@wingman-ai/gateway 0.3.2 → 0.4.0

package/dist/cli/services/skillRepository.cjs

@@ -39,8 +39,8 @@ function _define_property(obj, key, value) {
 }
 const logger = (0, external_logger_cjs_namespaceObject.createLogger)();
 class SkillRepository {
-    async fetch(path) {
-        const url = `${this.baseUrl}${path}`;
+    async fetchGitHub(path) {
+        const url = `${this.githubBaseUrl}${path}`;
         const headers = {
             Accept: "application/vnd.github.v3+json",
             "User-Agent": "wingman-cli"
@@ -62,29 +62,33 @@ class SkillRepository {
     }
     async listAvailableSkills() {
         try {
-            const contents = await this.fetch(`/repos/${this.owner}/${this.repo}/contents/skills`);
-            const skills = [];
-            for (const item of contents)if ("dir" === item.type) try {
-                const metadata = await this.getSkillMetadata(item.name);
-                skills.push({
-                    name: item.name,
-                    description: metadata.description || "No description",
-                    path: item.path,
-                    metadata
-                });
-            } catch (error) {
-                logger.warn(`Could not read skill ${item.name}`, error instanceof Error ? error.message : String(error));
-            }
-            return skills;
+            if ("clawhub" === this.provider) return await this.listSkillsFromClawhub();
+            return await this.listSkillsFromGitHub();
         } catch (error) {
             if (error instanceof Error) throw new Error(`Failed to list skills: ${error.message}`);
             throw error;
         }
     }
+    async fetchJson(url, options) {
+        const response = await fetch(url, {
+            headers: options?.headers
+        });
+        if (!response.ok) throw new Error(`HTTP ${response.status} ${response.statusText}`);
+        return await response.json();
+    }
+    async fetchBinary(url, options) {
+        const response = await fetch(url, {
+            headers: options?.headers
+        });
+        if (!response.ok) throw new Error(`HTTP ${response.status} ${response.statusText}`);
+        const arrayBuffer = await response.arrayBuffer();
+        return Buffer.from(arrayBuffer);
+    }
     async getSkillMetadata(skillName) {
+        if ("clawhub" === this.provider) return await this.getClawhubSkillMetadata(skillName);
         try {
             const skillMdPath = `/repos/${this.owner}/${this.repo}/contents/skills/${skillName}/SKILL.md`;
-            const skillMd = await this.fetch(skillMdPath);
+            const skillMd = await this.fetchGitHub(skillMdPath);
             if ("file" !== skillMd.type || !skillMd.content) throw new Error("SKILL.md not found or invalid");
             const content = Buffer.from(skillMd.content, "base64").toString("utf-8");
             const metadata = this.parseSkillMetadata(content);
@@ -94,6 +98,35 @@ class SkillRepository {
             throw error;
         }
     }
+    async getClawhubSkillMetadata(skillName) {
+        try {
+            const detail = await this.fetchJson(`${this.clawhubBaseUrl}/api/v1/skills/${encodeURIComponent(skillName)}`, {
+                headers: {
+                    Accept: "application/json",
+                    "User-Agent": "wingman-cli"
+                }
+            });
+            const slug = detail.skill?.slug?.trim() || skillName.trim();
+            const description = detail.skill?.summary?.trim() || detail.skill?.displayName?.trim() || "No description";
+            const nameRegex = /^[a-z0-9]+(-[a-z0-9]+)*$/;
+            if (!nameRegex.test(slug)) throw new Error(`Invalid skill name '${slug}': must be lowercase alphanumeric with hyphens only`);
+            return {
+                name: slug,
+                description,
+                metadata: {
+                    ...detail.latestVersion?.version ? {
+                        version: detail.latestVersion.version
+                    } : {},
+                    ...detail.owner?.handle ? {
+                        owner: detail.owner.handle
+                    } : {}
+                }
+            };
+        } catch (error) {
+            if (error instanceof Error) throw new Error(`Failed to fetch skill metadata for ${skillName}: ${error.message}`);
+            throw error;
+        }
+    }
     parseSkillMetadata(content) {
         const frontmatterRegex = /^---\s*\n([\s\S]*?)\n---/;
         const match = content.match(frontmatterRegex);
@@ -134,6 +167,7 @@ class SkillRepository {
         return metadata;
     }
     async downloadSkill(skillName) {
+        if ("clawhub" === this.provider) return await this.downloadSkillFromClawhub(skillName);
         try {
             const files = new Map();
             await this.downloadDirectory(`skills/${skillName}`, files, skillName);
@@ -143,14 +177,51 @@ class SkillRepository {
             throw error;
         }
     }
+    async downloadSkillFromClawhub(skillName) {
+        try {
+            const detail = await this.fetchJson(`${this.clawhubBaseUrl}/api/v1/skills/${encodeURIComponent(skillName)}`, {
+                headers: {
+                    Accept: "application/json",
+                    "User-Agent": "wingman-cli"
+                }
+            });
+            const slug = detail.skill?.slug || skillName;
+            const version = detail.latestVersion?.version;
+            if (!version) throw new Error("No latest version available");
+            const filesResponse = await this.fetchJson(`${this.clawhubBaseUrl}/api/v1/skills/${encodeURIComponent(slug)}/versions/${encodeURIComponent(version)}`, {
+                headers: {
+                    Accept: "application/json",
+                    "User-Agent": "wingman-cli"
+                }
+            });
+            const files = filesResponse.version?.files || [];
+            const output = new Map();
+            for (const file of files){
+                const fileUrl = new URL(`${this.clawhubBaseUrl}/api/v1/skills/${encodeURIComponent(slug)}/file`);
+                fileUrl.searchParams.set("path", file.path);
+                fileUrl.searchParams.set("version", version);
+                const content = await this.fetchBinary(fileUrl.toString(), {
+                    headers: {
+                        Accept: "text/plain, application/octet-stream",
+                        "User-Agent": "wingman-cli"
+                    }
+                });
+                output.set(file.path, content);
+            }
+            return output;
+        } catch (error) {
+            if (error instanceof Error) throw new Error(`Failed to download skill ${skillName}: ${error.message}`);
+            throw error;
+        }
+    }
     async downloadDirectory(path, files, skillName) {
-        const contents = await this.fetch(`/repos/${this.owner}/${this.repo}/contents/${path}`);
+        const contents = await this.fetchGitHub(`/repos/${this.owner}/${this.repo}/contents/${path}`);
         for (const item of contents)if ("file" === item.type) if (item.content) {
             const content = Buffer.from(item.content, "base64");
             const relativePath = item.path.replace(`skills/${skillName}/`, "");
             files.set(relativePath, content);
         } else {
-            const fileData = await this.fetch(item.url.replace(this.baseUrl, ""));
+            const fileData = await this.fetchGitHub(item.url.replace(this.githubBaseUrl, ""));
             if (fileData.content && "base64" === fileData.encoding) {
                 const content = Buffer.from(fileData.content, "base64");
                 const relativePath = item.path.replace(`skills/${skillName}/`, "");
@@ -159,14 +230,61 @@ class SkillRepository {
         }
         else if ("dir" === item.type) await this.downloadDirectory(item.path, files, skillName);
     }
+    async listSkillsFromClawhub() {
+        const allSkills = [];
+        let cursor = null;
+        do {
+            const url = new URL(`${this.clawhubBaseUrl}/api/v1/skills`);
+            url.searchParams.set("sort", "downloads");
+            url.searchParams.set("limit", "100");
+            if (cursor) url.searchParams.set("cursor", cursor);
+            const response = await this.fetchJson(url.toString(), {
+                headers: {
+                    Accept: "application/json",
+                    "User-Agent": "wingman-cli"
+                }
+            });
+            for (const item of response.items || [])allSkills.push({
+                name: item.slug,
+                description: item.summary?.trim() || item.displayName?.trim() || "No description",
+                path: item.slug,
+                metadata: {
+                    name: item.slug,
+                    description: item.summary?.trim() || item.displayName?.trim() || "No description"
+                }
+            });
+            cursor = response.nextCursor || null;
+        }while (cursor);
+        return allSkills;
+    }
+    async listSkillsFromGitHub() {
+        const contents = await this.fetchGitHub(`/repos/${this.owner}/${this.repo}/contents/skills`);
+        const skills = [];
+        for (const item of contents)if ("dir" === item.type) try {
+            const metadata = await this.getSkillMetadata(item.name);
+            skills.push({
+                name: item.name,
+                description: metadata.description || "No description",
+                path: item.path,
+                metadata
+            });
+        } catch (error) {
+            logger.warn(`Could not read skill ${item.name}`, error instanceof Error ? error.message : String(error));
+        }
+        return skills;
+    }
     constructor(options = {}){
-        _define_property(this, "baseUrl", "https://api.github.com");
+        _define_property(this, "githubBaseUrl", "https://api.github.com");
         _define_property(this, "owner", void 0);
         _define_property(this, "repo", void 0);
         _define_property(this, "token", void 0);
+        _define_property(this, "provider", void 0);
+        _define_property(this, "clawhubBaseUrl", void 0);
+        this.provider = options.provider || "github";
         this.owner = options.repositoryOwner || "anthropics";
         this.repo = options.repositoryName || "skills";
         this.token = options.githubToken || process.env.GITHUB_TOKEN || void 0;
+        this.clawhubBaseUrl = (options.clawhubBaseUrl || "https://clawhub.ai").replace(/\/+$/, "");
     }
 }
 exports.SkillRepository = __webpack_exports__.SkillRepository;

package/dist/cli/services/skillRepository.d.ts

@@ -3,23 +3,28 @@ import type { SkillInfo, SkillMetadata, SkillRepositoryOptions } from "../types/
  * GitHub API client for interacting with the skills repository
  */
 export declare class SkillRepository {
-    private readonly baseUrl;
+    private readonly githubBaseUrl;
     private readonly owner;
     private readonly repo;
     private readonly token?;
+    private readonly provider;
+    private readonly clawhubBaseUrl;
     constructor(options?: SkillRepositoryOptions);
     /**
      * Fetch data from GitHub API
      */
-    private fetch;
+    private fetchGitHub;
     /**
      * List available skills from the repository
      */
     listAvailableSkills(): Promise<SkillInfo[]>;
+    private fetchJson;
+    private fetchBinary;
     /**
      * Get skill metadata by fetching and parsing SKILL.md
      */
     getSkillMetadata(skillName: string): Promise<SkillMetadata>;
+    private getClawhubSkillMetadata;
     /**
      * Parse SKILL.md content to extract YAML frontmatter
      */
@@ -28,8 +33,11 @@ export declare class SkillRepository {
      * Download all files for a skill
      */
     downloadSkill(skillName: string): Promise<Map<string, string | Buffer>>;
+    private downloadSkillFromClawhub;
     /**
      * Recursively download all files in a directory
      */
     private downloadDirectory;
+    private listSkillsFromClawhub;
+    private listSkillsFromGitHub;
 }

package/dist/cli/services/skillRepository.js

@@ -11,8 +11,8 @@ function _define_property(obj, key, value) {
 }
 const logger = createLogger();
 class SkillRepository {
-    async fetch(path) {
-        const url = `${this.baseUrl}${path}`;
+    async fetchGitHub(path) {
+        const url = `${this.githubBaseUrl}${path}`;
         const headers = {
             Accept: "application/vnd.github.v3+json",
             "User-Agent": "wingman-cli"
@@ -34,29 +34,33 @@ class SkillRepository {
     }
     async listAvailableSkills() {
         try {
-            const contents = await this.fetch(`/repos/${this.owner}/${this.repo}/contents/skills`);
-            const skills = [];
-            for (const item of contents)if ("dir" === item.type) try {
-                const metadata = await this.getSkillMetadata(item.name);
-                skills.push({
-                    name: item.name,
-                    description: metadata.description || "No description",
-                    path: item.path,
-                    metadata
-                });
-            } catch (error) {
-                logger.warn(`Could not read skill ${item.name}`, error instanceof Error ? error.message : String(error));
-            }
-            return skills;
+            if ("clawhub" === this.provider) return await this.listSkillsFromClawhub();
+            return await this.listSkillsFromGitHub();
         } catch (error) {
             if (error instanceof Error) throw new Error(`Failed to list skills: ${error.message}`);
             throw error;
         }
     }
+    async fetchJson(url, options) {
+        const response = await fetch(url, {
+            headers: options?.headers
+        });
+        if (!response.ok) throw new Error(`HTTP ${response.status} ${response.statusText}`);
+        return await response.json();
+    }
+    async fetchBinary(url, options) {
+        const response = await fetch(url, {
+            headers: options?.headers
+        });
+        if (!response.ok) throw new Error(`HTTP ${response.status} ${response.statusText}`);
+        const arrayBuffer = await response.arrayBuffer();
+        return Buffer.from(arrayBuffer);
+    }
     async getSkillMetadata(skillName) {
+        if ("clawhub" === this.provider) return await this.getClawhubSkillMetadata(skillName);
         try {
             const skillMdPath = `/repos/${this.owner}/${this.repo}/contents/skills/${skillName}/SKILL.md`;
-            const skillMd = await this.fetch(skillMdPath);
+            const skillMd = await this.fetchGitHub(skillMdPath);
             if ("file" !== skillMd.type || !skillMd.content) throw new Error("SKILL.md not found or invalid");
             const content = Buffer.from(skillMd.content, "base64").toString("utf-8");
             const metadata = this.parseSkillMetadata(content);
@@ -66,6 +70,35 @@ class SkillRepository {
             throw error;
         }
     }
+    async getClawhubSkillMetadata(skillName) {
+        try {
+            const detail = await this.fetchJson(`${this.clawhubBaseUrl}/api/v1/skills/${encodeURIComponent(skillName)}`, {
+                headers: {
+                    Accept: "application/json",
+                    "User-Agent": "wingman-cli"
+                }
+            });
+            const slug = detail.skill?.slug?.trim() || skillName.trim();
+            const description = detail.skill?.summary?.trim() || detail.skill?.displayName?.trim() || "No description";
+            const nameRegex = /^[a-z0-9]+(-[a-z0-9]+)*$/;
+            if (!nameRegex.test(slug)) throw new Error(`Invalid skill name '${slug}': must be lowercase alphanumeric with hyphens only`);
+            return {
+                name: slug,
+                description,
+                metadata: {
+                    ...detail.latestVersion?.version ? {
+                        version: detail.latestVersion.version
+                    } : {},
+                    ...detail.owner?.handle ? {
+                        owner: detail.owner.handle
+                    } : {}
+                }
+            };
+        } catch (error) {
+            if (error instanceof Error) throw new Error(`Failed to fetch skill metadata for ${skillName}: ${error.message}`);
+            throw error;
+        }
+    }
     parseSkillMetadata(content) {
         const frontmatterRegex = /^---\s*\n([\s\S]*?)\n---/;
         const match = content.match(frontmatterRegex);
@@ -106,6 +139,7 @@ class SkillRepository {
         return metadata;
     }
     async downloadSkill(skillName) {
+        if ("clawhub" === this.provider) return await this.downloadSkillFromClawhub(skillName);
         try {
             const files = new Map();
             await this.downloadDirectory(`skills/${skillName}`, files, skillName);
@@ -115,14 +149,51 @@ class SkillRepository {
             throw error;
         }
     }
+    async downloadSkillFromClawhub(skillName) {
+        try {
+            const detail = await this.fetchJson(`${this.clawhubBaseUrl}/api/v1/skills/${encodeURIComponent(skillName)}`, {
+                headers: {
+                    Accept: "application/json",
+                    "User-Agent": "wingman-cli"
+                }
+            });
+            const slug = detail.skill?.slug || skillName;
+            const version = detail.latestVersion?.version;
+            if (!version) throw new Error("No latest version available");
+            const filesResponse = await this.fetchJson(`${this.clawhubBaseUrl}/api/v1/skills/${encodeURIComponent(slug)}/versions/${encodeURIComponent(version)}`, {
+                headers: {
+                    Accept: "application/json",
+                    "User-Agent": "wingman-cli"
+                }
+            });
+            const files = filesResponse.version?.files || [];
+            const output = new Map();
+            for (const file of files){
+                const fileUrl = new URL(`${this.clawhubBaseUrl}/api/v1/skills/${encodeURIComponent(slug)}/file`);
+                fileUrl.searchParams.set("path", file.path);
+                fileUrl.searchParams.set("version", version);
+                const content = await this.fetchBinary(fileUrl.toString(), {
+                    headers: {
+                        Accept: "text/plain, application/octet-stream",
+                        "User-Agent": "wingman-cli"
+                    }
+                });
+                output.set(file.path, content);
+            }
+            return output;
+        } catch (error) {
+            if (error instanceof Error) throw new Error(`Failed to download skill ${skillName}: ${error.message}`);
+            throw error;
+        }
+    }
     async downloadDirectory(path, files, skillName) {
-        const contents = await this.fetch(`/repos/${this.owner}/${this.repo}/contents/${path}`);
+        const contents = await this.fetchGitHub(`/repos/${this.owner}/${this.repo}/contents/${path}`);
         for (const item of contents)if ("file" === item.type) if (item.content) {
             const content = Buffer.from(item.content, "base64");
             const relativePath = item.path.replace(`skills/${skillName}/`, "");
             files.set(relativePath, content);
         } else {
-            const fileData = await this.fetch(item.url.replace(this.baseUrl, ""));
+            const fileData = await this.fetchGitHub(item.url.replace(this.githubBaseUrl, ""));
             if (fileData.content && "base64" === fileData.encoding) {
                 const content = Buffer.from(fileData.content, "base64");
                 const relativePath = item.path.replace(`skills/${skillName}/`, "");
@@ -131,14 +202,61 @@ class SkillRepository {
         }
         else if ("dir" === item.type) await this.downloadDirectory(item.path, files, skillName);
     }
+    async listSkillsFromClawhub() {
+        const allSkills = [];
+        let cursor = null;
+        do {
+            const url = new URL(`${this.clawhubBaseUrl}/api/v1/skills`);
+            url.searchParams.set("sort", "downloads");
+            url.searchParams.set("limit", "100");
+            if (cursor) url.searchParams.set("cursor", cursor);
+            const response = await this.fetchJson(url.toString(), {
+                headers: {
+                    Accept: "application/json",
+                    "User-Agent": "wingman-cli"
+                }
+            });
+            for (const item of response.items || [])allSkills.push({
+                name: item.slug,
+                description: item.summary?.trim() || item.displayName?.trim() || "No description",
+                path: item.slug,
+                metadata: {
+                    name: item.slug,
+                    description: item.summary?.trim() || item.displayName?.trim() || "No description"
+                }
+            });
+            cursor = response.nextCursor || null;
+        }while (cursor);
+        return allSkills;
+    }
+    async listSkillsFromGitHub() {
+        const contents = await this.fetchGitHub(`/repos/${this.owner}/${this.repo}/contents/skills`);
+        const skills = [];
+        for (const item of contents)if ("dir" === item.type) try {
+            const metadata = await this.getSkillMetadata(item.name);
+            skills.push({
+                name: item.name,
+                description: metadata.description || "No description",
+                path: item.path,
+                metadata
+            });
+        } catch (error) {
+            logger.warn(`Could not read skill ${item.name}`, error instanceof Error ? error.message : String(error));
+        }
+        return skills;
+    }
     constructor(options = {}){
-        _define_property(this, "baseUrl", "https://api.github.com");
+        _define_property(this, "githubBaseUrl", "https://api.github.com");
         _define_property(this, "owner", void 0);
         _define_property(this, "repo", void 0);
         _define_property(this, "token", void 0);
+        _define_property(this, "provider", void 0);
+        _define_property(this, "clawhubBaseUrl", void 0);
+        this.provider = options.provider || "github";
         this.owner = options.repositoryOwner || "anthropics";
         this.repo = options.repositoryName || "skills";
         this.token = options.githubToken || process.env.GITHUB_TOKEN || void 0;
+        this.clawhubBaseUrl = (options.clawhubBaseUrl || "https://clawhub.ai").replace(/\/+$/, "");
     }
 }
 export { SkillRepository };

package/dist/cli/services/skillSecurityScanner.cjs

@@ -0,0 +1,158 @@
+"use strict";
+var __webpack_require__ = {};
+(()=>{
+    __webpack_require__.d = (exports1, definition)=>{
+        for(var key in definition)if (__webpack_require__.o(definition, key) && !__webpack_require__.o(exports1, key)) Object.defineProperty(exports1, key, {
+            enumerable: true,
+            get: definition[key]
+        });
+    };
+})();
+(()=>{
+    __webpack_require__.o = (obj, prop)=>Object.prototype.hasOwnProperty.call(obj, prop);
+})();
+(()=>{
+    __webpack_require__.r = (exports1)=>{
+        if ("u" > typeof Symbol && Symbol.toStringTag) Object.defineProperty(exports1, Symbol.toStringTag, {
+            value: 'Module'
+        });
+        Object.defineProperty(exports1, '__esModule', {
+            value: true
+        });
+    };
+})();
+var __webpack_exports__ = {};
+__webpack_require__.r(__webpack_exports__);
+__webpack_require__.d(__webpack_exports__, {
+    __skillSecurityScanner: ()=>__skillSecurityScanner,
+    scanSkillDirectory: ()=>scanSkillDirectory
+});
+const external_node_child_process_namespaceObject = require("node:child_process");
+const uv_cjs_namespaceObject = require("../../utils/uv.cjs");
+const DEFAULT_SCANNER_COMMAND = "uvx";
+const DEFAULT_SCANNER_ARGS = [
+    "--from",
+    "mcp-scan>=0.4,<0.5",
+    "mcp-scan",
+    "--json",
+    "--skills"
+];
+const DEFAULT_BLOCKED_CODES = [
+    "MCP501",
+    "MCP506",
+    "MCP507",
+    "MCP508",
+    "MCP509",
+    "MCP510",
+    "MCP511"
+];
+function getScannerCommand(security) {
+    return security?.scannerCommand?.trim() || DEFAULT_SCANNER_COMMAND;
+}
+function getScannerArgs(security) {
+    if (Array.isArray(security?.scannerArgs) && security.scannerArgs.length > 0) return security.scannerArgs;
+    return DEFAULT_SCANNER_ARGS;
+}
+function getBlockedIssueCodes(security) {
+    const configured = security?.blockIssueCodes || DEFAULT_BLOCKED_CODES;
+    return new Set(configured.map((code)=>code.trim().toUpperCase()).filter(Boolean));
+}
+function parseScanResult(stdout) {
+    try {
+        return JSON.parse(stdout);
+    } catch  {
+        const firstBrace = stdout.indexOf("{");
+        const lastBrace = stdout.lastIndexOf("}");
+        if (-1 === firstBrace || -1 === lastBrace || lastBrace < firstBrace) throw new Error("Scanner output did not include JSON");
+        const jsonPayload = stdout.slice(firstBrace, lastBrace + 1);
+        return JSON.parse(jsonPayload);
+    }
+}
+async function runCommand(command, args) {
+    return await new Promise((resolve, reject)=>{
+        const child = (0, external_node_child_process_namespaceObject.spawn)(command, args, {
+            stdio: [
+                "ignore",
+                "pipe",
+                "pipe"
+            ]
+        });
+        let stdout = "";
+        let stderr = "";
+        child.stdout.on("data", (chunk)=>{
+            stdout += chunk.toString();
+        });
+        child.stderr.on("data", (chunk)=>{
+            stderr += chunk.toString();
+        });
+        child.on("error", reject);
+        child.on("close", (exitCode)=>{
+            resolve({
+                exitCode,
+                stdout,
+                stderr
+            });
+        });
+    });
+}
+async function scanSkillDirectory(skillPath, logger, security) {
+    const scanOnInstall = security?.scanOnInstall ?? true;
+    if (!scanOnInstall) return;
+    const command = getScannerCommand(security);
+    (0, uv_cjs_namespaceObject.ensureUvAvailableForFeature)(command, "skills.security.scanOnInstall");
+    const args = [
+        ...getScannerArgs(security),
+        skillPath
+    ];
+    logger.info(`Running skill security scan: ${command} ${args.join(" ")}`);
+    const result = await runCommand(command, args);
+    if (0 !== result.exitCode) {
+        const details = result.stderr.trim() || result.stdout.trim();
+        throw new Error(`Skill security scan failed with exit code ${result.exitCode ?? "unknown"}${details ? `: ${details}` : ""}`);
+    }
+    const parsed = parseScanResult(result.stdout);
+    const failedPaths = Object.entries(parsed).filter(([, value])=>Boolean(value.error && false !== value.error.is_failure));
+    if (failedPaths.length > 0) {
+        const formatted = failedPaths.map(([path, value])=>{
+            const category = value.error?.category ? ` (${value.error.category})` : "";
+            return `${path}: ${value.error?.message || "unknown scan error"}${category}`;
+        }).join("; ");
+        throw new Error(`Skill security scan reported errors: ${formatted}`);
+    }
+    const blockedCodes = getBlockedIssueCodes(security);
+    const blockingIssues = [];
+    const nonBlockingIssues = [];
+    for (const value of Object.values(parsed))for (const issue of value.issues || []){
+        const code = (issue.code || "").trim().toUpperCase();
+        if (!code) continue;
+        const issueDetails = {
+            code,
+            message: issue.message || ""
+        };
+        if (blockedCodes.has(code)) blockingIssues.push(issueDetails);
+        else nonBlockingIssues.push(issueDetails);
+    }
+    if (nonBlockingIssues.length > 0) {
+        const codes = Array.from(new Set(nonBlockingIssues.map((issue)=>issue.code)));
+        logger.warn(`Skill security scan returned non-blocking issues: ${codes.join(", ")}`);
+    }
+    if (blockingIssues.length > 0) {
+        const codes = Array.from(new Set(blockingIssues.map((issue)=>issue.code)));
+        throw new Error(`Skill security scan blocked installation due to issue codes: ${codes.join(", ")}`);
+    }
+}
+const __skillSecurityScanner = {
+    parseScanResult,
+    getScannerArgs,
+    getScannerCommand,
+    getBlockedIssueCodes
+};
+exports.__skillSecurityScanner = __webpack_exports__.__skillSecurityScanner;
+exports.scanSkillDirectory = __webpack_exports__.scanSkillDirectory;
+for(var __rspack_i in __webpack_exports__)if (-1 === [
+    "__skillSecurityScanner",
+    "scanSkillDirectory"
+].indexOf(__rspack_i)) exports[__rspack_i] = __webpack_exports__[__rspack_i];
+Object.defineProperty(exports, '__esModule', {
+    value: true
+});

package/dist/cli/services/skillSecurityScanner.d.ts

@@ -0,0 +1,28 @@
+import type { Logger } from "@/logger.js";
+import type { SkillSecurityOptions } from "../types/skill.js";
+type ScanIssue = {
+    code?: string;
+    message?: string;
+};
+type ScanError = {
+    message?: string;
+    is_failure?: boolean;
+    category?: string;
+};
+type ScanPathResult = {
+    issues?: ScanIssue[];
+    error?: ScanError | null;
+};
+type ScanResultMap = Record<string, ScanPathResult>;
+declare function getScannerCommand(security?: SkillSecurityOptions): string;
+declare function getScannerArgs(security?: SkillSecurityOptions): string[];
+declare function getBlockedIssueCodes(security?: SkillSecurityOptions): Set<string>;
+declare function parseScanResult(stdout: string): ScanResultMap;
+export declare function scanSkillDirectory(skillPath: string, logger: Logger, security?: SkillSecurityOptions): Promise<void>;
+export declare const __skillSecurityScanner: {
+    parseScanResult: typeof parseScanResult;
+    getScannerArgs: typeof getScannerArgs;
+    getScannerCommand: typeof getScannerCommand;
+    getBlockedIssueCodes: typeof getBlockedIssueCodes;
+};
+export {};