@pwddd/skills-scanner 1.2.0 → 2.0.0

package/README.md

@@ -1,12 +1,26 @@
 # openclaw-skills-scanner
 
-OpenClaw Plugin，基于 [cisco-ai-skill-scanner](https://github.com/cisco-ai-defense/skill-scanner) 实现对 OpenClaw Skills 的安全扫描。
+OpenClaw Plugin，通过 HTTP API 调用远程 [cisco-ai-skill-scanner](https://github.com/cisco-ai-defense/skill-scanner) 服务实现对 OpenClaw Skills 的安全扫描。
+
+## 架构说明
+
+本插件采用 **HTTP 客户端模式**：
+- **客户端**：本插件（TypeScript + Python HTTP 客户端）
+- **服务端**：独立运行的 `skill-scanner-api` 服务（需单独部署）
+- **通信方式**：通过 HTTP REST API 调用扫描服务
+
+### 为什么使用 HTTP 模式？
+
+1. **依赖隔离**：避免复杂的 Python 依赖安装问题（LiteLLM、代理配置等）
+2. **服务复用**：多个客户端可共享同一个扫描服务
+3. **灵活部署**：扫描服务可部署在专用服务器上，支持更强大的硬件配置
+4. **简化维护**：客户端只需 `requests` 库，无需安装完整的 `cisco-ai-skill-scanner`
 
 ## 功能
 
 | 功能 | 实现方式 | 状态 |
 |---|---|---|
-| 启动时自动安装 Python 依赖 | `registerService` | ✅ 全自动 |
+| 启动时自动安装 Python 依赖（requests） | `registerService` | ✅ 全自动 |
 | `/scan-skill` `/scan-skills` 按需扫描 | `registerCommand` | ✅ 全自动 |
 | `/scan-report` 立即日报 | `registerCommand` | ✅ 全自动 |
 | `/scan-status` 状态查看 | `registerCommand` | ✅ 全自动 |
@@ -17,21 +31,47 @@ OpenClaw Plugin，基于 [cisco-ai-skill-scanner](https://github.com/cisco-ai-de
 
 ---
 
-## 安装
+## 前置要求
+
+### 1. 启动 skill-scanner-api 服务
+
+在服务器上安装并启动 API 服务：
+
+```bash
+# 安装 cisco-ai-skill-scanner
+pip install cisco-ai-skill-scanner
+
+# 启动 API 服务（默认端口 8000）
+skill-scanner-api
+
+# 或指定端口
+skill-scanner-api --port 8080
+
+# 开发模式（自动重载）
+skill-scanner-api --reload
+```
+
+验证服务是否正常：
+
+```bash
+curl http://localhost:8000/health
+```
+
+### 2. 安装本插件
 
 ```bash
 # 从本地目录安装
 openclaw plugins install ./openclaw-skills-scanner
 
-# 或从 npm 安装（发布后）
-openclaw plugins install @yourscope/openclaw-skills-scanner
+# 或从 npm 安装
+openclaw plugins install @pwddd/skills-scanner
 
 # 重启 Gateway（Plugin 变更必须重启）
 openclaw gateway restart
 ```
 
 重启后 Gateway 会自动：
-1. 创建 Python venv 并安装 `cisco-ai-skill-scanner`
+1. 创建 Python venv 并安装 `requests` 库
 2. 开始监听 Skills 目录（安装前扫描）
 3. 在启动日志里打印是否需要注册 Cron Job
 
@@ -116,8 +156,11 @@ Plugin 启动后用 `fs.watch` 监听所有 Skills 目录。任何新 Skill 出
       "skills-scanner": {
         "enabled": true,
         "config": {
+          "apiUrl": "http://localhost:8000",    // API 服务地址
           "scanDirs": ["~/.openclaw/skills"],   // 留空自动检测
           "behavioral": false,                  // 行为分析（较慢）
+          "useLLM": false,                      // 启用 LLM 分析
+          "policy": "balanced",                 // strict | balanced | permissive
           "preInstallScan": "on",               // fs.watch 安装前扫描
           "onUnsafe": "quarantine"              // quarantine | delete | warn
         }
@@ -127,12 +170,92 @@ Plugin 启动后用 `fs.watch` 监听所有 Skills 目录。任何新 Skill 出
 }
 ```
 
+### 配置说明
+
+| 配置项 | 类型 | 默认值 | 说明 |
+|---|---|---|---|
+| `apiUrl` | string | `http://localhost:8000` | skill-scanner-api 服务地址 |
+| `scanDirs` | string[] | 自动检测 | 要扫描的 Skills 目录列表 |
+| `behavioral` | boolean | `false` | 启用行为分析（更准确但较慢） |
+| `useLLM` | boolean | `false` | 启用 LLM 分析（需 API 服务配置 LLM） |
+| `policy` | string | `balanced` | 扫描策略：`strict`（严格）/ `balanced`（平衡）/ `permissive`（宽松） |
+| `preInstallScan` | string | `on` | 是否启用 fs.watch 安装前扫描 |
+| `onUnsafe` | string | `quarantine` | 发现不安全 Skill 时的处置方式 |
+
+---
+
+## HTTP API 端点说明
+
+本插件使用以下 API 端点：
+
+| 端点 | 方法 | 用途 |
+|---|---|---|
+| `/health` | GET | 健康检查 |
+| `/scan-upload` | POST | 上传 ZIP 文件扫描（单个 Skill） |
+| `/scan-batch` | POST | 批量异步扫描（服务器本地目录） |
+| `/scan-batch/{scan_id}` | GET | 查询批量扫描结果 |
+
+### 扫描方式
+
+1. **单个 Skill 扫描**：使用 `/scan-upload` 端点
+   - 客户端将 Skill 目录打包成 ZIP
+   - 上传到服务器
+   - 服务器解压并扫描
+   - 返回扫描结果
+
+2. **批量扫描（服务器本地）**：使用 `/scan-batch` 端点
+   - 适用于服务器本地目录
+   - 异步执行，返回 scan_id
+   - 轮询 `/scan-batch/{scan_id}` 获取结果
+
+3. **批量扫描（客户端上传）**：客户端循环调用 `/scan-upload`
+   - 适用于客户端本地多个 Skills
+   - 逐个打包上传扫描
+
+---
+
+## 故障排查
+
+### 1. 连接失败
+
+```
+✗ 无法连接到 API 服务: http://localhost:8000
+```
+
+**解决方法**：
+- 确认 `skill-scanner-api` 服务正在运行
+- 检查配置中的 `apiUrl` 是否正确
+- 测试连接：`curl http://localhost:8000/health`
+
+### 2. 代理问题
+
+如果遇到代理相关错误，插件会自动清除代理环境变量。如果仍有问题，手动清除：
+
+```bash
+unset http_proxy https_proxy all_proxy HTTP_PROXY HTTPS_PROXY ALL_PROXY
+```
+
+### 3. Python 依赖问题
+
+```
+⏳ Python 依赖尚未就绪
+```
+
+**解决方法**：
+- 检查 `uv` 是否安装：`uv --version`
+- 手动安装依赖：
+  ```bash
+  cd ~/.openclaw/extensions/skills-scanner/skills/skills-scanner
+  uv venv .venv --python 3.10
+  uv pip install --python .venv/bin/python requests>=2.31.0
+  ```
+
 ---
 
 ## 发布到 npm
 
 ```bash
-# 修改 package.json 里的 name 为你的 scope
+# 已发布为 @pwddd/skills-scanner
 npm login
 npm publish --access public
 ```

package/index.ts

@@ -30,7 +30,8 @@ import { promisify } from "util";
 
 const execAsync = promisify(exec);
 
-const PLUGIN_ROOT  = __dirname;
+// 使用绝对路径，避免 __dirname 的问题
+const PLUGIN_ROOT  = process.env.OPENCLAW_PLUGIN_ROOT || __dirname;
 const SKILL_DIR    = join(PLUGIN_ROOT, "skills", "skills-scanner");
 const VENV_PYTHON  = join(SKILL_DIR, ".venv", "bin", "python");
 const SCAN_SCRIPT  = join(SKILL_DIR, "scan.py");
@@ -41,10 +42,16 @@ const QUARANTINE_DIR = join(STATE_DIR, "quarantine");
 // ── 型別 ──────────────────────────────────────────────────────────────────────
 
 interface ScannerConfig {
+  /** API 服务地址 */
+  apiUrl?: string;
   /** 扫描目录列表，默认自动检测 */
   scanDirs?: string[];
   /** 是否启用行为分析（较慢但更准确） */
   behavioral?: boolean;
+  /** 是否启用 LLM 分析 */
+  useLLM?: boolean;
+  /** 扫描策略 */
+  policy?: "strict" | "balanced" | "permissive";
   /**
    * 安装前扫描（fs.watch）：
    * - "on"  监听所有 scanDirs（默认）
@@ -74,10 +81,10 @@ function hasUv(): boolean {
 
 function isVenvReady(): boolean {
   if (!existsSync(VENV_PYTHON)) return false;
-  
-  // 检查 cisco-ai-skill-scanner 是否真的安装
+
+  // 检查 requests 是否安装
   try {
-    execSync(`"${VENV_PYTHON}" -c "import skill_scanner"`, { stdio: 'ignore' });
+    execSync(`"${VENV_PYTHON}" -c "import requests"`, { stdio: 'ignore' });
     return true;
   } catch {
     return false;
@@ -114,74 +121,40 @@ function saveState(s: ScanState) {
 
 async function ensureDeps(logger: any): Promise<boolean> {
   if (isVenvReady()) {
-    logger.info("[skills-scanner] Python 依赖已就绪（cisco-ai-skill-scanner 已安装）");
+    logger.info("[skills-scanner] Python 依赖已就绪（requests 已安装）");
     return true;
   }
-  
+
   if (!hasUv()) {
     logger.warn("[skills-scanner] uv 未安装：brew install uv 或 curl -LsSf https://astral.sh/uv/install.sh | sh");
     return false;
   }
-  
-  logger.info("[skills-scanner] 正在安装 cisco-ai-skill-scanner...");
-  
+
+  logger.info("[skills-scanner] 正在安装 Python 依赖...");
+
   try {
-    // 使用 uv 创建 venv 并安装包（一步完成）
-    logger.info("[skills-scanner] 创建虚拟环境并安装依赖...");
     const venvDir = join(SKILL_DIR, ".venv");
-    
+
     // 如果 venv 已存在，先删除
     if (existsSync(venvDir)) {
       logger.info("[skills-scanner] 清理旧的虚拟环境...");
       rmSync(venvDir, { recursive: true, force: true });
     }
-    
-    // 使用 uv 创建 venv
+
+    // 创建 venv
     await execAsync(`uv venv "${venvDir}" --python 3.10`);
     logger.info("[skills-scanner] 虚拟环境创建完成");
-    
-    // 使用 uv pip 安装包（这是关键！）
-    logger.info("[skills-scanner] 安装 cisco-ai-skill-scanner...");
-    const installCmd = `uv pip install --python "${VENV_PYTHON}" cisco-ai-skill-scanner`;
-    logger.debug(`[skills-scanner] 执行命令: ${installCmd}`);
-    
-    const installResult = await execAsync(installCmd);
-    logger.info(`[skills-scanner] 安装输出: ${installResult.stdout.trim()}`);
-    if (installResult.stderr) {
-      logger.warn(`[skills-scanner] 安装警告: ${installResult.stderr.trim()}`);
-    }
-    
+
+    // 安装 requests
+    logger.info("[skills-scanner] 安装 requests...");
+    await execAsync(`uv pip install --python "${VENV_PYTHON}" requests>=2.31.0`);
+
     // 验证安装
-    logger.info("[skills-scanner] 验证安装...");
-    try {
-      const verifyResult = execSync(`"${VENV_PYTHON}" -c "import skill_scanner; print('Version:', skill_scanner.__version__)"`, { encoding: 'utf-8' });
-      logger.info(`[skills-scanner] ✅ 验证成功: ${verifyResult.trim()}`);
-      return true;
-    } catch (verifyErr: any) {
-      logger.error("[skills-scanner] ❌ 验证失败");
-      logger.error(`[skills-scanner] 错误: ${verifyErr.message}`);
-      
-      // 尝试手动检查文件
-      try {
-        const sitePackages = join(venvDir, "lib");
-        logger.debug(`[skills-scanner] 检查 site-packages: ${sitePackages}`);
-        if (existsSync(sitePackages)) {
-          const { stdout } = await execAsync(`find "${sitePackages}" -name "skill_scanner*" -type d`);
-          logger.debug(`[skills-scanner] 找到的包: ${stdout.trim() || "无"}`);
-        }
-      } catch {}
-      
-      return false;
-    }
+    execSync(`"${VENV_PYTHON}" -c "import requests"`, { stdio: 'ignore' });
+    logger.info("[skills-scanner] ✅ 依赖安装完成");
+    return true;
   } catch (err: any) {
     logger.error(`[skills-scanner] ⚠️  依赖安装失败: ${err.message}`);
-    if (err.stdout) logger.error(`[skills-scanner] stdout: ${err.stdout}`);
-    if (err.stderr) logger.error(`[skills-scanner] stderr: ${err.stderr}`);
-    logger.error(`[skills-scanner] 请手动运行:`);
-    logger.error(`[skills-scanner]   cd ~/.openclaw/extensions/skills-scanner/skills/skills-scanner`);
-    logger.error(`[skills-scanner]   rm -rf .venv`);
-    logger.error(`[skills-scanner]   uv venv .venv --python 3.10`);
-    logger.error(`[skills-scanner]   uv pip install --python .venv/bin/python cisco-ai-skill-scanner`);
     return false;
   }
 }
@@ -189,26 +162,53 @@ async function ensureDeps(logger: any): Promise<boolean> {
 async function runScan(
   mode: "scan" | "batch",
   target: string,
-  opts: { detailed?: boolean; behavioral?: boolean; recursive?: boolean; jsonOut?: string } = {}
+  opts: { detailed?: boolean; behavioral?: boolean; recursive?: boolean; jsonOut?: string; apiUrl?: string; useLLM?: boolean; policy?: string } = {}
 ): Promise<{ exitCode: number; output: string }> {
   const args = [mode, target];
   if (opts.detailed)   args.push("--detailed");
   if (opts.behavioral) args.push("--behavioral");
   if (opts.recursive)  args.push("--recursive");
+  if (opts.useLLM)     args.push("--llm");
+  if (opts.policy)     args.push("--policy", opts.policy);
   if (opts.jsonOut)    args.push("--json", opts.jsonOut);
+  if (opts.apiUrl)     args.unshift("--api-url", opts.apiUrl);
 
   const cmd = `"${VENV_PYTHON}" "${SCAN_SCRIPT}" ${args.map(a => `"${a}"`).join(" ")}`;
+
+  // 调试日志
+  console.log(`[skills-scanner] 执行命令: ${cmd}`);
+
   try {
-    const { stdout, stderr } = await execAsync(cmd, { timeout: 180_000 });
+    // 清除代理环境变量，避免连接问题
+    const env = { ...process.env };
+    delete env.http_proxy;
+    delete env.https_proxy;
+    delete env.HTTP_PROXY;
+    delete env.HTTPS_PROXY;
+    delete env.all_proxy;
+    delete env.ALL_PROXY;
+
+    const { stdout, stderr } = await execAsync(cmd, {
+      timeout: 180_000,
+      env
+    });
     return { exitCode: 0, output: (stdout + stderr).trim() };
   } catch (err: any) {
+    console.error(`[skills-scanner] 命令执行失败: ${err.message}`);
     return { exitCode: err.code ?? 1, output: (err.stdout + err.stderr || "").trim() || err.message };
   }
 }
 
 // ── 日报 ──────────────────────────────────────────────────────────────────────
 
-async function buildDailyReport(dirs: string[], behavioral: boolean, logger: any): Promise<string> {
+async function buildDailyReport(
+  dirs: string[], 
+  behavioral: boolean, 
+  apiUrl: string,
+  useLLM: boolean,
+  policy: string,
+  logger: any
+): Promise<string> {
   const now     = new Date();
   const dateStr = now.toLocaleDateString("zh-CN", { year: "numeric", month: "2-digit", day: "2-digit" });
   const timeStr = now.toLocaleTimeString("zh-CN", { hour: "2-digit", minute: "2-digit" });
@@ -223,7 +223,14 @@ async function buildDailyReport(dirs: string[], behavioral: boolean, logger: any
     const expanded = expandPath(dir);
     if (!existsSync(expanded)) continue;
     const tmpJson = join(STATE_DIR, `tmp-${Date.now()}.json`);
-    await runScan("batch", expanded, { behavioral, recursive: true, jsonOut: tmpJson });
+    await runScan("batch", expanded, { 
+      behavioral, 
+      recursive: true, 
+      jsonOut: tmpJson,
+      apiUrl,
+      useLLM,
+      policy
+    });
     try {
       const rows: any[] = JSON.parse(readFileSync(tmpJson, "utf-8"));
       try { rmSync(tmpJson); } catch {}
@@ -272,6 +279,9 @@ async function handleNewSkill(
   skillPath: string,
   onUnsafe: "quarantine" | "delete" | "warn",
   behavioral: boolean,
+  apiUrl: string,
+  useLLM: boolean,
+  policy: string,
   notifyFn: (msg: string) => void,
   logger: any
 ) {
@@ -280,7 +290,13 @@ async function handleNewSkill(
   logger.info(`[skills-scanner] 🔍 检测到新 Skill，开始安装前扫描: ${name}`);
   notifyFn(`🔍 检测到新 Skill \`${name}\`，正在安全扫描...`);
 
-  const res = await runScan("scan", skillPath, { behavioral, detailed: true });
+  const res = await runScan("scan", skillPath, { 
+    behavioral, 
+    detailed: true,
+    apiUrl,
+    useLLM,
+    policy
+  });
 
   if (res.exitCode === 0) {
     notifyFn(`✅ \`${name}\` 安全检查通过，可以正常使用。`);
@@ -318,6 +334,9 @@ function startWatcher(
   dirs: string[],
   onUnsafe: "quarantine" | "delete" | "warn",
   behavioral: boolean,
+  apiUrl: string,
+  useLLM: boolean,
+  policy: string,
   notifyFn: (msg: string) => void,
   logger: any
 ): () => void {
@@ -338,7 +357,7 @@ function startWatcher(
       if (prev) clearTimeout(prev);
       timers.set(skillPath, setTimeout(() => {
         timers.delete(skillPath);
-        handleNewSkill(skillPath, onUnsafe, behavioral, notifyFn, logger);
+        handleNewSkill(skillPath, onUnsafe, behavioral, apiUrl, useLLM, policy, notifyFn, logger);
       }, 500));
     });
   });
@@ -355,17 +374,24 @@ function startWatcher(
 
 export default function register(api: any) {
   const cfg: ScannerConfig = api.config?.plugins?.entries?.["skills-scanner"]?.config ?? {};
+  const apiUrl         = cfg.apiUrl         ?? "http://localhost:8000";
   const scanDirs       = (cfg.scanDirs?.map(expandPath) ?? []).filter(existsSync).length > 0
     ? (cfg.scanDirs!.map(expandPath))
     : defaultScanDirs();
   const behavioral     = cfg.behavioral     ?? false;
+  const useLLM         = cfg.useLLM         ?? false;
+  const policy         = cfg.policy         ?? "balanced";
   const preInstallScan = cfg.preInstallScan ?? "on";
   const onUnsafe       = cfg.onUnsafe       ?? "quarantine";
 
   api.logger.info("[skills-scanner] ═══════════════════════════════════════");
   api.logger.info("[skills-scanner] Plugin 正在加载...");
+  api.logger.info(`[skills-scanner] API 服务地址: ${apiUrl}`);
+  api.logger.info(`[skills-scanner] PLUGIN_ROOT: ${PLUGIN_ROOT}`);
+  api.logger.info(`[skills-scanner] SKILL_DIR: ${SKILL_DIR}`);
+  api.logger.info(`[skills-scanner] VENV_PYTHON: ${VENV_PYTHON}`);
+  api.logger.info(`[skills-scanner] SCAN_SCRIPT: ${SCAN_SCRIPT}`);
   api.logger.info(`[skills-scanner] 扫描目录: ${scanDirs.join(", ")}`);
-  api.logger.info(`[skills-scanner] Python venv 路径: ${VENV_PYTHON}`);
   api.logger.info(`[skills-scanner] Python 依赖状态: ${isVenvReady() ? "✅ 已就绪" : "❌ 未安装"}`);
 
   // 立即尝试安装依赖（不等待 service start）
@@ -409,7 +435,7 @@ export default function register(api: any) {
 
       if (preInstallScan === "on" && scanDirs.length > 0) {
         api.logger.info(`[skills-scanner] 📁 启动文件监控: ${scanDirs.length} 个目录`);
-        stopWatcher = startWatcher(scanDirs, onUnsafe, behavioral, persistWatcherAlert, api.logger);
+        stopWatcher = startWatcher(scanDirs, onUnsafe, behavioral, apiUrl, useLLM, policy, persistWatcherAlert, api.logger);
         api.logger.info("[skills-scanner] ✅ 文件监控已启动");
       } else {
         api.logger.info("[skills-scanner] ⏭️  安装前扫描已禁用");
@@ -463,14 +489,24 @@ export default function register(api: any) {
     handler: async (ctx: any) => {
       const raw = (ctx.args ?? "").trim();
       if (!raw) return { text: "用法：`/scan-skill <路径> [--detailed] [--behavioral]`" };
-      if (!isVenvReady()) return { text: "⏳ Python 依赖尚未就绪，请稍后重试" };
+      
+      // 先检查依赖
+      if (!isVenvReady()) {
+        return { text: "⏳ Python 依赖尚未就绪，请稍后重试或查看日志" };
+      }
 
       const parts      = raw.split(/\s+/);
       const skillPath  = expandPath(parts.find(p => !p.startsWith("--")) ?? "");
       const detailed   = parts.includes("--detailed");
       const useBehav   = parts.includes("--behavioral") || behavioral;
 
-      const res = await runScan("scan", skillPath, { detailed, behavioral: useBehav });
+      const res = await runScan("scan", skillPath, { 
+        detailed, 
+        behavioral: useBehav,
+        apiUrl,
+        useLLM,
+        policy
+      });
       const icon = res.exitCode === 0 ? "✅" : "❌";
       return { text: `${icon} 扫描完成\n\`\`\`\n${res.output}\n\`\`\`` };
     },
@@ -493,7 +529,14 @@ export default function register(api: any) {
       const detailed  = parts.includes("--detailed");
       const useBehav  = parts.includes("--behavioral") || behavioral;
 
-      const res = await runScan("batch", dirPath, { recursive, detailed, behavioral: useBehav });
+      const res = await runScan("batch", dirPath, { 
+        recursive, 
+        detailed, 
+        behavioral: useBehav,
+        apiUrl,
+        useLLM,
+        policy
+      });
       const icon = res.exitCode === 0 ? "✅" : "❌";
       return { text: `${icon} 批量扫描完成\n\`\`\`\n${res.output}\n\`\`\`` };
     },
@@ -508,7 +551,7 @@ export default function register(api: any) {
     handler: async (_ctx: any) => {
       if (!isVenvReady()) return { text: "⏳ Python 依赖尚未就绪，请稍后重试" };
       if (scanDirs.length === 0) return { text: "⚠️ 未找到可扫描目录，请检查配置" };
-      const report = await buildDailyReport(scanDirs, behavioral, api.logger);
+      const report = await buildDailyReport(scanDirs, behavioral, apiUrl, useLLM, policy, api.logger);
       return { text: report };
     },
   });
@@ -576,14 +619,21 @@ export default function register(api: any) {
     const { path: p, mode = "scan", recursive = false, detailed = false } = params ?? {};
     if (!p)             return respond(false, { error: "缺少 path 参数" });
     if (!isVenvReady()) return respond(false, { error: "Python 依赖未就绪" });
-    const res = await runScan(mode === "batch" ? "batch" : "scan", expandPath(p), { recursive, detailed, behavioral });
+    const res = await runScan(mode === "batch" ? "batch" : "scan", expandPath(p), { 
+      recursive, 
+      detailed, 
+      behavioral,
+      apiUrl,
+      useLLM,
+      policy
+    });
     respond(res.exitCode === 0, { output: res.output, exitCode: res.exitCode, is_safe: res.exitCode === 0 });
   });
 
   api.registerGatewayMethod("skillsScanner.report", async ({ respond }: any) => {
     if (!isVenvReady())          return respond(false, { error: "Python 依赖未就绪" });
     if (scanDirs.length === 0)   return respond(false, { error: "未找到可扫描目录" });
-    const report = await buildDailyReport(scanDirs, behavioral, api.logger);
+    const report = await buildDailyReport(scanDirs, behavioral, apiUrl, useLLM, policy, api.logger);
     respond(true, { report, state: loadState() });
   });
 
@@ -596,7 +646,12 @@ export default function register(api: any) {
       .option("--detailed",   "显示所有 findings")
       .option("--behavioral", "启用行为分析")
       .action(async (p: string, opts: any) => {
-        const res = await runScan("scan", expandPath(p), opts);
+        const res = await runScan("scan", expandPath(p), { 
+          ...opts, 
+          apiUrl, 
+          useLLM, 
+          policy 
+        });
         console.log(res.output);
         process.exit(res.exitCode);
       });
@@ -607,7 +662,12 @@ export default function register(api: any) {
       .option("--detailed",   "显示所有 findings")
       .option("--behavioral", "启用行为分析")
       .action(async (d: string, opts: any) => {
-        const res = await runScan("batch", expandPath(d), opts);
+        const res = await runScan("batch", expandPath(d), { 
+          ...opts, 
+          apiUrl, 
+          useLLM, 
+          policy 
+        });
         console.log(res.output);
         process.exit(res.exitCode);
       });
@@ -615,7 +675,7 @@ export default function register(api: any) {
     cmd.command("report")
       .description("立即执行全量扫描并打印日报")
       .action(async () => {
-        const report = await buildDailyReport(scanDirs, behavioral, console);
+        const report = await buildDailyReport(scanDirs, behavioral, apiUrl, useLLM, policy, console);
         console.log(report);
       });
   }, { commands: ["skills-scan"] });

package/openclaw.plugin.json

@@ -1,12 +1,17 @@
 {
   "id": "skills-scanner",
   "name": "Skills Security Scanner",
-  "description": "Skills 安全扫描：安装前扫描（fs.watch）、按需扫描、安全日报",
+  "description": "Skills 安全扫描：通过 HTTP API 调用远程 cisco-ai-skill-scanner 服务",
   "skills": ["./skills"],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
     "properties": {
+      "apiUrl": {
+        "type": "string",
+        "default": "http://localhost:8000",
+        "description": "cisco-ai-skill-scanner API 服务地址"
+      },
       "scanDirs": {
         "type": "array",
         "items": { "type": "string" },
@@ -15,7 +20,18 @@
       "behavioral": {
         "type": "boolean",
         "default": false,
-        "description": "启用 AST 行为分析（更准确但较慢）"
+        "description": "启用行为分析（更准确但较慢）"
+      },
+      "useLLM": {
+        "type": "boolean",
+        "default": false,
+        "description": "启用 LLM 分析（需要 API 服务配置 LLM）"
+      },
+      "policy": {
+        "type": "string",
+        "enum": ["strict", "balanced", "permissive"],
+        "default": "balanced",
+        "description": "扫描策略：strict（严格）/ balanced（平衡）/ permissive（宽松）"
       },
       "preInstallScan": {
         "type": "string",
@@ -32,8 +48,11 @@
     }
   },
   "uiHints": {
+    "apiUrl":         { "label": "API 服务地址", "placeholder": "http://localhost:8000" },
     "scanDirs":       { "label": "扫描目录（留空自动检测）" },
-    "behavioral":     { "label": "启用行为分析器" },
+    "behavioral":     { "label": "启用行为分析" },
+    "useLLM":         { "label": "启用 LLM 分析" },
+    "policy":         { "label": "扫描策略" },
     "preInstallScan": { "label": "安装前扫描（fs.watch）" },
     "onUnsafe":       { "label": "不安全 Skill 的处置方式" }
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pwddd/skills-scanner",
-  "version": "1.2.0",
+  "version": "2.0.0",
   "description": "OpenClaw Plugin：Skills 安全扫描、安装前拦截、安全日报",
   "main": "index.ts",
   "files": [

package/skills/skills-scanner/scan.py

@@ -1,11 +1,11 @@
 # /// script
 # dependencies = [
-#   "cisco-ai-skill-scanner>=0.1.0",
+#   "requests>=2.31.0",
 # ]
 # ///
 """
-OpenClaw Skills Security Scanner
-基于 cisco-ai-skill-scanner，支持单个/批量扫描
+OpenClaw Skills Security Scanner (HTTP Client)
+通过 HTTP API 调用远程 cisco-ai-skill-scanner 服务
 
 注意：此脚本必须使用 venv 中的 Python 运行
 """
@@ -14,22 +14,27 @@ import sys
 import os
 import json
 import argparse
+import tempfile
+import zipfile
+import time
 from pathlib import Path
+from typing import Optional, Dict, Any, List
 
 # ── 依赖检查 ──────────────────────────────────────────────────────────────────
 try:
-    from skill_scanner import SkillScanner
-    from skill_scanner.core.analyzers import (
-        StaticAnalyzer,
-        BehavioralAnalyzer,
-        PipelineAnalyzer,
-    )
-except ImportError:
-    print("❌ cisco-ai-skill-scanner 未安装。")
-    print("   请运行: uv pip install cisco-ai-skill-scanner")
+    import requests
+except ImportError as e:
+    print("❌ requests 未安装。")
+    print(f"   导入错误: {e}")
+    print("   请运行: uv pip install requests")
     sys.exit(1)
 
 
+# ── 配置 ──────────────────────────────────────────────────────────────────────
+DEFAULT_API_URL = os.getenv("SKILL_SCANNER_API_URL", "http://localhost:8000")
+REQUEST_TIMEOUT = 180  # 3 分钟超时
+
+
 # ── 颜色输出 ──────────────────────────────────────────────────────────────────
 USE_COLOR = sys.stdout.isatty()
 
@@ -44,231 +49,428 @@ BOLD   = lambda t: c(t, "1")
 DIM    = lambda t: c(t, "2")
 
 
-# ── 严重级别 ──────────────────────────────────────────────────────────────────
-SEVERITY_COLORS = {
-    "CRITICAL": RED,
-    "HIGH":     RED,
-    "MEDIUM":   YELLOW,
-    "LOW":      GREEN,
-    "INFO":     CYAN,
-}
-
-def severity_label(sev: str) -> str:
-    sev = (sev or "INFO").upper()
-    color = SEVERITY_COLORS.get(sev, CYAN)
-    return color(f"[{sev}]")
-
-
-# ── 构建 Scanner ──────────────────────────────────────────────────────────────
-def build_scanner(use_behavioral: bool = False, use_llm: bool = False) -> SkillScanner:
-    analyzers = [StaticAnalyzer(), PipelineAnalyzer()]
-    if use_behavioral:
-        analyzers.append(BehavioralAnalyzer())
-    if use_llm:
+# ── HTTP 客户端 ───────────────────────────────────────────────────────────────
+class SkillScannerClient:
+    """cisco-ai-skill-scanner HTTP API 客户端"""
+    
+    def __init__(self, base_url: str = DEFAULT_API_URL):
+        self.base_url = base_url.rstrip('/')
+        self.session = requests.Session()
+    
+    def health_check(self) -> bool:
+        """健康检查"""
         try:
-            from skill_scanner.core.analyzers import LLMAnalyzer
-            api_key = os.environ.get("SKILL_SCANNER_LLM_API_KEY")
-            if not api_key:
-                print(YELLOW("⚠️  未设置 SKILL_SCANNER_LLM_API_KEY，跳过 LLM 分析器"))
-            else:
-                analyzers.append(LLMAnalyzer())
-        except ImportError:
-            print(YELLOW("⚠️  LLM 分析器不可用，请安装: pip install cisco-ai-skill-scanner[llm]"))
-    return SkillScanner(analyzers=analyzers)
-
-
-# ── 单个 Skill 扫描 ───────────────────────────────────────────────────────────
-def scan_single(path: str, args) -> dict:
-    skill_path = Path(path).expanduser().resolve()
-
-    if not skill_path.exists():
-        return {"path": str(skill_path), "error": "路径不存在", "is_safe": False}
-
-    if not skill_path.is_dir():
-        return {"path": str(skill_path), "error": "必须是目录（Skill 文件夹）", "is_safe": False}
-
-    skill_md = skill_path / "SKILL.md"
-    if not skill_md.exists():
-        return {"path": str(skill_path), "error": "未找到 SKILL.md，不是合法的 Skill", "is_safe": False}
-
-    print(f"\n{BOLD('🔍 扫描:')} {CYAN(str(skill_path))}")
-
-    scanner = build_scanner(
-        use_behavioral=getattr(args, "behavioral", False),
-        use_llm=getattr(args, "llm", False),
-    )
-
-    result = scanner.scan_skill(str(skill_path))
-    findings = result.findings if hasattr(result, "findings") else []
-    max_sev   = str(result.max_severity) if hasattr(result, "max_severity") else "UNKNOWN"
-    is_safe   = bool(result.is_safe) if hasattr(result, "is_safe") else len(findings) == 0
-
+            response = self.session.get(f"{self.base_url}/health", timeout=5)
+            return response.status_code == 200
+        except Exception:
+            return False
+    
+    def scan_upload(
+        self,
+        skill_path: str,
+        policy: str = "balanced",
+        use_llm: bool = False,
+        use_behavioral: bool = False,
+        use_virustotal: bool = False,
+        use_aidefense: bool = False,
+        use_trigger: bool = False,
+        enable_meta: bool = False,
+        vt_api_key: Optional[str] = None,
+        aidefense_api_key: Optional[str] = None
+    ) -> Dict[str, Any]:
+        """上传 ZIP 文件扫描（单个 Skill）
+        
+        对应 API: POST /scan-upload
+        - 上传 ZIP 文件
+        - 服务器解压并查找 SKILL.md
+        - 返回扫描结果
+        """
+        # 创建临时 ZIP 文件
+        with tempfile.NamedTemporaryFile(suffix='.zip', delete=False) as tmp_zip:
+            zip_path = tmp_zip.name
+        
+        try:
+            # 打包 Skill 目录
+            self._create_zip(skill_path, zip_path)
+            
+            # 准备请求
+            with open(zip_path, 'rb') as f:
+                files = {'file': (os.path.basename(skill_path) + '.zip', f, 'application/zip')}
+                data = {
+                    'policy': policy,
+                    'use_llm': str(use_llm).lower(),
+                    'use_behavioral': str(use_behavioral).lower(),
+                    'use_virustotal': str(use_virustotal).lower(),
+                    'use_aidefense': str(use_aidefense).lower(),
+                    'use_trigger': str(use_trigger).lower(),
+                    'enable_meta': str(enable_meta).lower()
+                }
+                
+                # 添加认证头
+                headers = {}
+                if vt_api_key:
+                    headers['X-VirusTotal-Key'] = vt_api_key
+                if aidefense_api_key:
+                    headers['X-AIDefense-Key'] = aidefense_api_key
+                
+                response = self.session.post(
+                    f"{self.base_url}/scan-upload",
+                    files=files,
+                    data=data,
+                    headers=headers,
+                    timeout=REQUEST_TIMEOUT
+                )
+                response.raise_for_status()
+                return response.json()
+        finally:
+            # 清理临时文件
+            if os.path.exists(zip_path):
+                os.unlink(zip_path)
+    
+    def scan_batch_upload(
+        self,
+        skill_paths: List[str],
+        policy: str = "balanced",
+        use_llm: bool = False,
+        use_behavioral: bool = False,
+        max_concurrent: int = 3
+    ) -> List[Dict[str, Any]]:
+        """批量上传多个 Skill（客户端循环上传）
+        
+        注意：API 不支持批量上传，这里是客户端实现
+        """
+        results = []
+        
+        for i, skill_path in enumerate(skill_paths, 1):
+            print(f"[{i}/{len(skill_paths)}] 正在扫描: {skill_path}")
+            
+            try:
+                result = self.scan_upload(
+                    skill_path,
+                    policy=policy,
+                    use_llm=use_llm,
+                    use_behavioral=use_behavioral
+                )
+                results.append({
+                    'path': skill_path,
+                    'success': True,
+                    'result': result
+                })
+                status = "✓" if result.get('is_safe', False) else "✗"
+                print(f"  {status} {result.get('skill_name', 'Unknown')}: {result.get('findings_count', 0)} 个发现")
+            except Exception as e:
+                results.append({
+                    'path': skill_path,
+                    'success': False,
+                    'error': str(e)
+                })
+                print(f"  ✗ 失败: {e}")
+        
+        return results
+    
+    def scan_batch(
+        self,
+        skills_dir: str,
+        recursive: bool = False,
+        check_overlap: bool = False,
+        policy: str = "balanced",
+        use_llm: bool = False,
+        use_behavioral: bool = False
+    ) -> str:
+        """批量异步扫描（服务器本地目录），返回 scan_id
+        
+        对应 API: POST /scan-batch
+        - 扫描服务器本地目录中的多个技能
+        - 异步执行，返回 scan_id
+        - 需要轮询 GET /scan-batch/{scan_id} 获取结果
+        """
+        data = {
+            'skills_directory': skills_dir,
+            'recursive': recursive,
+            'check_overlap': check_overlap,
+            'policy': policy,
+            'use_llm': use_llm,
+            'use_behavioral': use_behavioral
+        }
+        
+        response = self.session.post(
+            f"{self.base_url}/scan-batch",
+            json=data,
+            timeout=30
+        )
+        response.raise_for_status()
+        return response.json()['scan_id']
+    
+    def get_batch_result(self, scan_id: str) -> Dict[str, Any]:
+        """获取批量扫描结果"""
+        response = self.session.get(
+            f"{self.base_url}/scan-batch/{scan_id}",
+            timeout=10
+        )
+        response.raise_for_status()
+        return response.json()
+    
+    def wait_for_batch(self, scan_id: str, poll_interval: int = 5) -> Dict[str, Any]:
+        """等待批量扫描完成"""
+        while True:
+            result = self.get_batch_result(scan_id)
+            status = result.get('status')
+            
+            if status == 'completed':
+                return result['result']
+            elif status == 'failed':
+                raise Exception(f"批量扫描失败: {result.get('error')}")
+            
+            time.sleep(poll_interval)
+    
+    @staticmethod
+    def _create_zip(source_dir: str, zip_path: str):
+        """创建 ZIP 文件"""
+        with zipfile.ZipFile(zip_path, 'w', zipfile.ZIP_DEFLATED) as zipf:
+            source_path = Path(source_dir)
+            for file_path in source_path.rglob('*'):
+                if file_path.is_file():
+                    arcname = file_path.relative_to(source_path.parent)
+                    zipf.write(file_path, arcname)
+
+
+# ── 格式化输出 ────────────────────────────────────────────────────────────────
+def format_scan_result(result: Dict[str, Any], detailed: bool = False) -> str:
+    """格式化扫描结果"""
+    lines = []
+    
+    # 基本信息
+    skill_name = result.get('skill_name', 'Unknown')
+    is_safe = result.get('is_safe', False)
+    max_severity = result.get('max_severity', 'NONE')
+    findings_count = result.get('findings_count', 0)
+    
     # 状态行
-    if is_safe:
-        status = GREEN("✅ 安全")
+    status_icon = GREEN("✓") if is_safe else RED("✗")
+    lines.append(f"{status_icon} {BOLD(skill_name)}")
+    lines.append(f"  严重性: {_severity_color(max_severity)}")
+    lines.append(f"  发现数: {findings_count}")
+    
+    # 详细发现
+    if detailed and findings_count > 0:
+        findings = result.get('findings', [])
+        lines.append("")
+        lines.append(BOLD("发现详情:"))
+        for i, finding in enumerate(findings[:10], 1):  # 最多显示 10 条
+            severity = finding.get('severity', 'UNKNOWN')
+            category = finding.get('category', 'Unknown')
+            description = finding.get('description', 'No description')
+            lines.append(f"  {i}. [{_severity_color(severity)}] {category}")
+            lines.append(f"     {description}")
+        
+        if len(findings) > 10:
+            lines.append(f"  ... 还有 {len(findings) - 10} 条发现")
+    
+    return "\n".join(lines)
+
+
+def format_batch_result(result: Dict[str, Any]) -> str:
+    """格式化批量扫描结果"""
+    lines = []
+    
+    total = result.get('total_skills_scanned', 0)
+    safe = result.get('safe_skills', 0)
+    unsafe = result.get('unsafe_skills', 0)
+    
+    lines.append(BOLD("批量扫描结果"))
+    lines.append(f"  总计: {total} 个 Skills")
+    lines.append(f"  安全: {GREEN(str(safe))}")
+    lines.append(f"  问题: {RED(str(unsafe))}")
+    
+    # 问题 Skills 列表
+    if unsafe > 0:
+        skills = result.get('skills', [])
+        unsafe_skills = [s for s in skills if not s.get('is_safe', True)]
+        lines.append("")
+        lines.append(BOLD("问题 Skills:"))
+        for skill in unsafe_skills[:10]:
+            name = skill.get('skill_name', 'Unknown')
+            severity = skill.get('max_severity', 'UNKNOWN')
+            count = skill.get('findings_count', 0)
+            lines.append(f"  • {name} [{_severity_color(severity)}] - {count} 条发现")
+    
+    return "\n".join(lines)
+
+
+def _severity_color(severity: str) -> str:
+    """严重性着色"""
+    severity_upper = severity.upper()
+    if severity_upper in ('CRITICAL', 'HIGH'):
+        return RED(severity_upper)
+    elif severity_upper == 'MEDIUM':
+        return YELLOW(severity_upper)
+    elif severity_upper == 'LOW':
+        return CYAN(severity_upper)
     else:
-        status = RED("❌ 发现问题") if max_sev in ("CRITICAL", "HIGH") else YELLOW("⚠️  需关注")
-
-    print(f"  状态: {status}  |  最高严重级别: {severity_label(max_sev)}  |  发现: {len(findings)} 条")
+        return DIM(severity_upper)
 
-    # 详细 findings
-    if findings and getattr(args, "detailed", False):
-        print(f"\n  {BOLD('发现详情:')}")
-        for i, f in enumerate(findings, 1):
-            sev  = str(getattr(f, "severity", "INFO")).upper()
-            name = getattr(f, "rule_id", getattr(f, "name", "unknown"))
-            desc = getattr(f, "description", getattr(f, "message", ""))
-            loc  = getattr(f, "location", getattr(f, "file", ""))
-            print(f"  {DIM(str(i)+'.')} {severity_label(sev)} {BOLD(name)}")
-            if desc:
-                print(f"     {desc}")
-            if loc:
-                print(f"     {DIM('位置: ' + str(loc))}")
-    elif findings and not getattr(args, "detailed", False):
-        # 非 detailed 模式只显示 HIGH/CRITICAL
-        serious = [f for f in findings if str(getattr(f, "severity", "")).upper() in ("CRITICAL", "HIGH")]
-        if serious:
-            print(f"\n  {BOLD('HIGH/CRITICAL 问题:')}")
-            for f in serious:
-                sev  = str(getattr(f, "severity", "HIGH")).upper()
-                name = getattr(f, "rule_id", getattr(f, "name", "unknown"))
-                desc = getattr(f, "description", getattr(f, "message", ""))
-                print(f"    {severity_label(sev)} {BOLD(name)}: {desc}")
 
-    return {
-        "path":         str(skill_path),
-        "name":         skill_path.name,
-        "is_safe":      is_safe,
-        "max_severity": max_sev,
-        "findings":     len(findings),
-    }
-
-
-# ── 批量扫描 ──────────────────────────────────────────────────────────────────
-def scan_batch(directory: str, args) -> list[dict]:
-    base = Path(directory).expanduser().resolve()
-
-    if not base.exists() or not base.is_dir():
-        print(RED(f"❌ 目录不存在: {base}"))
-        return []
-
-    # 查找所有含 SKILL.md 的子目录
-    skills: list[Path] = []
-
-    if getattr(args, "recursive", False):
-        for skill_md in sorted(base.rglob("SKILL.md")):
-            skills.append(skill_md.parent)
-    else:
-        for entry in sorted(base.iterdir()):
-            if entry.is_dir() and (entry / "SKILL.md").exists():
-                skills.append(entry)
-
-    if not skills:
-        print(YELLOW(f"⚠️  在 {base} 中未找到任何 Skill（含 SKILL.md 的目录）"))
-        return []
-
-    print(f"\n{BOLD('📂 批量扫描目录:')} {CYAN(str(base))}")
-    print(f"   发现 {BOLD(str(len(skills)))} 个 Skill\n")
-    print("─" * 60)
-
-    results = []
-    safe_count    = 0
-    unsafe_count  = 0
-    error_count   = 0
-
-    for skill_path in skills:
-        r = scan_single(str(skill_path), args)
-        results.append(r)
-        if r.get("error"):
-            error_count += 1
-        elif r.get("is_safe"):
-            safe_count += 1
-        else:
-            unsafe_count += 1
-
-    # 汇总
-    print("\n" + "═" * 60)
-    print(BOLD("📊 批量扫描汇总"))
-    print("═" * 60)
-    print(f"  总计:    {len(results)} 个 Skill")
-    print(f"  {GREEN('✅ 安全:')}   {safe_count} 个")
-    print(f"  {RED('❌ 问题:')}   {unsafe_count} 个")
-    if error_count:
-        print(f"  {YELLOW('⚠️  错误:')}   {error_count} 个")
-
-    # 问题 Skill 列表
-    unsafe = [r for r in results if not r.get("is_safe") and not r.get("error")]
-    if unsafe:
-        print(f"\n  {BOLD(RED('需要关注的 Skills:'))}")
-        for r in unsafe:
-            sev = r.get("max_severity", "UNKNOWN")
-            print(f"    {severity_label(sev)} {r['name']}  ({r.get('findings', 0)} 条发现)")
-            print(f"        {DIM(r['path'])}")
-
-    return results
-
-
-# ── JSON 输出 ─────────────────────────────────────────────────────────────────
-def save_json(data, output_path: str):
-    with open(output_path, "w", encoding="utf-8") as f:
-        json.dump(data, f, ensure_ascii=False, indent=2)
-    print(f"\n{GREEN('💾 结果已保存:')} {output_path}")
-
-
-# ── CLI 入口 ──────────────────────────────────────────────────────────────────
+# ── 命令行接口 ────────────────────────────────────────────────────────────────
 def main():
     parser = argparse.ArgumentParser(
-        prog="scan.py",
-        description="OpenClaw Skills 安全扫描器（基于 cisco-ai-skill-scanner）",
-        formatter_class=argparse.RawDescriptionHelpFormatter,
-        epilog="""
-示例:
-  单个扫描:
-    python scan.py scan ~/.openclaw/skills/my-skill
-    python scan.py scan ./my-skill --detailed --behavioral
-
-  批量扫描:
-    python scan.py batch ~/.openclaw/skills
-    python scan.py batch ~/.openclaw/skills --recursive --json results.json
-    python scan.py batch ./skills --detailed --llm
-        """,
+        description="OpenClaw Skills Security Scanner (HTTP Client)",
+        formatter_class=argparse.RawDescriptionHelpFormatter
     )
-
-    sub = parser.add_subparsers(dest="command", required=True)
-
-    # -- scan 子命令
-    p_scan = sub.add_parser("scan", help="扫描单个 Skill 目录")
-    p_scan.add_argument("path", help="Skill 目录路径（含 SKILL.md 的文件夹）")
-    p_scan.add_argument("--detailed",   action="store_true", help="显示所有 findings 详情")
-    p_scan.add_argument("--behavioral", action="store_true", help="启用行为分析器（AST dataflow）")
-    p_scan.add_argument("--llm",        action="store_true", help="启用 LLM 语义分析器（需要 API Key）")
-    p_scan.add_argument("--json",       metavar="FILE",      help="将结果保存为 JSON 文件")
-
-    # -- batch 子命令
-    p_batch = sub.add_parser("batch", help="批量扫描目录下所有 Skills")
-    p_batch.add_argument("directory", help="包含多个 Skill 的目录")
-    p_batch.add_argument("--recursive",  action="store_true", help="递归扫描子目录")
-    p_batch.add_argument("--detailed",   action="store_true", help="显示所有 findings 详情")
-    p_batch.add_argument("--behavioral", action="store_true", help="启用行为分析器")
-    p_batch.add_argument("--llm",        action="store_true", help="启用 LLM 语义分析器")
-    p_batch.add_argument("--json",       metavar="FILE",      help="将结果保存为 JSON 文件")
-
+    
+    parser.add_argument(
+        '--api-url',
+        default=DEFAULT_API_URL,
+        help=f'API 服务地址 (默认: {DEFAULT_API_URL})'
+    )
+    
+    subparsers = parser.add_subparsers(dest='command', help='命令')
+    
+    # scan 命令
+    scan_parser = subparsers.add_parser('scan', help='扫描单个 Skill（上传 ZIP）')
+    scan_parser.add_argument('path', help='Skill 目录路径')
+    scan_parser.add_argument('--detailed', action='store_true', help='显示详细发现')
+    scan_parser.add_argument('--behavioral', action='store_true', help='启用行为分析')
+    scan_parser.add_argument('--llm', action='store_true', help='启用 LLM 分析')
+    scan_parser.add_argument('--virustotal', action='store_true', help='启用 VirusTotal')
+    scan_parser.add_argument('--aidefense', action='store_true', help='启用 AI Defense')
+    scan_parser.add_argument('--trigger', action='store_true', help='启用触发器分析')
+    scan_parser.add_argument('--meta', action='store_true', help='启用元分析（误报过滤）')
+    scan_parser.add_argument('--policy', default='balanced', help='扫描策略')
+    scan_parser.add_argument('--json', metavar='FILE', help='输出 JSON 到文件')
+    
+    # batch 命令（服务器本地路径批量扫描）
+    batch_parser = subparsers.add_parser('batch', help='批量扫描（服务器本地目录）')
+    batch_parser.add_argument('path', help='Skills 目录路径（服务器本地）')
+    batch_parser.add_argument('--recursive', action='store_true', help='递归扫描')
+    batch_parser.add_argument('--check-overlap', action='store_true', help='检查技能描述重叠')
+    batch_parser.add_argument('--policy', default='balanced', help='扫描策略')
+    batch_parser.add_argument('--json', metavar='FILE', help='输出 JSON 到文件')
+    
+    # batch-upload 命令（客户端批量上传）
+    batch_upload_parser = subparsers.add_parser('batch-upload', help='批量上传多个 Skills（客户端循环）')
+    batch_upload_parser.add_argument('paths', nargs='+', help='多个 Skill 目录路径')
+    batch_upload_parser.add_argument('--behavioral', action='store_true', help='启用行为分析')
+    batch_upload_parser.add_argument('--llm', action='store_true', help='启用 LLM 分析')
+    batch_upload_parser.add_argument('--policy', default='balanced', help='扫描策略')
+    batch_upload_parser.add_argument('--json', metavar='FILE', help='输出 JSON 到文件')
+    
+    # health 命令
+    subparsers.add_parser('health', help='健康检查')
+    
     args = parser.parse_args()
-
-    if args.command == "scan":
-        result = scan_single(args.path, args)
-        if args.json:
-            save_json(result, args.json)
-        # 退出码：不安全返回 1
-        sys.exit(0 if result.get("is_safe") else 1)
-
-    elif args.command == "batch":
-        results = scan_batch(args.directory, args)
-        if args.json:
-            save_json(results, args.json)
-        unsafe = [r for r in results if not r.get("is_safe")]
-        sys.exit(0 if not unsafe else 1)
-
-
-if __name__ == "__main__":
+    
+    if not args.command:
+        parser.print_help()
+        sys.exit(1)
+    
+    # 创建客户端
+    client = SkillScannerClient(args.api_url)
+    
+    try:
+        if args.command == 'health':
+            if client.health_check():
+                print(GREEN("✓") + " API 服务正常")
+                sys.exit(0)
+            else:
+                print(RED("✗") + f" API 服务不可用: {args.api_url}")
+                sys.exit(1)
+        
+        elif args.command == 'scan':
+            print(f"正在扫描: {args.path}")
+            result = client.scan_upload(
+                args.path,
+                policy=args.policy,
+                use_llm=args.llm,
+                use_behavioral=args.behavioral,
+                use_virustotal=args.virustotal if hasattr(args, 'virustotal') else False,
+                use_aidefense=args.aidefense if hasattr(args, 'aidefense') else False,
+                use_trigger=args.trigger if hasattr(args, 'trigger') else False,
+                enable_meta=args.meta if hasattr(args, 'meta') else False
+            )
+            
+            # 输出结果
+            if args.json:
+                with open(args.json, 'w') as f:
+                    json.dump(result, f, indent=2)
+                print(f"结果已保存到: {args.json}")
+            else:
+                print(format_scan_result(result, args.detailed))
+            
+            # 退出码
+            sys.exit(0 if result.get('is_safe', False) else 1)
+        
+        elif args.command == 'batch':
+            print(f"正在批量扫描: {args.path}")
+            scan_id = client.scan_batch(
+                args.path,
+                recursive=args.recursive,
+                check_overlap=args.check_overlap if hasattr(args, 'check_overlap') else False,
+                policy=args.policy
+            )
+            print(f"扫描 ID: {scan_id}")
+            print("等待扫描完成...")
+            
+            result = client.wait_for_batch(scan_id)
+            
+            # 输出结果
+            if args.json:
+                with open(args.json, 'w') as f:
+                    json.dump(result, f, indent=2)
+                print(f"结果已保存到: {args.json}")
+            else:
+                print(format_batch_result(result))
+            
+            # 退出码
+            unsafe = result.get('unsafe_skills', 0)
+            sys.exit(0 if unsafe == 0 else 1)
+        
+        elif args.command == 'batch-upload':
+            print(f"正在批量上传 {len(args.paths)} 个 Skills...")
+            results = client.scan_batch_upload(
+                args.paths,
+                policy=args.policy,
+                use_llm=args.llm,
+                use_behavioral=args.behavioral
+            )
+            
+            # 统计结果
+            total = len(results)
+            success = sum(1 for r in results if r['success'])
+            failed = total - success
+            
+            # 输出结果
+            if args.json:
+                with open(args.json, 'w') as f:
+                    json.dump(results, f, indent=2)
+                print(f"\n结果已保存到: {args.json}")
+            
+            print(f"\n批量上传完成: {success}/{total} 成功, {failed} 失败")
+            
+            # 退出码
+            sys.exit(0 if failed == 0 else 1)
+    
+    except requests.exceptions.ConnectionError:
+        print(RED("✗") + f" 无法连接到 API 服务: {args.api_url}")
+        print("请确保 skill-scanner-api 服务正在运行")
+        sys.exit(1)
+    except requests.exceptions.Timeout:
+        print(RED("✗") + " 请求超时")
+        sys.exit(1)
+    except requests.exceptions.HTTPError as e:
+        print(RED("✗") + f" HTTP 错误: {e}")
+        if e.response is not None:
+            try:
+                error_detail = e.response.json()
+                print(f"详情: {error_detail}")
+            except:
+                print(f"响应: {e.response.text}")
+        sys.exit(1)
+    except Exception as e:
+        print(RED("✗") + f" 错误: {e}")
+        import traceback
+        traceback.print_exc()
+        sys.exit(1)
+
+
+if __name__ == '__main__':
     main()