acidtest 0.1.0

package/dist/scanner.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Main scanner orchestrator
+ * Coordinates all four scanning layers
+ */
+import type { ScanResult } from './types.js';
+/**
+ * Main scan function
+ * Scans a skill directory or SKILL.md file
+ */
+export declare function scanSkill(skillPath: string): Promise<ScanResult>;
+/**
+ * Scan multiple skills in a directory
+ */
+export declare function scanAllSkills(directory: string): Promise<ScanResult[]>;
+//# sourceMappingURL=scanner.d.ts.map

package/dist/scanner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scanner.d.ts","sourceRoot":"","sources":["../src/scanner.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAMH,OAAO,KAAK,EAAmB,UAAU,EAAW,MAAM,YAAY,CAAC;AASvE;;;GAGG;AACH,wBAAsB,SAAS,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,CAmDtE;AAqGD;;GAEG;AACH,wBAAsB,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC,CAmB5E"}

package/dist/scanner.js

@@ -0,0 +1,176 @@
+/**
+ * Main scanner orchestrator
+ * Coordinates all four scanning layers
+ */
+import { readFileSync, existsSync, statSync } from 'fs';
+import { join, basename, extname } from 'path';
+import { glob } from 'glob';
+import matter from 'gray-matter';
+import { scanPermissions } from './layers/permissions.js';
+import { scanInjection } from './layers/injection.js';
+import { scanCode } from './layers/code.js';
+import { scanCrossReference } from './layers/crossref.js';
+import { calculateScore, determineStatus, generateRecommendation } from './scoring.js';
+const VERSION = '0.1.0';
+/**
+ * Main scan function
+ * Scans a skill directory or SKILL.md file
+ */
+export async function scanSkill(skillPath) {
+    // Load the skill
+    const skill = await loadSkill(skillPath);
+    // Run all four scanning layers
+    const layer1 = await scanPermissions(skill);
+    const layer2 = await scanInjection(skill);
+    const layer3 = await scanCode(skill);
+    // Combine findings from layers 1-3 for cross-reference
+    const previousFindings = [
+        ...layer1.findings,
+        ...layer2.findings,
+        ...layer3.findings
+    ];
+    const layer4 = await scanCrossReference(skill, previousFindings);
+    // Combine all findings
+    const allFindings = [
+        ...layer1.findings,
+        ...layer2.findings,
+        ...layer3.findings,
+        ...layer4.findings
+    ];
+    // Calculate score and status
+    const score = calculateScore(allFindings);
+    const status = determineStatus(score);
+    const recommendation = generateRecommendation(status, allFindings);
+    // Build result
+    const result = {
+        tool: 'acidtest',
+        version: VERSION,
+        skill: {
+            name: skill.name,
+            path: skill.path
+        },
+        score,
+        status,
+        permissions: {
+            bins: skill.metadata.bins,
+            env: skill.metadata.env,
+            tools: skill.metadata['allowed-tools']
+        },
+        findings: allFindings,
+        recommendation
+    };
+    return result;
+}
+/**
+ * Load a skill from a directory or SKILL.md file
+ */
+async function loadSkill(skillPath) {
+    let skillMdPath;
+    let skillDir;
+    // Determine if path is a directory or file
+    if (existsSync(skillPath) && statSync(skillPath).isDirectory()) {
+        skillDir = skillPath;
+        skillMdPath = join(skillPath, 'SKILL.md');
+    }
+    else if (basename(skillPath) === 'SKILL.md') {
+        skillMdPath = skillPath;
+        skillDir = join(skillPath, '..');
+    }
+    else {
+        throw new Error('Path must be a skill directory or SKILL.md file');
+    }
+    // Check if SKILL.md exists
+    if (!existsSync(skillMdPath)) {
+        throw new Error(`SKILL.md not found at: ${skillMdPath}`);
+    }
+    // Read and parse SKILL.md
+    const skillContent = readFileSync(skillMdPath, 'utf-8');
+    const parsed = matter(skillContent);
+    // Extract metadata and markdown
+    const metadata = parsed.data;
+    const markdownContent = parsed.content;
+    // Determine skill name
+    const skillName = metadata.name ||
+        basename(skillDir) ||
+        'unknown-skill';
+    // Find all code files (.ts, .js, .mjs, .cjs)
+    const codeFiles = await findCodeFiles(skillDir);
+    return {
+        name: skillName,
+        path: skillPath,
+        metadata,
+        markdownContent,
+        codeFiles
+    };
+}
+/**
+ * Find all code files in skill directory
+ */
+async function findCodeFiles(skillDir) {
+    const codeFiles = [];
+    // Search for .ts, .js, .mjs, .cjs files
+    const patterns = [
+        join(skillDir, '**/*.ts'),
+        join(skillDir, '**/*.js'),
+        join(skillDir, '**/*.mjs'),
+        join(skillDir, '**/*.cjs')
+    ];
+    for (const pattern of patterns) {
+        try {
+            const files = await glob(pattern, {
+                ignore: ['**/node_modules/**', '**/dist/**', '**/build/**']
+            });
+            for (const filePath of files) {
+                try {
+                    const content = readFileSync(filePath, 'utf-8');
+                    const ext = extname(filePath).slice(1); // Remove leading dot
+                    // Determine extension type
+                    let extension;
+                    if (ext === 'ts')
+                        extension = 'ts';
+                    else if (ext === 'mjs')
+                        extension = 'mjs';
+                    else if (ext === 'cjs')
+                        extension = 'cjs';
+                    else
+                        extension = 'js';
+                    codeFiles.push({
+                        path: filePath,
+                        content,
+                        extension
+                    });
+                }
+                catch (error) {
+                    // Skip files that can't be read
+                    console.warn(`Warning: Could not read file: ${filePath}`);
+                }
+            }
+        }
+        catch (error) {
+            // Skip pattern if glob fails
+        }
+    }
+    return codeFiles;
+}
+/**
+ * Scan multiple skills in a directory
+ */
+export async function scanAllSkills(directory) {
+    const results = [];
+    // Find all SKILL.md files
+    const pattern = join(directory, '**/SKILL.md');
+    const skillFiles = await glob(pattern, {
+        ignore: ['**/node_modules/**']
+    });
+    for (const skillFile of skillFiles) {
+        try {
+            const result = await scanSkill(skillFile);
+            results.push(result);
+        }
+        catch (error) {
+            console.warn(`Warning: Could not scan skill at ${skillFile}:`, error.message);
+        }
+    }
+    return results;
+}
+//# sourceMappingURL=scanner.js.map

package/dist/scanner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scanner.js","sourceRoot":"","sources":["../src/scanner.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,IAAI,CAAC;AACxD,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAC/C,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,MAAM,MAAM,aAAa,CAAC;AAEjC,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAC1D,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAC1D,OAAO,EAAE,cAAc,EAAE,eAAe,EAAE,sBAAsB,EAAE,MAAM,cAAc,CAAC;AAEvF,MAAM,OAAO,GAAG,OAAO,CAAC;AAExB;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,SAAiB;IAC/C,iBAAiB;IACjB,MAAM,KAAK,GAAG,MAAM,SAAS,CAAC,SAAS,CAAC,CAAC;IAEzC,+BAA+B;IAC/B,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,KAAK,CAAC,CAAC;IAC5C,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,CAAC;IAC1C,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC;IAErC,uDAAuD;IACvD,MAAM,gBAAgB,GAAG;QACvB,GAAG,MAAM,CAAC,QAAQ;QAClB,GAAG,MAAM,CAAC,QAAQ;QAClB,GAAG,MAAM,CAAC,QAAQ;KACnB,CAAC;IAEF,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;IAEjE,uBAAuB;IACvB,MAAM,WAAW,GAAc;QAC7B,GAAG,MAAM,CAAC,QAAQ;QAClB,GAAG,MAAM,CAAC,QAAQ;QAClB,GAAG,MAAM,CAAC,QAAQ;QAClB,GAAG,MAAM,CAAC,QAAQ;KACnB,CAAC;IAEF,6BAA6B;IAC7B,MAAM,KAAK,GAAG,cAAc,CAAC,WAAW,CAAC,CAAC;IAC1C,MAAM,MAAM,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;IACtC,MAAM,cAAc,GAAG,sBAAsB,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IAEnE,eAAe;IACf,MAAM,MAAM,GAAe;QACzB,IAAI,EAAE,UAAU;QAChB,OAAO,EAAE,OAAO;QAChB,KAAK,EAAE;YACL,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,IAAI,EAAE,KAAK,CAAC,IAAI;SACjB;QACD,KAAK;QACL,MAAM;QACN,WAAW,EAAE;YACX,IAAI,EAAE,KAAK,CAAC,QAAQ,CAAC,IAAI;YACzB,GAAG,EAAE,KAAK,CAAC,QAAQ,CAAC,GAAG;YACvB,KAAK,EAAE,KAAK,CAAC,QAAQ,CAAC,eAAe,CAAC;SACvC;QACD,QAAQ,EAAE,WAAW;QACrB,cAAc;KACf,CAAC;IAEF,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,SAAS,CAAC,SAAiB;IACxC,IAAI,WAAmB,CAAC;IACxB,IAAI,QAAgB,CAAC;IAErB,2CAA2C;IAC3C,IAAI,UAAU,CAAC,SAAS,CAAC,IAAI,QAAQ,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC;QAC/D,QAAQ,GAAG,SAAS,CAAC;QACrB,WAAW,GAAG,IAAI,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;IAC5C,CAAC;SAAM,IAAI,QAAQ,CAAC,SAAS,CAAC,KAAK,UAAU,EAAE,CAAC;QAC9C,WAAW,GAAG,SAAS,CAAC;QACxB,QAAQ,GAAG,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;IACnC,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;IACrE,CAAC;IAED,2BAA2B;IAC3B,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CAAC,0BAA0B,WAAW,EAAE,CAAC,CAAC;IAC3D,CAAC;IAED,0BAA0B;IAC1B,MAAM,YAAY,GAAG,YAAY,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;IACxD,MAAM,MAAM,GAAG,MAAM,CAAC,YAAY,CAAC,CAAC;IAEpC,gCAAgC;IAChC,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC;IAC7B,MAAM,eAAe,GAAG,MAAM,CAAC,OAAO,CAAC;IAEvC,uBAAuB;IACvB,MAAM,SAAS,GACb,QAAQ,CAAC,IAAI;QACb,QAAQ,CAAC,QAAQ,CAAC;QAClB,eAAe,CAAC;IAElB,6CAA6C;IAC7C,MAAM,SAAS,GAAG,MAAM,aAAa,CAAC,QAAQ,CAAC,CAAC;IAEhD,OAAO;QACL,IAAI,EAAE,SAAS;QACf,IAAI,EAAE,SAAS;QACf,QAAQ;QACR,eAAe;QACf,SAAS;KACV,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,aAAa,CAAC,QAAgB;IAC3C,MAAM,SAAS,GAAe,EAAE,CAAC;IAEjC,wCAAwC;IACxC,MAAM,QAAQ,GAAG;QACf,IAAI,CAAC,QAAQ,EAAE,SAAS,CAAC;QACzB,IAAI,CAAC,QAAQ,EAAE,SAAS,CAAC;QACzB,IAAI,CAAC,QAAQ,EAAE,UAAU,CAAC;QAC1B,IAAI,CAAC,QAAQ,EAAE,UAAU,CAAC;KAC3B,CAAC;IAEF,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE;gBAChC,MAAM,EAAE,CAAC,oBAAoB,EAAE,YAAY,EAAE,aAAa,CAAC;aAC5D,CAAC,CAAC;YAEH,KAAK,MAAM,QAAQ,IAAI,KAAK,EAAE,CAAC;gBAC7B,IAAI,CAAC;oBACH,MAAM,OAAO,GAAG,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;oBAChD,MAAM,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,qBAAqB;oBAE7D,2BAA2B;oBAC3B,IAAI,SAAsC,CAAC;oBAC3C,IAAI,GAAG,KAAK,IAAI;wBAAE,SAAS,GAAG,IAAI,CAAC;yBAC9B,IAAI,GAAG,KAAK,KAAK;wBAAE,SAAS,GAAG,KAAK,CAAC;yBACrC,IAAI,GAAG,KAAK,KAAK;wBAAE,SAAS,GAAG,KAAK,CAAC;;wBACrC,SAAS,GAAG,IAAI,CAAC;oBAEtB,SAAS,CAAC,IAAI,CAAC;wBACb,IAAI,EAAE,QAAQ;wBACd,OAAO;wBACP,SAAS;qBACV,CAAC,CAAC;gBACL,CAAC;gBAAC,OAAO,KAAK,EAAE,CAAC;oBACf,gCAAgC;oBAChC,OAAO,CAAC,IAAI,CAAC,iCAAiC,QAAQ,EAAE,CAAC,CAAC;gBAC5D,CAAC;YACH,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,6BAA6B;QAC/B,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,SAAiB;IACnD,MAAM,OAAO,GAAiB,EAAE,CAAC;IAEjC,0BAA0B;IAC1B,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC;IAC/C,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE;QACrC,MAAM,EAAE,CAAC,oBAAoB,CAAC;KAC/B,CAAC,CAAC;IAEH,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,SAAS,CAAC,CAAC;YAC1C,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACvB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,IAAI,CAAC,oCAAoC,SAAS,GAAG,EAAG,KAAe,CAAC,OAAO,CAAC,CAAC;QAC3F,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/scoring.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Scoring engine
+ * Calculates trust score from security findings
+ */
+import type { Finding, Status, Severity } from './types.js';
+/**
+ * Calculate trust score from findings
+ * Score starts at 100 and deductions are made for each finding
+ */
+export declare function calculateScore(findings: Finding[]): number;
+/**
+ * Determine overall status from score
+ */
+export declare function determineStatus(score: number): Status;
+/**
+ * Generate recommendation based on status and findings
+ */
+export declare function generateRecommendation(status: Status, findings: Finding[]): string;
+/**
+ * Get severity counts from findings
+ */
+export declare function getSeverityCounts(findings: Finding[]): Record<Severity, number>;
+//# sourceMappingURL=scoring.d.ts.map

package/dist/scoring.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scoring.d.ts","sourceRoot":"","sources":["../src/scoring.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AAa5D;;;GAGG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,OAAO,EAAE,GAAG,MAAM,CAU1D;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAKrD;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CACpC,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,OAAO,EAAE,GAClB,MAAM,CAwCR;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,OAAO,EAAE,GAAG,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,CAc/E"}

package/dist/scoring.js

@@ -0,0 +1,85 @@
+/**
+ * Scoring engine
+ * Calculates trust score from security findings
+ */
+/**
+ * Severity point deductions
+ */
+const SEVERITY_POINTS = {
+    CRITICAL: 25,
+    HIGH: 15,
+    MEDIUM: 8,
+    LOW: 3,
+    INFO: 0
+};
+/**
+ * Calculate trust score from findings
+ * Score starts at 100 and deductions are made for each finding
+ */
+export function calculateScore(findings) {
+    let score = 100;
+    for (const finding of findings) {
+        const deduction = SEVERITY_POINTS[finding.severity];
+        score -= deduction;
+    }
+    // Floor at 0
+    return Math.max(0, score);
+}
+/**
+ * Determine overall status from score
+ */
+export function determineStatus(score) {
+    if (score >= 80)
+        return 'PASS';
+    if (score >= 50)
+        return 'WARN';
+    if (score >= 20)
+        return 'FAIL';
+    return 'DANGER';
+}
+/**
+ * Generate recommendation based on status and findings
+ */
+export function generateRecommendation(status, findings) {
+    // Check for critical permission mismatches or exfiltration
+    const hasCriticalMismatch = findings.some(f => f.severity === 'CRITICAL' && f.category === 'permission-mismatch');
+    const hasExfiltration = findings.some(f => f.category.includes('exfiltration') || f.title.toLowerCase().includes('exfiltrate'));
+    const hasPromptInjection = findings.some(f => f.category === 'prompt-injection' && f.severity === 'CRITICAL');
+    if (hasCriticalMismatch || hasExfiltration) {
+        return 'Do not install. Undeclared data exfiltration detected.';
+    }
+    if (hasPromptInjection) {
+        return 'Do not install. Prompt injection attempt detected.';
+    }
+    switch (status) {
+        case 'DANGER':
+            return 'Do not install. Skill presents severe security risks.';
+        case 'FAIL':
+            return 'Do not install without thorough review. Multiple security issues detected.';
+        case 'WARN':
+            return 'Review recommended. Some security concerns detected.';
+        case 'PASS':
+            return findings.length === 0
+                ? 'Skill appears safe to install.'
+                : 'Skill appears relatively safe, but review findings.';
+        default:
+            return 'Unable to determine safety.';
+    }
+}
+/**
+ * Get severity counts from findings
+ */
+export function getSeverityCounts(findings) {
+    const counts = {
+        CRITICAL: 0,
+        HIGH: 0,
+        MEDIUM: 0,
+        LOW: 0,
+        INFO: 0
+    };
+    for (const finding of findings) {
+        counts[finding.severity]++;
+    }
+    return counts;
+}
+//# sourceMappingURL=scoring.js.map

package/dist/scoring.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scoring.js","sourceRoot":"","sources":["../src/scoring.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH;;GAEG;AACH,MAAM,eAAe,GAA6B;IAChD,QAAQ,EAAE,EAAE;IACZ,IAAI,EAAE,EAAE;IACR,MAAM,EAAE,CAAC;IACT,GAAG,EAAE,CAAC;IACN,IAAI,EAAE,CAAC;CACR,CAAC;AAEF;;;GAGG;AACH,MAAM,UAAU,cAAc,CAAC,QAAmB;IAChD,IAAI,KAAK,GAAG,GAAG,CAAC;IAEhB,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,SAAS,GAAG,eAAe,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QACpD,KAAK,IAAI,SAAS,CAAC;IACrB,CAAC;IAED,aAAa;IACb,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;AAC5B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,KAAa;IAC3C,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,MAAM,CAAC;IAC/B,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,MAAM,CAAC;IAC/B,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,MAAM,CAAC;IAC/B,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,sBAAsB,CACpC,MAAc,EACd,QAAmB;IAEnB,2DAA2D;IAC3D,MAAM,mBAAmB,GAAG,QAAQ,CAAC,IAAI,CACvC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,IAAI,CAAC,CAAC,QAAQ,KAAK,qBAAqB,CACvE,CAAC;IAEF,MAAM,eAAe,GAAG,QAAQ,CAAC,IAAI,CACnC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,YAAY,CAAC,CACzF,CAAC;IAEF,MAAM,kBAAkB,GAAG,QAAQ,CAAC,IAAI,CACtC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,kBAAkB,IAAI,CAAC,CAAC,QAAQ,KAAK,UAAU,CACpE,CAAC;IAEF,IAAI,mBAAmB,IAAI,eAAe,EAAE,CAAC;QAC3C,OAAO,wDAAwD,CAAC;IAClE,CAAC;IAED,IAAI,kBAAkB,EAAE,CAAC;QACvB,OAAO,oDAAoD,CAAC;IAC9D,CAAC;IAED,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,QAAQ;YACX,OAAO,uDAAuD,CAAC;QAEjE,KAAK,MAAM;YACT,OAAO,4EAA4E,CAAC;QAEtF,KAAK,MAAM;YACT,OAAO,sDAAsD,CAAC;QAEhE,KAAK,MAAM;YACT,OAAO,QAAQ,CAAC,MAAM,KAAK,CAAC;gBAC1B,CAAC,CAAC,gCAAgC;gBAClC,CAAC,CAAC,qDAAqD,CAAC;QAE5D;YACE,OAAO,6BAA6B,CAAC;IACzC,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,QAAmB;IACnD,MAAM,MAAM,GAA6B;QACvC,QAAQ,EAAE,CAAC;QACX,IAAI,EAAE,CAAC;QACP,MAAM,EAAE,CAAC;QACT,GAAG,EAAE,CAAC;QACN,IAAI,EAAE,CAAC;KACR,CAAC;IAEF,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;IAC7B,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,112 @@
+/**
+ * Core TypeScript interfaces for AcidTest security scanner
+ */
+export type Severity = 'CRITICAL' | 'HIGH' | 'MEDIUM' | 'LOW' | 'INFO';
+export type Status = 'PASS' | 'WARN' | 'FAIL' | 'DANGER';
+export type Layer = 'permissions' | 'markdown' | 'code' | 'crossref';
+export type PatternMatchType = 'regex' | 'ast' | 'exact';
+/**
+ * Pattern match configuration
+ */
+export interface PatternMatch {
+    type: PatternMatchType;
+    value: string;
+    flags?: string;
+}
+/**
+ * Detection pattern definition
+ */
+export interface Pattern {
+    id: string;
+    name: string;
+    description?: string;
+    severity: Severity;
+    match: PatternMatch;
+    layer: Layer;
+    category?: string;
+}
+/**
+ * Pattern category file structure
+ */
+export interface PatternCategory {
+    category: string;
+    patterns: Pattern[];
+}
+/**
+ * Skill metadata from YAML frontmatter
+ */
+export interface SkillMetadata {
+    name?: string;
+    description?: string;
+    version?: string;
+    env?: string[];
+    bins?: string[];
+    'allowed-tools'?: string[];
+    [key: string]: unknown;
+}
+/**
+ * Parsed skill structure
+ */
+export interface Skill {
+    name: string;
+    path: string;
+    metadata: SkillMetadata;
+    markdownContent: string;
+    codeFiles: CodeFile[];
+}
+/**
+ * Code file structure
+ */
+export interface CodeFile {
+    path: string;
+    content: string;
+    extension: 'ts' | 'js' | 'mjs' | 'cjs';
+}
+/**
+ * Individual security finding
+ */
+export interface Finding {
+    severity: Severity;
+    category: string;
+    title: string;
+    file?: string;
+    line?: number;
+    detail: string;
+    evidence?: string;
+    patternId?: string;
+}
+/**
+ * Layer scan result
+ */
+export interface LayerResult {
+    layer: Layer;
+    findings: Finding[];
+}
+/**
+ * Complete scan result
+ */
+export interface ScanResult {
+    tool: string;
+    version: string;
+    skill: {
+        name: string;
+        path: string;
+    };
+    score: number;
+    status: Status;
+    permissions: {
+        bins?: string[];
+        env?: string[];
+        tools?: string[];
+    };
+    findings: Finding[];
+    recommendation: string;
+}
+/**
+ * CLI options
+ */
+export interface CliOptions {
+    json?: boolean;
+    verbose?: boolean;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,MAAM,MAAM,QAAQ,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;AAEvE,MAAM,MAAM,MAAM,GAAG,MAAM,GAAG,MAAM,GAAG,MAAM,GAAG,QAAQ,CAAC;AAEzD,MAAM,MAAM,KAAK,GAAG,aAAa,GAAG,UAAU,GAAG,MAAM,GAAG,UAAU,CAAC;AAErE,MAAM,MAAM,gBAAgB,GAAG,OAAO,GAAG,KAAK,GAAG,OAAO,CAAC;AAEzD;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,gBAAgB,CAAC;IACvB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,OAAO;IACtB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,QAAQ,CAAC;IACnB,KAAK,EAAE,YAAY,CAAC;IACpB,KAAK,EAAE,KAAK,CAAC;IACb,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,OAAO,EAAE,CAAC;CACrB;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED;;GAEG;AACH,MAAM,WAAW,KAAK;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,aAAa,CAAC;IACxB,eAAe,EAAE,MAAM,CAAC;IACxB,SAAS,EAAE,QAAQ,EAAE,CAAC;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,QAAQ;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,IAAI,GAAG,IAAI,GAAG,KAAK,GAAG,KAAK,CAAC;CACxC;AAED;;GAEG;AACH,MAAM,WAAW,OAAO;IACtB,QAAQ,EAAE,QAAQ,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,KAAK,CAAC;IACb,QAAQ,EAAE,OAAO,EAAE,CAAC;CACrB;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE;QACL,IAAI,EAAE,MAAM,CAAC;QACb,IAAI,EAAE,MAAM,CAAC;KACd,CAAC;IACF,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE;QACX,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;QAChB,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC;QACf,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;KAClB,CAAC;IACF,QAAQ,EAAE,OAAO,EAAE,CAAC;IACpB,cAAc,EAAE,MAAM,CAAC;CACxB;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB"}

package/dist/types.js

@@ -0,0 +1,5 @@
+/**
+ * Core TypeScript interfaces for AcidTest security scanner
+ */
+export {};
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;GAEG"}

package/package.json

@@ -0,0 +1,46 @@
+{
+  "name": "acidtest",
+  "version": "0.1.0",
+  "type": "module",
+  "description": "Security scanner for AI agent skills. Scan before you install.",
+  "bin": {
+    "acidtest": "./dist/index.js"
+  },
+  "scripts": {
+    "build": "tsc && mkdir -p dist/patterns && cp src/patterns/*.json dist/patterns/",
+    "dev": "npm run build && node dist/index.js",
+    "watch": "tsc --watch"
+  },
+  "files": [
+    "dist"
+  ],
+  "keywords": [
+    "security",
+    "agent",
+    "agentskills",
+    "openclaw",
+    "moltbot",
+    "skill-scanner",
+    "prompt-injection",
+    "ai-security"
+  ],
+  "author": "Currently",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/currentlycurrently/acidtest"
+  },
+  "homepage": "https://acidtest.dev",
+  "dependencies": {
+    "chalk": "^5.3.0",
+    "glob": "^10.3.10",
+    "gray-matter": "^4.0.3",
+    "typescript": "^5.3.3"
+  },
+  "devDependencies": {
+    "@types/node": "^20.11.0"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  }
+}