hook' anytime to set up.\n");
+  }
+}
+
+// Run main
+main().catch((error) => {
+  console.error("Postinstall error:", error.message);
+  process.exit(0); // Don't fail install
+});