@studiomeyer-io/skilldoctor 0.1.0 → 0.1.1

package/README.md

@@ -1,10 +1,15 @@
+<!-- studiomeyer-mcp-stack-banner:start -->
+> **Part of the [StudioMeyer MCP Stack](https://studiomeyer.io)** — Built in Mallorca 🌴 · ⭐ if you use it
+<!-- studiomeyer-mcp-stack-banner:end -->
+
 # skilldoctor
 
 **A linter and security scanner for AI-agent skill & instruction files.** Think `eslint`, but for the `SKILL.md`, `AGENTS.md`, and subagent files that agents now install like packages.
 
 [![CI](https://github.com/studiomeyer-io/skilldoctor/actions/workflows/ci.yml/badge.svg)](https://github.com/studiomeyer-io/skilldoctor/actions/workflows/ci.yml)
-[![npm](https://img.shields.io/npm/v/skilldoctor.svg)](https://www.npmjs.com/package/skilldoctor)
-[![license](https://img.shields.io/npm/l/skilldoctor.svg)](./LICENSE)
+[![npm](https://img.shields.io/npm/v/@studiomeyer-io/skilldoctor.svg)](https://www.npmjs.com/package/@studiomeyer-io/skilldoctor)
+[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/studiomeyer-io/skilldoctor/badge)](https://scorecard.dev/viewer/?uri=github.com/studiomeyer-io/skilldoctor)
+[![license](https://img.shields.io/npm/l/@studiomeyer-io/skilldoctor.svg)](./LICENSE)
 
 ```bash
 npx @studiomeyer-io/skilldoctor check .claude/skills
@@ -92,7 +97,7 @@ It understands three file kinds:
 | `skill/invalid-name` | error | no | `name` must be 1-64 lowercase chars (`a-z 0-9 -`), no leading/trailing/consecutive hyphens. |
 | `skill/name-dir-mismatch` | warning | no | `name` must match the parent directory (spec). |
 | `skill/missing-description` | error | yes | `description` is required (it's how agents decide when to load a skill). |
-| `skill/empty-description` | error | yes | `description` is blank. |
+| `skill/empty-description` | error | no | `description` is blank. |
 | `skill/description-too-short` | warning | no | Too short to convey what/when. |
 | `skill/description-too-long` | warning | no | Over the 1024-char spec limit. |
 | `skill/vague-description` | info | no | Generic phrasing with no trigger keywords. |
@@ -112,9 +117,9 @@ Run over the **description + body**, treated as untrusted input:
 
 | Rule | Default severity | Fixable | What it detects |
 | --- | --- | --- | --- |
-| `sec/prompt-injection` | error | no | "ignore previous instructions", "disregard your system prompt", role-override/jailbreak personas, injected "new instructions:". |
+| `sec/prompt-injection` | error | no | "ignore previous instructions", "disregard your system prompt", role-override/jailbreak personas, injected "new instructions:" — including phrases split across a line break. |
 | `sec/disable-safety` | error | no | Instructions to disable safety/guardrails/hooks/approval, or `--dangerously-skip-permissions`. |
-| `sec/data-exfiltration` | error | no | An outbound call (curl/POST/fetch to an external URL) **near** secrets/env — the exfil shape. |
+| `sec/data-exfiltration` | error | no | An outbound call (curl/POST/fetch to an external URL) **near** secrets/env — including a secret in a curl auth header, a named secret env var, or a `$VAR` / `${VAR}` reference. The exfil shape. |
 | `sec/env-base64` | warning | no | base64/encode of `env`/secrets (covert exfil precursor). |
 | `sec/secret-access` | warning | no | Reads `~/.ssh`, `.aws/credentials`, `.env`, known secret env vars, … |
 | `sec/suspicious-tool-combo` | warning | no | A "read-only/docs" skill that grants **Bash + network** — exfil-enabling combo. |
@@ -141,12 +146,12 @@ jobs:
   lint-skills:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@v7
+      - uses: actions/setup-node@v6
         with: { node-version: 20 }
       - run: npx @studiomeyer-io/skilldoctor check ".claude/skills" "**/AGENTS.md" --sarif skilldoctor.sarif --fail-on warning
       - if: always()
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         with:
           sarif_file: skilldoctor.sarif
 ```
@@ -182,6 +187,16 @@ skilldoctor's rules are grounded in the actual current specs (checked while buil
 
 When a field's meaning is uncertain, skilldoctor **warns leniently rather than inventing a hard rule**.
 
+## Part of the StudioMeyer MCP toolkit
+
+A small family of focused, production-grade tools for building and operating MCP servers & agents — mix and match:
+
+- [mcp-armor](https://github.com/studiomeyer-io/mcp-armor) — runtime defense sidecar: scans tool calls, verifies signed manifests, blocks known-bad CVEs
+- [mcp-gauntlet](https://github.com/studiomeyer-io/mcp-gauntlet) — pre-deploy `mcp-fuzz` (schema-aware fuzzer) + `mcp-storm` (load tester)
+- [mcp-otel](https://github.com/studiomeyer-io/mcp-otel) — W3C Trace Context → OpenTelemetry bridge
+- [mcp-cache-kit](https://github.com/studiomeyer-io/mcp-cache-kit) — leak-safe SEP-2549 caching (`ttlMs` + `cacheScope`)
+- **skilldoctor** *(this one)* — linter + security scanner for agent skill files
+
 ## License
 
 [MIT](./LICENSE) © 2026 StudioMeyer. See [SECURITY.md](./SECURITY.md) for the security policy and the threat-model boundaries.

package/dist/cli.cjs

@@ -157,8 +157,8 @@ var RULES = [
     title: "Empty description",
     category: "lint",
     defaultSeverity: "error",
-    description: "`description` is present but blank. It must be non-empty.",
-    fixable: true
+    description: "`description` is present but blank. It must be non-empty. The fixer deliberately does NOT auto-overwrite an existing (even empty) description with a stub, so this is reported but not auto-fixed.",
+    fixable: false
   },
   {
     ruleId: "skill/description-too-short",
@@ -800,6 +800,7 @@ var INJECTION_PATTERNS = [
     message: () => 'Injects a "new instructions:" block (prompt-override pattern).'
   }
 ];
+var MULTILINE_INJECTION_RE = /\b(?:ignore|disregard|forget|override|bypass)\b[^.!?\n]{0,40}\b(?:previous|prior|above|earlier|preceding|all|the|your|system)\b[^.!?\n]{0,40}\b(?:instruction|prompt|message|context|rule|guideline|directive)s?\b/gi;
 var SAFETY_PATTERNS = [
   {
     ruleId: "sec/disable-safety",
@@ -876,7 +877,11 @@ var DESTRUCTIVE_PATTERNS = [
   }
 ];
 var OUTBOUND_RE = /\b(?:curl|wget|fetch|axios|http(?:s)?\.request|requests\.(?:post|get)|invoke-webrequest|Invoke-RestMethod)\b[^\n]{0,200}https?:\/\/[^\s"'`]+/gi;
-var SECRET_NEAR_RE = /\b(?:env|environ|process\.env|secret|token|api[_-]?key|password|credential|\$[A-Z_]{3,})\b/i;
+var SECRET_WORD_RE = /\b(?:env|environ|process\.env|secret|token|api[_-]?key|password|passwd|credential|bearer)\b/i;
+var SECRET_REF_RE = /\$\{?[A-Z][A-Z0-9_]{2,}\}?|\bprocess\.env\.[A-Za-z_]|\b(?:AWS_SECRET_ACCESS_KEY|AWS_ACCESS_KEY_ID|GITHUB_TOKEN|GH_TOKEN|OPENAI_API_KEY|ANTHROPIC_API_KEY|NPM_TOKEN|DATABASE_URL)\b|\bSTRIPE_[A-Z_]*KEY\b/;
+function hasSecretNear(window) {
+  return SECRET_WORD_RE.test(window) || SECRET_REF_RE.test(window);
+}
 var SINGLE_PATTERN_GROUPS = [
   INJECTION_PATTERNS,
   SAFETY_PATTERNS,
@@ -919,11 +924,23 @@ function scanFile(file) {
   }
   for (const seg of segments) {
     runSinglePatterns(seg.text, seg.baseLine, findings);
+    runMultilineInjection(seg.text, seg.baseLine, findings);
     runExfilCheck(seg.text, seg.baseLine, findings);
     runHiddenUnicode(seg.text, seg.baseLine, findings);
   }
   runSuspiciousToolCombo(file, findings);
-  return findings;
+  return dedupeFindings(findings);
+}
+function dedupeFindings(findings) {
+  const seen = /* @__PURE__ */ new Set();
+  const out = [];
+  for (const f of findings) {
+    const key = `${f.ruleId}\0${f.line}\0${f.column}`;
+    if (seen.has(key)) continue;
+    seen.add(key);
+    out.push(f);
+  }
+  return out;
 }
 function locInSegment(text, index, baseLine) {
   const { line, column } = offsetToLineCol(text, index);
@@ -946,6 +963,53 @@ function runSinglePatterns(text, baseLine, findings) {
     }
   }
 }
+function runMultilineInjection(text, baseLine, findings) {
+  if (text.indexOf("\n") === -1) return;
+  let flat = "";
+  const map = [];
+  for (let i = 0; i < text.length; ) {
+    const ch = text[i];
+    if (ch === " " || ch === "	" || ch === "\n" || ch === "\r") {
+      let j = i;
+      let sawNewline = false;
+      while (j < text.length) {
+        const cj = text[j];
+        if (cj === "\n" || cj === "\r") sawNewline = true;
+        else if (cj !== " " && cj !== "	") break;
+        j++;
+      }
+      if (sawNewline) {
+        map.push(i);
+        flat += " ";
+        i = j;
+        continue;
+      }
+    }
+    map.push(i);
+    flat += ch;
+    i++;
+  }
+  MULTILINE_INJECTION_RE.lastIndex = 0;
+  let m;
+  let guard = 0;
+  while ((m = MULTILINE_INJECTION_RE.exec(flat)) !== null) {
+    const origIndex = map[m.index] ?? 0;
+    const { line, column } = locInSegment(text, origIndex, baseLine);
+    findings.push(
+      finding2(
+        "sec/prompt-injection",
+        'Contains "ignore previous instructions"-style injection (split across lines).',
+        line,
+        column,
+        makeEvidence(m[0])
+      )
+    );
+    if (m.index === MULTILINE_INJECTION_RE.lastIndex) {
+      MULTILINE_INJECTION_RE.lastIndex++;
+    }
+    if (++guard > 1e3) break;
+  }
+}
 function runExfilCheck(text, baseLine, findings) {
   OUTBOUND_RE.lastIndex = 0;
   let m;
@@ -954,7 +1018,7 @@ function runExfilCheck(text, baseLine, findings) {
     const start = Math.max(0, m.index - 160);
     const end = Math.min(text.length, m.index + m[0].length + 160);
     const window = text.slice(start, end);
-    if (SECRET_NEAR_RE.test(window)) {
+    if (hasSecretNear(window)) {
       const { line, column } = locInSegment(text, m.index, baseLine);
       findings.push(
         finding2(
@@ -1453,6 +1517,27 @@ function toPascalName(ruleId) {
 
 // src/fix.ts
 var DESCRIPTION_STUB = "TODO describe what this skill does and when to use it.";
+function originalBodySuffix(raw) {
+  let offset = 0;
+  let lineNo = 0;
+  while (offset <= raw.length) {
+    let nl = raw.indexOf("\n", offset);
+    const hasNl = nl !== -1;
+    if (!hasNl) nl = raw.length;
+    let lineEnd = nl;
+    if (lineEnd > offset && raw.charCodeAt(lineEnd - 1) === 13) {
+      lineEnd -= 1;
+    }
+    const line = raw.slice(offset, lineEnd);
+    if (lineNo >= 1 && /^---[ \t]*$/.test(line)) {
+      return hasNl ? raw.slice(nl + 1) : "";
+    }
+    if (!hasNl) break;
+    offset = nl + 1;
+    lineNo += 1;
+  }
+  return null;
+}
 function fixFile(file) {
   const applied = [];
   if (file.kind === "agents-md" || file.kind === "unknown") {
@@ -1520,9 +1605,10 @@ function fixFile(file) {
   if (applied.length === 0) {
     return { output: file.raw, changed: false, applied };
   }
-  const newFrontmatter = fmLines.join("\n");
   const eol = file.raw.includes("\r\n") ? "\r\n" : "\n";
-  const rebuilt = "---" + eol + newFrontmatter.split("\n").join(eol) + eol + "---" + eol + file.body.split("\n").join(eol);
+  const newFrontmatter = fmLines.join(eol);
+  const bodySuffix = originalBodySuffix(file.raw);
+  const rebuilt = "---" + eol + newFrontmatter + eol + "---" + eol + (bodySuffix ?? "");
   return { output: rebuilt, changed: true, applied };
 }
 
@@ -1534,7 +1620,7 @@ var SEVERITY_RANK = {
 };
 
 // src/version.ts
-var VERSION = "0.1.0" ;
+var VERSION = "0.1.1" ;
 
 // src/cli.ts
 var HELP = `skilldoctor v${VERSION}

package/dist/cli.js

@@ -155,8 +155,8 @@ var RULES = [
     title: "Empty description",
     category: "lint",
     defaultSeverity: "error",
-    description: "`description` is present but blank. It must be non-empty.",
-    fixable: true
+    description: "`description` is present but blank. It must be non-empty. The fixer deliberately does NOT auto-overwrite an existing (even empty) description with a stub, so this is reported but not auto-fixed.",
+    fixable: false
   },
   {
     ruleId: "skill/description-too-short",
@@ -798,6 +798,7 @@ var INJECTION_PATTERNS = [
     message: () => 'Injects a "new instructions:" block (prompt-override pattern).'
   }
 ];
+var MULTILINE_INJECTION_RE = /\b(?:ignore|disregard|forget|override|bypass)\b[^.!?\n]{0,40}\b(?:previous|prior|above|earlier|preceding|all|the|your|system)\b[^.!?\n]{0,40}\b(?:instruction|prompt|message|context|rule|guideline|directive)s?\b/gi;
 var SAFETY_PATTERNS = [
   {
     ruleId: "sec/disable-safety",
@@ -874,7 +875,11 @@ var DESTRUCTIVE_PATTERNS = [
   }
 ];
 var OUTBOUND_RE = /\b(?:curl|wget|fetch|axios|http(?:s)?\.request|requests\.(?:post|get)|invoke-webrequest|Invoke-RestMethod)\b[^\n]{0,200}https?:\/\/[^\s"'`]+/gi;
-var SECRET_NEAR_RE = /\b(?:env|environ|process\.env|secret|token|api[_-]?key|password|credential|\$[A-Z_]{3,})\b/i;
+var SECRET_WORD_RE = /\b(?:env|environ|process\.env|secret|token|api[_-]?key|password|passwd|credential|bearer)\b/i;
+var SECRET_REF_RE = /\$\{?[A-Z][A-Z0-9_]{2,}\}?|\bprocess\.env\.[A-Za-z_]|\b(?:AWS_SECRET_ACCESS_KEY|AWS_ACCESS_KEY_ID|GITHUB_TOKEN|GH_TOKEN|OPENAI_API_KEY|ANTHROPIC_API_KEY|NPM_TOKEN|DATABASE_URL)\b|\bSTRIPE_[A-Z_]*KEY\b/;
+function hasSecretNear(window) {
+  return SECRET_WORD_RE.test(window) || SECRET_REF_RE.test(window);
+}
 var SINGLE_PATTERN_GROUPS = [
   INJECTION_PATTERNS,
   SAFETY_PATTERNS,
@@ -917,11 +922,23 @@ function scanFile(file) {
   }
   for (const seg of segments) {
     runSinglePatterns(seg.text, seg.baseLine, findings);
+    runMultilineInjection(seg.text, seg.baseLine, findings);
     runExfilCheck(seg.text, seg.baseLine, findings);
     runHiddenUnicode(seg.text, seg.baseLine, findings);
   }
   runSuspiciousToolCombo(file, findings);
-  return findings;
+  return dedupeFindings(findings);
+}
+function dedupeFindings(findings) {
+  const seen = /* @__PURE__ */ new Set();
+  const out = [];
+  for (const f of findings) {
+    const key = `${f.ruleId}\0${f.line}\0${f.column}`;
+    if (seen.has(key)) continue;
+    seen.add(key);
+    out.push(f);
+  }
+  return out;
 }
 function locInSegment(text, index, baseLine) {
   const { line, column } = offsetToLineCol(text, index);
@@ -944,6 +961,53 @@ function runSinglePatterns(text, baseLine, findings) {
     }
   }
 }
+function runMultilineInjection(text, baseLine, findings) {
+  if (text.indexOf("\n") === -1) return;
+  let flat = "";
+  const map = [];
+  for (let i = 0; i < text.length; ) {
+    const ch = text[i];
+    if (ch === " " || ch === "	" || ch === "\n" || ch === "\r") {
+      let j = i;
+      let sawNewline = false;
+      while (j < text.length) {
+        const cj = text[j];
+        if (cj === "\n" || cj === "\r") sawNewline = true;
+        else if (cj !== " " && cj !== "	") break;
+        j++;
+      }
+      if (sawNewline) {
+        map.push(i);
+        flat += " ";
+        i = j;
+        continue;
+      }
+    }
+    map.push(i);
+    flat += ch;
+    i++;
+  }
+  MULTILINE_INJECTION_RE.lastIndex = 0;
+  let m;
+  let guard = 0;
+  while ((m = MULTILINE_INJECTION_RE.exec(flat)) !== null) {
+    const origIndex = map[m.index] ?? 0;
+    const { line, column } = locInSegment(text, origIndex, baseLine);
+    findings.push(
+      finding2(
+        "sec/prompt-injection",
+        'Contains "ignore previous instructions"-style injection (split across lines).',
+        line,
+        column,
+        makeEvidence(m[0])
+      )
+    );
+    if (m.index === MULTILINE_INJECTION_RE.lastIndex) {
+      MULTILINE_INJECTION_RE.lastIndex++;
+    }
+    if (++guard > 1e3) break;
+  }
+}
 function runExfilCheck(text, baseLine, findings) {
   OUTBOUND_RE.lastIndex = 0;
   let m;
@@ -952,7 +1016,7 @@ function runExfilCheck(text, baseLine, findings) {
     const start = Math.max(0, m.index - 160);
     const end = Math.min(text.length, m.index + m[0].length + 160);
     const window = text.slice(start, end);
-    if (SECRET_NEAR_RE.test(window)) {
+    if (hasSecretNear(window)) {
       const { line, column } = locInSegment(text, m.index, baseLine);
       findings.push(
         finding2(
@@ -1451,6 +1515,27 @@ function toPascalName(ruleId) {
 
 // src/fix.ts
 var DESCRIPTION_STUB = "TODO describe what this skill does and when to use it.";
+function originalBodySuffix(raw) {
+  let offset = 0;
+  let lineNo = 0;
+  while (offset <= raw.length) {
+    let nl = raw.indexOf("\n", offset);
+    const hasNl = nl !== -1;
+    if (!hasNl) nl = raw.length;
+    let lineEnd = nl;
+    if (lineEnd > offset && raw.charCodeAt(lineEnd - 1) === 13) {
+      lineEnd -= 1;
+    }
+    const line = raw.slice(offset, lineEnd);
+    if (lineNo >= 1 && /^---[ \t]*$/.test(line)) {
+      return hasNl ? raw.slice(nl + 1) : "";
+    }
+    if (!hasNl) break;
+    offset = nl + 1;
+    lineNo += 1;
+  }
+  return null;
+}
 function fixFile(file) {
   const applied = [];
   if (file.kind === "agents-md" || file.kind === "unknown") {
@@ -1518,9 +1603,10 @@ function fixFile(file) {
   if (applied.length === 0) {
     return { output: file.raw, changed: false, applied };
   }
-  const newFrontmatter = fmLines.join("\n");
   const eol = file.raw.includes("\r\n") ? "\r\n" : "\n";
-  const rebuilt = "---" + eol + newFrontmatter.split("\n").join(eol) + eol + "---" + eol + file.body.split("\n").join(eol);
+  const newFrontmatter = fmLines.join(eol);
+  const bodySuffix = originalBodySuffix(file.raw);
+  const rebuilt = "---" + eol + newFrontmatter + eol + "---" + eol + (bodySuffix ?? "");
   return { output: rebuilt, changed: true, applied };
 }
 
@@ -1532,7 +1618,7 @@ var SEVERITY_RANK = {
 };
 
 // src/version.ts
-var VERSION = "0.1.0" ;
+var VERSION = "0.1.1" ;
 
 // src/cli.ts
 var HELP = `skilldoctor v${VERSION}

package/dist/index.cjs

@@ -162,8 +162,8 @@ var RULES = [
     title: "Empty description",
     category: "lint",
     defaultSeverity: "error",
-    description: "`description` is present but blank. It must be non-empty.",
-    fixable: true
+    description: "`description` is present but blank. It must be non-empty. The fixer deliberately does NOT auto-overwrite an existing (even empty) description with a stub, so this is reported but not auto-fixed.",
+    fixable: false
   },
   {
     ruleId: "skill/description-too-short",
@@ -808,6 +808,7 @@ var INJECTION_PATTERNS = [
     message: () => 'Injects a "new instructions:" block (prompt-override pattern).'
   }
 ];
+var MULTILINE_INJECTION_RE = /\b(?:ignore|disregard|forget|override|bypass)\b[^.!?\n]{0,40}\b(?:previous|prior|above|earlier|preceding|all|the|your|system)\b[^.!?\n]{0,40}\b(?:instruction|prompt|message|context|rule|guideline|directive)s?\b/gi;
 var SAFETY_PATTERNS = [
   {
     ruleId: "sec/disable-safety",
@@ -884,7 +885,11 @@ var DESTRUCTIVE_PATTERNS = [
   }
 ];
 var OUTBOUND_RE = /\b(?:curl|wget|fetch|axios|http(?:s)?\.request|requests\.(?:post|get)|invoke-webrequest|Invoke-RestMethod)\b[^\n]{0,200}https?:\/\/[^\s"'`]+/gi;
-var SECRET_NEAR_RE = /\b(?:env|environ|process\.env|secret|token|api[_-]?key|password|credential|\$[A-Z_]{3,})\b/i;
+var SECRET_WORD_RE = /\b(?:env|environ|process\.env|secret|token|api[_-]?key|password|passwd|credential|bearer)\b/i;
+var SECRET_REF_RE = /\$\{?[A-Z][A-Z0-9_]{2,}\}?|\bprocess\.env\.[A-Za-z_]|\b(?:AWS_SECRET_ACCESS_KEY|AWS_ACCESS_KEY_ID|GITHUB_TOKEN|GH_TOKEN|OPENAI_API_KEY|ANTHROPIC_API_KEY|NPM_TOKEN|DATABASE_URL)\b|\bSTRIPE_[A-Z_]*KEY\b/;
+function hasSecretNear(window) {
+  return SECRET_WORD_RE.test(window) || SECRET_REF_RE.test(window);
+}
 var SINGLE_PATTERN_GROUPS = [
   INJECTION_PATTERNS,
   SAFETY_PATTERNS,
@@ -927,11 +932,23 @@ function scanFile(file) {
   }
   for (const seg of segments) {
     runSinglePatterns(seg.text, seg.baseLine, findings);
+    runMultilineInjection(seg.text, seg.baseLine, findings);
     runExfilCheck(seg.text, seg.baseLine, findings);
     runHiddenUnicode(seg.text, seg.baseLine, findings);
   }
   runSuspiciousToolCombo(file, findings);
-  return findings;
+  return dedupeFindings(findings);
+}
+function dedupeFindings(findings) {
+  const seen = /* @__PURE__ */ new Set();
+  const out = [];
+  for (const f of findings) {
+    const key = `${f.ruleId}\0${f.line}\0${f.column}`;
+    if (seen.has(key)) continue;
+    seen.add(key);
+    out.push(f);
+  }
+  return out;
 }
 function locInSegment(text, index, baseLine) {
   const { line, column } = offsetToLineCol(text, index);
@@ -954,6 +971,53 @@ function runSinglePatterns(text, baseLine, findings) {
     }
   }
 }
+function runMultilineInjection(text, baseLine, findings) {
+  if (text.indexOf("\n") === -1) return;
+  let flat = "";
+  const map = [];
+  for (let i = 0; i < text.length; ) {
+    const ch = text[i];
+    if (ch === " " || ch === "	" || ch === "\n" || ch === "\r") {
+      let j = i;
+      let sawNewline = false;
+      while (j < text.length) {
+        const cj = text[j];
+        if (cj === "\n" || cj === "\r") sawNewline = true;
+        else if (cj !== " " && cj !== "	") break;
+        j++;
+      }
+      if (sawNewline) {
+        map.push(i);
+        flat += " ";
+        i = j;
+        continue;
+      }
+    }
+    map.push(i);
+    flat += ch;
+    i++;
+  }
+  MULTILINE_INJECTION_RE.lastIndex = 0;
+  let m;
+  let guard = 0;
+  while ((m = MULTILINE_INJECTION_RE.exec(flat)) !== null) {
+    const origIndex = map[m.index] ?? 0;
+    const { line, column } = locInSegment(text, origIndex, baseLine);
+    findings.push(
+      finding2(
+        "sec/prompt-injection",
+        'Contains "ignore previous instructions"-style injection (split across lines).',
+        line,
+        column,
+        makeEvidence(m[0])
+      )
+    );
+    if (m.index === MULTILINE_INJECTION_RE.lastIndex) {
+      MULTILINE_INJECTION_RE.lastIndex++;
+    }
+    if (++guard > 1e3) break;
+  }
+}
 function runExfilCheck(text, baseLine, findings) {
   OUTBOUND_RE.lastIndex = 0;
   let m;
@@ -962,7 +1026,7 @@ function runExfilCheck(text, baseLine, findings) {
     const start = Math.max(0, m.index - 160);
     const end = Math.min(text.length, m.index + m[0].length + 160);
     const window = text.slice(start, end);
-    if (SECRET_NEAR_RE.test(window)) {
+    if (hasSecretNear(window)) {
       const { line, column } = locInSegment(text, m.index, baseLine);
       findings.push(
         finding2(
@@ -1139,6 +1203,27 @@ function parseForFix(filePath, content) {
 
 // src/fix.ts
 var DESCRIPTION_STUB = "TODO describe what this skill does and when to use it.";
+function originalBodySuffix(raw) {
+  let offset = 0;
+  let lineNo = 0;
+  while (offset <= raw.length) {
+    let nl = raw.indexOf("\n", offset);
+    const hasNl = nl !== -1;
+    if (!hasNl) nl = raw.length;
+    let lineEnd = nl;
+    if (lineEnd > offset && raw.charCodeAt(lineEnd - 1) === 13) {
+      lineEnd -= 1;
+    }
+    const line = raw.slice(offset, lineEnd);
+    if (lineNo >= 1 && /^---[ \t]*$/.test(line)) {
+      return hasNl ? raw.slice(nl + 1) : "";
+    }
+    if (!hasNl) break;
+    offset = nl + 1;
+    lineNo += 1;
+  }
+  return null;
+}
 function fixFile(file) {
   const applied = [];
   if (file.kind === "agents-md" || file.kind === "unknown") {
@@ -1206,9 +1291,10 @@ function fixFile(file) {
   if (applied.length === 0) {
     return { output: file.raw, changed: false, applied };
   }
-  const newFrontmatter = fmLines.join("\n");
   const eol = file.raw.includes("\r\n") ? "\r\n" : "\n";
-  const rebuilt = "---" + eol + newFrontmatter.split("\n").join(eol) + eol + "---" + eol + file.body.split("\n").join(eol);
+  const newFrontmatter = fmLines.join(eol);
+  const bodySuffix = originalBodySuffix(file.raw);
+  const rebuilt = "---" + eol + newFrontmatter + eol + "---" + eol + (bodySuffix ?? "");
   return { output: rebuilt, changed: true, applied };
 }
 var IGNORED_DIRS = /* @__PURE__ */ new Set([

package/dist/index.d.cts

@@ -102,7 +102,10 @@ declare function allRuleIds(): string[];
  *   2. add a missing `description:` stub with a TODO marker
  *   3. de-duplicate tools within `allowed-tools` / `tools` (preserving order)
  *
- * The fixer is idempotent: running it twice produces identical output.
+ * The body is re-attached BYTE-FOR-BYTE from the original source — including its
+ * original line endings — so a fix to the frontmatter can never alter, reflow,
+ * or re-encode a single character of the (untrusted) body. The fixer is
+ * idempotent: running it twice produces identical output.
  */
 
 /** Marker used for an inserted stub so humans (and tests) can find it. */

package/dist/index.d.ts

@@ -102,7 +102,10 @@ declare function allRuleIds(): string[];
  *   2. add a missing `description:` stub with a TODO marker
  *   3. de-duplicate tools within `allowed-tools` / `tools` (preserving order)
  *
- * The fixer is idempotent: running it twice produces identical output.
+ * The body is re-attached BYTE-FOR-BYTE from the original source — including its
+ * original line endings — so a fix to the frontmatter can never alter, reflow,
+ * or re-encode a single character of the (untrusted) body. The fixer is
+ * idempotent: running it twice produces identical output.
  */
 
 /** Marker used for an inserted stub so humans (and tests) can find it. */

package/dist/index.js

@@ -160,8 +160,8 @@ var RULES = [
     title: "Empty description",
     category: "lint",
     defaultSeverity: "error",
-    description: "`description` is present but blank. It must be non-empty.",
-    fixable: true
+    description: "`description` is present but blank. It must be non-empty. The fixer deliberately does NOT auto-overwrite an existing (even empty) description with a stub, so this is reported but not auto-fixed.",
+    fixable: false
   },
   {
     ruleId: "skill/description-too-short",
@@ -806,6 +806,7 @@ var INJECTION_PATTERNS = [
     message: () => 'Injects a "new instructions:" block (prompt-override pattern).'
   }
 ];
+var MULTILINE_INJECTION_RE = /\b(?:ignore|disregard|forget|override|bypass)\b[^.!?\n]{0,40}\b(?:previous|prior|above|earlier|preceding|all|the|your|system)\b[^.!?\n]{0,40}\b(?:instruction|prompt|message|context|rule|guideline|directive)s?\b/gi;
 var SAFETY_PATTERNS = [
   {
     ruleId: "sec/disable-safety",
@@ -882,7 +883,11 @@ var DESTRUCTIVE_PATTERNS = [
   }
 ];
 var OUTBOUND_RE = /\b(?:curl|wget|fetch|axios|http(?:s)?\.request|requests\.(?:post|get)|invoke-webrequest|Invoke-RestMethod)\b[^\n]{0,200}https?:\/\/[^\s"'`]+/gi;
-var SECRET_NEAR_RE = /\b(?:env|environ|process\.env|secret|token|api[_-]?key|password|credential|\$[A-Z_]{3,})\b/i;
+var SECRET_WORD_RE = /\b(?:env|environ|process\.env|secret|token|api[_-]?key|password|passwd|credential|bearer)\b/i;
+var SECRET_REF_RE = /\$\{?[A-Z][A-Z0-9_]{2,}\}?|\bprocess\.env\.[A-Za-z_]|\b(?:AWS_SECRET_ACCESS_KEY|AWS_ACCESS_KEY_ID|GITHUB_TOKEN|GH_TOKEN|OPENAI_API_KEY|ANTHROPIC_API_KEY|NPM_TOKEN|DATABASE_URL)\b|\bSTRIPE_[A-Z_]*KEY\b/;
+function hasSecretNear(window) {
+  return SECRET_WORD_RE.test(window) || SECRET_REF_RE.test(window);
+}
 var SINGLE_PATTERN_GROUPS = [
   INJECTION_PATTERNS,
   SAFETY_PATTERNS,
@@ -925,11 +930,23 @@ function scanFile(file) {
   }
   for (const seg of segments) {
     runSinglePatterns(seg.text, seg.baseLine, findings);
+    runMultilineInjection(seg.text, seg.baseLine, findings);
     runExfilCheck(seg.text, seg.baseLine, findings);
     runHiddenUnicode(seg.text, seg.baseLine, findings);
   }
   runSuspiciousToolCombo(file, findings);
-  return findings;
+  return dedupeFindings(findings);
+}
+function dedupeFindings(findings) {
+  const seen = /* @__PURE__ */ new Set();
+  const out = [];
+  for (const f of findings) {
+    const key = `${f.ruleId}\0${f.line}\0${f.column}`;
+    if (seen.has(key)) continue;
+    seen.add(key);
+    out.push(f);
+  }
+  return out;
 }
 function locInSegment(text, index, baseLine) {
   const { line, column } = offsetToLineCol(text, index);
@@ -952,6 +969,53 @@ function runSinglePatterns(text, baseLine, findings) {
     }
   }
 }
+function runMultilineInjection(text, baseLine, findings) {
+  if (text.indexOf("\n") === -1) return;
+  let flat = "";
+  const map = [];
+  for (let i = 0; i < text.length; ) {
+    const ch = text[i];
+    if (ch === " " || ch === "	" || ch === "\n" || ch === "\r") {
+      let j = i;
+      let sawNewline = false;
+      while (j < text.length) {
+        const cj = text[j];
+        if (cj === "\n" || cj === "\r") sawNewline = true;
+        else if (cj !== " " && cj !== "	") break;
+        j++;
+      }
+      if (sawNewline) {
+        map.push(i);
+        flat += " ";
+        i = j;
+        continue;
+      }
+    }
+    map.push(i);
+    flat += ch;
+    i++;
+  }
+  MULTILINE_INJECTION_RE.lastIndex = 0;
+  let m;
+  let guard = 0;
+  while ((m = MULTILINE_INJECTION_RE.exec(flat)) !== null) {
+    const origIndex = map[m.index] ?? 0;
+    const { line, column } = locInSegment(text, origIndex, baseLine);
+    findings.push(
+      finding2(
+        "sec/prompt-injection",
+        'Contains "ignore previous instructions"-style injection (split across lines).',
+        line,
+        column,
+        makeEvidence(m[0])
+      )
+    );
+    if (m.index === MULTILINE_INJECTION_RE.lastIndex) {
+      MULTILINE_INJECTION_RE.lastIndex++;
+    }
+    if (++guard > 1e3) break;
+  }
+}
 function runExfilCheck(text, baseLine, findings) {
   OUTBOUND_RE.lastIndex = 0;
   let m;
@@ -960,7 +1024,7 @@ function runExfilCheck(text, baseLine, findings) {
     const start = Math.max(0, m.index - 160);
     const end = Math.min(text.length, m.index + m[0].length + 160);
     const window = text.slice(start, end);
-    if (SECRET_NEAR_RE.test(window)) {
+    if (hasSecretNear(window)) {
       const { line, column } = locInSegment(text, m.index, baseLine);
       findings.push(
         finding2(
@@ -1137,6 +1201,27 @@ function parseForFix(filePath, content) {
 
 // src/fix.ts
 var DESCRIPTION_STUB = "TODO describe what this skill does and when to use it.";
+function originalBodySuffix(raw) {
+  let offset = 0;
+  let lineNo = 0;
+  while (offset <= raw.length) {
+    let nl = raw.indexOf("\n", offset);
+    const hasNl = nl !== -1;
+    if (!hasNl) nl = raw.length;
+    let lineEnd = nl;
+    if (lineEnd > offset && raw.charCodeAt(lineEnd - 1) === 13) {
+      lineEnd -= 1;
+    }
+    const line = raw.slice(offset, lineEnd);
+    if (lineNo >= 1 && /^---[ \t]*$/.test(line)) {
+      return hasNl ? raw.slice(nl + 1) : "";
+    }
+    if (!hasNl) break;
+    offset = nl + 1;
+    lineNo += 1;
+  }
+  return null;
+}
 function fixFile(file) {
   const applied = [];
   if (file.kind === "agents-md" || file.kind === "unknown") {
@@ -1204,9 +1289,10 @@ function fixFile(file) {
   if (applied.length === 0) {
     return { output: file.raw, changed: false, applied };
   }
-  const newFrontmatter = fmLines.join("\n");
   const eol = file.raw.includes("\r\n") ? "\r\n" : "\n";
-  const rebuilt = "---" + eol + newFrontmatter.split("\n").join(eol) + eol + "---" + eol + file.body.split("\n").join(eol);
+  const newFrontmatter = fmLines.join(eol);
+  const bodySuffix = originalBodySuffix(file.raw);
+  const rebuilt = "---" + eol + newFrontmatter + eol + "---" + eol + (bodySuffix ?? "");
   return { output: rebuilt, changed: true, applied };
 }
 var IGNORED_DIRS = /* @__PURE__ */ new Set([

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@studiomeyer-io/skilldoctor",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "description": "Linter and security scanner for AI-agent skill and instruction files (Claude Code SKILL.md, AGENTS.md, subagents). Prints an A-F grade, supports --fix, emits JSON + SARIF, ships as a GitHub Action.",
   "type": "module",
   "license": "MIT",
@@ -62,7 +62,8 @@
     "typecheck": "tsc --noEmit",
     "attw": "attw --pack .",
     "clean": "rm -rf dist",
-    "prepublishOnly": "npm run clean && npm run build && npm test && npm run typecheck && npm run attw"
+    "prepublishOnly": "npm run clean && npm run build && npm test && npm run typecheck && npm run attw",
+    "test:coverage": "vitest run --coverage"
   },
   "dependencies": {
     "yaml": "^2.9.0"
@@ -70,6 +71,7 @@
   "devDependencies": {
     "@arethetypeswrong/cli": "^0.18.3",
     "@types/node": "^20.14.0",
+    "@vitest/coverage-v8": "^4.1.9",
     "tsup": "^8.5.0",
     "typescript": "^5.5.0",
     "vitest": "^4.1.0"