@skillctl/security 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/LICENSE ADDED
@@ -0,0 +1,21 @@
1
+ MIT License
2
+
3
+ Copyright (c) 2026 skillctl contributors
4
+
5
+ Permission is hereby granted, free of charge, to any person obtaining a copy
6
+ of this software and associated documentation files (the "Software"), to deal
7
+ in the Software without restriction, including without limitation the rights
8
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9
+ copies of the Software, and to permit persons to whom the Software is
10
+ furnished to do so, subject to the following conditions:
11
+
12
+ The above copyright notice and this permission notice shall be included in all
13
+ copies or substantial portions of the Software.
14
+
15
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21
+ SOFTWARE.
@@ -0,0 +1,3 @@
1
+ export { runAudit, auditExitCode } from './runner.js';
2
+ export type { AuditReport, AuditFinding, AuditSeverity } from './types.js';
3
+ //# sourceMappingURL=index.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AACtD,YAAY,EAAE,WAAW,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC"}
package/dist/index.js ADDED
@@ -0,0 +1,2 @@
1
+ export { runAudit, auditExitCode } from './runner.js';
2
+ //# sourceMappingURL=index.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC"}
@@ -0,0 +1,4 @@
1
+ import type { SkillLockfile } from '@skillctl/core';
2
+ import type { AuditFinding } from '../types.js';
3
+ export declare function checkIntegrityDrift(lock: SkillLockfile): Promise<AuditFinding[]>;
4
+ //# sourceMappingURL=integrity-drift.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"integrity-drift.d.ts","sourceRoot":"","sources":["../../src/rules/integrity-drift.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAEpD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAEhD,wBAAsB,mBAAmB,CAAC,IAAI,EAAE,aAAa,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,CA0BtF"}
@@ -0,0 +1,31 @@
1
+ import { stat } from 'node:fs/promises';
2
+ import { computeDirIntegrity } from '@skillctl/core';
3
+ export async function checkIntegrityDrift(lock) {
4
+ const findings = [];
5
+ for (const [name, entry] of Object.entries(lock.skills)) {
6
+ try {
7
+ await stat(entry.canonicalPath);
8
+ const integrity = await computeDirIntegrity(entry.canonicalPath);
9
+ if (integrity !== entry.integrity) {
10
+ findings.push({
11
+ rule: 'integrity-drift',
12
+ severity: 'error',
13
+ skill: name,
14
+ message: `Canonical integrity mismatch (lock: ${entry.integrity.slice(0, 24)}...)`,
15
+ path: entry.canonicalPath,
16
+ });
17
+ }
18
+ }
19
+ catch {
20
+ findings.push({
21
+ rule: 'integrity-drift',
22
+ severity: 'error',
23
+ skill: name,
24
+ message: 'Canonical path missing',
25
+ path: entry.canonicalPath,
26
+ });
27
+ }
28
+ }
29
+ return findings;
30
+ }
31
+ //# sourceMappingURL=integrity-drift.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"integrity-drift.js","sourceRoot":"","sources":["../../src/rules/integrity-drift.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AAExC,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAGrD,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,IAAmB;IAC3D,MAAM,QAAQ,GAAmB,EAAE,CAAC;IACpC,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;QACxD,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;YAChC,MAAM,SAAS,GAAG,MAAM,mBAAmB,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;YACjE,IAAI,SAAS,KAAK,KAAK,CAAC,SAAS,EAAE,CAAC;gBAClC,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,iBAAiB;oBACvB,QAAQ,EAAE,OAAO;oBACjB,KAAK,EAAE,IAAI;oBACX,OAAO,EAAE,uCAAuC,KAAK,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM;oBAClF,IAAI,EAAE,KAAK,CAAC,aAAa;iBAC1B,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,QAAQ,CAAC,IAAI,CAAC;gBACZ,IAAI,EAAE,iBAAiB;gBACvB,QAAQ,EAAE,OAAO;gBACjB,KAAK,EAAE,IAAI;gBACX,OAAO,EAAE,wBAAwB;gBACjC,IAAI,EAAE,KAAK,CAAC,aAAa;aAC1B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC"}
@@ -0,0 +1,3 @@
1
+ import type { AuditFinding } from '../types.js';
2
+ export declare function checkNameDirMatch(skillName: string, canonicalPath: string): Promise<AuditFinding[]>;
3
+ //# sourceMappingURL=name-dir-match.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"name-dir-match.d.ts","sourceRoot":"","sources":["../../src/rules/name-dir-match.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAEhD,wBAAsB,iBAAiB,CAAC,SAAS,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,CAyBzG"}
@@ -0,0 +1,31 @@
1
+ import { readFile } from 'node:fs/promises';
2
+ import { join } from 'node:path';
3
+ import { canonicalizeName } from '@skillctl/core';
4
+ export async function checkNameDirMatch(skillName, canonicalPath) {
5
+ const findings = [];
6
+ for (const f of ['SKILL.md', 'skill.md']) {
7
+ try {
8
+ const content = await readFile(join(canonicalPath, f), 'utf8');
9
+ const match = content.match(/(?:^|\n)\s*name:\s*["']?([^"'\n#]+)["']?/i);
10
+ if (match) {
11
+ const fmName = canonicalizeName(match[1].trim());
12
+ const dirName = canonicalizeName(skillName);
13
+ if (fmName !== dirName) {
14
+ findings.push({
15
+ rule: 'name-dir-match',
16
+ severity: 'warning',
17
+ skill: skillName,
18
+ message: `SKILL.md name "${fmName}" does not match lock name "${dirName}"`,
19
+ path: join(canonicalPath, f),
20
+ });
21
+ }
22
+ }
23
+ break;
24
+ }
25
+ catch {
26
+ // try next
27
+ }
28
+ }
29
+ return findings;
30
+ }
31
+ //# sourceMappingURL=name-dir-match.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"name-dir-match.js","sourceRoot":"","sources":["../../src/rules/name-dir-match.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAGlD,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,SAAiB,EAAE,aAAqB;IAC9E,MAAM,QAAQ,GAAmB,EAAE,CAAC;IACpC,KAAK,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,EAAE,CAAC;QACzC,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;YAC/D,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,2CAA2C,CAAC,CAAC;YACzE,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,MAAM,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;gBACjD,MAAM,OAAO,GAAG,gBAAgB,CAAC,SAAS,CAAC,CAAC;gBAC5C,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;oBACvB,QAAQ,CAAC,IAAI,CAAC;wBACZ,IAAI,EAAE,gBAAgB;wBACtB,QAAQ,EAAE,SAAS;wBACnB,KAAK,EAAE,SAAS;wBAChB,OAAO,EAAE,kBAAkB,MAAM,+BAA+B,OAAO,GAAG;wBAC1E,IAAI,EAAE,IAAI,CAAC,aAAa,EAAE,CAAC,CAAC;qBAC7B,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YACD,MAAM;QACR,CAAC;QAAC,MAAM,CAAC;YACP,WAAW;QACb,CAAC;IACH,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC"}
@@ -0,0 +1,3 @@
1
+ import type { AuditFinding } from '../types.js';
2
+ export declare function checkPathTraversal(skillName: string, canonicalPath: string): Promise<AuditFinding[]>;
3
+ //# sourceMappingURL=path-traversal.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"path-traversal.d.ts","sourceRoot":"","sources":["../../src/rules/path-traversal.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAehD,wBAAsB,kBAAkB,CAAC,SAAS,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,CAsB1G"}
@@ -0,0 +1,41 @@
1
+ import { readFile, readdir } from 'node:fs/promises';
2
+ import { join } from 'node:path';
3
+ async function walkAll(dir, out) {
4
+ try {
5
+ const entries = await readdir(dir, { withFileTypes: true });
6
+ for (const e of entries) {
7
+ const p = join(dir, e.name);
8
+ if (e.isDirectory() && !e.name.startsWith('.'))
9
+ await walkAll(p, out);
10
+ else if (e.isFile() && /\.(md|txt|sh|py|js|ts|json)$/i.test(e.name))
11
+ out.push(p);
12
+ }
13
+ }
14
+ catch {
15
+ // ignore
16
+ }
17
+ }
18
+ export async function checkPathTraversal(skillName, canonicalPath) {
19
+ const findings = [];
20
+ const files = [];
21
+ await walkAll(canonicalPath, files);
22
+ for (const file of files) {
23
+ try {
24
+ const content = await readFile(file, 'utf8');
25
+ if (/\.\.\//.test(content) || /\/etc\/passwd/.test(content)) {
26
+ findings.push({
27
+ rule: 'path-traversal',
28
+ severity: 'warning',
29
+ skill: skillName,
30
+ message: 'Possible path traversal reference in file content',
31
+ path: file,
32
+ });
33
+ }
34
+ }
35
+ catch {
36
+ // ignore
37
+ }
38
+ }
39
+ return findings;
40
+ }
41
+ //# sourceMappingURL=path-traversal.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"path-traversal.js","sourceRoot":"","sources":["../../src/rules/path-traversal.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAGjC,KAAK,UAAU,OAAO,CAAC,GAAW,EAAE,GAAa;IAC/C,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;QAC5D,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;YACxB,MAAM,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;YAC5B,IAAI,CAAC,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;gBAAE,MAAM,OAAO,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;iBACjE,IAAI,CAAC,CAAC,MAAM,EAAE,IAAI,+BAA+B,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;gBAAE,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACnF,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,SAAS;IACX,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,SAAiB,EAAE,aAAqB;IAC/E,MAAM,QAAQ,GAAmB,EAAE,CAAC;IACpC,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,MAAM,OAAO,CAAC,aAAa,EAAE,KAAK,CAAC,CAAC;IAEpC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;YAC7C,IAAI,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC5D,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,gBAAgB;oBACtB,QAAQ,EAAE,SAAS;oBACnB,KAAK,EAAE,SAAS;oBAChB,OAAO,EAAE,mDAAmD;oBAC5D,IAAI,EAAE,IAAI;iBACX,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;IACH,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC"}
@@ -0,0 +1,3 @@
1
+ import type { AuditFinding } from '../types.js';
2
+ export declare function checkScriptHeuristics(skillName: string, canonicalPath: string): Promise<AuditFinding[]>;
3
+ //# sourceMappingURL=script-heuristics.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"script-heuristics.d.ts","sourceRoot":"","sources":["../../src/rules/script-heuristics.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAwBhD,wBAAsB,qBAAqB,CAAC,SAAS,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,CAyB7G"}
@@ -0,0 +1,52 @@
1
+ import { readFile, readdir } from 'node:fs/promises';
2
+ import { join } from 'node:path';
3
+ const SUSPICIOUS = [
4
+ /\brm\s+-rf\s+\//,
5
+ /\bcurl\b.*\|\s*(ba)?sh/,
6
+ /\bwget\b/,
7
+ /\beval\s*\(/,
8
+ /\bexec\s*\(/,
9
+ /child_process/,
10
+ ];
11
+ async function walkScripts(dir, out) {
12
+ try {
13
+ const entries = await readdir(dir, { withFileTypes: true });
14
+ for (const e of entries) {
15
+ const p = join(dir, e.name);
16
+ if (e.isDirectory() && !e.name.startsWith('.'))
17
+ await walkScripts(p, out);
18
+ else if (e.isFile() && /\.(sh|bash|py|js|ts|mjs)$/i.test(e.name))
19
+ out.push(p);
20
+ }
21
+ }
22
+ catch {
23
+ // ignore
24
+ }
25
+ }
26
+ export async function checkScriptHeuristics(skillName, canonicalPath) {
27
+ const findings = [];
28
+ const scriptsDir = join(canonicalPath, 'scripts');
29
+ const files = [];
30
+ await walkScripts(scriptsDir, files);
31
+ for (const file of files) {
32
+ try {
33
+ const content = await readFile(file, 'utf8');
34
+ for (const pattern of SUSPICIOUS) {
35
+ if (pattern.test(content)) {
36
+ findings.push({
37
+ rule: 'script-heuristics',
38
+ severity: 'warning',
39
+ skill: skillName,
40
+ message: `Suspicious pattern in script: ${pattern.source}`,
41
+ path: file,
42
+ });
43
+ }
44
+ }
45
+ }
46
+ catch {
47
+ // unreadable
48
+ }
49
+ }
50
+ return findings;
51
+ }
52
+ //# sourceMappingURL=script-heuristics.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"script-heuristics.js","sourceRoot":"","sources":["../../src/rules/script-heuristics.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAGjC,MAAM,UAAU,GAAG;IACjB,iBAAiB;IACjB,wBAAwB;IACxB,UAAU;IACV,aAAa;IACb,aAAa;IACb,eAAe;CAChB,CAAC;AAEF,KAAK,UAAU,WAAW,CAAC,GAAW,EAAE,GAAa;IACnD,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;QAC5D,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;YACxB,MAAM,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;YAC5B,IAAI,CAAC,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;gBAAE,MAAM,WAAW,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;iBACrE,IAAI,CAAC,CAAC,MAAM,EAAE,IAAI,4BAA4B,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;gBAAE,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAChF,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,SAAS;IACX,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,SAAiB,EAAE,aAAqB;IAClF,MAAM,QAAQ,GAAmB,EAAE,CAAC;IACpC,MAAM,UAAU,GAAG,IAAI,CAAC,aAAa,EAAE,SAAS,CAAC,CAAC;IAClD,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,MAAM,WAAW,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;IAErC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;YAC7C,KAAK,MAAM,OAAO,IAAI,UAAU,EAAE,CAAC;gBACjC,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;oBAC1B,QAAQ,CAAC,IAAI,CAAC;wBACZ,IAAI,EAAE,mBAAmB;wBACzB,QAAQ,EAAE,SAAS;wBACnB,KAAK,EAAE,SAAS;wBAChB,OAAO,EAAE,iCAAiC,OAAO,CAAC,MAAM,EAAE;wBAC1D,IAAI,EAAE,IAAI;qBACX,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,aAAa;QACf,CAAC;IACH,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC"}
@@ -0,0 +1,3 @@
1
+ import type { AuditFinding } from '../types.js';
2
+ export declare function checkSizeLimits(skillName: string, canonicalPath: string): Promise<AuditFinding[]>;
3
+ //# sourceMappingURL=size-limits.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"size-limits.d.ts","sourceRoot":"","sources":["../../src/rules/size-limits.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAKhD,wBAAsB,eAAe,CAAC,SAAS,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,CA2CvG"}
@@ -0,0 +1,49 @@
1
+ import { readFile, readdir, stat } from 'node:fs/promises';
2
+ import { join } from 'node:path';
3
+ const MAX_SKILL_MD_LINES = 10_000;
4
+ const MAX_FILE_BYTES = 5 * 1024 * 1024;
5
+ export async function checkSizeLimits(skillName, canonicalPath) {
6
+ const findings = [];
7
+ for (const f of ['SKILL.md', 'skill.md']) {
8
+ try {
9
+ const content = await readFile(join(canonicalPath, f), 'utf8');
10
+ const lines = content.split('\n').length;
11
+ if (lines > MAX_SKILL_MD_LINES) {
12
+ findings.push({
13
+ rule: 'size-limits',
14
+ severity: 'warning',
15
+ skill: skillName,
16
+ message: `SKILL.md has ${lines} lines (>${MAX_SKILL_MD_LINES})`,
17
+ path: join(canonicalPath, f),
18
+ });
19
+ }
20
+ break;
21
+ }
22
+ catch {
23
+ // continue
24
+ }
25
+ }
26
+ async function walk(dir) {
27
+ const entries = await readdir(dir, { withFileTypes: true }).catch(() => []);
28
+ for (const e of entries) {
29
+ const p = join(dir, e.name);
30
+ if (e.isDirectory())
31
+ await walk(p);
32
+ else if (e.isFile()) {
33
+ const st = await stat(p);
34
+ if (st.size > MAX_FILE_BYTES) {
35
+ findings.push({
36
+ rule: 'size-limits',
37
+ severity: 'warning',
38
+ skill: skillName,
39
+ message: `Large file ${(st.size / 1024 / 1024).toFixed(1)}MB`,
40
+ path: p,
41
+ });
42
+ }
43
+ }
44
+ }
45
+ }
46
+ await walk(canonicalPath);
47
+ return findings;
48
+ }
49
+ //# sourceMappingURL=size-limits.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"size-limits.js","sourceRoot":"","sources":["../../src/rules/size-limits.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AAC3D,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAGjC,MAAM,kBAAkB,GAAG,MAAM,CAAC;AAClC,MAAM,cAAc,GAAG,CAAC,GAAG,IAAI,GAAG,IAAI,CAAC;AAEvC,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,SAAiB,EAAE,aAAqB;IAC5E,MAAM,QAAQ,GAAmB,EAAE,CAAC;IAEpC,KAAK,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,EAAE,CAAC;QACzC,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;YAC/D,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC;YACzC,IAAI,KAAK,GAAG,kBAAkB,EAAE,CAAC;gBAC/B,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,aAAa;oBACnB,QAAQ,EAAE,SAAS;oBACnB,KAAK,EAAE,SAAS;oBAChB,OAAO,EAAE,gBAAgB,KAAK,YAAY,kBAAkB,GAAG;oBAC/D,IAAI,EAAE,IAAI,CAAC,aAAa,EAAE,CAAC,CAAC;iBAC7B,CAAC,CAAC;YACL,CAAC;YACD,MAAM;QACR,CAAC;QAAC,MAAM,CAAC;YACP,WAAW;QACb,CAAC;IACH,CAAC;IAED,KAAK,UAAU,IAAI,CAAC,GAAW;QAC7B,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;QAC5E,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;YACxB,MAAM,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;YAC5B,IAAI,CAAC,CAAC,WAAW,EAAE;gBAAE,MAAM,IAAI,CAAC,CAAC,CAAC,CAAC;iBAC9B,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC;gBACpB,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,CAAC,CAAC,CAAC;gBACzB,IAAI,EAAE,CAAC,IAAI,GAAG,cAAc,EAAE,CAAC;oBAC7B,QAAQ,CAAC,IAAI,CAAC;wBACZ,IAAI,EAAE,aAAa;wBACnB,QAAQ,EAAE,SAAS;wBACnB,KAAK,EAAE,SAAS;wBAChB,OAAO,EAAE,cAAc,CAAC,EAAE,CAAC,IAAI,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI;wBAC7D,IAAI,EAAE,CAAC;qBACR,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IACD,MAAM,IAAI,CAAC,aAAa,CAAC,CAAC;IAC1B,OAAO,QAAQ,CAAC;AAClB,CAAC"}
@@ -0,0 +1,4 @@
1
+ import type { AuditReport } from './types.js';
2
+ export declare function runAudit(cwd?: string): Promise<AuditReport>;
3
+ export declare function auditExitCode(report: AuditReport, strict?: boolean): number;
4
+ //# sourceMappingURL=runner.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"runner.d.ts","sourceRoot":"","sources":["../src/runner.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,WAAW,EAAgB,MAAM,YAAY,CAAC;AAO5D,wBAAsB,QAAQ,CAAC,GAAG,SAAgB,GAAG,OAAO,CAAC,WAAW,CAAC,CAwBxE;AAED,wBAAgB,aAAa,CAAC,MAAM,EAAE,WAAW,EAAE,MAAM,UAAQ,GAAG,MAAM,CAKzE"}
package/dist/runner.js ADDED
@@ -0,0 +1,37 @@
1
+ import { loadLockfile } from '@skillctl/lockfile';
2
+ import { checkIntegrityDrift } from './rules/integrity-drift.js';
3
+ import { checkScriptHeuristics } from './rules/script-heuristics.js';
4
+ import { checkNameDirMatch } from './rules/name-dir-match.js';
5
+ import { checkPathTraversal } from './rules/path-traversal.js';
6
+ import { checkSizeLimits } from './rules/size-limits.js';
7
+ export async function runAudit(cwd = process.cwd()) {
8
+ const lock = await loadLockfile(cwd);
9
+ if (!lock || Object.keys(lock.skills).length === 0) {
10
+ return { status: 'ok', findings: [], scanned: 0 };
11
+ }
12
+ const findings = [];
13
+ findings.push(...(await checkIntegrityDrift(lock)));
14
+ for (const [name, entry] of Object.entries(lock.skills)) {
15
+ findings.push(...(await checkNameDirMatch(name, entry.canonicalPath)));
16
+ findings.push(...(await checkScriptHeuristics(name, entry.canonicalPath)));
17
+ findings.push(...(await checkPathTraversal(name, entry.canonicalPath)));
18
+ findings.push(...(await checkSizeLimits(name, entry.canonicalPath)));
19
+ }
20
+ const hasError = findings.some((f) => f.severity === 'error');
21
+ const hasWarning = findings.some((f) => f.severity === 'warning');
22
+ return {
23
+ status: hasError ? 'errors' : hasWarning ? 'warnings' : 'ok',
24
+ findings,
25
+ scanned: Object.keys(lock.skills).length,
26
+ };
27
+ }
28
+ export function auditExitCode(report, strict = false) {
29
+ if (report.status === 'errors')
30
+ return 2;
31
+ if (strict && report.status === 'warnings')
32
+ return 2;
33
+ if (report.status === 'warnings')
34
+ return 1;
35
+ return 0;
36
+ }
37
+ //# sourceMappingURL=runner.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"runner.js","sourceRoot":"","sources":["../src/runner.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAElD,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AACjE,OAAO,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAC/D,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAEzD,MAAM,CAAC,KAAK,UAAU,QAAQ,CAAC,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE;IAChD,MAAM,IAAI,GAAG,MAAM,YAAY,CAAC,GAAG,CAAC,CAAC;IACrC,IAAI,CAAC,IAAI,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACnD,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;IACpD,CAAC;IAED,MAAM,QAAQ,GAAmB,EAAE,CAAC;IACpC,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,mBAAmB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAEpD,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;QACxD,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,iBAAiB,CAAC,IAAI,EAAE,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;QACvE,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,qBAAqB,CAAC,IAAI,EAAE,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;QAC3E,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,kBAAkB,CAAC,IAAI,EAAE,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;QACxE,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,eAAe,CAAC,IAAI,EAAE,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;IACvE,CAAC;IAED,MAAM,QAAQ,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC;IAC9D,MAAM,UAAU,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC;IAElE,OAAO;QACL,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI;QAC5D,QAAQ;QACR,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,MAAM;KACzC,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,MAAmB,EAAE,MAAM,GAAG,KAAK;IAC/D,IAAI,MAAM,CAAC,MAAM,KAAK,QAAQ;QAAE,OAAO,CAAC,CAAC;IACzC,IAAI,MAAM,IAAI,MAAM,CAAC,MAAM,KAAK,UAAU;QAAE,OAAO,CAAC,CAAC;IACrD,IAAI,MAAM,CAAC,MAAM,KAAK,UAAU;QAAE,OAAO,CAAC,CAAC;IAC3C,OAAO,CAAC,CAAC;AACX,CAAC"}
@@ -0,0 +1,14 @@
1
+ export type AuditSeverity = 'info' | 'warning' | 'error';
2
+ export interface AuditFinding {
3
+ rule: string;
4
+ severity: AuditSeverity;
5
+ skill: string;
6
+ message: string;
7
+ path?: string;
8
+ }
9
+ export interface AuditReport {
10
+ status: 'ok' | 'warnings' | 'errors';
11
+ findings: AuditFinding[];
12
+ scanned: number;
13
+ }
14
+ //# sourceMappingURL=types.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,aAAa,GAAG,MAAM,GAAG,SAAS,GAAG,OAAO,CAAC;AAEzD,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,aAAa,CAAC;IACxB,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,IAAI,GAAG,UAAU,GAAG,QAAQ,CAAC;IACrC,QAAQ,EAAE,YAAY,EAAE,CAAC;IACzB,OAAO,EAAE,MAAM,CAAC;CACjB"}
package/dist/types.js ADDED
@@ -0,0 +1,2 @@
1
+ export {};
2
+ //# sourceMappingURL=types.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":""}
package/package.json ADDED
@@ -0,0 +1,42 @@
1
+ {
2
+ "name": "@skillctl/security",
3
+ "version": "0.2.0",
4
+ "description": "Security scanner and audit for skillctl skills",
5
+ "license": "MIT",
6
+ "author": "skillctl contributors",
7
+ "type": "module",
8
+ "main": "./dist/index.js",
9
+ "types": "./dist/index.d.ts",
10
+ "files": [
11
+ "dist"
12
+ ],
13
+ "dependencies": {
14
+ "@skillctl/core": "0.2.0",
15
+ "@skillctl/lockfile": "0.2.0"
16
+ },
17
+ "devDependencies": {
18
+ "@types/node": "^20.14.0",
19
+ "rimraf": "^5.0.7",
20
+ "typescript": "^5.6.3"
21
+ },
22
+ "engines": {
23
+ "node": ">=22.13"
24
+ },
25
+ "repository": {
26
+ "type": "git",
27
+ "url": "https://github.com/xFurti/skillctl.git",
28
+ "directory": "packages/security"
29
+ },
30
+ "keywords": [
31
+ "security",
32
+ "audit",
33
+ "agent-skills",
34
+ "scanner"
35
+ ],
36
+ "scripts": {
37
+ "build": "tsc -b",
38
+ "clean": "rimraf dist",
39
+ "lint": "tsc --noEmit",
40
+ "test": "node --test ./dist/test/*.test.js 2>&1 || echo 'run after build'"
41
+ }
42
+ }