@skillkit/core 1.14.0 → 1.15.0

package/dist/index.js

@@ -31748,6 +31748,1438 @@ var SkillInjector = class {
     return this.cache.stats();
   }
 };
+
+// src/scanner/types.ts
+var Severity = /* @__PURE__ */ ((Severity2) => {
+  Severity2["CRITICAL"] = "critical";
+  Severity2["HIGH"] = "high";
+  Severity2["MEDIUM"] = "medium";
+  Severity2["LOW"] = "low";
+  Severity2["INFO"] = "info";
+  Severity2["SAFE"] = "safe";
+  return Severity2;
+})(Severity || {});
+var ThreatCategory = /* @__PURE__ */ ((ThreatCategory2) => {
+  ThreatCategory2["PROMPT_INJECTION"] = "prompt-injection";
+  ThreatCategory2["COMMAND_INJECTION"] = "command-injection";
+  ThreatCategory2["DATA_EXFILTRATION"] = "data-exfiltration";
+  ThreatCategory2["TOOL_ABUSE"] = "tool-abuse";
+  ThreatCategory2["HARDCODED_SECRETS"] = "hardcoded-secrets";
+  ThreatCategory2["UNICODE_STEGANOGRAPHY"] = "unicode-steganography";
+  ThreatCategory2["OBFUSCATION"] = "obfuscation";
+  ThreatCategory2["SOCIAL_ENGINEERING"] = "social-engineering";
+  ThreatCategory2["AUTONOMY_ABUSE"] = "autonomy-abuse";
+  ThreatCategory2["POLICY_VIOLATION"] = "policy-violation";
+  return ThreatCategory2;
+})(ThreatCategory || {});
+
+// src/scanner/analyzers/static.ts
+import { readFile } from "fs/promises";
+import { extname as extname5 } from "path";
+
+// src/scanner/rules/prompt-injection.ts
+var promptInjectionRules = [
+  {
+    id: "PI001",
+    category: "prompt-injection" /* PROMPT_INJECTION */,
+    severity: "critical" /* CRITICAL */,
+    patterns: [/ignore\s+(all\s+)?(previous|above|prior)\s+(instructions?|rules?|guidelines?)/i],
+    description: "Instruction override: attempts to discard system instructions",
+    remediation: "Remove instruction override language. Skills should not attempt to modify agent behavior."
+  },
+  {
+    id: "PI002",
+    category: "prompt-injection" /* PROMPT_INJECTION */,
+    severity: "critical" /* CRITICAL */,
+    patterns: [/forget\s+(everything|all|what)\s+(you|i)\s+(told|said|learned)/i],
+    description: "Context clearing: attempts to wipe agent memory",
+    remediation: "Remove context-clearing instructions."
+  },
+  {
+    id: "PI003",
+    category: "prompt-injection" /* PROMPT_INJECTION */,
+    severity: "critical" /* CRITICAL */,
+    patterns: [/disregard\s+(your|all|the)\s+(training|programming|instructions?)/i],
+    description: "Training bypass: attempts to override agent training",
+    remediation: "Remove training bypass instructions."
+  },
+  {
+    id: "PI004",
+    category: "prompt-injection" /* PROMPT_INJECTION */,
+    severity: "critical" /* CRITICAL */,
+    patterns: [/new\s+instructions?:\s*$/im, /system\s+prompt:\s*$/im],
+    description: "System prompt injection: attempts to inject new system-level instructions",
+    remediation: "Do not include system prompt markers in skill content."
+  },
+  {
+    id: "PI005",
+    category: "prompt-injection" /* PROMPT_INJECTION */,
+    severity: "high" /* HIGH */,
+    patterns: [/you\s+are\s+(now|actually|really)\s+(a|an|the)/i],
+    description: "Role manipulation: attempts to reassign agent identity",
+    remediation: "Skills should not attempt to change the agent's role or identity."
+  },
+  {
+    id: "PI006",
+    category: "prompt-injection" /* PROMPT_INJECTION */,
+    severity: "high" /* HIGH */,
+    patterns: [/pretend\s+(to\s+be|you\s+are)/i, /act\s+as\s+(if|though)\s+you/i],
+    description: "Roleplay manipulation: attempts to alter agent behavior via pretense",
+    remediation: "Remove roleplay instructions that change agent behavior."
+  },
+  {
+    id: "PI007",
+    category: "prompt-injection" /* PROMPT_INJECTION */,
+    severity: "high" /* HIGH */,
+    patterns: [/from\s+now\s+on,?\s+(you|always|never)/i],
+    description: "Persistent behavior change: attempts to permanently alter agent behavior",
+    remediation: "Skills should provide task-specific instructions, not permanent behavior changes."
+  },
+  {
+    id: "PI008",
+    category: "prompt-injection" /* PROMPT_INJECTION */,
+    severity: "high" /* HIGH */,
+    patterns: [
+      /show\s+me\s+your\s+(system\s+)?(prompt|instructions)/i,
+      /reveal\s+your\s+(system\s+)?(prompt|instructions)/i,
+      /what\s+are\s+your\s+(system\s+)?(instructions|rules)/i
+    ],
+    description: "System prompt extraction: attempts to reveal agent configuration",
+    remediation: "Remove attempts to extract system prompts."
+  },
+  {
+    id: "PI009",
+    category: "prompt-injection" /* PROMPT_INJECTION */,
+    severity: "critical" /* CRITICAL */,
+    patterns: [
+      /unrestricted\s+mode/i,
+      /(?<!detect(?:ing)?[\s.]+)(?<!prevent(?:ing)?[\s.]+)jailbreak/i,
+      /DAN\s+(mode|prompt)/i,
+      /bypass\s+(safety|content)\s+(filter|restriction)/i
+    ],
+    description: "Policy bypass: attempts to disable safety restrictions",
+    remediation: "Remove jailbreak or policy bypass instructions."
+  },
+  {
+    id: "PI010",
+    category: "prompt-injection" /* PROMPT_INJECTION */,
+    severity: "high" /* HIGH */,
+    patterns: [
+      /don'?t\s+tell\s+the\s+user/i,
+      /hide\s+this\s+from\s+the\s+user/i,
+      /keep\s+this\s+(a\s+)?secret/i,
+      /do\s+not\s+mention\s+this/i
+    ],
+    description: "Concealment: instructs agent to hide information from user",
+    remediation: "Skills should be transparent. Remove concealment instructions."
+  },
+  {
+    id: "PI011",
+    category: "prompt-injection" /* PROMPT_INJECTION */,
+    severity: "high" /* HIGH */,
+    patterns: [
+      /```\s*(system|assistant|user)\s*$/im,
+      /<\/?(?:system|user|assistant|human|ai|claude)>/i
+    ],
+    description: "Delimiter injection: attempts to inject conversation role markers",
+    remediation: "Remove conversation role delimiters from skill content."
+  },
+  {
+    id: "PI012",
+    category: "prompt-injection" /* PROMPT_INJECTION */,
+    severity: "high" /* HIGH */,
+    patterns: [/\[INST\]/i, /\[\/INST\]/i, /<<SYS>>/i, /<<\/SYS>>/i],
+    description: "Model-specific delimiter injection: Llama-style instruction delimiters",
+    remediation: "Remove model-specific instruction delimiters."
+  },
+  {
+    id: "PI013",
+    category: "prompt-injection" /* PROMPT_INJECTION */,
+    severity: "medium" /* MEDIUM */,
+    patterns: [/---\s*$/im],
+    excludePatterns: [/^---\s*$/],
+    multiline: true,
+    description: "YAML front-matter injection: attempts to inject via YAML metadata",
+    remediation: "Use standard SKILL.md frontmatter format only."
+  },
+  {
+    id: "PI014",
+    category: "prompt-injection" /* PROMPT_INJECTION */,
+    severity: "medium" /* MEDIUM */,
+    patterns: [
+      /<!--[^>]{0,500}?(?:ignore|system|instruction|secret|override)[^>]{0,500}?-->/i
+    ],
+    description: "Hidden HTML comments with suspicious instruction content",
+    remediation: "Do not hide instructions in HTML comments."
+  },
+  {
+    id: "PI015",
+    category: "prompt-injection" /* PROMPT_INJECTION */,
+    severity: "medium" /* MEDIUM */,
+    patterns: [/\[comment\]:\s*#\s*\([^)]*(?:ignore|system|override)[^)]*\)/i],
+    description: "Hidden Markdown comments with suspicious content",
+    remediation: "Do not hide instructions in Markdown comments."
+  }
+];
+
+// src/scanner/rules/command-injection.ts
+var commandInjectionRules = [
+  {
+    id: "CI001",
+    category: "command-injection" /* COMMAND_INJECTION */,
+    severity: "critical" /* CRITICAL */,
+    patterns: [/\beval\s*\(/],
+    excludePatterns: [/\/\/.*\beval\b/, /#.*\beval\b/, /['"].*\beval\b.*['"]/],
+    fileTypes: ["typescript", "javascript", "python"],
+    description: "eval() call: dynamic code execution",
+    remediation: "Replace eval() with safer alternatives like JSON.parse() or dedicated parsers."
+  },
+  {
+    id: "CI002",
+    category: "command-injection" /* COMMAND_INJECTION */,
+    severity: "critical" /* CRITICAL */,
+    patterns: [/new\s+Function\s*\(/, /\bFunction\s*\(\s*['"`]/],
+    fileTypes: ["typescript", "javascript"],
+    description: "Function() constructor: dynamic code generation",
+    remediation: "Avoid Function() constructor. Use static code structures."
+  },
+  {
+    id: "CI003",
+    category: "command-injection" /* COMMAND_INJECTION */,
+    severity: "critical" /* CRITICAL */,
+    patterns: [
+      /child_process\s*['"]?\s*\)\s*\.\s*exec\s*\(/,
+      /\bexec\s*\(\s*['"`].*\$\{/,
+      /\bexecSync\s*\(/,
+      /require\s*\(\s*['"]child_process['"]\s*\)/
+    ],
+    fileTypes: ["typescript", "javascript"],
+    description: "child_process execution: shell command injection risk",
+    remediation: "Use execFile() with argument arrays instead of exec() with string interpolation."
+  },
+  {
+    id: "CI004",
+    category: "command-injection" /* COMMAND_INJECTION */,
+    severity: "critical" /* CRITICAL */,
+    patterns: [
+      /subprocess\.(?:call|run|Popen)\s*\([^)]*shell\s*=\s*True/,
+      /os\.system\s*\(/,
+      /os\.popen\s*\(/
+    ],
+    fileTypes: ["python"],
+    description: "Python shell execution with shell=True or os.system()",
+    remediation: "Use subprocess.run() with shell=False and argument lists."
+  },
+  {
+    id: "CI005",
+    category: "command-injection" /* COMMAND_INJECTION */,
+    severity: "medium" /* MEDIUM */,
+    patterns: [/`[^`]*\$\{[^}]*\}[^`]*`/],
+    excludePatterns: [/console\.log/, /logger\./, /throw\s+new/, /return\s+`/, /=\s*`/, /\+\s*`/, /\(\s*`/],
+    fileTypes: ["typescript", "javascript"],
+    description: "Template literal with dynamic content in potential command context",
+    remediation: "Avoid interpolating user input into command strings. Use argument arrays."
+  },
+  {
+    id: "CI006",
+    category: "command-injection" /* COMMAND_INJECTION */,
+    severity: "medium" /* MEDIUM */,
+    patterns: [/\.\.\//, /\.\.\\/],
+    excludePatterns: [/import\s+.*from\s+['"]\.\.\//, /require\s*\(\s*['"]\.\.\//, /\/\/.*\.\.\//, /#.*\.\.\//, /\]\(\.\.\//, /href\s*=\s*['"]\.\.\//, /src\s*=\s*['"]\.\.\//, /include\s+['"]\.\.\//, /!\[.*\]\(\.\.\//, /\.\.\/node_modules/],
+    fileTypes: ["typescript", "javascript", "python", "bash"],
+    description: "Path traversal: relative path escaping directory boundaries",
+    remediation: "Use path.resolve() and validate paths are within expected directories."
+  },
+  {
+    id: "CI007",
+    category: "command-injection" /* COMMAND_INJECTION */,
+    severity: "high" /* HIGH */,
+    patterns: [
+      /;\s*(?:rm|cat|curl|wget|nc|ncat)\s+/,
+      /\|\s*(?:sh|bash|zsh|dash)\b/,
+      /&&\s*(?:rm|curl|wget)\s+/
+    ],
+    fileTypes: ["bash", "markdown"],
+    description: "Shell command chaining with dangerous commands",
+    remediation: "Avoid chaining shell commands. Use discrete, validated command invocations."
+  },
+  {
+    id: "CI008",
+    category: "command-injection" /* COMMAND_INJECTION */,
+    severity: "medium" /* MEDIUM */,
+    patterns: [/\bexec\s*\(/, /\bspawn\s*\(/],
+    excludePatterns: [/execFile\s*\(/, /\.exec\s*\(/, /RegExp.*\.exec/],
+    fileTypes: ["typescript", "javascript"],
+    description: "Process execution functions detected",
+    remediation: "Prefer execFile() over exec(). Validate all command arguments."
+  },
+  {
+    id: "CI009",
+    category: "command-injection" /* COMMAND_INJECTION */,
+    severity: "high" /* HIGH */,
+    patterns: [
+      /\b__import__\s*\(/,
+      /\bcompile\s*\(\s*['"][^'"]*['"]\s*,\s*['"][^'"]*['"]\s*,\s*['"]exec['"]\s*\)/
+    ],
+    fileTypes: ["python"],
+    description: "Python dynamic import or code compilation",
+    remediation: "Use standard import statements. Avoid dynamic code compilation."
+  },
+  {
+    id: "CI010",
+    category: "command-injection" /* COMMAND_INJECTION */,
+    severity: "medium" /* MEDIUM */,
+    patterns: [/\bvm\.runIn(?:ThisContext|NewContext|Context)\s*\(/],
+    fileTypes: ["typescript", "javascript"],
+    description: "Node.js vm module: sandboxed but potentially dangerous code execution",
+    remediation: "Avoid vm module for untrusted code. Use proper sandboxing solutions."
+  }
+];
+
+// src/scanner/rules/data-exfiltration.ts
+var dataExfiltrationRules = [
+  {
+    id: "DE001",
+    category: "data-exfiltration" /* DATA_EXFILTRATION */,
+    severity: "high" /* HIGH */,
+    patterns: [
+      /https?:\/\/(?:discord(?:app)?\.com\/api\/webhooks|ptb\.discord\.com\/api\/webhooks)\//i,
+      /https?:\/\/hooks\.slack\.com\/services\//i,
+      /https?:\/\/api\.telegram\.org\/bot/i
+    ],
+    description: "Webhook URL detected: Discord, Slack, or Telegram webhook endpoint",
+    remediation: "Remove hardcoded webhook URLs. Use environment variables or configuration files."
+  },
+  {
+    id: "DE002",
+    category: "data-exfiltration" /* DATA_EXFILTRATION */,
+    severity: "high" /* HIGH */,
+    patterns: [
+      /(?:fetch|axios|request|got|ky|undici)\s*(?:\.\s*post)?\s*\([^)]*(?:process\.env|credentials|password|secret|token)/i
+    ],
+    description: "HTTP request sending sensitive data: credentials or environment variables in request",
+    remediation: "Never send credentials or env vars to external services from skill code."
+  },
+  {
+    id: "DE003",
+    category: "data-exfiltration" /* DATA_EXFILTRATION */,
+    severity: "medium" /* MEDIUM */,
+    patterns: [
+      /process\.env\[/,
+      /process\.env\./,
+      /os\.environ/,
+      /\$ENV\{/
+    ],
+    excludePatterns: [/process\.env\.NODE_ENV/, /process\.env\.HOME/, /process\.env\.PATH/],
+    description: "Environment variable access: skill reads environment variables",
+    remediation: "Skills should declare required env vars in manifest, not access them directly."
+  },
+  {
+    id: "DE004",
+    category: "data-exfiltration" /* DATA_EXFILTRATION */,
+    severity: "high" /* HIGH */,
+    patterns: [
+      /readFile.*(?:\.env|credentials|\.aws|\.ssh|\.gnupg|\.netrc)/i,
+      /open\s*\(\s*['"].*(?:\.env|credentials|\.aws|\.ssh|\.gnupg)/i,
+      /cat\s+.*(?:\.env|credentials|id_rsa|\.aws\/)/i
+    ],
+    description: "Sensitive file access: reading credential or configuration files",
+    remediation: "Skills should not read user credential files."
+  },
+  {
+    id: "DE005",
+    category: "data-exfiltration" /* DATA_EXFILTRATION */,
+    severity: "medium" /* MEDIUM */,
+    patterns: [
+      /new\s+WebSocket\s*\(\s*['"`]/,
+      /\bio\.connect\s*\(/
+    ],
+    description: "WebSocket connection: potential covert data channel",
+    remediation: "Document all network connections. Avoid persistent connections in skills."
+  },
+  {
+    id: "DE006",
+    category: "data-exfiltration" /* DATA_EXFILTRATION */,
+    severity: "high" /* HIGH */,
+    patterns: [
+      /https?:\/\/[a-z0-9]+\.ngrok\b/i,
+      /https?:\/\/[a-z0-9]+\.serveo\.net/i,
+      /https?:\/\/[a-z0-9]+\.loca\.lt/i,
+      /https?:\/\/[a-z0-9]+\.burpcollaborator\.net/i
+    ],
+    description: "Tunneling service URL: potential data exfiltration via tunnel",
+    remediation: "Remove tunneling service URLs. Use official API endpoints."
+  },
+  {
+    id: "DE007",
+    category: "data-exfiltration" /* DATA_EXFILTRATION */,
+    severity: "medium" /* MEDIUM */,
+    patterns: [
+      /dns\.resolve/i,
+      /\bdnslookup\b/i,
+      /\bnslookup\s+/i,
+      /\bdig\s+/i
+    ],
+    description: "DNS-based data exfiltration: DNS queries can encode stolen data",
+    remediation: "Skills should not perform DNS queries unless explicitly required."
+  },
+  {
+    id: "DE008",
+    category: "data-exfiltration" /* DATA_EXFILTRATION */,
+    severity: "medium" /* MEDIUM */,
+    patterns: [
+      /(?:fetch|axios|request|got)\s*\(\s*['"`]https?:\/\/(?!localhost|127\.0\.0\.1)/
+    ],
+    excludePatterns: [/(?:npmjs\.org|github\.com|githubusercontent\.com|registry\.npmmirror)/],
+    fileTypes: ["typescript", "javascript"],
+    description: "External HTTP request: skill makes outbound network call",
+    remediation: "Declare all external URLs in skill manifest. Minimize network access."
+  }
+];
+
+// src/scanner/rules/tool-abuse.ts
+var toolAbuseRules = [
+  {
+    id: "TA001",
+    category: "tool-abuse" /* TOOL_ABUSE */,
+    severity: "high" /* HIGH */,
+    patterns: [
+      /(?:override|replace|redefine|shadow)\s+(?:the\s+)?(?:built-?in|default|original)\s+(?:tool|function|command)/i
+    ],
+    fileTypes: ["markdown"],
+    description: "Tool shadowing: instructs agent to override built-in tools",
+    remediation: "Skills should extend functionality, not replace built-in tools."
+  },
+  {
+    id: "TA002",
+    category: "autonomy-abuse" /* AUTONOMY_ABUSE */,
+    severity: "high" /* HIGH */,
+    patterns: [
+      /(?:keep|continue)\s+(?:retrying|trying|running)\s+(?:until|without)/i,
+      /(?:run|execute|proceed)\s+without\s+(?:confirmation|approval|asking)/i,
+      /(?:auto-?approve|skip\s+confirmation|bypass\s+approval)/i,
+      /(?:don'?t|do\s+not|never)\s+(?:ask|prompt|wait)\s+(?:for|the)\s+(?:permission|confirmation|approval)/i
+    ],
+    fileTypes: ["markdown"],
+    description: "Autonomy abuse: instructs agent to bypass user confirmation",
+    remediation: "Skills must respect user confirmation flows. Remove autonomy escalation."
+  },
+  {
+    id: "TA003",
+    category: "tool-abuse" /* TOOL_ABUSE */,
+    severity: "medium" /* MEDIUM */,
+    patterns: [
+      /(?:discover|find|list|enumerate)\s+(?:all\s+)?(?:available\s+)?(?:tools|capabilities|functions)/i,
+      /(?:enable|activate|unlock)\s+(?:all\s+)?(?:hidden|disabled|extra)\s+(?:tools|capabilities)/i
+    ],
+    fileTypes: ["markdown"],
+    description: "Capability inflation: attempts to discover or enable additional tools",
+    remediation: "Skills should use only declared tools. Do not probe for hidden capabilities."
+  },
+  {
+    id: "TA004",
+    category: "tool-abuse" /* TOOL_ABUSE */,
+    severity: "high" /* HIGH */,
+    patterns: [
+      /read\s+(?:the\s+)?(?:file|contents?).*(?:then|and)\s+(?:send|post|upload|transmit)/i,
+      /(?:access|read|get)\s+.*(?:credential|secret|key|token).*(?:then|and)\s+(?:send|share|post)/i
+    ],
+    fileTypes: ["markdown"],
+    description: "Tool chaining: read sensitive data then send externally",
+    remediation: "Skills should not combine file reading with external transmission."
+  },
+  {
+    id: "TA005",
+    category: "social-engineering" /* SOCIAL_ENGINEERING */,
+    severity: "medium" /* MEDIUM */,
+    patterns: [
+      /(?:urgent|immediately|critical|emergency)[!:]\s+(?:you\s+must|run|execute|do\s+this)/i,
+      /(?:as\s+(?:an?\s+)?(?:admin|root|superuser|administrator)),?\s+(?:I|we)\s+(?:require|need|demand)/i
+    ],
+    fileTypes: ["markdown"],
+    description: "Social engineering: uses urgency or authority to manipulate agent",
+    remediation: "Remove manipulative language. Provide clear, neutral instructions."
+  },
+  {
+    id: "TA006",
+    category: "tool-abuse" /* TOOL_ABUSE */,
+    severity: "medium" /* MEDIUM */,
+    patterns: [
+      /(?:when|if)\s+(?:the\s+)?(?:user|human)\s+(?:isn'?t|is\s+not)\s+(?:looking|watching|present)/i,
+      /(?:only|secretly)\s+(?:when|while)\s+(?:idle|unattended|background)/i
+    ],
+    fileTypes: ["markdown"],
+    description: "Stealth execution: instructs agent to act when user is not present",
+    remediation: "All skill actions must be transparent and auditable."
+  }
+];
+
+// src/scanner/rules/unicode.ts
+var unicodeRules = [
+  {
+    id: "UC001",
+    category: "unicode-steganography" /* UNICODE_STEGANOGRAPHY */,
+    severity: "medium" /* MEDIUM */,
+    patterns: [/\u200B|\u200C|\u200D|\uFEFF/],
+    description: "Zero-width characters detected: may hide invisible instructions",
+    remediation: "Remove zero-width characters (U+200B, U+200C, U+200D, U+FEFF)."
+  },
+  {
+    id: "UC002",
+    category: "unicode-steganography" /* UNICODE_STEGANOGRAPHY */,
+    severity: "high" /* HIGH */,
+    patterns: [/[\u202A-\u202E]/],
+    description: "Bidirectional text override: can reverse displayed text direction to hide content",
+    remediation: "Remove bidirectional override characters (U+202A-U+202E)."
+  },
+  {
+    id: "UC003",
+    category: "unicode-steganography" /* UNICODE_STEGANOGRAPHY */,
+    severity: "high" /* HIGH */,
+    patterns: [/[\u2066-\u2069]/],
+    description: "Bidirectional isolate characters: can create hidden text regions",
+    remediation: "Remove bidirectional isolate characters (U+2066-U+2069)."
+  },
+  {
+    id: "UC004",
+    category: "unicode-steganography" /* UNICODE_STEGANOGRAPHY */,
+    severity: "high" /* HIGH */,
+    patterns: [/[\u{E0001}-\u{E007F}]/u],
+    description: "Tag characters detected: Unicode tag block can encode hidden payloads",
+    remediation: "Remove Unicode tag characters (U+E0001-U+E007F)."
+  },
+  {
+    id: "UC005",
+    category: "unicode-steganography" /* UNICODE_STEGANOGRAPHY */,
+    severity: "medium" /* MEDIUM */,
+    // biome-ignore lint/suspicious/noControlCharactersInRegex: intentional detection of control characters
+    patterns: [/[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F-\u009F]/],
+    description: "Control characters detected: non-printable characters in content",
+    remediation: "Remove control characters. Use only printable Unicode content."
+  },
+  {
+    id: "UC006",
+    category: "obfuscation" /* OBFUSCATION */,
+    severity: "medium" /* MEDIUM */,
+    patterns: [
+      /atob\s*\(\s*['"`][A-Za-z0-9+/=]{40,}['"`]\s*\)/,
+      /Buffer\.from\s*\(\s*['"`][A-Za-z0-9+/=]{40,}['"`]\s*,\s*['"`]base64['"`]\s*\)/,
+      /base64\.b64decode\s*\(\s*['"`][A-Za-z0-9+/=]{40,}['"`]\s*\)/
+    ],
+    description: "Base64-encoded payload: long encoded string being decoded at runtime",
+    remediation: "Avoid embedding base64-encoded payloads. Use plain text or documented data formats."
+  },
+  {
+    id: "UC007",
+    category: "obfuscation" /* OBFUSCATION */,
+    severity: "medium" /* MEDIUM */,
+    patterns: [
+      /\\x[0-9a-fA-F]{2}(?:\\x[0-9a-fA-F]{2}){9,}/,
+      /\\u[0-9a-fA-F]{4}(?:\\u[0-9a-fA-F]{4}){9,}/
+    ],
+    description: "Hex/Unicode escape sequences: potential obfuscated content",
+    remediation: "Use readable strings instead of hex or unicode escape sequences."
+  }
+];
+
+// src/scanner/rules/index.ts
+function getAllRules() {
+  return [
+    ...promptInjectionRules,
+    ...commandInjectionRules,
+    ...dataExfiltrationRules,
+    ...toolAbuseRules,
+    ...unicodeRules
+  ];
+}
+
+// src/scanner/analyzers/static.ts
+var EXT_TO_FILETYPE = {
+  ".ts": "typescript",
+  ".tsx": "typescript",
+  ".js": "javascript",
+  ".jsx": "javascript",
+  ".mjs": "javascript",
+  ".cjs": "javascript",
+  ".py": "python",
+  ".sh": "bash",
+  ".bash": "bash",
+  ".zsh": "bash",
+  ".md": "markdown",
+  ".mdx": "markdown"
+};
+var PLACEHOLDER_PATTERNS = [
+  /your[-_]?api[-_]?key/i,
+  /example[-_]?token/i,
+  /sample[-_]?secret/i,
+  /dummy[-_]?password/i,
+  /placeholder/i,
+  /xxx+/i,
+  /\.\.\./,
+  /TODO/,
+  /FIXME/
+];
+var TEST_FILE_PATTERNS = [
+  /\.test\.[jt]sx?$/,
+  /\.spec\.[jt]sx?$/,
+  /__tests__\//,
+  /test\//,
+  /tests\//,
+  /\.stories\.[jt]sx?$/
+];
+function isTestFile(filePath) {
+  return TEST_FILE_PATTERNS.some((p) => p.test(filePath));
+}
+function isPlaceholderLine(line) {
+  return PLACEHOLDER_PATTERNS.some((p) => p.test(line));
+}
+function getFileType(filePath) {
+  return EXT_TO_FILETYPE[extname5(filePath)];
+}
+function ruleMatchesFileType(rule, fileType) {
+  if (!rule.fileTypes || rule.fileTypes.length === 0) return true;
+  if (!fileType) return true;
+  return rule.fileTypes.includes(fileType);
+}
+function matchesExcludePatterns(line, rule) {
+  if (!rule.excludePatterns) return false;
+  return rule.excludePatterns.some((p) => p.test(line));
+}
+var StaticAnalyzer = class {
+  name = "static";
+  rules;
+  skipRules;
+  findingCounter = 0;
+  constructor(skipRules) {
+    this.rules = getAllRules();
+    this.skipRules = new Set(skipRules ?? []);
+  }
+  async analyze(_skillPath, files) {
+    this.findingCounter = 0;
+    const findings = [];
+    for (const file of files) {
+      if (isTestFile(file)) continue;
+      const fileType = getFileType(file);
+      const applicableRules = this.rules.filter(
+        (r) => !this.skipRules.has(r.id) && ruleMatchesFileType(r, fileType)
+      );
+      if (applicableRules.length === 0) continue;
+      let content;
+      try {
+        content = await readFile(file, "utf-8");
+      } catch {
+        continue;
+      }
+      const lines = content.split("\n");
+      for (const rule of applicableRules) {
+        if (rule.multiline) {
+          for (const pattern of rule.patterns) {
+            pattern.lastIndex = 0;
+            let match;
+            while ((match = pattern.exec(content)) !== null) {
+              const lineNumber = content.substring(0, match.index).split("\n").length;
+              const snippetStart = Math.max(0, match.index - 40);
+              const snippet = content.substring(snippetStart, match.index + match[0].length + 40).trim().substring(0, 200);
+              if (isPlaceholderLine(snippet) || matchesExcludePatterns(snippet, rule)) {
+                if (!pattern.global) break;
+                continue;
+              }
+              findings.push({
+                id: `F${++this.findingCounter}`,
+                ruleId: rule.id,
+                category: rule.category,
+                severity: rule.severity,
+                title: rule.description,
+                description: rule.description,
+                filePath: file,
+                lineNumber,
+                snippet,
+                remediation: rule.remediation,
+                analyzer: this.name
+              });
+              if (!pattern.global) break;
+            }
+          }
+          continue;
+        }
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (isPlaceholderLine(line)) continue;
+          if (matchesExcludePatterns(line, rule)) continue;
+          for (const pattern of rule.patterns) {
+            pattern.lastIndex = 0;
+            if (pattern.test(line)) {
+              findings.push({
+                id: `F${++this.findingCounter}`,
+                ruleId: rule.id,
+                category: rule.category,
+                severity: rule.severity,
+                title: rule.description,
+                description: rule.description,
+                filePath: file,
+                lineNumber: i + 1,
+                snippet: line.trim().substring(0, 200),
+                remediation: rule.remediation,
+                analyzer: this.name
+              });
+              break;
+            }
+          }
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/scanner/analyzers/manifest.ts
+import { readFile as readFile2 } from "fs/promises";
+import { extname as extname6 } from "path";
+var DANGEROUS_TOOLS = /* @__PURE__ */ new Set(["Bash", "bash", "shell", "terminal", "exec", "system"]);
+var IMPERSONATION_PATTERNS = [
+  /official\s+(?:anthropic|openai|google|microsoft|meta)\s+(?:tool|skill|plugin)/i,
+  /(?:anthropic|openai|google|microsoft|meta)\s+certified/i,
+  /endorsed\s+by\s+(?:anthropic|openai|google|microsoft|meta)/i
+];
+var BINARY_EXTENSIONS = /* @__PURE__ */ new Set([
+  ".exe",
+  ".dll",
+  ".so",
+  ".dylib",
+  ".bin",
+  ".dat",
+  ".zip",
+  ".tar",
+  ".gz",
+  ".rar",
+  ".7z",
+  ".wasm",
+  ".pyc",
+  ".pyo",
+  ".class"
+]);
+var ManifestAnalyzer = class {
+  name = "manifest";
+  findingCounter = 0;
+  skipRules;
+  constructor(skipRules) {
+    this.skipRules = new Set(skipRules ?? []);
+  }
+  async analyze(_skillPath, files) {
+    this.findingCounter = 0;
+    const findings = [];
+    const skillMdFiles = files.filter((f) => f.toLowerCase().endsWith("skill.md"));
+    for (const skillMd of skillMdFiles) {
+      let content;
+      try {
+        content = await readFile2(skillMd, "utf-8");
+      } catch {
+        continue;
+      }
+      this.validateFrontmatter(content, skillMd, findings);
+      this.checkImpersonation(content, skillMd, findings);
+    }
+    this.checkBinaryFiles(files, findings);
+    return findings;
+  }
+  shouldSkip(ruleId) {
+    return this.skipRules.has(ruleId);
+  }
+  validateFrontmatter(content, filePath, findings) {
+    const fmMatch = content.match(/^---\r?\n([\s\S]*?)\r?\n---/);
+    if (!fmMatch) {
+      if (!this.shouldSkip("MF001")) {
+        findings.push({
+          id: `MF${++this.findingCounter}`,
+          ruleId: "MF001",
+          category: "policy-violation" /* POLICY_VIOLATION */,
+          severity: "low" /* LOW */,
+          title: "Missing SKILL.md frontmatter",
+          description: "SKILL.md should have YAML frontmatter with name, description, and allowed-tools",
+          filePath,
+          analyzer: this.name,
+          remediation: "Add YAML frontmatter with name, description, and allowed-tools fields."
+        });
+      }
+      return;
+    }
+    const fm = fmMatch[1];
+    if (!/^name:/m.test(fm) && !this.shouldSkip("MF002")) {
+      findings.push({
+        id: `MF${++this.findingCounter}`,
+        ruleId: "MF002",
+        category: "policy-violation" /* POLICY_VIOLATION */,
+        severity: "low" /* LOW */,
+        title: "Missing skill name in frontmatter",
+        description: "SKILL.md frontmatter should include a name field",
+        filePath,
+        analyzer: this.name,
+        remediation: "Add a name field to the YAML frontmatter."
+      });
+    }
+    const nameMatch = fm.match(/^name:\s*(.+)$/m);
+    if (nameMatch) {
+      const name = nameMatch[1].trim().replace(/^["']|["']$/g, "");
+      if (!/^[a-z0-9][a-z0-9._-]*$/i.test(name) && !this.shouldSkip("MF003")) {
+        findings.push({
+          id: `MF${++this.findingCounter}`,
+          ruleId: "MF003",
+          category: "policy-violation" /* POLICY_VIOLATION */,
+          severity: "low" /* LOW */,
+          title: "Invalid skill name format",
+          description: `Skill name "${name}" should use alphanumeric characters, dots, hyphens, or underscores`,
+          filePath,
+          analyzer: this.name,
+          remediation: "Use a name matching [a-z0-9][a-z0-9._-]* pattern."
+        });
+      }
+    }
+    const descMatch = fm.match(/^description:\s*(.+)$/m);
+    if (!descMatch) {
+      if (!this.shouldSkip("MF004")) {
+        findings.push({
+          id: `MF${++this.findingCounter}`,
+          ruleId: "MF004",
+          category: "policy-violation" /* POLICY_VIOLATION */,
+          severity: "info" /* INFO */,
+          title: "Missing skill description",
+          description: "SKILL.md should include a description for discoverability",
+          filePath,
+          analyzer: this.name,
+          remediation: "Add a description field to the YAML frontmatter."
+        });
+      }
+    } else {
+      const desc = descMatch[1].trim().replace(/^["']|["']$/g, "");
+      if (desc.length < 20 && !this.shouldSkip("MF005")) {
+        findings.push({
+          id: `MF${++this.findingCounter}`,
+          ruleId: "MF005",
+          category: "policy-violation" /* POLICY_VIOLATION */,
+          severity: "info" /* INFO */,
+          title: "Short skill description",
+          description: `Description "${desc}" is too short (${desc.length} chars). Aim for at least 20 characters.`,
+          filePath,
+          analyzer: this.name,
+          remediation: "Provide a more detailed description."
+        });
+      }
+    }
+    const inlineToolsMatch = fm.match(/^allowed-tools:\s*\[([^\]]*)\]/m);
+    const multiLineToolsMatch = fm.match(/^allowed-tools:\s*\n((?:\s+-\s+.+\n?)+)/m);
+    let tools = [];
+    if (inlineToolsMatch) {
+      tools = inlineToolsMatch[1].split(",").map((t) => t.trim().replace(/^["']|["']$/g, ""));
+    } else if (multiLineToolsMatch) {
+      tools = multiLineToolsMatch[1].split("\n").map((line) => line.replace(/^\s*-\s*/, "").trim().replace(/^["']|["']$/g, "")).filter((t) => t.length > 0);
+    }
+    for (const tool of tools) {
+      if (DANGEROUS_TOOLS.has(tool) && !this.shouldSkip("MF006")) {
+        findings.push({
+          id: `MF${++this.findingCounter}`,
+          ruleId: "MF006",
+          category: "tool-abuse" /* TOOL_ABUSE */,
+          severity: "high" /* HIGH */,
+          title: `Dangerous tool in allowed-tools: ${tool}`,
+          description: `The tool "${tool}" grants shell access. This is a significant security risk.`,
+          filePath,
+          analyzer: this.name,
+          remediation: "Restrict allowed-tools to the minimum needed. Avoid shell/exec tools."
+        });
+      }
+    }
+  }
+  checkImpersonation(content, filePath, findings) {
+    for (const pattern of IMPERSONATION_PATTERNS) {
+      const match = content.match(pattern);
+      if (match && !this.shouldSkip("MF007")) {
+        const lineNumber = content.substring(0, match.index).split("\n").length;
+        findings.push({
+          id: `MF${++this.findingCounter}`,
+          ruleId: "MF007",
+          category: "social-engineering" /* SOCIAL_ENGINEERING */,
+          severity: "high" /* HIGH */,
+          title: "Impersonation detected",
+          description: `Skill claims official affiliation: "${match[0]}"`,
+          filePath,
+          lineNumber,
+          snippet: match[0],
+          analyzer: this.name,
+          remediation: "Remove false claims of official endorsement or certification."
+        });
+      }
+    }
+  }
+  checkBinaryFiles(files, findings) {
+    for (const file of files) {
+      const ext = extname6(file).toLowerCase();
+      if (BINARY_EXTENSIONS.has(ext) && !this.shouldSkip("MF008")) {
+        findings.push({
+          id: `MF${++this.findingCounter}`,
+          ruleId: "MF008",
+          category: "policy-violation" /* POLICY_VIOLATION */,
+          severity: "medium" /* MEDIUM */,
+          title: `Binary file detected: ${ext}`,
+          description: `Binary file found in skill directory. Skills should contain only text files.`,
+          filePath: file,
+          analyzer: this.name,
+          remediation: "Remove binary files from skill directory. Use package managers for dependencies."
+        });
+      }
+    }
+  }
+};
+
+// src/scanner/analyzers/secrets.ts
+import { readFile as readFile3 } from "fs/promises";
+import { basename as basename19 } from "path";
+var SECRET_PATTERNS = [
+  {
+    id: "SK001",
+    name: "OpenAI API key",
+    pattern: /sk-(?!ant-)(?:proj-|admin-)?[A-Za-z0-9-]{20,}/,
+    severity: "critical" /* CRITICAL */
+  },
+  {
+    id: "SK002",
+    name: "Stripe live key",
+    pattern: /pk_live_[a-zA-Z0-9]{20,}/,
+    severity: "critical" /* CRITICAL */
+  },
+  {
+    id: "SK003",
+    name: "Stripe secret key",
+    pattern: /sk_live_[a-zA-Z0-9]{20,}/,
+    severity: "critical" /* CRITICAL */
+  },
+  {
+    id: "SK004",
+    name: "GitHub personal access token",
+    pattern: /ghp_[a-zA-Z0-9]{36}/,
+    severity: "critical" /* CRITICAL */
+  },
+  {
+    id: "SK005",
+    name: "GitHub OAuth token",
+    pattern: /gho_[a-zA-Z0-9]{36}/,
+    severity: "critical" /* CRITICAL */
+  },
+  {
+    id: "SK006",
+    name: "AWS access key",
+    pattern: /AKIA[0-9A-Z]{16}/,
+    severity: "critical" /* CRITICAL */
+  },
+  {
+    id: "SK007",
+    name: "Slack bot token",
+    pattern: /xoxb-[0-9]{10,}-[a-zA-Z0-9]{20,}/,
+    severity: "critical" /* CRITICAL */
+  },
+  {
+    id: "SK008",
+    name: "Slack user token",
+    pattern: /xoxp-[0-9]{10,}-[a-zA-Z0-9]{20,}/,
+    severity: "critical" /* CRITICAL */
+  },
+  {
+    id: "SK009",
+    name: "Private key block",
+    pattern: /-----BEGIN\s+(?:RSA\s+|EC\s+|DSA\s+|OPENSSH\s+)?PRIVATE\s+KEY-----/,
+    severity: "critical" /* CRITICAL */
+  },
+  {
+    id: "SK010",
+    name: "Google API key",
+    pattern: /AIza[0-9A-Za-z_-]{35}/,
+    severity: "high" /* HIGH */
+  },
+  {
+    id: "SK011",
+    name: "Anthropic API key",
+    pattern: /sk-ant-[a-zA-Z0-9]{20,}/,
+    severity: "critical" /* CRITICAL */
+  },
+  {
+    id: "SK012",
+    name: "npm token",
+    pattern: /npm_[a-zA-Z0-9]{36}/,
+    severity: "high" /* HIGH */
+  },
+  {
+    id: "SK013",
+    name: "Heroku API key",
+    pattern: /[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}/,
+    severity: "low" /* LOW */
+  }
+];
+var PLACEHOLDER_INDICATORS = [
+  /your[-_]?api[-_]?key/i,
+  /example/i,
+  /sample/i,
+  /dummy/i,
+  /placeholder/i,
+  /xxx+/i,
+  /test[-_]?key/i,
+  /fake/i,
+  /replace[-_]?with/i,
+  /\<.*key.*\>/i
+];
+var ENV_FILE_PATTERN = /^\.env/;
+function isPlaceholder(line) {
+  return PLACEHOLDER_INDICATORS.some((p) => p.test(line));
+}
+var SecretsAnalyzer = class {
+  name = "secrets";
+  findingCounter = 0;
+  skipRules;
+  constructor(skipRules) {
+    this.skipRules = new Set(skipRules ?? []);
+  }
+  async analyze(_skillPath, files) {
+    this.findingCounter = 0;
+    const findings = [];
+    for (const file of files) {
+      const name = basename19(file);
+      if (ENV_FILE_PATTERN.test(name) && !this.skipRules.has("SK-ENV")) {
+        findings.push({
+          id: `SK${++this.findingCounter}`,
+          ruleId: "SK-ENV",
+          category: "hardcoded-secrets" /* HARDCODED_SECRETS */,
+          severity: "high" /* HIGH */,
+          title: `Environment file included: ${name}`,
+          description: "Environment files should not be included in skill distributions",
+          filePath: file,
+          analyzer: this.name,
+          remediation: "Remove .env files from skill directory. Add to .gitignore."
+        });
+        continue;
+      }
+      let content;
+      try {
+        content = await readFile3(file, "utf-8");
+      } catch {
+        continue;
+      }
+      if (content.length > 1e6) continue;
+      const lines = content.split("\n");
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        if (isPlaceholder(line)) continue;
+        for (const secret of SECRET_PATTERNS) {
+          if (this.skipRules.has(secret.id)) continue;
+          if (secret.pattern.test(line)) {
+            if (secret.id === "SK013") {
+              if (!/(?:key|token|secret|password|credential|api)/i.test(line)) continue;
+            }
+            findings.push({
+              id: `SK${++this.findingCounter}`,
+              ruleId: secret.id,
+              category: "hardcoded-secrets" /* HARDCODED_SECRETS */,
+              severity: secret.severity,
+              title: `${secret.name} detected`,
+              description: `Potential ${secret.name} found in skill file`,
+              filePath: file,
+              lineNumber: i + 1,
+              snippet: line.trim().replace(secret.pattern, "[REDACTED]").substring(0, 100),
+              analyzer: this.name,
+              remediation: "Remove hardcoded secrets. Use environment variables or secret managers."
+            });
+            break;
+          }
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/scanner/scanner.ts
+import { readdir } from "fs/promises";
+import { join as join53, basename as basename20 } from "path";
+var SEVERITY_ORDER = {
+  ["critical" /* CRITICAL */]: 5,
+  ["high" /* HIGH */]: 4,
+  ["medium" /* MEDIUM */]: 3,
+  ["low" /* LOW */]: 2,
+  ["info" /* INFO */]: 1,
+  ["safe" /* SAFE */]: 0
+};
+async function discoverFiles(dirPath) {
+  const files = [];
+  async function walk(dir) {
+    let entries;
+    try {
+      entries = await readdir(dir, { withFileTypes: true });
+    } catch {
+      return;
+    }
+    for (const entry of entries) {
+      const fullPath = join53(dir, entry.name);
+      if (entry.name.startsWith(".") && entry.name !== ".env" && !entry.name.startsWith(".env.")) continue;
+      if (entry.name === "node_modules") continue;
+      if (entry.isDirectory()) {
+        await walk(fullPath);
+      } else if (entry.isFile()) {
+        files.push(fullPath);
+      }
+    }
+  }
+  await walk(dirPath);
+  return files;
+}
+function deduplicateFindings(findings) {
+  const seen = /* @__PURE__ */ new Set();
+  return findings.filter((f) => {
+    const key = `${f.ruleId}:${f.filePath ?? ""}:${f.lineNumber ?? ""}`;
+    if (seen.has(key)) return false;
+    seen.add(key);
+    return true;
+  });
+}
+function calculateVerdict(findings, failOnSeverity = "high" /* HIGH */) {
+  const threshold = SEVERITY_ORDER[failOnSeverity] ?? SEVERITY_ORDER["high" /* HIGH */];
+  for (const f of findings) {
+    if ((SEVERITY_ORDER[f.severity] ?? 0) >= threshold) {
+      return "fail";
+    }
+  }
+  if (findings.some((f) => (SEVERITY_ORDER[f.severity] ?? 0) >= SEVERITY_ORDER["medium" /* MEDIUM */])) {
+    return "warn";
+  }
+  return "pass";
+}
+function countStats(findings) {
+  const stats = { critical: 0, high: 0, medium: 0, low: 0, info: 0 };
+  for (const f of findings) {
+    switch (f.severity) {
+      case "critical" /* CRITICAL */:
+        stats.critical++;
+        break;
+      case "high" /* HIGH */:
+        stats.high++;
+        break;
+      case "medium" /* MEDIUM */:
+        stats.medium++;
+        break;
+      case "low" /* LOW */:
+        stats.low++;
+        break;
+      case "info" /* INFO */:
+        stats.info++;
+        break;
+    }
+  }
+  return stats;
+}
+var SkillScanner = class {
+  analyzers;
+  options;
+  constructor(options) {
+    this.options = options ?? {};
+    this.analyzers = [
+      new StaticAnalyzer(this.options.skipRules),
+      new ManifestAnalyzer(this.options.skipRules),
+      new SecretsAnalyzer(this.options.skipRules)
+    ];
+  }
+  async scan(skillPath) {
+    const start = performance.now();
+    const files = await discoverFiles(skillPath);
+    const skillName = basename20(skillPath.replace(/\/+$/, "")) || "unknown";
+    const resultSets = await Promise.all(
+      this.analyzers.map((a) => a.analyze(skillPath, files))
+    );
+    const allFindings = deduplicateFindings(resultSets.flat());
+    allFindings.sort(
+      (a, b) => (SEVERITY_ORDER[b.severity] ?? 0) - (SEVERITY_ORDER[a.severity] ?? 0)
+    );
+    const duration = Math.round(performance.now() - start);
+    return {
+      skillPath,
+      skillName,
+      verdict: calculateVerdict(allFindings, this.options.failOnSeverity),
+      findings: allFindings,
+      stats: countStats(allFindings),
+      duration,
+      analyzersUsed: this.analyzers.map((a) => a.name)
+    };
+  }
+};
+
+// src/scanner/reporter.ts
+import { basename as basename21 } from "path";
+var SCANNER_VERSION = true ? "1.15.0" : "0.0.0";
+var SEVERITY_COLORS = {
+  ["critical" /* CRITICAL */]: "\x1B[91m",
+  ["high" /* HIGH */]: "\x1B[31m",
+  ["medium" /* MEDIUM */]: "\x1B[33m",
+  ["low" /* LOW */]: "\x1B[36m",
+  ["info" /* INFO */]: "\x1B[37m",
+  ["safe" /* SAFE */]: "\x1B[32m"
+};
+var RESET = "\x1B[0m";
+var BOLD = "\x1B[1m";
+var DIM = "\x1B[2m";
+var VERDICT_ICON = {
+  pass: "\x1B[32m PASS \x1B[0m",
+  warn: "\x1B[33m WARN \x1B[0m",
+  fail: "\x1B[91m FAIL \x1B[0m"
+};
+function formatSummary(result) {
+  const lines = [];
+  lines.push("");
+  lines.push(`${BOLD}Security Scan: ${result.skillName}${RESET}`);
+  lines.push(`Verdict: ${VERDICT_ICON[result.verdict] ?? result.verdict}`);
+  lines.push(`Duration: ${result.duration}ms | Analyzers: ${result.analyzersUsed.join(", ")}`);
+  lines.push("");
+  const { critical, high, medium, low, info } = result.stats;
+  const parts = [];
+  if (critical) parts.push(`${SEVERITY_COLORS["critical" /* CRITICAL */]}${critical} critical${RESET}`);
+  if (high) parts.push(`${SEVERITY_COLORS["high" /* HIGH */]}${high} high${RESET}`);
+  if (medium) parts.push(`${SEVERITY_COLORS["medium" /* MEDIUM */]}${medium} medium${RESET}`);
+  if (low) parts.push(`${SEVERITY_COLORS["low" /* LOW */]}${low} low${RESET}`);
+  if (info) parts.push(`${SEVERITY_COLORS["info" /* INFO */]}${info} info${RESET}`);
+  if (parts.length > 0) {
+    lines.push(`Findings: ${parts.join(" | ")}`);
+    lines.push("");
+  } else {
+    lines.push(`${SEVERITY_COLORS["safe" /* SAFE */]}No security findings${RESET}`);
+    lines.push("");
+    return lines.join("\n");
+  }
+  for (const finding of result.findings) {
+    const color = SEVERITY_COLORS[finding.severity] ?? "";
+    const sev = finding.severity.toUpperCase().padEnd(8);
+    lines.push(`  ${color}${sev}${RESET} [${finding.ruleId}] ${finding.title}`);
+    if (finding.filePath) {
+      const loc = finding.lineNumber ? `${finding.filePath}:${finding.lineNumber}` : finding.filePath;
+      lines.push(`           ${DIM}${loc}${RESET}`);
+    }
+    if (finding.snippet) {
+      lines.push(`           ${DIM}> ${finding.snippet}${RESET}`);
+    }
+    if (finding.remediation) {
+      lines.push(`           Fix: ${finding.remediation}`);
+    }
+    lines.push("");
+  }
+  return lines.join("\n");
+}
+function formatJson(result) {
+  return JSON.stringify(result, null, 2);
+}
+function formatTable(result) {
+  const lines = [];
+  const header = ["Severity", "Rule", "Title", "File", "Line"];
+  const widths = [10, 8, 50, 40, 6];
+  lines.push(header.map((h, i) => h.padEnd(widths[i])).join(" | "));
+  lines.push(widths.map((w) => "-".repeat(w)).join("-+-"));
+  for (const f of result.findings) {
+    const row = [
+      f.severity.toUpperCase().padEnd(widths[0]),
+      f.ruleId.padEnd(widths[1]),
+      f.title.substring(0, widths[2]).padEnd(widths[2]),
+      (f.filePath ? basename21(f.filePath) : "").substring(0, widths[3]).padEnd(widths[3]),
+      String(f.lineNumber ?? "").padEnd(widths[4])
+    ];
+    lines.push(row.join(" | "));
+  }
+  lines.push("");
+  lines.push(`Total: ${result.findings.length} findings | Verdict: ${result.verdict.toUpperCase()}`);
+  return lines.join("\n");
+}
+function formatSarif(result) {
+  const rules = /* @__PURE__ */ new Map();
+  for (const f of result.findings) {
+    if (!rules.has(f.ruleId)) rules.set(f.ruleId, f);
+  }
+  const severityToSarif = {
+    ["critical" /* CRITICAL */]: "error",
+    ["high" /* HIGH */]: "error",
+    ["medium" /* MEDIUM */]: "warning",
+    ["low" /* LOW */]: "note",
+    ["info" /* INFO */]: "note",
+    ["safe" /* SAFE */]: "none"
+  };
+  const sarif = {
+    $schema: "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
+    version: "2.1.0",
+    runs: [
+      {
+        tool: {
+          driver: {
+            name: "skillkit-scanner",
+            version: SCANNER_VERSION,
+            informationUri: "https://agenstskills.com",
+            rules: [...rules.values()].map((r) => ({
+              id: r.ruleId,
+              name: r.ruleId,
+              shortDescription: { text: r.title },
+              fullDescription: { text: r.description },
+              helpUri: "https://agenstskills.com/docs/security",
+              defaultConfiguration: {
+                level: severityToSarif[r.severity] ?? "warning"
+              },
+              properties: {
+                category: r.category
+              }
+            }))
+          }
+        },
+        results: result.findings.map((f) => ({
+          ruleId: f.ruleId,
+          level: severityToSarif[f.severity] ?? "warning",
+          message: { text: f.description },
+          locations: f.filePath ? [
+            {
+              physicalLocation: {
+                artifactLocation: {
+                  uri: f.filePath.startsWith(result.skillPath) ? f.filePath.slice(result.skillPath.length).replace(/^\//, "") : f.filePath
+                },
+                region: f.lineNumber ? { startLine: f.lineNumber } : void 0
+              }
+            }
+          ] : [],
+          fixes: f.remediation ? [{ description: { text: f.remediation } }] : void 0
+        }))
+      }
+    ]
+  };
+  return JSON.stringify(sarif, null, 2);
+}
+function formatResult(result, format = "summary") {
+  switch (format) {
+    case "json":
+      return formatJson(result);
+    case "table":
+      return formatTable(result);
+    case "sarif":
+      return formatSarif(result);
+    default:
+      return formatSummary(result);
+  }
+}
+
+// src/scanner/taxonomy.ts
+var THREAT_TAXONOMY = {
+  ["prompt-injection" /* PROMPT_INJECTION */]: {
+    category: "prompt-injection" /* PROMPT_INJECTION */,
+    name: "Prompt Injection",
+    description: "Attempts to override, manipulate, or bypass AI agent instructions through crafted text",
+    defaultSeverity: "critical" /* CRITICAL */,
+    examples: [
+      "Instruction override (ignore previous instructions)",
+      "Role manipulation (you are now...)",
+      "System prompt extraction"
+    ]
+  },
+  ["command-injection" /* COMMAND_INJECTION */]: {
+    category: "command-injection" /* COMMAND_INJECTION */,
+    name: "Command Injection",
+    description: "Code execution via eval, exec, subprocess, or shell commands embedded in skill content",
+    defaultSeverity: "critical" /* CRITICAL */,
+    examples: [
+      "eval() or Function() calls",
+      "subprocess.run with shell=True",
+      "child_process.exec with user input"
+    ]
+  },
+  ["data-exfiltration" /* DATA_EXFILTRATION */]: {
+    category: "data-exfiltration" /* DATA_EXFILTRATION */,
+    name: "Data Exfiltration",
+    description: "Attempts to send sensitive data to external endpoints or read protected files",
+    defaultSeverity: "high" /* HIGH */,
+    examples: [
+      "Webhook URLs to Discord/Telegram/Slack",
+      "HTTP POST with environment variables",
+      "Reading .env or credential files"
+    ]
+  },
+  ["tool-abuse" /* TOOL_ABUSE */]: {
+    category: "tool-abuse" /* TOOL_ABUSE */,
+    name: "Tool Abuse",
+    description: "Manipulation of AI agent tools through shadowing, chaining, or autonomy escalation",
+    defaultSeverity: "high" /* HIGH */,
+    examples: [
+      "Redefining built-in tools",
+      "Instructing agent to run without confirmation",
+      "Chaining sensitive read + external send"
+    ]
+  },
+  ["hardcoded-secrets" /* HARDCODED_SECRETS */]: {
+    category: "hardcoded-secrets" /* HARDCODED_SECRETS */,
+    name: "Hardcoded Secrets",
+    description: "API keys, tokens, passwords, or other credentials embedded in skill files",
+    defaultSeverity: "high" /* HIGH */,
+    examples: [
+      "API keys (sk-, pk_live_, ghp_)",
+      "Private key blocks",
+      "Embedded .env file contents"
+    ]
+  },
+  ["unicode-steganography" /* UNICODE_STEGANOGRAPHY */]: {
+    category: "unicode-steganography" /* UNICODE_STEGANOGRAPHY */,
+    name: "Unicode Steganography",
+    description: "Hidden content using invisible Unicode characters, bidirectional overrides, or homoglyphs",
+    defaultSeverity: "medium" /* MEDIUM */,
+    examples: [
+      "Zero-width characters hiding instructions",
+      "Bidirectional text override attacks",
+      "Tag characters encoding hidden payloads"
+    ]
+  },
+  ["obfuscation" /* OBFUSCATION */]: {
+    category: "obfuscation" /* OBFUSCATION */,
+    name: "Obfuscation",
+    description: "Deliberately obscured code or instructions to hide malicious intent",
+    defaultSeverity: "medium" /* MEDIUM */,
+    examples: [
+      "Base64-encoded commands",
+      "Hex-encoded payloads",
+      "String concatenation to evade detection"
+    ]
+  },
+  ["social-engineering" /* SOCIAL_ENGINEERING */]: {
+    category: "social-engineering" /* SOCIAL_ENGINEERING */,
+    name: "Social Engineering",
+    description: "Manipulative language targeting the AI agent or the user to bypass safety measures",
+    defaultSeverity: "medium" /* MEDIUM */,
+    examples: [
+      "Urgency pressure (do this immediately)",
+      "Authority claims (as an admin, I require...)",
+      "Concealment requests (don't tell the user)"
+    ]
+  },
+  ["autonomy-abuse" /* AUTONOMY_ABUSE */]: {
+    category: "autonomy-abuse" /* AUTONOMY_ABUSE */,
+    name: "Autonomy Abuse",
+    description: "Instructions that escalate agent autonomy beyond intended boundaries",
+    defaultSeverity: "high" /* HIGH */,
+    examples: [
+      "Run without user confirmation",
+      "Keep retrying until success",
+      "Auto-approve all actions"
+    ]
+  },
+  ["policy-violation" /* POLICY_VIOLATION */]: {
+    category: "policy-violation" /* POLICY_VIOLATION */,
+    name: "Policy Violation",
+    description: "Content that violates skill marketplace policies or naming conventions",
+    defaultSeverity: "low" /* LOW */,
+    examples: [
+      "Impersonating official tools",
+      "Missing required metadata",
+      "Binary files in skill directory"
+    ]
+  }
+};
+function getThreatInfo(category) {
+  return THREAT_TAXONOMY[category];
+}
+function getDefaultSeverity(category) {
+  return THREAT_TAXONOMY[category].defaultSeverity;
+}
 export {
   AGENT_CLI_CONFIGS,
   AGENT_CONFIG,
@@ -31835,6 +33267,7 @@ export {
   LocalProvider,
   MARKETPLACE_CACHE_FILE,
   MODEL_REGISTRY,
+  ManifestAnalyzer,
   MarketplaceAggregator,
   MemoryCache,
   MemoryCompressor,
@@ -31880,9 +33313,11 @@ export {
   SKILL_MATCH_PROMPT,
   STANDARD_PLACEHOLDERS,
   STEP_HANDLERS,
+  SecretsAnalyzer,
   SessionEndHook,
   SessionManager,
   SessionStartHook,
+  Severity,
   Skill,
   SkillAnalyzer,
   SkillBundle,
@@ -31895,20 +33330,24 @@ export {
   SkillMdTranslator,
   SkillMerger,
   SkillMetadata,
+  SkillScanner,
   SkillSummary,
   SkillTreeSchema,
   SkillTriggerEngine,
   SkillWizard,
   SkillkitConfig,
   SkillsSource,
+  StaticAnalyzer,
   TAG_TO_CATEGORY,
   TAG_TO_TECH,
   TASK_TEMPLATES,
+  THREAT_TAXONOMY,
   TREE_FILE_NAME,
   TaskManager,
   TeamManager,
   TeamMessageBus,
   TeamOrchestrator,
+  ThreatCategory,
   TranslatorRegistry,
   TreeGenerator,
   TreeNodeSchema,
@@ -32045,7 +33484,12 @@ export {
   findSkillsByRelationType,
   findSkillsInCategory,
   formatBytes,
+  formatJson,
+  formatResult,
+  formatSarif,
   formatSkillAsPrompt,
+  formatSummary,
+  formatTable,
   fromCanonicalAgent,
   fuseWithRRF,
   generateComparisonNotes,
@@ -32077,6 +33521,7 @@ export {
   getAllPatterns,
   getAllProfiles,
   getAllProviders,
+  getAllRules,
   getAllSkillsDirs,
   getApprovedPatterns,
   getAvailableCLIAgents,
@@ -32092,6 +33537,7 @@ export {
   getDefaultConfigPath,
   getDefaultModelDir,
   getDefaultProvider,
+  getDefaultSeverity,
   getDefaultStorePath,
   getEnabledGuidelineContent,
   getEnabledGuidelines,
@@ -32142,6 +33588,7 @@ export {
   getStepOrder,
   getSupportedTranslationAgents,
   getTechTags,
+  getThreatInfo,
   getTotalSteps,
   globalMemoryDirectoryExists,
   hybridSearch,