agentaudit 3.10.4 → 3.10.6

  1. package/cli.mjs +15 -2
  2. package/package.json +1 -1
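--- a/package/cli.mjs
+++ b/package/cli.mjs
@@ -1796,8 +1796,9 @@ async function auditRepo(url) {
 `After analysis, respond with ONLY a valid JSON object. No markdown fences, no explanation, no text before or after. Just the raw JSON:`,
 `{ "skill_slug": "${slug}", "source_url": "${url}", "package_type": "<mcp-server|agent-skill|library|cli-tool>",`,
 ` "risk_score": <0-100>, "result": "<safe|caution|unsafe>", "max_severity": "<none|low|medium|high|critical>",`,
-` "findings_count": <n>, "findings": [{ "id": "...", "title": "...", "severity": "...", "category": "...",`,
-` "description": "...", "file": "...", "line": <n>, "remediation": "...", "confidence": "...", "is_by_design": false }] }`,
+` "findings_count": <n>, "findings": [{ "pattern_id": "CMD_INJECT_001", "title": "...", "severity": "...", "category": "...",`,
+` "cwe_id": "CWE-78", "description": "...", "file": "...", "line": <n>, "content": "...", "remediation": "...",`,
+` "confidence": "high|medium|low", "by_design": false, "score_impact": -15 }] }`,
 ``,
 `## Source Code`,
 codeBlock,
@@ -1965,6 +1966,13 @@ async function auditRepo(url) {
 return null;
 }
 
+// Force slug from URL — never trust LLM-provided skill_slug
+report.skill_slug = slug;
+
+// Add scan metadata for benchmarking
+report.audit_duration_ms = Date.now() - start;
+report.files_scanned = files.length;
+
 // Display results
 console.log();
 const riskScore = report.risk_score || 0;
@@ -2008,7 +2016,12 @@ async function auditRepo(url) {
 console.log(` ${c.green}done${c.reset}`);
 console.log(` ${c.dim}Report: ${REGISTRY_URL}/skills/${slug}${c.reset}`);
 } else {
+let errBody = '';
+try { errBody = await res.text(); } catch {}
 console.log(` ${c.yellow}failed (HTTP ${res.status})${c.reset}`);
+if (errBody && process.argv.includes('--debug')) {
+console.log(` ${c.dim}Server: ${errBody.slice(0, 300)}${c.reset}`);
+}
 }
 } catch (err) {
 console.log(` ${c.yellow}failed${c.reset}`);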
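Review bot: The second hunk forces `report.skill_slug = slug;` because the model's output is untrusted, but `source_url`, which the prompt in the first hunk also asks the model to echo back, is still taken from the response as returned; the same rule applies, so add `report.source_url = url;` beside the slug assignment. `start` and `files` are not declared in the hunk, so they presumably come from earlier in auditRepo, which starts and ends outside the view. In the third hunk the server's error body is written to the terminal unchanged under `--debug`, so control and escape sequences in a response would reach the terminal; strip them first, e.g. `errBody.replace(/[\x00-\x1f\x7f]/g, '')` ahead of the `.slice(0, 300)`. The `catch {}` around `res.text()` is a silent swallow; it only guards a diagnostic read, which is acceptable, but a short comment saying so (`// best-effort: body is diagnostic only`) would make that intent explicit.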
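--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "agentaudit",
-"version": "3.10.4",
+"version": "3.10.6",
 "description": "Security scanner for AI packages — MCP server + CLI",
 "type": "module",
 "bin": {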