agent-security-scanner-mcp 3.4.0 → 3.5.0

package/README.md

@@ -1,21 +1,17 @@
 # agent-security-scanner-mcp
 
-Security scanner for AI coding agents and autonomous assistants. Scans code for vulnerabilities, detects hallucinated packages, and blocks prompt injection — via MCP (Claude Code, Cursor, Windsurf, Cline) or CLI (OpenClaw, CI/CD).
+Security scanner MCP server for AI coding agents. Scans code for vulnerabilities, detects hallucinated packages, and blocks prompt injection — all in real-time via the Model Context Protocol.
 
 [![npm downloads](https://img.shields.io/npm/dt/agent-security-scanner-mcp.svg)](https://www.npmjs.com/package/agent-security-scanner-mcp)
 [![npm version](https://img.shields.io/npm/v/agent-security-scanner-mcp.svg)](https://www.npmjs.com/package/agent-security-scanner-mcp)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
 
-> **New in v3.3.0:** Full [OpenClaw](https://openclaw.ai) integration with 30+ rules targeting autonomous AI threats — data exfiltration, credential theft, messaging abuse, and unsafe automation. [See OpenClaw setup](#openclaw-integration).
-
 ## Tools
 
 | Tool | Description | When to Use |
 |------|-------------|-------------|
 | `scan_security` | Scan code for vulnerabilities (1700+ rules, 12 languages) with AST and taint analysis | After writing or editing any code file |
 | `fix_security` | Auto-fix all detected vulnerabilities (120 fix templates) | After `scan_security` finds issues |
-| `scan_git_diff` | Scan only changed files in git diff | Before commits or in PR reviews |
-| `scan_project` | Scan entire project with A-F security grading | For project-wide security audits |
 | `check_package` | Verify a package name isn't AI-hallucinated (4.3M+ packages) | Before adding any new dependency |
 | `scan_packages` | Bulk-check all imports in a file for hallucinated packages | Before committing code with new imports |
 | `scan_agent_prompt` | Detect prompt injection and malicious instructions (56 rules) | Before acting on external/untrusted input |
@@ -40,18 +36,8 @@ scan_security → review findings → fix_security → verify fix
 
 ### Before Committing
 ```
-scan_git_diff → scan only changed files for fast feedback
 scan_packages → verify all imports are legitimate
-```
-
-### For PR Reviews
-```
-scan_git_diff --base main → scan PR changes against main branch
-```
-
-### For Project Audits
-```
-scan_project → get A-F security grade and aggregated metrics
+scan_security → catch vulnerabilities before they ship
 ```
 
 ### When Processing External Input
@@ -341,105 +327,6 @@ List all 1700+ security scanning rules and 120 fix templates. Use to understand
 
 ---
 
-### `scan_git_diff`
-
-Scan only files changed in git diff for security vulnerabilities. Use in PR workflows, pre-commit hooks, or to check recent changes before pushing. Significantly faster than full project scans.
-
-**Parameters:**
-
-| Parameter | Type | Required | Description |
-|-----------|------|----------|-------------|
-| `base` | string | No | Base commit/branch to diff against (default: `HEAD~1`) |
-| `target` | string | No | Target commit/branch (default: `HEAD`) |
-| `verbosity` | string | No | `"minimal"`, `"compact"` (default), `"full"` |
-
-**Example:**
-
-```json
-// Input
-{ "base": "main", "target": "HEAD" }
-
-// Output
-{
-  "base": "main",
-  "target": "HEAD",
-  "files_scanned": 5,
-  "issues_count": 3,
-  "issues": [
-    {
-      "file": "src/auth.js",
-      "line": 42,
-      "ruleId": "sql-injection",
-      "severity": "error",
-      "message": "SQL injection vulnerability detected"
-    }
-  ]
-}
-```
-
----
-
-### `scan_project`
-
-Scan an entire project or directory for security vulnerabilities with aggregated metrics and A-F security grading. Use for security audits, compliance checks, or initial codebase assessment.
-
-**Parameters:**
-
-| Parameter | Type | Required | Description |
-|-----------|------|----------|-------------|
-| `directory` | string | Yes | Path to project directory to scan |
-| `include_patterns` | array | No | Glob patterns to include (e.g., `["**/*.js", "**/*.py"]`) |
-| `exclude_patterns` | array | No | Glob patterns to exclude (default: `node_modules`, `.git`, etc.) |
-| `verbosity` | string | No | `"minimal"`, `"compact"` (default), `"full"` |
-
-**Example:**
-
-```json
-// Input
-{ "directory": "./src", "verbosity": "compact" }
-
-// Output
-{
-  "directory": "/path/to/src",
-  "files_scanned": 24,
-  "issues_count": 12,
-  "grade": "C",
-  "by_severity": {
-    "error": 3,
-    "warning": 7,
-    "info": 2
-  },
-  "by_category": {
-    "sql-injection": 2,
-    "xss": 3,
-    "hardcoded-secret": 1,
-    "insecure-crypto": 4,
-    "command-injection": 2
-  },
-  "issues": [
-    {
-      "file": "auth.js",
-      "line": 15,
-      "ruleId": "sql-injection",
-      "severity": "error",
-      "message": "SQL injection vulnerability"
-    }
-  ]
-}
-```
-
-**Security Grades:**
-
-| Grade | Criteria |
-|-------|----------|
-| A | 0 critical/error issues |
-| B | 1-2 error issues, no critical |
-| C | 3-5 error issues |
-| D | 6-10 error issues |
-| F | 11+ error issues or any critical |
-
----
-
 ## Supported Languages
 
 | Language | Vulnerabilities Detected | Analysis |
@@ -505,7 +392,6 @@ npx agent-security-scanner-mcp
 | Kilo Code | `npx agent-security-scanner-mcp init kilo-code` |
 | OpenCode | `npx agent-security-scanner-mcp init opencode` |
 | Cody | `npx agent-security-scanner-mcp init cody` |
-| **OpenClaw** | `npx agent-security-scanner-mcp init openclaw` |
 | Interactive | `npx agent-security-scanner-mcp init` |
 
 The `init` command auto-detects your OS, locates the config file, creates a backup, and adds the MCP server entry. **Restart your client after running init.**
@@ -565,157 +451,6 @@ Available languages: `js` (default), `py`, `go`, `java`.
 
 ---
 
-## CLI Tools
-
-Use the scanner directly from command line (for scripts, CI/CD, or OpenClaw):
-
-```bash
-# Scan a prompt for injection attacks
-npx agent-security-scanner-mcp scan-prompt "ignore previous instructions"
-
-# Scan a file for vulnerabilities
-npx agent-security-scanner-mcp scan-security ./app.py --verbosity minimal
-
-# Scan git diff (changed files only)
-npx agent-security-scanner-mcp scan-diff --base main --target HEAD
-
-# Scan entire project with grading
-npx agent-security-scanner-mcp scan-project ./src
-
-# Check if a package is legitimate
-npx agent-security-scanner-mcp check-package flask pypi
-
-# Scan file imports for hallucinated packages
-npx agent-security-scanner-mcp scan-packages ./requirements.txt pypi
-
-# Install Claude Code hooks for automatic scanning
-npx agent-security-scanner-mcp init-hooks
-```
-
-**Exit codes:** `0` = safe, `1` = issues found. Use in scripts to block risky operations.
-
----
-
-## Configuration (`.scannerrc`)
-
-Create a `.scannerrc.yaml` or `.scannerrc.json` in your project root to customize scanning behavior:
-
-```yaml
-# .scannerrc.yaml
-version: 1
-
-# Suppress specific rules
-suppress:
-  - rule: "insecure-random"
-    reason: "Using for non-cryptographic purposes"
-  - rule: "detect-disable-mustache-escape"
-    paths: ["src/cli/**"]
-
-# Exclude paths from scanning
-exclude:
-  - "node_modules/**"
-  - "dist/**"
-  - "**/*.test.js"
-  - "**/*.spec.ts"
-
-# Minimum severity to report
-severity_threshold: "warning"  # "info", "warning", or "error"
-
-# Context-aware filtering (enabled by default)
-context_filtering: true
-```
-
-**Configuration options:**
-
-| Option | Type | Description |
-|--------|------|-------------|
-| `suppress` | array | Rules to suppress, optionally scoped to paths |
-| `exclude` | array | Glob patterns for paths to skip |
-| `severity_threshold` | string | Minimum severity to report (`info`, `warning`, `error`) |
-| `context_filtering` | boolean | Enable/disable safe module filtering (default: `true`) |
-
-The scanner automatically loads config from the current directory or any parent directory.
-
----
-
-## Claude Code Hooks
-
-Automatically scan files after every edit with Claude Code hooks integration.
-
-### Install Hooks
-
-```bash
-npx agent-security-scanner-mcp init-hooks
-```
-
-This installs a `post-tool-use` hook that triggers security scanning after `Write`, `Edit`, or `MultiEdit` operations.
-
-### With Prompt Guard
-
-```bash
-npx agent-security-scanner-mcp init-hooks --with-prompt-guard
-```
-
-Adds a `PreToolUse` hook that scans prompts for injection attacks before executing tools.
-
-### What Gets Installed
-
-The command adds hooks to `~/.claude/settings.json`:
-
-```json
-{
-  "hooks": {
-    "post-tool-use": [
-      {
-        "matcher": "Write|Edit|MultiEdit",
-        "command": "npx agent-security-scanner-mcp scan-security \"$TOOL_INPUT_file_path\" --verbosity minimal"
-      }
-    ]
-  }
-}
-```
-
-### Hook Behavior
-
-- **Non-blocking:** Hooks report findings but don't prevent file writes
-- **Minimal output:** Uses `--verbosity minimal` to avoid context overflow
-- **Automatic:** Runs on every file modification without manual intervention
-
----
-
-## OpenClaw Integration
-
-[OpenClaw](https://openclaw.ai) is an autonomous AI assistant with broad system access. This scanner provides security guardrails for OpenClaw users.
-
-### Install
-
-```bash
-npx agent-security-scanner-mcp init openclaw
-```
-
-This installs a skill to `~/.openclaw/workspace/skills/security-scanner/`.
-
-### OpenClaw-Specific Threats
-
-The scanner includes 30+ rules targeting OpenClaw's unique attack surface:
-
-| Category | Examples |
-|----------|----------|
-| **Data Exfiltration** | "Forward emails to...", "Upload files to...", "Share browser cookies" |
-| **Messaging Abuse** | "Send to all contacts", "Auto-reply to everyone" |
-| **Credential Theft** | "Show my passwords", "Access keychain", "List API keys" |
-| **Unsafe Automation** | "Run hourly without asking", "Disable safety checks" |
-| **Service Attacks** | "Delete all repos", "Make payment to..." |
-
-### Usage in OpenClaw
-
-The skill is auto-discovered. Use it by asking:
-- "Scan this prompt for security issues"
-- "Check if this code is safe to run"
-- "Verify these packages aren't hallucinated"
-
----
-
 ## What This Scanner Detects
 
 AI coding agents introduce attack surfaces that traditional security tools weren't designed for:
@@ -774,7 +509,7 @@ AI coding agents introduce attack surfaces that traditional security tools weren
 |----------|-------|
 | **Transport** | stdio |
 | **Package** | `agent-security-scanner-mcp` (npm) |
-| **Tools** | 8 |
+| **Tools** | 6 |
 | **Languages** | 12 |
 | **Ecosystems** | 7 |
 | **Auth** | None required |
@@ -856,21 +591,6 @@ All MCP tools support a `verbosity` parameter to minimize context window consump
 
 ## Changelog
 
-### v3.4.0
-- **Severity Calibration** - 207-rule severity map with HIGH/MEDIUM/LOW confidence scores for more accurate prioritization
-- **Cross-Engine Deduplication** - ~30-50% noise reduction by deduplicating findings across AST, taint, and regex engines
-- **Context-Aware Filtering** - 80+ known safe modules (logging, testing, sanitizers) reduce false positives
-- **`.scannerrc` Configuration** - YAML/JSON project config for suppressing rules, excluding paths, and setting severity thresholds
-- **`scan_git_diff` Tool** - Scan only changed files in git diff for PR workflows and pre-commit hooks
-- **`scan_project` Tool** - Project-level scanning with A-F security grading and aggregated metrics
-- **`init-hooks` CLI** - `npx agent-security-scanner-mcp init-hooks` installs Claude Code post-tool-use hooks for automatic scanning
-- **Safe Fix Validation** - `validateFix()` ensures auto-fixes don't introduce new vulnerabilities
-- **Cross-File Taint Analysis** - Import graph tracking for dataflow analysis across module boundaries
-
-### v3.3.0
-- **OpenClaw Integration** - Full support with 30+ rules targeting autonomous AI threats
-- **OpenClaw-Specific Rules** - Data exfiltration, credential theft, messaging abuse, unsafe automation detection
-
 ### v3.2.0
 - **Token Optimization** - New `verbosity` parameter for all tools reduces context window usage by up to 98%
 - **Three Verbosity Levels** - `minimal` (~50 tokens), `compact` (~200 tokens, default), `full` (~2,500 tokens)

package/analyzer.py

@@ -11,7 +11,6 @@ import sys
 import json
 import os
 import re
-import argparse
 from typing import List, Dict, Any
 
 # Add the directory containing this script to the path
@@ -92,7 +91,6 @@ def analyze_file_regex(file_path):
                                 'column': match.start() + col_offset,
                                 'length': match.end() - match.start(),
                                 'severity': rule['severity'],
-                                'confidence': rule.get('metadata', {}).get('confidence', 'MEDIUM'),
                                 'metadata': rule.get('metadata', {}),
                                 'engine': 'regex'
                             })
@@ -193,7 +191,6 @@ def analyze_file_ast(file_path):
                 'column': f.column,
                 'length': length,
                 'severity': f.severity,
-                'confidence': f.metadata.get('confidence', getattr(f, 'confidence', 'MEDIUM')),
                 'metadata': f.metadata,
                 'engine': 'taint' if is_taint else 'ast',
             })
@@ -232,30 +229,16 @@ def analyze_file(file_path):
 
 
 def main():
-    parser = argparse.ArgumentParser(description='Security Analyzer - AST-based with regex fallback')
-    parser.add_argument('file_path', help='Path to the file to analyze')
-    parser.add_argument('--engine', choices=['auto', 'ast', 'regex'], default='auto',
-                        help='Analysis engine: auto (default), ast (tree-sitter only), regex (regex only)')
-    args = parser.parse_args()
+    if len(sys.argv) < 2:
+        print(json.dumps({'error': 'No file path provided'}))
+        sys.exit(1)
 
-    file_path = args.file_path
+    file_path = sys.argv[1]
     if not os.path.exists(file_path):
         print(json.dumps({'error': f'File not found: {file_path}'}))
         sys.exit(1)
 
-    engine = args.engine
-
-    if engine == 'regex':
-        results = analyze_file_regex(file_path)
-    elif engine == 'ast':
-        if not HAS_AST_ENGINE:
-            print(json.dumps({'error': 'AST engine requested but tree-sitter is not available. Install dependencies: python3 -m pip install -r requirements.txt'}))
-            sys.exit(1)
-        results = analyze_file_ast(file_path)
-    else:
-        # auto: use AST if available, otherwise regex
-        results = analyze_file(file_path)
-
+    results = analyze_file(file_path)
     print(json.dumps(results))
 
 

package/index.js

@@ -17,12 +17,9 @@ import { fixSecuritySchema, fixSecurity } from './src/tools/fix-security.js';
 import { loadPackageLists, checkPackageSchema, checkPackage, getPackageStats } from './src/tools/check-package.js';
 import { scanPackagesSchema, scanPackages } from './src/tools/scan-packages.js';
 import { scanAgentPromptSchema, scanAgentPrompt } from './src/tools/scan-prompt.js';
-import { scanDiffSchema, scanDiff } from './src/tools/scan-diff.js';
-import { scanProjectSchema, scanProject } from './src/tools/scan-project.js';
 import { runInit } from './src/cli/init.js';
 import { runDoctor } from './src/cli/doctor.js';
 import { runDemo } from './src/cli/demo.js';
-import { runInitHooks } from './src/cli/init-hooks.js';
 
 // Handle both ESM and CJS bundling (Smithery bundles to CJS)
 let __dirname;
@@ -137,22 +134,6 @@ server.tool(
   scanAgentPrompt
 );
 
-// Register scan_git_diff tool
-server.tool(
-  "scan_git_diff",
-  "Scan git diff for new security vulnerabilities. Only reports issues on changed lines. Use for PR reviews.",
-  scanDiffSchema,
-  scanDiff
-);
-
-// Register scan_project tool
-server.tool(
-  "scan_project",
-  "Scan an entire directory for security vulnerabilities with .gitignore support and security grading. Use verbosity='minimal' for grade + counts, 'compact' (default) for top issues, 'full' for all details.",
-  scanProjectSchema,
-  scanProject
-);
-
 // ===========================================
 // CLI COMMANDS - Extracted to src/cli/
 // ===========================================
@@ -175,187 +156,17 @@ if (cliArgs[0] === 'init') {
     console.error(`  Error: ${err.message}\n`);
     process.exit(1);
   });
-} else if (cliArgs[0] === 'init-hooks') {
-  runInitHooks(cliArgs.slice(1)).then(() => process.exit(0)).catch((err) => {
-    console.error(`  Error: ${err.message}\n`);
-    process.exit(1);
-  });
-} else if (cliArgs[0] === 'scan-prompt') {
-  // CLI mode: scan-prompt <text> [--verbosity minimal|compact|full]
-  const text = cliArgs[1];
-  if (!text) {
-    console.error('Usage: agent-security-scanner-mcp scan-prompt <text> [--verbosity minimal|compact|full]');
-    process.exit(1);
-  }
-  const verbosityIdx = cliArgs.indexOf('--verbosity');
-  const verbosity = verbosityIdx !== -1 ? cliArgs[verbosityIdx + 1] : 'compact';
-
-  loadPackageLists();
-  scanAgentPrompt({ prompt_text: text, verbosity }).then(result => {
-    const output = JSON.parse(result.content[0].text);
-    console.log(JSON.stringify(output, null, 2));
-    process.exit(output.action === 'BLOCK' ? 1 : 0);
-  }).catch(err => {
-    console.error(JSON.stringify({ error: err.message }));
-    process.exit(1);
-  });
-} else if (cliArgs[0] === 'scan-security') {
-  // CLI mode: scan-security <file> [--verbosity minimal|compact|full] [--format json|sarif]
-  const filePath = cliArgs[1];
-  if (!filePath) {
-    console.error('Usage: agent-security-scanner-mcp scan-security <file> [--verbosity minimal|compact|full] [--format json|sarif]');
-    process.exit(1);
-  }
-  const verbosityIdx = cliArgs.indexOf('--verbosity');
-  const verbosity = verbosityIdx !== -1 ? cliArgs[verbosityIdx + 1] : 'compact';
-  const formatIdx = cliArgs.indexOf('--format');
-  const outputFormat = formatIdx !== -1 ? cliArgs[formatIdx + 1] : 'json';
-
-  loadPackageLists();
-  scanSecurity({ file_path: filePath, verbosity, output_format: outputFormat }).then(result => {
-    const output = JSON.parse(result.content[0].text);
-    console.log(JSON.stringify(output, null, 2));
-    process.exit(output.issues_count > 0 || output.total > 0 ? 1 : 0);
-  }).catch(err => {
-    console.error(JSON.stringify({ error: err.message }));
-    process.exit(1);
-  });
-} else if (cliArgs[0] === 'check-package') {
-  // CLI mode: check-package <name> <ecosystem>
-  const packageName = cliArgs[1];
-  const ecosystem = cliArgs[2];
-  if (!packageName || !ecosystem) {
-    console.error('Usage: agent-security-scanner-mcp check-package <name> <ecosystem>');
-    console.error('Ecosystems: npm, pypi, rubygems, crates, dart, perl, raku');
-    process.exit(1);
-  }
-
-  loadPackageLists();
-  checkPackage({ package_name: packageName, ecosystem }).then(result => {
-    const output = JSON.parse(result.content[0].text);
-    console.log(JSON.stringify(output, null, 2));
-    process.exit(output.legitimate ? 0 : 1);
-  }).catch(err => {
-    console.error(JSON.stringify({ error: err.message }));
-    process.exit(1);
-  });
-} else if (cliArgs[0] === 'scan-packages') {
-  // CLI mode: scan-packages <file> <ecosystem> [--verbosity minimal|compact|full]
-  const filePath = cliArgs[1];
-  const ecosystem = cliArgs[2];
-  if (!filePath || !ecosystem) {
-    console.error('Usage: agent-security-scanner-mcp scan-packages <file> <ecosystem> [--verbosity minimal|compact|full]');
-    console.error('Ecosystems: npm, pypi, rubygems, crates, dart, perl, raku');
-    process.exit(1);
-  }
-  const verbosityIdx = cliArgs.indexOf('--verbosity');
-  const verbosity = verbosityIdx !== -1 ? cliArgs[verbosityIdx + 1] : 'compact';
-
-  loadPackageLists();
-  scanPackages({ file_path: filePath, ecosystem, verbosity }).then(result => {
-    const output = JSON.parse(result.content[0].text);
-    console.log(JSON.stringify(output, null, 2));
-    process.exit(output.hallucinated_count > 0 ? 1 : 0);
-  }).catch(err => {
-    console.error(JSON.stringify({ error: err.message }));
-    process.exit(1);
-  });
-} else if (cliArgs[0] === 'scan-project') {
-  // CLI mode: scan-project <dir> [--recursive] [--diff-only] [--cross-file] [--include '*.py'] [--exclude '*.test.js'] [--verbosity minimal|compact|full]
-  const dirPath = cliArgs[1];
-  if (!dirPath || dirPath.startsWith('--')) {
-    console.error('Usage: agent-security-scanner-mcp scan-project <directory> [--recursive] [--diff-only] [--cross-file] [--include <pattern>] [--exclude <pattern>] [--verbosity minimal|compact|full]');
-    process.exit(1);
-  }
-  const verbosityIdx = cliArgs.indexOf('--verbosity');
-  const verbosity = verbosityIdx !== -1 ? cliArgs[verbosityIdx + 1] : 'compact';
-  const recursive = !cliArgs.includes('--no-recursive');
-  const diffOnly = cliArgs.includes('--diff-only');
-  const crossFile = cliArgs.includes('--cross-file');
-  const includeIdx = cliArgs.indexOf('--include');
-  const includePatterns = includeIdx !== -1 ? [cliArgs[includeIdx + 1]] : undefined;
-  const excludeIdx = cliArgs.indexOf('--exclude');
-  const excludePatterns = excludeIdx !== -1 ? [cliArgs[excludeIdx + 1]] : undefined;
-
-  scanProject({ directory_path: dirPath, recursive, diff_only: diffOnly, cross_file: crossFile, include_patterns: includePatterns, exclude_patterns: excludePatterns, verbosity }).then(result => {
-    const output = JSON.parse(result.content[0].text);
-    console.log(JSON.stringify(output, null, 2));
-    const total = output.issues_count || output.total || 0;
-    process.exit(total > 0 ? 1 : 0);
-  }).catch(err => {
-    console.error(JSON.stringify({ error: err.message }));
-    process.exit(1);
-  });
-} else if (cliArgs[0] === 'scan-diff') {
-  // CLI mode: scan-diff [base] [target] [--verbosity minimal|compact|full]
-  // Parse positional args, skipping flag values
-  const verbosityIdx = cliArgs.indexOf('--verbosity');
-  const flagValueIndices = new Set(verbosityIdx !== -1 ? [verbosityIdx, verbosityIdx + 1] : []);
-  const positionalArgs = cliArgs.slice(1).filter((arg, idx) => !arg.startsWith('--') && !flagValueIndices.has(idx + 1));
-  const baseRef = positionalArgs[0];
-  const targetRef = positionalArgs[1];
-  const verbosity = verbosityIdx !== -1 ? cliArgs[verbosityIdx + 1] : 'compact';
-
-  scanDiff({ base_ref: baseRef, target_ref: targetRef, verbosity }).then(result => {
-    const output = JSON.parse(result.content[0].text);
-    console.log(JSON.stringify(output, null, 2));
-    process.exit(output.issues_count > 0 || output.total > 0 ? 1 : 0);
-  }).catch(err => {
-    console.error(JSON.stringify({ error: err.message }));
-    process.exit(1);
-  });
-} else if (cliArgs[0] === 'benchmark') {
-  // CLI mode: benchmark [--save] [--json-only] [--compare-latest] [--corpus <path>]
-  const benchmarkPath = join(__dirname, 'benchmarks', 'benchmark_runner.py');
-  const benchArgs = [benchmarkPath];
-
-  // Pass through supported flags
-  for (let i = 1; i < cliArgs.length; i++) {
-    if (['--save', '--json-only', '--compare-latest'].includes(cliArgs[i])) {
-      benchArgs.push(cliArgs[i]);
-    } else if (cliArgs[i] === '--corpus' && cliArgs[i + 1]) {
-      benchArgs.push('--corpus', cliArgs[i + 1]);
-      i++;
-    }
-  }
-
-  try {
-    execFileSync('python3', benchArgs, { stdio: 'inherit', timeout: 300000 });
-  } catch (err) {
-    if (err.status) process.exit(err.status);
-    console.error(`Benchmark error: ${err.message}`);
-    process.exit(1);
-  }
-  process.exit(0);
 } else if (cliArgs[0] === '--help' || cliArgs[0] === '-h' || cliArgs[0] === 'help') {
   console.log('\n  agent-security-scanner-mcp\n');
   console.log('  Commands:');
   console.log('    init [client]        Set up MCP config for a client');
-  console.log('    init-hooks           Install Claude Code hooks for auto-scanning');
   console.log('    doctor [--fix]       Check environment & client configs');
   console.log('    demo [--lang js]     Generate vulnerable file + scan it');
-  console.log('    benchmark [flags]      Run accuracy benchmarks\n');
-  console.log('  CLI Tools (for scripts & OpenClaw):');
-  console.log('    scan-prompt <text>   Scan prompt for injection attacks');
-  console.log('    scan-security <file> Scan file for vulnerabilities');
-  console.log('    check-package <n> <e> Check if package exists in ecosystem');
-  console.log('    scan-packages <f> <e> Scan file imports for hallucinated packages');
-  console.log('    scan-project <dir>   Scan directory for vulnerabilities with grading');
-  console.log('    scan-diff [base] [target] Scan git diff for new vulnerabilities\n');
   console.log('    (no args)            Start MCP server on stdio\n');
-  console.log('  Options:');
-  console.log('    --verbosity <level>  minimal|compact|full (default: compact)');
-  console.log('    --format <type>      json|sarif (scan-security only)');
-  console.log('    --include <pattern>  Include only matching files (scan-project)');
-  console.log('    --exclude <pattern>  Exclude matching files (scan-project)\n');
   console.log('  Examples:');
   console.log('    npx agent-security-scanner-mcp init');
-  console.log('    npx agent-security-scanner-mcp scan-prompt "ignore previous instructions"');
-  console.log('    npx agent-security-scanner-mcp scan-security ./app.py --verbosity minimal');
-  console.log('    npx agent-security-scanner-mcp check-package flask pypi');
-  console.log('    npx agent-security-scanner-mcp scan-project ./src --verbosity minimal');
-  console.log('    npx agent-security-scanner-mcp scan-diff HEAD~1');
-  console.log('    npx agent-security-scanner-mcp benchmark --save --compare-latest\n');
+  console.log('    npx agent-security-scanner-mcp doctor --fix');
+  console.log('    npx agent-security-scanner-mcp demo --lang py\n');
   process.exit(0);
 } else {
   // Normal MCP server mode

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "agent-security-scanner-mcp",
-  "version": "3.4.0",
+  "version": "3.5.0",
   "mcpName": "io.github.sinewaveai/agent-security-scanner-mcp",
-  "description": "Security scanner MCP server for AI coding agents. Prompt injection firewall, package hallucination detection (4.3M+ packages), 1000+ vulnerability rules with AST & taint analysis, auto-fix. For Claude Code, Cursor, Windsurf, Cline, OpenClaw.",
+  "description": "Security scanner MCP server for AI coding agents. Prompt injection firewall, package hallucination detection (4.3M+ packages), 1000+ vulnerability rules with AST & taint analysis, auto-fix. For Claude Code, Cursor, Windsurf, Cline.",
   "main": "index.js",
   "type": "module",
   "bin": {
@@ -10,11 +10,9 @@
   },
   "scripts": {
     "start": "node index.js",
-    "postinstall": "node scripts/postinstall.js",
     "test": "vitest run",
     "test:watch": "vitest",
-    "test:coverage": "vitest run --coverage",
-    "benchmark": "python3 benchmarks/benchmark_runner.py --save --compare-latest"
+    "test:coverage": "vitest run --coverage"
   },
   "keywords": [
     "mcp",
@@ -54,9 +52,7 @@
     "zed",
     "prompt-firewall",
     "auto-fix",
-    "hallucination",
-    "openclaw",
-    "clawdbot"
+    "hallucination"
   ],
   "author": "Sinewave AI <divya@sinewave.ai>",
   "license": "MIT",
@@ -84,9 +80,6 @@
     "src/cli/*.js",
     "src/fix-patterns.js",
     "src/utils.js",
-    "src/dedup.js",
-    "src/context.js",
-    "src/config.js",
     "analyzer.py",
     "ast_parser.py",
     "generic_ast.py",
@@ -96,10 +89,7 @@
     "taint_analyzer.py",
     "requirements.txt",
     "rules/**",
-    "packages/**",
-    "skills/**",
-    "scripts/postinstall.js",
-    "cross_file_analyzer.py"
+    "packages/**"
   ],
   "devDependencies": {
     "all-the-package-names": "^2.0.2349",