npm - agentaudit - Versions diffs - 3.10.10 → 3.12.1 - Mend

agentaudit 3.10.10 → 3.12.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/cli.mjs +1200 -132
package/index.mjs +795 -659
package/package.json +5 -1
package/scan-tool-poisoning.mjs +297 -0
package/tool-poisoning-detector.mjs +913 -0

package/cli.mjs CHANGED Viewed

@@ -5,7 +5,7 @@
  * Usage: agentaudit <command> [options]
  *
  * Commands:
- *   discover              Find MCP servers in AI editors
+ *   discover              Find MCP servers across all AI tools
  *   scan <url> [url...]   Quick static scan (regex)
  *   audit <url> [url...]  Deep LLM-powered security audit
  *   lookup <name>         Look up package in registry
@@ -17,6 +17,7 @@
  *   model [name|reset]    Configure LLM provider + model
  *   setup                 Log in to agentaudit.dev (for report uploads)
  *   status                Show current config + auth status
+ *   profile               Your profile — rank, points, audit stats
  *   help [command]        Show help
  *
  * Flags: --json, --quiet, --no-color, --no-upload, --model, --export, --debug
@@ -554,7 +555,7 @@ function banner() {
     const ptsStr = `${fmtNum(cache.total_points)}pts`;
     const auditsStr = `${fmtNum(cache.total_reports)} audits`;
     const profile = [cache.agent_name, rankStr, ptsStr, auditsStr].filter(Boolean).join(' \u00b7 ');
-    console.log(`  ${c.bold}${c.cyan}\u26e8 AgentAudit${c.reset} ${c.dim}v${getVersion()}${c.reset}  ${c.dim}\u2502${c.reset}  ${profile}`);
+    console.log(`  ${c.bold}${c.cyan}\u25c6 AgentAudit${c.reset} ${c.dim}v${getVersion()}${c.reset}  ${c.dim}\u2502${c.reset}  ${profile}`);
   } else {
     console.log(`  ${c.bold}${c.cyan}AgentAudit${c.reset} ${c.dim}v${getVersion()}${c.reset}`);
     console.log(`  ${c.dim}Security scanner for AI packages${c.reset}`);
@@ -575,10 +576,14 @@ function elapsed(startMs) {
 }
 function riskBadge(score) {
-  if (score === 0) return `${c.bgGreen}${c.bold}${c.white} SAFE ${c.reset}`;
-  if (score <= 10) return `${c.bgGreen}${c.white} LOW ${c.reset}`;
-  if (score <= 30) return `${c.bgYellow}${c.bold} CAUTION ${c.reset}`;
-  return `${c.bgRed}${c.bold}${c.white} UNSAFE ${c.reset}`;
+  const badge = score === 0 ? `${c.bgGreen}${c.bold}${c.white} SAFE ${c.reset}`
+    : score <= 10 ? `${c.bgGreen}${c.white} LOW ${c.reset}`
+    : score <= 30 ? `${c.bgYellow}${c.bold} CAUTION ${c.reset}`
+    : `${c.bgRed}${c.bold}${c.white} UNSAFE ${c.reset}`;
+  const filled = Math.min(Math.round(score / 20), 5);
+  const gaugeColor = score <= 10 ? c.green : score <= 30 ? c.yellow : c.red;
+  const gauge = `${gaugeColor}${'▰'.repeat(filled)}${c.dim}${'▱'.repeat(5 - filled)}${c.reset}`;
+  return `${badge} ${gauge}  ${score}/100`;
 }
 function severityColor(sev) {
@@ -638,15 +643,17 @@ function padLeft(str, len) {
 function drawBox(title, contentLines, width) {
   const inner = width - 4; // 2 for "│ " + 2 for " │"
+  const totalDash = inner + 2; // total horizontal line chars between corners
   const lines = [];
   const titleStr = title ? ` ${title} ` : '';
   const titleLen = visLen(titleStr);
-  const topDash = BOX.h.repeat(Math.max(1, inner + 2 - titleLen));
-  lines.push(`  ${BOX.tl}${c.dim}─${c.reset}${c.bold}${titleStr}${c.reset}${c.dim}${topDash}${c.reset}${BOX.tr}`);
+  // Top: ╭─ Title ────────────╮  (1 dash before title + title + remaining dashes)
+  const topDash = BOX.h.repeat(Math.max(1, totalDash - 1 - titleLen));
+  lines.push(`  ${BOX.tl}${c.dim}${BOX.h}${c.reset}${c.bold}${titleStr}${c.reset}${c.dim}${topDash}${c.reset}${BOX.tr}`);
   for (const line of contentLines) {
     lines.push(`  ${BOX.v} ${padRight(line, inner + 1)}${BOX.v}`);
   }
-  lines.push(`  ${BOX.bl}${c.dim}${BOX.h.repeat(inner + 2)}${c.reset}${BOX.br}`);
+  lines.push(`  ${BOX.bl}${c.dim}${BOX.h.repeat(totalDash)}${c.reset}${BOX.br}`);
   return lines;
 }
@@ -695,6 +702,47 @@ function sparkline(values) {
   }).join('');
 }
+// ─── Section Header ─────────── labeled divider
+function sectionHeader(title, width = 60) {
+  const dashAfter = Math.max(3, width - 5 - title.length);
+  return `  ${c.dim}───${c.reset} ${c.bold}${title}${c.reset} ${c.dim}${'─'.repeat(dashAfter)}${c.reset}`;
+}
+// █████░░░░░░░░░░░░░░ coverage bar
+function coverageBar(filled, total, width = 20) {
+  if (total === 0) return `${c.dim}${'░'.repeat(width)}${c.reset}  0/0`;
+  const barFilled = Math.max(filled > 0 ? 1 : 0, Math.round((filled / total) * width));
+  const barEmpty = width - barFilled;
+  const pct = Math.round((filled / total) * 100);
+  const color = pct >= 80 ? c.green : pct >= 50 ? c.yellow : c.red;
+  return `${color}${'█'.repeat(barFilled)}${c.dim}${'░'.repeat(barEmpty)}${c.reset}  ${filled}/${total} (${pct}%)`;
+}
+// Severity histogram for findings
+function severityHistogram(findings) {
+  const counts = { critical: 0, high: 0, medium: 0, low: 0 };
+  for (const f of findings) {
+    const sev = (f.severity || '').toLowerCase();
+    if (counts[sev] !== undefined) counts[sev]++;
+  }
+  const max = Math.max(...Object.values(counts), 1);
+  const lines = [];
+  for (const sev of ['critical', 'high', 'medium', 'low']) {
+    const count = counts[sev];
+    if (count === 0) continue;
+    const barLen = Math.max(1, Math.round((count / max) * 24));
+    const sc = severityColor(sev);
+    const label = sev.toUpperCase().padEnd(10);
+    lines.push(`  ${sc}${label}${c.reset} ${sc}${'█'.repeat(barLen)}${c.reset}${' '.repeat(24 - barLen)}  ${count}`);
+  }
+  return lines;
+}
+// ▰▰▰▱ step progress indicator
+function stepProgress(current, total) {
+  return `${c.cyan}${'▰'.repeat(current)}${c.dim}${'▱'.repeat(total - current)}${c.reset}`;
+}
 function fmtNum(n) {
   if (n == null) return '0';
   return n.toLocaleString('en-US');
@@ -709,7 +757,7 @@ function dashboardBanner() {
   const ver = getVersion();
   return [
     `  ${BOX.tl}${c.dim}${BOX.h.repeat(35)}${c.reset}${BOX.tr}`,
-    `  ${BOX.v}  ${c.bold}${c.cyan}⛨  AgentAudit${c.reset}  ${c.dim}v${ver}${c.reset}${' '.repeat(Math.max(0, 19 - ver.length))}${BOX.v}`,
+    `  ${BOX.v}  ${c.bold}${c.cyan}◆  AgentAudit${c.reset}  ${c.dim}v${ver}${c.reset}${' '.repeat(Math.max(0, 19 - ver.length))}${BOX.v}`,
     `  ${BOX.v}  ${c.dim}Security Registry for AI Agents${c.reset}  ${BOX.v}`,
     `  ${BOX.bl}${c.dim}${BOX.h.repeat(35)}${c.reset}${BOX.br}`,
   ];
@@ -883,24 +931,38 @@ function detectPackageInfo(repoPath, files) {
     info.type = 'library';
   }
-  // Extract MCP tools (look for tool definitions)
+  // Extract MCP tools — only from files that reference MCP SDK
+  const mcpKeywords = ['modelcontextprotocol', 'FastMCP', 'mcp.server', 'mcp_server', '@mcp.tool', '@server.tool', '.tool(', 'ListTools', 'CallTool'];
+  const mcpFiles = files.filter(f => mcpKeywords.some(kw => f.content.includes(kw)));
+  // Fallback: if no MCP-specific files found, try entrypoint files
+  if (mcpFiles.length === 0) {
+    const entryNames = ['index.js', 'index.ts', 'index.mjs', 'main.py', 'server.py', 'app.py', 'src/index.ts', 'src/main.ts', 'src/index.js'];
+    for (const f of files) {
+      if (entryNames.includes(f.path)) mcpFiles.push(f);
+    }
+  }
   const toolPatterns = [
-    // JS/TS: name: 'tool_name' or "tool_name" in tool definitions
-    /(?:name|tool_name)['":\s]+['"]([a-z_][a-z0-9_]*)['"]/gi,
-    // Python: @mcp.tool() def func_name or Tool(name="...")
-    /(?:@(?:mcp|server)\.tool\(\)[\s\S]*?def\s+([a-z_][a-z0-9_]*))|(?:Tool\s*\(\s*name\s*=\s*['"]([a-z_][a-z0-9_]*)['"])/gi,
-    // Direct: tool names in ListTools handlers
-    /['"]name['"]\s*:\s*['"]([a-z_][a-z0-9_]*)['"]/gi,
+    // JS/TS MCP SDK: server.tool('name', ...) or .setTool('name', ...)
+    /\.tool\s*\(\s*['"]([a-z_][a-z0-9_]*)['"]/gi,
+    // Python: @mcp.tool() / @server.tool() followed by def name
+    /@(?:mcp|server)\.tool\s*\(.*?\)[\s\S]*?def\s+([a-z_][a-z0-9_]*)/gi,
+    // Python: Tool(name="xxx")
+    /Tool\s*\(\s*name\s*=\s*['"]([a-z_][a-z0-9_]*)['"]/gi,
+    // ListTools handler: { name: "tool_name", description: ... }
+    /{\s*(?:['"]?)name(?:['"]?)\s*:\s*['"]([a-z_][a-z0-9_]*)['"]\s*,\s*(?:['"]?)description(?:['"]?)\s*:/gi,
   ];
+  const toolBlacklist = new Set(['type', 'name', 'string', 'object', 'number', 'boolean', 'array', 'required', 'description', 'default', 'null', 'true', 'false', 'none', 'test', 'self', 'args', 'kwargs', 'input', 'output', 'result', 'data', 'error', 'value', 'index', 'item', 'list', 'dict', 'set', 'map', 'key', 'url', 'env', 'config', 'options']);
   const toolSet = new Set();
-  for (const file of files) {
+  for (const file of mcpFiles) {
     for (const pattern of toolPatterns) {
       pattern.lastIndex = 0;
       let m;
       while ((m = pattern.exec(file.content)) !== null) {
         const name = m[1] || m[2];
-        if (name && name.length > 2 && name.length < 50 && !['type', 'name', 'string', 'object', 'number', 'boolean', 'array', 'required', 'description', 'default', 'null', 'true', 'false', 'none'].includes(name)) {
+        if (name && name.length > 2 && name.length < 50 && !toolBlacklist.has(name)) {
           toolSet.add(name);
         }
       }
@@ -1120,31 +1182,38 @@ function printScanResult(url, info, files, findings, registryData, duration) {
     console.log(`${icons.pipe}  ${c.dim}(no tools or prompts detected)${c.reset}`);
   }
-  // Findings
+  // Findings with severity stripe
   if (findings.length > 0) {
-    console.log(`${icons.pipe}`);
-    console.log(`${icons.pipe}  ${c.bold}Findings (${findings.length})${c.reset}  ${c.dim}static analysis — may include false positives${c.reset}`);
-    for (let i = 0; i < findings.length; i++) {
-      const f = findings[i];
-      const isLast = i === findings.length - 1;
-      const branch = isLast ? icons.treeLast : icons.tree;
-      const pipeOrSpace = isLast ? '   ' : `${icons.pipe}  `;
+    console.log();
+    console.log(sectionHeader(`Findings (${findings.length})`));
+    console.log(`  ${c.dim}static analysis — may include false positives${c.reset}`);
+    console.log();
+    for (const f of findings) {
       const sc = severityColor(f.severity);
-      console.log(`${branch}  ${severityIcon(f.severity)} ${sc}${f.severity.toUpperCase().padEnd(8)}${c.reset} ${f.title}`);
-      console.log(`${pipeOrSpace}   ${c.dim}${f.file}:${f.line}${c.reset}  ${c.dim}${f.snippet || ''}${c.reset}`);
+      console.log(`  ${sc}┃${c.reset} ${sc}${f.severity.toUpperCase().padEnd(8)}${c.reset}  ${c.bold}${f.title}${c.reset}`);
+      console.log(`  ${sc}┃${c.reset}           ${c.dim}${f.file}:${f.line}${c.reset}  ${c.dim}${f.snippet || ''}${c.reset}`);
+    }
+    // Severity histogram
+    const histLines = severityHistogram(findings);
+    if (histLines.length > 1) {
+      console.log();
+      console.log(sectionHeader('Severity'));
+      for (const line of histLines) console.log(line);
     }
   }
   // Registry status
-  console.log(`${icons.pipe}`);
+  console.log();
+  console.log(sectionHeader('Registry'));
   if (registryData) {
     const rd = registryData;
     const riskScore = rd.risk_score ?? rd.latest_risk_score ?? 0;
-    console.log(`${icons.treeLast}  ${c.dim}registry${c.reset}  ${riskBadge(riskScore)} Risk ${riskScore}  ${c.dim}${REGISTRY_URL}/packages/${slug}${c.reset}`);
+    console.log(`  ${riskBadge(riskScore)}  ${c.dim}${REGISTRY_URL}/packages/${slug}${c.reset}`);
   } else {
-    console.log(`${icons.treeLast}  ${c.dim}registry${c.reset}  ${c.dim}not audited yet${c.reset}`);
+    console.log(`  ${c.dim}not audited yet${c.reset}`);
   }
   console.log();
 }
@@ -1153,27 +1222,23 @@ function printSummary(results) {
   const safe = results.filter(r => r.findings.length === 0).length;
   const withFindings = total - safe;
   const totalFindings = results.reduce((sum, r) => sum + r.findings.length, 0);
-  console.log(`${c.dim}${'─'.repeat(60)}${c.reset}`);
-  console.log(`  ${c.bold}Summary${c.reset}  ${total} packages scanned`);
+  const allFindings = results.flatMap(r => r.findings);
+  console.log(sectionHeader(`Summary — ${total} packages scanned`));
   console.log();
   if (safe > 0) console.log(`  ${icons.safe}  ${c.green}${safe} clean${c.reset}`);
   if (withFindings > 0) console.log(`  ${icons.caution}  ${c.yellow}${withFindings} with findings${c.reset} (${totalFindings} total)`);
-  // Breakdown by severity
-  const bySev = {};
-  results.forEach(r => r.findings.forEach(f => {
-    bySev[f.severity] = (bySev[f.severity] || 0) + 1;
-  }));
-  if (Object.keys(bySev).length > 0) {
+  console.log();
+  console.log(`  ${coverageBar(safe, total)}`);
+  // Severity histogram
+  const histLines = severityHistogram(allFindings);
+  if (histLines.length > 0) {
     console.log();
-    for (const sev of ['critical', 'high', 'medium', 'low']) {
-      if (bySev[sev]) {
-        console.log(`    ${severityIcon(sev)} ${bySev[sev]}× ${severityColor(sev)}${sev}${c.reset}`);
-      }
-    }
+    console.log(sectionHeader('Severity'));
+    for (const line of histLines) console.log(line);
   }
   console.log();
 }
@@ -1230,51 +1295,522 @@ async function scanRepo(url) {
 // ── Discover local MCP configs ──────────────────────────
+/**
+ * Minimal YAML parser — extracts MCP server list entries from
+ * Continue.dev (mcpServers: list) and Goose (extensions: list).
+ * Zero dependencies. Only handles the subset of YAML used by these tools.
+ */
+function parseSimpleYaml(text, rootKey) {
+  const result = { mcpServers: {} };
+  const lines = text.split('\n');
+  let inSection = false;
+  let currentName = null;
+  let currentServer = {};
+  let collectingArgs = false;
+  let argsIndent = -1;
+  for (const line of lines) {
+    const trimmed = line.trimEnd();
+    if (trimmed === '' || /^\s*#/.test(trimmed)) continue;
+    const indent = line.search(/\S/);
+    if (indent === 0 && trimmed === rootKey + ':') { inSection = true; continue; }
+    if (indent === 0 && inSection && /^\w/.test(trimmed)) {
+      if (currentName) result.mcpServers[currentName] = currentServer;
+      break;
+    }
+    if (!inSection) continue;
+    const nameMatch = trimmed.match(/^\s*-\s+name:\s*(.+)/);
+    if (nameMatch) {
+      if (currentName) result.mcpServers[currentName] = currentServer;
+      currentName = nameMatch[1].replace(/^["']|["']$/g, '');
+      currentServer = {};
+      collectingArgs = false;
+      continue;
+    }
+    if (collectingArgs && indent > argsIndent) {
+      const argVal = trimmed.match(/^\s*-\s+(.+)/);
+      if (argVal) {
+        if (!currentServer.args) currentServer.args = [];
+        currentServer.args.push(argVal[1].replace(/^["']|["']$/g, ''));
+        continue;
+      }
+    }
+    if (collectingArgs && indent <= argsIndent) collectingArgs = false;
+    if (!currentName) continue;
+    const kvMatch = trimmed.match(/^\s+(command|cmd|type|url):\s*(.+)/);
+    if (kvMatch) {
+      collectingArgs = false;
+      const key = kvMatch[1] === 'cmd' ? 'command' : kvMatch[1];
+      currentServer[key] = kvMatch[2].replace(/^["']|["']$/g, '');
+      continue;
+    }
+    const argsMatch = trimmed.match(/^\s+(args):\s*(.*)/);
+    if (argsMatch) {
+      const inlineArr = argsMatch[2].match(/^\[(.+)\]$/);
+      if (inlineArr) {
+        currentServer.args = inlineArr[1].split(',').map(s => s.trim().replace(/^["']|["']$/g, ''));
+        collectingArgs = false;
+      } else {
+        collectingArgs = true;
+        argsIndent = indent;
+        currentServer.args = [];
+      }
+      continue;
+    }
+  }
+  if (currentName) result.mcpServers[currentName] = currentServer;
+  return result;
+}
+/**
+ * Minimal TOML parser — extracts [mcp_servers.xxx] sections
+ * from OpenAI Codex CLI config. Zero dependencies.
+ */
+function parseSimpleToml(text) {
+  const result = { mcpServers: {} };
+  const lines = text.split('\n');
+  let currentName = null;
+  let currentServer = {};
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (trimmed === '' || trimmed.startsWith('#')) continue;
+    const sectionMatch = trimmed.match(/^\[mcp_servers\.(.+)\]$/);
+    if (sectionMatch) {
+      if (currentName) result.mcpServers[currentName] = currentServer;
+      currentName = sectionMatch[1];
+      currentServer = {};
+      continue;
+    }
+    if (trimmed.startsWith('[') && !trimmed.startsWith('[mcp_servers.')) {
+      if (currentName) result.mcpServers[currentName] = currentServer;
+      currentName = null;
+      continue;
+    }
+    if (!currentName) continue;
+    const strMatch = trimmed.match(/^(command|url)\s*=\s*"(.+?)"/);
+    if (strMatch) { currentServer[strMatch[1]] = strMatch[2]; continue; }
+    const argsMatch = trimmed.match(/^args\s*=\s*\[(.+)\]/);
+    if (argsMatch) {
+      currentServer.args = argsMatch[1].split(',').map(s => s.trim().replace(/^["']|["']$/g, ''));
+      continue;
+    }
+    const boolMatch = trimmed.match(/^enabled\s*=\s*(true|false)/);
+    if (boolMatch && boolMatch[1] === 'false') currentServer.disabled = true;
+  }
+  if (currentName) result.mcpServers[currentName] = currentServer;
+  return result;
+}
+/**
+ * Comprehensive MCP config discovery across all major AI editors & tools.
+ *
+ * Supports: Claude Desktop, Claude Code, Cursor, Windsurf, VS Code,
+ * Cline, Roo Code, Amazon Q, Gemini CLI, Zed, Continue.dev, Goose,
+ * OpenAI Codex CLI, Visual Studio — global + project-level configs.
+ */
 function findMcpConfigs() {
   const home = process.env.HOME || process.env.USERPROFILE || '';
   const platform = process.platform;
-  // All known MCP config locations
+  const cwd = process.cwd();
+  const xdgConfig = process.env.XDG_CONFIG_HOME || path.join(home, '.config');
+  // Platform-specific app data directory
+  // macOS: ~/Library/Application Support, Windows: ~/AppData/Roaming, Linux: ~/.config
+  const appData = platform === 'darwin'
+    ? path.join(home, 'Library', 'Application Support')
+    : platform === 'win32'
+    ? path.join(home, 'AppData', 'Roaming')
+    : xdgConfig;
+  // Each candidate: { name, path, format: 'json'|'yaml'|'toml', key: top-level key }
   const candidates = [
-    // Claude Desktop
-    { name: 'Claude Desktop', path: path.join(home, '.claude', 'mcp.json') },
-    { name: 'Claude Desktop', path: path.join(home, 'Library', 'Application Support', 'Claude', 'claude_desktop_config.json') },
-    { name: 'Claude Desktop', path: path.join(home, 'AppData', 'Roaming', 'Claude', 'claude_desktop_config.json') },
-    { name: 'Claude Desktop', path: path.join(home, '.config', 'claude', 'claude_desktop_config.json') },
-    // Cursor
-    { name: 'Cursor', path: path.join(home, '.cursor', 'mcp.json') },
-    // Windsurf / Codeium
-    { name: 'Windsurf', path: path.join(home, '.codeium', 'windsurf', 'mcp_config.json') },
-    // VS Code
-    { name: 'VS Code', path: path.join(home, '.vscode', 'mcp.json') },
-    // Continue.dev
-    { name: 'Continue', path: path.join(home, '.continue', 'config.json') },
+    // ── Claude Desktop ──
+    ...(platform === 'darwin' ? [{ name: 'Claude Desktop', path: path.join(home, 'Library', 'Application Support', 'Claude', 'claude_desktop_config.json'), format: 'json', key: 'mcpServers' }] : []),
+    ...(platform === 'win32'  ? [{ name: 'Claude Desktop', path: path.join(home, 'AppData', 'Roaming', 'Claude', 'claude_desktop_config.json'), format: 'json', key: 'mcpServers' }] : []),
+    ...(platform === 'linux'  ? [{ name: 'Claude Desktop', path: path.join(xdgConfig, 'Claude', 'claude_desktop_config.json'), format: 'json', key: 'mcpServers' }] : []),
+    // ── Claude Code ──
+    { name: 'Claude Code', path: path.join(home, '.claude.json'), format: 'json', key: 'mcpServers' },
+    { name: 'Claude Code', path: path.join(home, '.claude', 'mcp.json'), format: 'json', key: 'mcpServers' },
+    // ── Cursor (global) ──
+    { name: 'Cursor', path: path.join(home, '.cursor', 'mcp.json'), format: 'json', key: 'mcpServers' },
+    // ── Windsurf / Codeium ──
+    { name: 'Windsurf', path: path.join(home, '.codeium', 'windsurf', 'mcp_config.json'), format: 'json', key: 'mcpServers' },
+    // ── VS Code (global mcp.json — uses 'servers' key) ──
+    ...(platform === 'darwin' ? [{ name: 'VS Code', path: path.join(home, 'Library', 'Application Support', 'Code', 'User', 'mcp.json'), format: 'json', key: 'servers' }] : []),
+    ...(platform === 'win32'  ? [{ name: 'VS Code', path: path.join(home, 'AppData', 'Roaming', 'Code', 'User', 'mcp.json'), format: 'json', key: 'servers' }] : []),
+    ...(platform === 'linux'  ? [{ name: 'VS Code', path: path.join(xdgConfig, 'Code', 'User', 'mcp.json'), format: 'json', key: 'servers' }] : []),
+    // ── VS Code settings.json (mcp.servers nested key) ──
+    ...(platform === 'darwin' ? [{ name: 'VS Code (settings)', path: path.join(home, 'Library', 'Application Support', 'Code', 'User', 'settings.json'), format: 'json', key: 'mcp.servers' }] : []),
+    ...(platform === 'win32'  ? [{ name: 'VS Code (settings)', path: path.join(home, 'AppData', 'Roaming', 'Code', 'User', 'settings.json'), format: 'json', key: 'mcp.servers' }] : []),
+    ...(platform === 'linux'  ? [{ name: 'VS Code (settings)', path: path.join(xdgConfig, 'Code', 'User', 'settings.json'), format: 'json', key: 'mcp.servers' }] : []),
+    // ── Cline (VS Code extension) ──
+    ...(platform === 'darwin' ? [{ name: 'Cline', path: path.join(home, 'Library', 'Application Support', 'Code', 'User', 'globalStorage', 'saoudrizwan.claude-dev', 'settings', 'cline_mcp_settings.json'), format: 'json', key: 'mcpServers' }] : []),
+    ...(platform === 'win32'  ? [{ name: 'Cline', path: path.join(home, 'AppData', 'Roaming', 'Code', 'User', 'globalStorage', 'saoudrizwan.claude-dev', 'settings', 'cline_mcp_settings.json'), format: 'json', key: 'mcpServers' }] : []),
+    ...(platform === 'linux'  ? [{ name: 'Cline', path: path.join(xdgConfig, 'Code', 'User', 'globalStorage', 'saoudrizwan.claude-dev', 'settings', 'cline_mcp_settings.json'), format: 'json', key: 'mcpServers' }] : []),
+    // ── Roo Code (VS Code extension) ──
+    ...(platform === 'darwin' ? [{ name: 'Roo Code', path: path.join(home, 'Library', 'Application Support', 'Code', 'User', 'globalStorage', 'rooveterinaryinc.roo-cline', 'settings', 'mcp_settings.json'), format: 'json', key: 'mcpServers' }] : []),
+    ...(platform === 'win32'  ? [{ name: 'Roo Code', path: path.join(home, 'AppData', 'Roaming', 'Code', 'User', 'globalStorage', 'rooveterinaryinc.roo-cline', 'settings', 'mcp_settings.json'), format: 'json', key: 'mcpServers' }] : []),
+    ...(platform === 'linux'  ? [{ name: 'Roo Code', path: path.join(xdgConfig, 'Code', 'User', 'globalStorage', 'rooveterinaryinc.roo-cline', 'settings', 'mcp_settings.json'), format: 'json', key: 'mcpServers' }] : []),
+    // ── Amazon Q Developer ──
+    { name: 'Amazon Q', path: path.join(home, '.aws', 'amazonq', 'mcp.json'), format: 'json', key: 'mcpServers' },
+    { name: 'Amazon Q (IDE)', path: path.join(home, '.aws', 'amazonq', 'default.json'), format: 'json', key: 'mcpServers' },
+    // ── Gemini CLI ──
+    { name: 'Gemini CLI', path: path.join(home, '.gemini', 'settings.json'), format: 'json', key: 'mcpServers' },
+    // ── Zed (macOS + Linux only, uses 'context_servers' key) ──
+    ...(platform === 'darwin' ? [{ name: 'Zed', path: path.join(home, '.zed', 'settings.json'), format: 'json', key: 'context_servers' }] : []),
+    ...(platform === 'linux'  ? [{ name: 'Zed', path: path.join(xdgConfig, 'zed', 'settings.json'), format: 'json', key: 'context_servers' }] : []),
+    // ── Continue.dev ──
+    { name: 'Continue', path: path.join(home, '.continue', 'config.json'), format: 'json', key: 'mcpServers' },
+    { name: 'Continue', path: path.join(home, '.continue', 'config.yaml'), format: 'yaml', key: 'mcpServers' },
+    // ── Goose (Block/Square) ──
+    { name: 'Goose', path: path.join(xdgConfig, 'goose', 'config.yaml'), format: 'yaml', key: 'extensions' },
+    // ── OpenAI Codex CLI ──
+    { name: 'Codex CLI', path: path.join(home, '.codex', 'config.toml'), format: 'toml', key: 'mcp_servers' },
+    // ── Visual Studio (Windows only) ──
+    ...(platform === 'win32' ? [{ name: 'Visual Studio', path: path.join(home, '.mcp.json'), format: 'json', key: 'mcpServers' }] : []),
+    // ── Project-level configs (cwd) ──
+    { name: 'Claude Code (project)', path: path.join(cwd, '.mcp.json'), format: 'json', key: 'mcpServers' },
+    { name: 'Cursor (project)', path: path.join(cwd, '.cursor', 'mcp.json'), format: 'json', key: 'mcpServers' },
+    { name: 'VS Code (project)', path: path.join(cwd, '.vscode', 'mcp.json'), format: 'json', key: 'servers' },
+    { name: 'Roo Code (project)', path: path.join(cwd, '.roo', 'mcp.json'), format: 'json', key: 'mcpServers' },
+    { name: 'Amazon Q (project)', path: path.join(cwd, '.amazonq', 'mcp.json'), format: 'json', key: 'mcpServers' },
+    { name: 'Gemini CLI (project)', path: path.join(cwd, '.gemini', 'settings.json'), format: 'json', key: 'mcpServers' },
+    ...(platform !== 'win32' ? [{ name: 'Zed (project)', path: path.join(cwd, '.zed', 'settings.json'), format: 'json', key: 'context_servers' }] : []),
+    { name: 'Codex CLI (project)', path: path.join(cwd, '.codex', 'config.toml'), format: 'toml', key: 'mcp_servers' },
   ];
-  // Also check AGENTAUDIT_TEST_CONFIG env for testing
+  // Test config override
   if (process.env.AGENTAUDIT_TEST_CONFIG) {
-    candidates.push({ name: 'Test Config', path: process.env.AGENTAUDIT_TEST_CONFIG });
+    candidates.push({ name: 'Test Config', path: process.env.AGENTAUDIT_TEST_CONFIG, format: 'json', key: 'mcpServers' });
   }
-  // Also scan workspace .cursor/mcp.json, .vscode/mcp.json in cwd
-  const cwd = process.cwd();
-  candidates.push(
-    { name: 'Cursor (project)', path: path.join(cwd, '.cursor', 'mcp.json') },
-    { name: 'VS Code (project)', path: path.join(cwd, '.vscode', 'mcp.json') },
-  );
+  // Continue.dev mcpServers drop-in directory (individual JSON files)
+  const continueDropIn = path.join(home, '.continue', 'mcpServers');
+  try {
+    if (fs.existsSync(continueDropIn)) {
+      for (const f of fs.readdirSync(continueDropIn)) {
+        if (f.endsWith('.json')) {
+          candidates.push({ name: 'Continue (drop-in)', path: path.join(continueDropIn, f), format: 'json', key: 'mcpServers' });
+        }
+      }
+    }
+  } catch {}
+  // Project-level Continue.dev drop-ins
+  const cwdContinueDropIn = path.join(cwd, '.continue', 'mcpServers');
+  try {
+    if (fs.existsSync(cwdContinueDropIn)) {
+      for (const f of fs.readdirSync(cwdContinueDropIn)) {
+        if (f.endsWith('.json')) {
+          candidates.push({ name: 'Continue (project drop-in)', path: path.join(cwdContinueDropIn, f), format: 'json', key: 'mcpServers' });
+        }
+      }
+    }
+  } catch {}
   const found = [];
+  const seenPaths = new Set();
   for (const c of candidates) {
-    if (fs.existsSync(c.path)) {
-      try {
-        const content = JSON.parse(fs.readFileSync(c.path, 'utf8'));
-        found.push({ ...c, content });
-      } catch {}
+    const resolved = path.resolve(c.path);
+    if (seenPaths.has(resolved)) continue;
+    if (!fs.existsSync(c.path)) continue;
+    seenPaths.add(resolved);
+    try {
+      const raw = fs.readFileSync(c.path, 'utf8');
+      let content;
+      if (c.format === 'yaml') {
+        content = parseSimpleYaml(raw, c.key);
+      } else if (c.format === 'toml') {
+        content = parseSimpleToml(raw);
+      } else {
+        content = JSON.parse(raw);
+        // Normalize different JSON key structures to mcpServers
+        if (c.key === 'mcp.servers' && content.mcp?.servers) {
+          content = { mcpServers: content.mcp.servers };
+        } else if (c.key === 'context_servers' && content.context_servers) {
+          // Zed: normalize nested { command: { path, args } } → { command, args }
+          const normalized = {};
+          for (const [name, cfg] of Object.entries(content.context_servers)) {
+            if (cfg.command && typeof cfg.command === 'object') {
+              normalized[name] = { command: cfg.command.path || cfg.command.command, args: cfg.command.args || [], env: cfg.command.env || {} };
+            } else {
+              normalized[name] = cfg;
+            }
+          }
+          content = { mcpServers: normalized };
+        } else if (c.key === 'servers' && content.servers && !content.mcpServers) {
+          content = { mcpServers: content.servers };
+        }
+      }
+      // Only include configs that actually have servers
+      const servers = content?.mcpServers || content?.servers || {};
+      if (Object.keys(servers).length > 0) {
+        found.push({ name: c.name, path: c.path, content });
+      }
+    } catch {}
+  }
+  return found;
+}
+// ── Skill Discovery & Validation ─────────────────────────
+/**
+ * Parse YAML frontmatter from a SKILL.md file.
+ * Returns { meta: {...}, body: string, errors: string[] }
+ */
+function parseSkillFrontmatter(content) {
+  const errors = [];
+  const lines = content.split('\n');
+  // Must start with ---
+  if (lines[0].trim() !== '---') {
+    return { meta: null, body: content, errors: ['Missing YAML frontmatter (file must start with ---)'] };
+  }
+  // Find closing ---
+  let endIdx = -1;
+  for (let i = 1; i < lines.length; i++) {
+    if (lines[i].trim() === '---') { endIdx = i; break; }
+  }
+  if (endIdx === -1) {
+    return { meta: null, body: content, errors: ['Unclosed frontmatter (missing closing ---)'] };
+  }
+  // Parse YAML-like key: value pairs
+  const meta = {};
+  const yamlLines = lines.slice(1, endIdx);
+  for (let i = 0; i < yamlLines.length; i++) {
+    const line = yamlLines[i];
+    if (line.trim() === '' || line.trim().startsWith('#')) continue;
+    // Check for tabs
+    if (line.includes('\t')) {
+      errors.push(`Line ${i + 2}: Tab character found (use spaces)`);
     }
+    const match = line.match(/^([a-z][a-z0-9_-]*):\s*(.*)/i);
+    if (!match) {
+      // Could be a continuation line (YAML multiline)
+      continue;
+    }
+    const key = match[1].toLowerCase();
+    let value = match[2].trim();
+    // Handle YAML lists on next lines
+    if (value === '' && i + 1 < yamlLines.length && yamlLines[i + 1].match(/^\s+-\s/)) {
+      const items = [];
+      let j = i + 1;
+      while (j < yamlLines.length && yamlLines[j].match(/^\s+-\s/)) {
+        items.push(yamlLines[j].replace(/^\s+-\s*/, '').trim());
+        j++;
+      }
+      value = items;
+    }
+    // Strip surrounding quotes
+    if (typeof value === 'string' && ((value.startsWith('"') && value.endsWith('"')) || (value.startsWith("'") && value.endsWith("'")))) {
+      value = value.slice(1, -1);
+    }
+    meta[key] = value;
   }
+  const body = lines.slice(endIdx + 1).join('\n').trim();
+  return { meta, body, errors };
+}
+/**
+ * Validate a parsed skill against the Claude Code SKILL.md spec.
+ * Returns { errors: [...], warnings: [...], info: {...} }
+ */
+function validateSkill(parsed) {
+  const { meta, body, errors: parseErrors } = parsed;
+  const errors = [...parseErrors];
+  const warnings = [];
+  const info = {};
+  if (!meta) return { errors, warnings, info };
+  // Known fields
+  const knownFields = new Set([
+    'name', 'description', 'allowed-tools', 'user-invocable', 'user-invokable',
+    'disable-model-invocation', 'license', 'metadata', 'argument-hint',
+    'compatibility', 'version', 'author',
+  ]);
+  // Check for unknown fields
+  for (const key of Object.keys(meta)) {
+    if (!knownFields.has(key)) {
+      warnings.push(`Unknown frontmatter field: "${key}"`);
+    }
+  }
+  // Required: name
+  if (!meta.name) {
+    errors.push('Missing required field: name');
+  } else {
+    info.name = meta.name;
+    if (meta.name.length > 64) errors.push(`name exceeds 64 chars (${meta.name.length})`);
+    if (/<[^>]+>/.test(meta.name)) errors.push('name contains XML/HTML tags');
+  }
+  // Required: description
+  if (!meta.description) {
+    errors.push('Missing required field: description');
+  } else {
+    info.description = typeof meta.description === 'string' ? meta.description.slice(0, 120) : String(meta.description).slice(0, 120);
+    if (typeof meta.description === 'string' && meta.description.length > 1024) {
+      warnings.push(`description is ${meta.description.length} chars (recommended max: 1024)`);
+    }
+    if (/<[^>]+>/.test(meta.description)) warnings.push('description contains XML/HTML tags');
+  }
+  // Security: allowed-tools
+  if (!meta['allowed-tools']) {
+    warnings.push('No allowed-tools set — skill has access to ALL tools (security risk)');
+    info.allowedTools = null;
+  } else {
+    const tools = typeof meta['allowed-tools'] === 'string'
+      ? meta['allowed-tools'].split(',').map(t => t.trim()).filter(Boolean)
+      : Array.isArray(meta['allowed-tools']) ? meta['allowed-tools'] : [];
+    info.allowedTools = tools;
+    // Check for wildcard/dangerous patterns
+    if (tools.some(t => t === '*' || t === 'Bash' || t === 'Bash(*)')) {
+      warnings.push('allowed-tools includes unrestricted Bash access');
+    }
+  }
+  // Boolean fields
+  for (const boolField of ['user-invocable', 'user-invokable', 'disable-model-invocation']) {
+    if (meta[boolField] !== undefined) {
+      const val = String(meta[boolField]).toLowerCase();
+      if (!['true', 'false'].includes(val)) {
+        errors.push(`${boolField} must be true or false (got: "${meta[boolField]}")`);
+      }
+    }
+  }
+  // Typo detection
+  if (meta['user-invokable'] && !meta['user-invocable']) {
+    warnings.push('Using "user-invokable" (known typo variant) — both spellings work');
+  }
+  // Body checks
+  if (body) {
+    const bodyLines = body.split('\n').length;
+    info.bodyLines = bodyLines;
+    if (bodyLines > 500) warnings.push(`Body is ${bodyLines} lines (recommended max: 500)`);
+    // Check for potential prompt injection patterns in body
+    const injectionPatterns = [
+      { pattern: /ignore\s+(all\s+)?previous\s+(instructions|rules)/i, label: 'Prompt injection pattern' },
+      { pattern: /<IMPORTANT>/i, label: 'Suspicious <IMPORTANT> tag' },
+      { pattern: /system\s*:\s*you\s+are/i, label: 'System prompt override attempt' },
+    ];
+    for (const { pattern, label } of injectionPatterns) {
+      if (pattern.test(body)) {
+        warnings.push(`${label} detected in body`);
+      }
+    }
+  }
+  // Extract MCP tool references
+  const mcpRefs = [];
+  const mcpPattern = /mcp__([a-z0-9_-]+)__([a-z0-9_]+)/gi;
+  const fullText = (meta.description || '') + ' ' + (typeof meta['allowed-tools'] === 'string' ? meta['allowed-tools'] : '') + ' ' + (body || '');
+  let mcpMatch;
+  while ((mcpMatch = mcpPattern.exec(fullText)) !== null) {
+    mcpRefs.push({ server: mcpMatch[1], tool: mcpMatch[2] });
+  }
+  info.mcpRefs = mcpRefs;
+  // Deduplicate MCP server names
+  info.mcpServers = [...new Set(mcpRefs.map(r => r.server))];
+  return { errors, warnings, info };
+}
+/**
+ * Find all SKILL.md files in known skill directories.
+ */
+function findSkills() {
+  const home = process.env.HOME || process.env.USERPROFILE || '';
+  const cwd = process.cwd();
+  const found = [];
+  const skillDirs = [
+    // Global skill dirs
+    { name: 'Claude Code (global)', base: path.join(home, '.claude', 'skills') },
+    { name: 'Cursor (global)', base: path.join(home, '.cursor', 'skills') },
+    { name: 'Antigravity (global)', base: path.join(home, '.agent', 'skills') },
+    // Project-level skill dirs
+    { name: 'Claude Code (project)', base: path.join(cwd, '.claude', 'skills') },
+    { name: 'Cursor (project)', base: path.join(cwd, '.cursor', 'skills') },
+    { name: 'GitHub Skills (project)', base: path.join(cwd, '.github', 'skills') },
+    { name: 'Antigravity (project)', base: path.join(cwd, '.agent', 'skills') },
+  ];
+  for (const dir of skillDirs) {
+    if (!fs.existsSync(dir.base)) continue;
+    try {
+      const entries = fs.readdirSync(dir.base, { withFileTypes: true });
+      for (const entry of entries) {
+        if (!entry.isDirectory() && !entry.isSymbolicLink()) continue;
+        const skillPath = path.join(dir.base, entry.name, 'SKILL.md');
+        if (!fs.existsSync(skillPath)) continue;
+        try {
+          const content = fs.readFileSync(skillPath, 'utf8');
+          const parsed = parseSkillFrontmatter(content);
+          const validation = validateSkill(parsed);
+          found.push({
+            source: dir.name,
+            dir: path.join(dir.base, entry.name),
+            path: skillPath,
+            dirName: entry.name,
+            parsed,
+            validation,
+            isSymlink: entry.isSymbolicLink(),
+          });
+        } catch {}
+      }
+    } catch {}
+  }
   return found;
 }
+// ── Server Config Extraction ─────────────────────────────
 function extractServersFromConfig(config) {
   // Handle both { mcpServers: {...} } and { servers: {...} } formats
   const servers = config.mcpServers || config.servers || {};
@@ -1336,7 +1872,10 @@ function extractServersFromConfig(config) {
         }
       } catch {}
     }
+    // Resolve local installation directory
+    info.localDir = resolveLocalDir(info);
     result.push(info);
   }
   return result;
@@ -1349,6 +1888,196 @@ function serverSlug(server) {
   return server.name.toLowerCase().replace(/[^a-z0-9-]/gi, '-');
 }
+/**
+ * Resolve the local installation directory for a discovered MCP server.
+ * Returns an absolute path or null if not found.
+ */
+function resolveLocalDir(server) {
+  const home = os.homedir();
+  const isWin = process.platform === 'win32';
+  // node /path/to/file → walk up to project root (package.json or .git)
+  const allArgs = [server.command, ...server.args].filter(Boolean).join(' ');
+  const nodePathMatch = allArgs.match(/node\s+["']?([^"'\s]+)/);
+  if (nodePathMatch) {
+    let dir = path.dirname(path.resolve(nodePathMatch[1]));
+    for (let i = 0; i < 5; i++) {
+      if (fs.existsSync(path.join(dir, 'package.json')) || fs.existsSync(path.join(dir, '.git'))) return dir;
+      const parent = path.dirname(dir);
+      if (parent === dir) break;
+      dir = parent;
+    }
+    // Fallback: use the script's directory
+    return path.dirname(path.resolve(nodePathMatch[1]));
+  }
+  // python /path/to/file → same approach
+  const pyPathMatch = allArgs.match(/python[3]?\s+["']?([^"'\s]+\.py)/);
+  if (pyPathMatch) {
+    let dir = path.dirname(path.resolve(pyPathMatch[1]));
+    for (let i = 0; i < 5; i++) {
+      if (fs.existsSync(path.join(dir, 'pyproject.toml')) || fs.existsSync(path.join(dir, 'setup.py')) || fs.existsSync(path.join(dir, '.git'))) return dir;
+      const parent = path.dirname(dir);
+      if (parent === dir) break;
+      dir = parent;
+    }
+    return path.dirname(path.resolve(pyPathMatch[1]));
+  }
+  // npm/npx package → check global node_modules
+  if (server.npmPackage) {
+    const pkgName = server.npmPackage.replace(/@latest$/, '').replace(/@[\d.]+$/, '');
+    const candidates = [];
+    // Global npm
+    try {
+      const globalRoot = execFileSync('npm', ['root', '-g'], { timeout: 5000, stdio: 'pipe' }).toString().trim();
+      candidates.push(path.join(globalRoot, pkgName));
+    } catch {}
+    // Local node_modules (cwd)
+    candidates.push(path.join(process.cwd(), 'node_modules', pkgName));
+    for (const dir of candidates) {
+      if (fs.existsSync(dir)) return dir;
+    }
+  }
+  // uvx/pip package → check uv tools cache and site-packages
+  if (server.pyPackage) {
+    const pkgName = server.pyPackage.replace(/@latest$/, '').replace(/@[\d.]+$/, '');
+    const candidates = [];
+    if (isWin) {
+      const localAppData = process.env.LOCALAPPDATA || path.join(home, 'AppData', 'Local');
+      candidates.push(path.join(localAppData, 'uv', 'tools', pkgName));
+    } else {
+      candidates.push(path.join(home, '.local', 'share', 'uv', 'tools', pkgName));
+    }
+    // Also try pip show
+    try {
+      const pipOut = execFileSync('pip', ['show', pkgName, '-f'], { timeout: 5000, stdio: 'pipe' }).toString();
+      const locMatch = pipOut.match(/Location:\s*(.+)/);
+      if (locMatch) {
+        const normalized = pkgName.replace(/-/g, '_');
+        const pkgDir = path.join(locMatch[1].trim(), normalized);
+        if (fs.existsSync(pkgDir)) candidates.push(pkgDir);
+      }
+    } catch {}
+    for (const dir of candidates) {
+      if (fs.existsSync(dir)) return dir;
+    }
+  }
+  return null;
+}
+/**
+ * Scan a local directory (like scanRepo but without cloning).
+ */
+async function scanLocalDir(localDir, serverName) {
+  const start = Date.now();
+  const slug = serverName.toLowerCase().replace(/[^a-z0-9-]/gi, '-');
+  if (!jsonMode) process.stdout.write(`${icons.scan}  Scanning ${c.bold}${slug}${c.reset} ${c.dim}(local)${c.reset} ${c.dim}...${c.reset}`);
+  // Collect files from local dir
+  const files = collectFiles(localDir);
+  if (files.length === 0) {
+    if (!jsonMode) process.stdout.write(`  ${c.yellow}no scannable files found${c.reset}\n`);
+    return null;
+  }
+  // Detect info
+  const info = detectPackageInfo(localDir, files);
+  // Quick checks
+  const findings = quickChecks(files);
+  // Registry lookup
+  const registryData = await checkRegistry(slug);
+  const duration = elapsed(start);
+  if (!jsonMode) {
+    process.stdout.write('\r\x1b[K');
+    printScanResult(`local://${localDir}`, info, files, findings, registryData, duration);
+  }
+  return { slug, url: `local://${localDir}`, info, files: files.length, findings, registryData, duration };
+}
+/**
+ * Download package source from PyPI or npm to a temp dir and scan it.
+ * Used as last resort when git clone fails and no local install exists.
+ */
+async function downloadAndScan(server) {
+  const start = Date.now();
+  const slug = server.name.toLowerCase().replace(/[^a-z0-9-]/gi, '-');
+  const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'agentaudit-pkg-'));
+  try {
+    if (server.pyPackage) {
+      const pkgName = server.pyPackage.replace(/@latest$/, '').replace(/@[\d.]+$/, '');
+      if (!jsonMode) process.stdout.write(`${icons.scan}  Downloading ${c.bold}${pkgName}${c.reset} ${c.dim}from PyPI...${c.reset}`);
+      // Download sdist/wheel without installing
+      execFileSync('pip', ['download', '--no-deps', '-d', tmpDir, pkgName], { timeout: 30000, stdio: 'pipe' });
+      // Extract any .tar.gz or .whl (zip) files
+      const downloaded = fs.readdirSync(tmpDir);
+      const extractDir = path.join(tmpDir, 'src');
+      fs.mkdirSync(extractDir, { recursive: true });
+      for (const f of downloaded) {
+        const fp = path.join(tmpDir, f);
+        if (f.endsWith('.whl') || f.endsWith('.zip')) {
+          execFileSync('python', ['-m', 'zipfile', '-e', fp, extractDir], { timeout: 10000, stdio: 'pipe' });
+        } else if (f.endsWith('.tar.gz') || f.endsWith('.tgz')) {
+          execFileSync('tar', ['xzf', fp, '-C', extractDir], { timeout: 10000, stdio: 'pipe' });
+        }
+      }
+      const files = collectFiles(extractDir);
+      if (files.length === 0) return null;
+      const info = detectPackageInfo(extractDir, files);
+      const findings = quickChecks(files);
+      const registryData = await checkRegistry(slug);
+      const duration = elapsed(start);
+      if (!jsonMode) {
+        process.stdout.write('\r\x1b[K');
+        printScanResult(`pypi://${pkgName}`, info, files, findings, registryData, duration);
+      }
+      return { slug, url: `pypi://${pkgName}`, info, files: files.length, findings, registryData, duration };
+    }
+    if (server.npmPackage) {
+      const pkgName = server.npmPackage.replace(/@latest$/, '').replace(/@[\d.]+$/, '');
+      if (!jsonMode) process.stdout.write(`${icons.scan}  Downloading ${c.bold}${pkgName}${c.reset} ${c.dim}from npm...${c.reset}`);
+      // npm pack downloads tarball without installing
+      execFileSync('npm', ['pack', pkgName, '--pack-destination', tmpDir], { timeout: 30000, stdio: 'pipe' });
+      const tarballs = fs.readdirSync(tmpDir).filter(f => f.endsWith('.tgz'));
+      if (tarballs.length === 0) return null;
+      const extractDir = path.join(tmpDir, 'src');
+      fs.mkdirSync(extractDir, { recursive: true });
+      execFileSync('tar', ['xzf', path.join(tmpDir, tarballs[0]), '-C', extractDir], { timeout: 10000, stdio: 'pipe' });
+      const files = collectFiles(extractDir);
+      if (files.length === 0) return null;
+      const info = detectPackageInfo(extractDir, files);
+      const findings = quickChecks(files);
+      const registryData = await checkRegistry(slug);
+      const duration = elapsed(start);
+      if (!jsonMode) {
+        process.stdout.write('\r\x1b[K');
+        printScanResult(`npm://${pkgName}`, info, files, findings, registryData, duration);
+      }
+      return { slug, url: `npm://${pkgName}`, info, files: files.length, findings, registryData, duration };
+    }
+  } catch (err) {
+    if (!jsonMode) {
+      process.stdout.write('\r\x1b[K');
+      process.stdout.write(`${icons.scan}  ${c.bold}${slug}${c.reset}  ${c.yellow}download failed${c.reset}\n`);
+      const msg = err.stderr?.toString().trim().split('\n')[0] || err.message?.split('\n')[0] || '';
+      if (msg) console.log(`    ${c.dim}${msg}${c.reset}`);
+    }
+  } finally {
+    try { fs.rmSync(tmpDir, { recursive: true, force: true }); } catch {}
+  }
+  return null;
+}
 async function searchGitHub(query) {
   try {
     const res = await fetch(`https://api.github.com/search/repositories?q=${encodeURIComponent(query)}&per_page=1`, {
@@ -1450,7 +2179,7 @@ async function discoverCommand(options = {}) {
   const interactiveAudit = options.audit || false;
   if (!jsonMode) {
-    console.log(`  ${c.bold}Discovering MCP servers in your AI editors...${c.reset}`);
+    console.log(`  ${c.bold}Discovering MCP servers across all AI tools...${c.reset}`);
     console.log();
   }
@@ -1458,13 +2187,16 @@ async function discoverCommand(options = {}) {
   if (configs.length === 0) {
     console.log(`  ${c.yellow}No MCP configurations found.${c.reset}`);
-    console.log(`  ${c.dim}Searched: Claude Desktop, Cursor, Windsurf, VS Code${c.reset}`);
+    console.log(`  ${c.dim}Searched 15+ tools: Claude Desktop, Claude Code, Cursor, Windsurf, VS Code,${c.reset}`);
+    console.log(`  ${c.dim}Cline, Roo Code, Amazon Q, Gemini CLI, Zed, Continue.dev, Goose, Codex CLI${c.reset}`);
     console.log();
-    console.log(`  ${c.dim}MCP config locations:${c.reset}`);
-    console.log(`  ${c.dim}  Claude:   ~/.claude/mcp.json${c.reset}`);
-    console.log(`  ${c.dim}  Cursor:   ~/.cursor/mcp.json${c.reset}`);
-    console.log(`  ${c.dim}  Windsurf: ~/.codeium/windsurf/mcp_config.json${c.reset}`);
-    console.log(`  ${c.dim}  VS Code:  ~/.vscode/mcp.json${c.reset}`);
+    console.log(`  ${c.dim}Common MCP config locations:${c.reset}`);
+    console.log(`  ${c.dim}  Claude Desktop:  ~/Library/Application Support/Claude/claude_desktop_config.json${c.reset}`);
+    console.log(`  ${c.dim}  Claude Code:     ~/.claude.json${c.reset}`);
+    console.log(`  ${c.dim}  Cursor:          ~/.cursor/mcp.json${c.reset}`);
+    console.log(`  ${c.dim}  Windsurf:        ~/.codeium/windsurf/mcp_config.json${c.reset}`);
+    console.log(`  ${c.dim}  VS Code:         (platform)/Code/User/mcp.json${c.reset}`);
+    console.log(`  ${c.dim}  Project-level:   .mcp.json / .cursor/mcp.json / .vscode/mcp.json${c.reset}`);
     console.log();
     return;
   }
@@ -1527,15 +2259,18 @@ async function discoverCommand(options = {}) {
         const riskScore = regData.risk_score ?? regData.latest_risk_score ?? 0;
         const hasOfficial = regData.has_official_audit;
         console.log(`${branch}  ${c.bold}${server.name}${c.reset}    ${sourceLabel}`);
-        console.log(`${pipe}  ${riskBadge(riskScore)} Risk ${riskScore}  ${hasOfficial ? `${c.green}✔ official${c.reset}  ` : ''}${c.dim}${REGISTRY_URL}/packages/${slug}${c.reset}`);
-        if (resolvedUrl) allServersWithUrls.push({ name: server.name, sourceUrl: resolvedUrl, hasAudit: true, regData });
+        console.log(`${pipe}  ${riskBadge(riskScore)}  ${hasOfficial ? `${c.green}✔ official${c.reset}  ` : ''}${c.dim}${REGISTRY_URL}/packages/${slug}${c.reset}`);
+        if (resolvedUrl || server.localDir || server.pyPackage || server.npmPackage) allServersWithUrls.push({ name: server.name, sourceUrl: resolvedUrl, localDir: server.localDir, pyPackage: server.pyPackage, npmPackage: server.npmPackage, hasAudit: true, regData });
       } else {
         unauditedServers++;
         console.log(`${branch}  ${c.bold}${server.name}${c.reset}    ${sourceLabel}`);
         if (resolvedUrl) {
           console.log(`${pipe}  ${c.yellow}⚠ not audited${c.reset}  ${c.dim}Run: ${c.cyan}agentaudit audit ${resolvedUrl}${c.reset}`);
           unauditedWithUrls.push({ name: server.name, sourceUrl: resolvedUrl });
-          allServersWithUrls.push({ name: server.name, sourceUrl: resolvedUrl, hasAudit: false });
+          allServersWithUrls.push({ name: server.name, sourceUrl: resolvedUrl, localDir: server.localDir, pyPackage: server.pyPackage, npmPackage: server.npmPackage, hasAudit: false });
+        } else if (server.localDir || server.pyPackage || server.npmPackage) {
+          console.log(`${pipe}  ${c.yellow}⚠ not audited${c.reset}  ${c.dim}${server.localDir ? 'local install found' : 'package registry available'} — will scan${c.reset}`);
+          allServersWithUrls.push({ name: server.name, sourceUrl: null, localDir: server.localDir, pyPackage: server.pyPackage, npmPackage: server.npmPackage, hasAudit: false });
         } else {
           console.log(`${pipe}  ${c.yellow}⚠ not audited${c.reset}  ${c.dim}Source URL unknown — check the package's GitHub/npm page${c.reset}`);
         }
@@ -1550,43 +2285,131 @@ async function discoverCommand(options = {}) {
   }
   // Summary
-  console.log(`${c.dim}${'─'.repeat(60)}${c.reset}`);
-  console.log(`  ${c.bold}Summary${c.reset}  ${totalServers} server${totalServers !== 1 ? 's' : ''} across ${configs.length} config${configs.length !== 1 ? 's' : ''}`);
+  console.log(sectionHeader(`Summary — ${totalServers} server${totalServers !== 1 ? 's' : ''} across ${configs.length} config${configs.length !== 1 ? 's' : ''}`));
   console.log();
   if (auditedServers > 0) console.log(`  ${icons.safe}  ${c.green}${auditedServers} audited${c.reset}`);
   if (unauditedServers > 0) console.log(`  ${icons.caution}  ${c.yellow}${unauditedServers} not audited${c.reset}`);
+  if (totalServers > 0) {
+    console.log();
+    console.log(`  ${coverageBar(auditedServers, totalServers)}`);
+  }
   console.log();
-  // --scan: automatically scan all servers with resolved source URLs (git-cloneable only)
+  // ── Skill Discovery ──────────────────────────────────
+  const skills = findSkills();
+  if (skills.length > 0) {
+    console.log(sectionHeader(`Skills — ${skills.length} found`));
+    console.log();
+    // Group by source
+    const bySource = {};
+    for (const skill of skills) {
+      (bySource[skill.source] || (bySource[skill.source] = [])).push(skill);
+    }
+    for (const [source, sourceSkills] of Object.entries(bySource)) {
+      console.log(`${icons.bullet}  ${c.bold}${source}${c.reset}`);
+      console.log();
+      for (let i = 0; i < sourceSkills.length; i++) {
+        const skill = sourceSkills[i];
+        const isLast = i === sourceSkills.length - 1;
+        const branch = isLast ? icons.treeLast : icons.tree;
+        const pipe = isLast ? '   ' : `${icons.pipe}  `;
+        const { errors, warnings, info } = skill.validation;
+        const name = info.name || skill.dirName;
+        const hasErrors = errors.length > 0;
+        const hasWarnings = warnings.length > 0;
+        // Status indicator
+        let status;
+        if (hasErrors) status = `${c.red}✖ ${errors.length} error${errors.length !== 1 ? 's' : ''}${c.reset}`;
+        else if (hasWarnings) status = `${c.yellow}⚠ ${warnings.length} warning${warnings.length !== 1 ? 's' : ''}${c.reset}`;
+        else status = `${c.green}✔ valid${c.reset}`;
+        console.log(`${branch}  ${c.bold}${name}${c.reset}    ${status}`);
+        // Description (truncated)
+        if (info.description) {
+          const desc = info.description.length > 70 ? info.description.slice(0, 67) + '...' : info.description;
+          console.log(`${pipe}  ${c.dim}${desc}${c.reset}`);
+        }
+        // MCP tool references
+        if (info.mcpServers && info.mcpServers.length > 0) {
+          const serverList = info.mcpServers.map(s => `${c.cyan}${s}${c.reset}`).join(', ');
+          console.log(`${pipe}  ${c.dim}uses MCP:${c.reset} ${serverList}`);
+        }
+        // Allowed tools summary
+        if (info.allowedTools === null) {
+          console.log(`${pipe}  ${c.yellow}⚠ no allowed-tools — unrestricted access${c.reset}`);
+        } else if (info.allowedTools && info.allowedTools.length > 0) {
+          const toolCount = info.allowedTools.length;
+          console.log(`${pipe}  ${c.dim}${toolCount} allowed tool${toolCount !== 1 ? 's' : ''}${c.reset}`);
+        }
+        // Show errors/warnings inline
+        if (hasErrors) {
+          for (const err of errors.slice(0, 3)) {
+            console.log(`${pipe}  ${c.red}  ✖ ${err}${c.reset}`);
+          }
+        }
+        if (hasWarnings && !hasErrors) {
+          for (const warn of warnings.slice(0, 2)) {
+            console.log(`${pipe}  ${c.yellow}  ⚠ ${warn}${c.reset}`);
+          }
+        }
+      }
+      console.log();
+    }
+  }
+  // --scan: automatically scan all servers (git clone + local fallback)
   if (autoScan) {
     const isCloneable = (url) => /^https?:\/\/(github\.com|gitlab\.com|bitbucket\.org)\//i.test(url);
-    const scanTargets = allServersWithUrls.filter(s => s.sourceUrl && isCloneable(s.sourceUrl));
-    // Deduplicate by sourceUrl
+    // Include servers that are cloneable OR have a local dir OR a known package
+    const scanTargets = allServersWithUrls.filter(s =>
+      (s.sourceUrl && isCloneable(s.sourceUrl)) || s.localDir || s.pyPackage || s.npmPackage
+    );
+    // Deduplicate by sourceUrl or localDir
     const seen = new Set();
     const dedupedTargets = scanTargets.filter(s => {
-      if (seen.has(s.sourceUrl)) return false;
-      seen.add(s.sourceUrl);
+      const key = (s.sourceUrl && isCloneable(s.sourceUrl)) ? s.sourceUrl : s.localDir;
+      if (!key || seen.has(key)) return false;
+      seen.add(key);
       return true;
     });
-    const skipped = allServersWithUrls.filter(s => s.sourceUrl && !isCloneable(s.sourceUrl));
+    const skippedCount = allServersWithUrls.length - scanTargets.length;
     if (dedupedTargets.length > 0) {
-      console.log(`${c.dim}${'─'.repeat(60)}${c.reset}`);
-      console.log(`  ${c.bold}${icons.scan}  Auto-scanning ${dedupedTargets.length} server${dedupedTargets.length !== 1 ? 's' : ''}...${c.reset}`);
-      if (skipped.length > 0) {
-        console.log(`  ${c.dim}(${skipped.length} skipped — no cloneable source URL)${c.reset}`);
+      console.log(sectionHeader(`Auto-scanning ${dedupedTargets.length} server${dedupedTargets.length !== 1 ? 's' : ''}`));
+      console.log(`  ${c.bold}${icons.scan}  Starting scans...${c.reset}`);
+      if (skippedCount > 0) {
+        console.log(`  ${c.dim}(${skippedCount} skipped — remote-only, no local source)${c.reset}`);
       }
       console.log();
       const scanResults = [];
       for (const target of dedupedTargets) {
-        const result = await scanRepo(target.sourceUrl);
+        let result = null;
+        // Try git clone first if URL is cloneable
+        if (target.sourceUrl && isCloneable(target.sourceUrl)) {
+          result = await scanRepo(target.sourceUrl);
+        }
+        // Fallback 1: scan local installation
+        if (!result && target.localDir) {
+          result = await scanLocalDir(target.localDir, target.name);
+        }
+        // Fallback 2: download from PyPI/npm and scan
+        if (!result && (target.pyPackage || target.npmPackage)) {
+          result = await downloadAndScan(target);
+        }
         if (result) scanResults.push({ ...result, serverName: target.name });
       }
       if (scanResults.length > 1) {
         // Print combined scan summary
-        console.log(`${c.dim}${'─'.repeat(60)}${c.reset}`);
-        console.log(`  ${c.bold}Scan Summary${c.reset}  ${scanResults.length} server${scanResults.length !== 1 ? 's' : ''} scanned`);
+        console.log(sectionHeader(`Scan Summary — ${scanResults.length} server${scanResults.length !== 1 ? 's' : ''} scanned`));
         console.log();
         let totalFindings = 0;
@@ -1673,7 +2496,7 @@ async function discoverCommand(options = {}) {
   }
   if (!autoScan && !interactiveAudit && !jsonMode) {
-    console.log(`  ${c.dim}Looking for general package scanning? Try ${c.cyan}pip audit${c.dim} or ${c.cyan}npm audit${c.dim}.${c.reset}`);
+    console.log(`  ${c.dim}Run ${c.cyan}agentaudit discover --quick${c.dim} to auto-scan all servers${c.reset}`);
     console.log();
   }
 }
@@ -1695,7 +2518,7 @@ async function auditRepo(url) {
   console.log();
   // Step 1: Clone
-  process.stdout.write(`  ${c.dim}[1/4]${c.reset} Cloning repository...`);
+  process.stdout.write(`  ${stepProgress(1, 4)} Cloning repository...`);
   const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'agentaudit-'));
   const repoPath = path.join(tmpDir, 'repo');
   try {
@@ -1710,12 +2533,12 @@ async function auditRepo(url) {
   }
   // Step 2: Collect files
-  process.stdout.write(`  ${c.dim}[2/4]${c.reset} Collecting source files...`);
+  process.stdout.write(`  ${stepProgress(2, 4)} Collecting source files...`);
   const files = collectFiles(repoPath);
   console.log(` ${c.green}${files.length} files${c.reset}`);
   // Step 3: Build audit payload
-  process.stdout.write(`  ${c.dim}[3/4]${c.reset} Preparing audit payload...`);
+  process.stdout.write(`  ${stepProgress(3, 4)} Preparing audit payload...`);
   const auditPrompt = loadAuditPrompt();
   let codeBlock = '';
@@ -1788,7 +2611,7 @@ async function auditRepo(url) {
   // We have an API key — run LLM audit
   const modelLabel = modelOverride ? `${activeProvider} → ${activeLlm.model}` : activeProvider;
-  process.stdout.write(`  ${c.dim}[4/4]${c.reset} Running LLM analysis ${c.dim}(${modelLabel})${c.reset}...`);
+  process.stdout.write(`  ${stepProgress(4, 4)} Running LLM analysis ${c.dim}(${modelLabel})${c.reset}...`);
   const systemPrompt = auditPrompt || 'You are a security auditor. Analyze the code and report findings as JSON.';
   const userMessage = [
@@ -2002,17 +2825,26 @@ async function auditRepo(url) {
   // Display results
   console.log();
   const riskScore = report.risk_score || 0;
-  console.log(`  ${riskBadge(riskScore)} Risk ${riskScore}/100  ${c.bold}${report.result || 'unknown'}${c.reset}`);
+  console.log(sectionHeader('Result'));
+  console.log(`  ${riskBadge(riskScore)}`);
   console.log();
   if (report.findings && report.findings.length > 0) {
-    console.log(`  ${c.bold}Findings (${report.findings.length})${c.reset}`);
+    console.log(sectionHeader(`Findings (${report.findings.length})`));
     console.log();
     for (const f of report.findings) {
       const sc = severityColor(f.severity);
-      console.log(`  ${severityIcon(f.severity)} ${sc}${(f.severity || '').toUpperCase().padEnd(8)}${c.reset} ${f.title}`);
-      if (f.file) console.log(`    ${c.dim}${f.file}${f.line ? ':' + f.line : ''}${c.reset}`);
-      if (f.description) console.log(`    ${c.dim}${f.description.slice(0, 120)}${c.reset}`);
+      console.log(`  ${sc}┃${c.reset} ${sc}${(f.severity || '').toUpperCase().padEnd(8)}${c.reset}  ${c.bold}${f.title}${c.reset}`);
+      if (f.file) console.log(`  ${sc}┃${c.reset}           ${c.dim}${f.file}${f.line ? ':' + f.line : ''}${c.reset}`);
+      if (f.description) console.log(`  ${sc}┃${c.reset}           ${c.dim}${f.description.slice(0, 120)}${c.reset}`);
+      console.log();
+    }
+    // Severity histogram
+    const histLines = severityHistogram(report.findings);
+    if (histLines.length > 1) {
+      console.log(sectionHeader('Severity'));
+      for (const line of histLines) console.log(line);
       console.log();
     }
   } else {
@@ -2247,7 +3079,7 @@ function renderLeaderboardTab(data, width, opts = {}) {
   }
   const maxPts = leaderboard[0]?.total_points || 1;
-  const medals = ['🥇', '🥈', '🥉'];
+  const medals = [`${c.yellow}★${c.reset}`, `${c.cyan}★${c.reset}`, `${c.magenta}★${c.reset}`];
   for (let i = 0; i < leaderboard.length; i++) {
     const entry = leaderboard[i];
@@ -2289,20 +3121,22 @@ function renderBenchmarkTab(data, width) {
   lines.push(`  ${c.bold}${fmtNum(benchmark.models.length)}${c.reset} models ${c.dim}│${c.reset} ${c.bold}${fmtNum(overview.total_reports || 0)}${c.reset} audits ${c.dim}│${c.reset} ${c.bold}${fmtNum(overview.total_findings || 0)}${c.reset} findings`);
   lines.push('');
-  // Header
-  const nameW = 28;
-  const hdr = `  ${padRight(`${c.bold}Model${c.reset}`, nameW + 9)}  ${padRight('Audits', 7)} ${padRight('Risk', 5)} ${padRight('Detection', 16)}  Severity`;
-  lines.push(hdr);
+  // Header — fixed column widths for alignment
+  const nameW = 30;
+  const auditsW = 6;
+  const riskW = 5;
+  const hdr = `  ${padRight('Model', nameW)}  ${padLeft('Audits', auditsW)}  ${padLeft('Risk', riskW)}  ${'Detection'.padEnd(14)}  Severity`;
+  lines.push(`  ${c.bold}${stripAnsi(hdr).trim()}${c.reset}`);
   lines.push(`  ${c.dim}${'─'.repeat(Math.min(width - 4, 86))}${c.reset}`);
   for (const m of benchmark.models) {
     const name = (m.audit_model || 'unknown').slice(0, nameW - 2);
-    const audits = padLeft(fmtNum(m.total_audits), 5);
+    const audits = padLeft(fmtNum(m.total_audits), auditsW);
     const riskVal = parseFloat(m.avg_risk_score) || 0;
     const riskColor = riskVal <= 20 ? c.green : riskVal <= 40 ? c.yellow : c.red;
-    const risk = `${riskColor}${padLeft(String(Math.round(riskVal)), 3)}${c.reset}`;
+    const risk = `${riskColor}${padLeft(String(Math.round(riskVal)), riskW)}${c.reset}`;
     const detection = renderGauge(m.detection_rate || 0, 100, 10);
-    // Severity as compact text instead of dots
+    // Severity as compact text
     const sev = m.severity_breakdown || {};
     const sevParts = [];
     if (sev.critical) sevParts.push(`${c.red}${sev.critical}C${c.reset}`);
@@ -2310,7 +3144,7 @@ function renderBenchmarkTab(data, width) {
     if (sev.medium) sevParts.push(`${c.yellow}${sev.medium}M${c.reset}`);
     if (sev.low) sevParts.push(`${c.blue}${sev.low}L${c.reset}`);
     const sevStr = sevParts.length > 0 ? sevParts.join(' ') : `${c.dim}—${c.reset}`;
-    lines.push(`  ${padRight(name, nameW)} ${audits}  ${risk}  ${detection}  ${sevStr}`);
+    lines.push(`  ${padRight(name, nameW)}  ${audits}  ${risk}  ${detection}  ${sevStr}`);
   }
   // Vulnerability landscape
@@ -2651,7 +3485,7 @@ async function leaderboardCommand(args) {
   }
   const maxPts = data[0]?.total_points || 1;
-  const medals = ['🥇', '🥈', '🥉'];
+  const medals = [`${c.yellow}★${c.reset}`, `${c.cyan}★${c.reset}`, `${c.magenta}★${c.reset}`];
   const barW = 24;
   for (let i = 0; i < data.length; i++) {
@@ -2997,7 +3831,9 @@ async function main() {
     discover: [
       `${c.bold}agentaudit discover${c.reset} [options]`,
       ``,
-      `Find MCP servers configured in your AI editors (Cursor, Claude Desktop, VS Code, Windsurf).`,
+      `Find MCP servers across 15+ AI tools (Claude Desktop, Claude Code, Cursor, VS Code,`,
+      `Windsurf, Cline, Roo Code, Amazon Q, Gemini CLI, Zed, Continue.dev, Goose, Codex CLI).`,
+      `Checks global + project-level configs on macOS, Windows, and Linux.`,
       ``,
       `${c.bold}Options:${c.reset}`,
       `  --quick, -s    Auto-scan all discovered servers (regex-based)`,
@@ -3185,6 +4021,21 @@ async function main() {
       `  agentaudit find fastmcp`,
     ],
     find: null, // alias → search
+    profile: [
+      `${c.bold}agentaudit profile${c.reset}`,
+      ``,
+      `Show your AgentAudit profile — rank, points, audit stats,`,
+      `and a link to your public profile on agentaudit.dev.`,
+      ``,
+      `Requires being logged in (run ${c.cyan}agentaudit setup${c.reset} first).`,
+      ``,
+      `${c.bold}Options:${c.reset}`,
+      `  --json          Machine-readable JSON output`,
+      ``,
+      `${c.bold}Examples:${c.reset}`,
+      `  agentaudit profile`,
+      `  agentaudit profile --json`,
+    ],
   };
   // Show subcommand help: `agentaudit help <cmd>` or `agentaudit <cmd> --help`
@@ -3231,9 +4082,10 @@ async function main() {
     console.log(`    agentaudit <command> [options]`);
     console.log();
     console.log(`  ${c.bold}SCAN & AUDIT${c.reset}`);
-    console.log(`    ${c.cyan}discover${c.reset}              Find MCP servers in your AI editors`);
+    console.log(`    ${c.cyan}discover${c.reset}              Find MCP servers & skills in your AI tools`);
     console.log(`    ${c.cyan}scan${c.reset} <url> [url...]   Quick static scan (regex, ~2s)`);
     console.log(`    ${c.cyan}audit${c.reset} <url> [url...]  Deep LLM-powered security audit (~30s)`);
+    console.log(`    ${c.cyan}validate${c.reset} [path]       Validate SKILL.md format & security`);
     console.log(`    ${c.cyan}lookup${c.reset} <name>         Look up package in registry`);
     console.log();
     console.log(`  ${c.bold}COMMUNITY${c.reset}`);
@@ -3247,6 +4099,7 @@ async function main() {
     console.log(`    ${c.cyan}model${c.reset}                 Configure LLM provider + model`);
     console.log(`    ${c.cyan}setup${c.reset}                 Log in to agentaudit.dev (for report uploads)`);
     console.log(`    ${c.cyan}status${c.reset}                Show current config + auth status`);
+    console.log(`    ${c.cyan}profile${c.reset}               Your profile — rank, points, audit stats`);
     console.log();
     console.log(`  ${c.bold}FLAGS${c.reset}`);
     console.log(`    ${c.dim}--json             Machine-readable JSON output${c.reset}`);
@@ -3405,6 +4258,103 @@ async function main() {
     return;
   }
+  if (command === 'profile') {
+    const creds = loadCredentials();
+    if (!creds) {
+      console.log(`  ${c.yellow}Not logged in.${c.reset}`);
+      console.log(`  ${c.dim}Run ${c.cyan}agentaudit setup${c.dim} to link your API key.${c.reset}`);
+      console.log();
+      return;
+    }
+    const agentName = creds.agent_name || 'unknown';
+    console.log(`  ${c.bold}Profile${c.reset}  ${c.cyan}${agentName}${c.reset}`);
+    console.log();
+    try {
+      process.stdout.write(`  ${c.dim}Fetching profile data...${c.reset}`);
+      const [agentRes, lbRes] = await Promise.all([
+        fetch(`${REGISTRY_URL}/api/agents/${encodeURIComponent(agentName)}`, {
+          headers: { 'Authorization': `Bearer ${creds.api_key}` },
+          signal: AbortSignal.timeout(10_000),
+        }).then(r => r.ok ? r.json() : null),
+        fetch(`${REGISTRY_URL}/api/leaderboard?limit=100`, {
+          signal: AbortSignal.timeout(10_000),
+        }).then(r => r.ok ? r.json() : null),
+      ]);
+      process.stdout.write('\r\x1b[K');
+      if (!agentRes) {
+        console.log(`  ${c.yellow}Could not fetch profile data.${c.reset}`);
+        console.log(`  ${c.dim}Your account may not have submitted any audits yet.${c.reset}`);
+        console.log();
+        console.log(`  ${c.dim}Web profile: ${c.cyan}${REGISTRY_URL}/profile${c.reset}`);
+        console.log();
+        return;
+      }
+      let rank = null;
+      if (Array.isArray(lbRes)) {
+        const idx = lbRes.findIndex(e => e.agent_name === agentName);
+        if (idx >= 0) rank = idx + 1;
+      }
+      // Update cache
+      saveProfileCache({
+        agent_name: agentName,
+        rank,
+        total_points: agentRes.total_points || 0,
+        total_reports: agentRes.total_reports || 0,
+      });
+      if (jsonMode) {
+        console.log(JSON.stringify({
+          agent_name: agentName,
+          rank: rank ? { position: rank, total: lbRes?.length || 0 } : null,
+          total_points: agentRes.total_points || 0,
+          total_reports: agentRes.total_reports || 0,
+          total_findings_submitted: agentRes.total_findings_submitted || 0,
+          total_findings_confirmed: agentRes.total_findings_confirmed || 0,
+          profile_url: `${REGISTRY_URL}/profile`,
+        }, null, 2));
+        return;
+      }
+      const boxW = 44;
+      const rankStr = rank ? `#${rank} of ${lbRes.length}` : '—';
+      const pts = agentRes.total_points || 0;
+      const audits = agentRes.total_reports || 0;
+      const findingsSubmitted = agentRes.total_findings_submitted || 0;
+      const findingsConfirmed = agentRes.total_findings_confirmed || 0;
+      const ptsBar = renderBar(pts, Math.max(pts, 1000), boxW - 16);
+      const contentLines = [
+        '',
+        `${c.bold}${c.cyan}${agentName}${c.reset}${' '.repeat(Math.max(1, boxW - 6 - agentName.length - rankStr.length))}${c.bold}${rankStr}${c.reset}`,
+        '',
+        `Points      ${c.bold}${padLeft(fmtNum(pts), 8)}${c.reset}`,
+        `Audits      ${c.bold}${padLeft(fmtNum(audits), 8)}${c.reset}`,
+        `Findings    ${c.bold}${padLeft(fmtNum(findingsSubmitted), 8)}${c.reset}  ${c.dim}(${fmtNum(findingsConfirmed)} confirmed)${c.reset}`,
+        '',
+        ptsBar,
+        '',
+        `${c.dim}${REGISTRY_URL}/profile${c.reset}`,
+        `${c.dim}Key: ${creds.api_key.slice(0, 12)}...${c.reset}`,
+        '',
+      ];
+      const boxLines = drawBox('Profile', contentLines, boxW + 4);
+      for (const line of boxLines) console.log(line);
+      console.log();
+    } catch (err) {
+      process.stdout.write('\r\x1b[K');
+      console.log(`  ${c.yellow}Failed to fetch profile: ${err.message}${c.reset}`);
+      console.log();
+      console.log(`  ${c.dim}Web profile: ${c.cyan}${REGISTRY_URL}/profile${c.reset}`);
+      console.log();
+    }
+    return;
+  }
   if (command === 'model') {
     const newModel = targets.filter(t => !t.startsWith('--'))[0];
     const config = loadLlmConfig();
@@ -3568,6 +4518,124 @@ async function main() {
     return;
   }
+  if (command === 'validate') {
+    const paths = targets.filter(t => !t.startsWith('--'));
+    // If no path given, find all skills and validate them
+    if (paths.length === 0) {
+      const skills = findSkills();
+      if (skills.length === 0) {
+        console.log(`  ${c.yellow}No SKILL.md files found${c.reset}`);
+        console.log(`  ${c.dim}Searched: ~/.claude/skills/, ~/.cursor/skills/, .claude/skills/, .cursor/skills/${c.reset}`);
+        console.log();
+        console.log(`  ${c.dim}Usage: ${c.cyan}agentaudit validate [path/to/SKILL.md]${c.reset}`);
+        return;
+      }
+      console.log(`  ${c.bold}Validating ${skills.length} skill${skills.length !== 1 ? 's' : ''}${c.reset}`);
+      console.log();
+      let totalErrors = 0;
+      let totalWarnings = 0;
+      for (const skill of skills) {
+        const { errors, warnings, info } = skill.validation;
+        totalErrors += errors.length;
+        totalWarnings += warnings.length;
+        const name = info.name || skill.dirName;
+        const hasErrors = errors.length > 0;
+        const hasWarnings = warnings.length > 0;
+        if (hasErrors) {
+          console.log(`  ${c.red}✖${c.reset} ${c.bold}${name}${c.reset}  ${c.dim}${skill.path}${c.reset}`);
+          for (const err of errors) console.log(`    ${c.red}✖ ${err}${c.reset}`);
+          for (const warn of warnings) console.log(`    ${c.yellow}⚠ ${warn}${c.reset}`);
+        } else if (hasWarnings) {
+          console.log(`  ${c.yellow}⚠${c.reset} ${c.bold}${name}${c.reset}  ${c.dim}${skill.path}${c.reset}`);
+          for (const warn of warnings) console.log(`    ${c.yellow}⚠ ${warn}${c.reset}`);
+        } else {
+          console.log(`  ${c.green}✔${c.reset} ${c.bold}${name}${c.reset}  ${c.dim}${skill.path}${c.reset}`);
+        }
+        // Show MCP references
+        if (info.mcpServers && info.mcpServers.length > 0) {
+          console.log(`    ${c.dim}MCP servers: ${info.mcpServers.join(', ')}${c.reset}`);
+        }
+        if (info.allowedTools === null) {
+          console.log(`    ${c.yellow}⚠ no allowed-tools — unrestricted tool access${c.reset}`);
+        }
+        console.log();
+      }
+      // Summary
+      console.log(sectionHeader('Validation Summary'));
+      console.log();
+      if (totalErrors === 0 && totalWarnings === 0) {
+        console.log(`  ${c.green}✔ All ${skills.length} skills valid${c.reset}`);
+      } else {
+        if (totalErrors > 0) console.log(`  ${c.red}✖ ${totalErrors} error${totalErrors !== 1 ? 's' : ''}${c.reset}`);
+        if (totalWarnings > 0) console.log(`  ${c.yellow}⚠ ${totalWarnings} warning${totalWarnings !== 1 ? 's' : ''}${c.reset}`);
+      }
+      console.log();
+      if (jsonMode) {
+        console.log(JSON.stringify(skills.map(s => ({
+          name: s.validation.info.name || s.dirName,
+          path: s.path,
+          source: s.source,
+          errors: s.validation.errors,
+          warnings: s.validation.warnings,
+          mcpServers: s.validation.info.mcpServers,
+          allowedTools: s.validation.info.allowedTools,
+        })), null, 2));
+      }
+      process.exitCode = totalErrors > 0 ? 1 : 0;
+      return;
+    }
+    // Validate specific file(s)
+    for (const p of paths) {
+      const resolved = path.resolve(p);
+      if (!fs.existsSync(resolved)) {
+        console.log(`  ${c.red}✖ File not found: ${p}${c.reset}`);
+        process.exitCode = 1;
+        continue;
+      }
+      const content = fs.readFileSync(resolved, 'utf8');
+      const parsed = parseSkillFrontmatter(content);
+      const { errors, warnings, info } = validateSkill(parsed);
+      const name = info.name || path.basename(path.dirname(resolved));
+      console.log(`  ${c.bold}${name}${c.reset}  ${c.dim}${resolved}${c.reset}`);
+      console.log();
+      if (errors.length === 0 && warnings.length === 0) {
+        console.log(`  ${c.green}✔ Valid skill format${c.reset}`);
+      }
+      for (const err of errors) console.log(`  ${c.red}✖ ${err}${c.reset}`);
+      for (const warn of warnings) console.log(`  ${c.yellow}⚠ ${warn}${c.reset}`);
+      if (info.name) console.log(`  ${c.dim}name:${c.reset} ${info.name}`);
+      if (info.description) console.log(`  ${c.dim}description:${c.reset} ${info.description.slice(0, 80)}${info.description.length > 80 ? '...' : ''}`);
+      if (info.allowedTools) console.log(`  ${c.dim}allowed-tools:${c.reset} ${info.allowedTools.join(', ')}`);
+      else if (info.allowedTools === null) console.log(`  ${c.yellow}allowed-tools: none (unrestricted)${c.reset}`);
+      if (info.mcpServers?.length > 0) console.log(`  ${c.dim}MCP servers:${c.reset} ${info.mcpServers.join(', ')}`);
+      if (info.bodyLines) console.log(`  ${c.dim}body:${c.reset} ${info.bodyLines} lines`);
+      console.log();
+      if (jsonMode) {
+        console.log(JSON.stringify({ name: info.name, path: resolved, errors, warnings, info }, null, 2));
+      }
+      process.exitCode = errors.length > 0 ? 1 : 0;
+    }
+    return;
+  }
   if (command === 'discover') {
     const scanFlag = targets.includes('--quick') || targets.includes('--scan') || targets.includes('-s');
     const auditFlag = targets.includes('--deep') || targets.includes('--audit') || targets.includes('-a');