claude-skill-antivirus 2.0.0 → 2.1.2

package/README.md

@@ -1,7 +1,18 @@
 # Claude Skill Antivirus
 
+[![npm version](https://img.shields.io/npm/v/claude-skill-antivirus.svg)](https://www.npmjs.com/package/claude-skill-antivirus)
+[![CI](https://github.com/claude-world/claude-skill-antivirus/actions/workflows/ci.yml/badge.svg)](https://github.com/claude-world/claude-skill-antivirus/actions/workflows/ci.yml)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+[![Node.js](https://img.shields.io/badge/node-%3E%3D18.0.0-brightgreen.svg)](https://nodejs.org/)
+[![Claude Code](https://img.shields.io/badge/Claude_Code-Opus_4.6-blueviolet.svg)](https://docs.anthropic.com/en/docs/claude-code)
+
+<!-- TODO: Replace with actual GIF -->
+<img src="assets/demo.gif" alt="Claude Skill Antivirus scanning a CLAUDE.md file for prompt injection" title="Demo shows: trigger scan → detect patterns → show results" />
+
 A security scanner and safe installer for Claude Code Skills. Detects malicious patterns, data exfiltration attempts, and dangerous operations before installing third-party skills.
 
+Compatible with Claude Code using Opus 4.6, Sonnet 4.6, and Haiku 4.5 models.
+
 [繁體中文說明](./README.zh-TW.md) | [SkillsMP Scan Report](./SCAN-REPORT.md)
 
 ## SkillsMP Platform Scan Results
@@ -327,6 +338,31 @@ claude-skill-antivirus/
 └── README.md
 ```
 
+## Latest Updates
+
+### v2.1.0 (2026-03-13)
+- Verified compatibility with Claude Code Opus 4.6
+- Updated documentation and metadata
+
+### v2.0.1
+- Separated capability warnings from actual threats in permission scanner
+- Fixed array format handling in `allowed-tools`
+
+### v2.0.0
+- Added 4 new scanning engines: MCP Security, SSRF, Dependency, and Sub-agent scanners (total: 9 engines)
+- Added i18n support (English + Traditional Chinese)
+- Added batch scanner for SkillsMP platform
+- Scanned all 71,577 skills on SkillsMP
+
+### v1.0.0
+- Initial release with 5 core scanning engines
+- CLI installer with interactive prompts
+
+## Related Projects
+
+- [cf-browser](https://github.com/claude-world/cf-browser) - Open-source Cloudflare Browser Rendering proxy with 9 MCP tools for Claude Code
+- [claude-world.com](https://claude-world.com) - Claude Code advanced usage community
+
 ## Contributing
 
 Contributions are welcome! Please feel free to submit issues and pull requests.
@@ -350,4 +386,5 @@ Lucas Wang <support@claude-world.com>
 ## Links
 
 - [GitHub Repository](https://github.com/claude-world/claude-skill-antivirus)
+- [npm Package](https://www.npmjs.com/package/claude-skill-antivirus)
 - [Report Issues](https://github.com/claude-world/claude-skill-antivirus/issues)

package/README.zh-TW.md

@@ -1,9 +1,17 @@
 # Claude Skill Antivirus
 
+[![npm version](https://img.shields.io/npm/v/claude-skill-antivirus.svg)](https://www.npmjs.com/package/claude-skill-antivirus)
+[![CI](https://github.com/claude-world/claude-skill-antivirus/actions/workflows/ci.yml/badge.svg)](https://github.com/claude-world/claude-skill-antivirus/actions/workflows/ci.yml)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+[![Node.js](https://img.shields.io/badge/node-%3E%3D18.0.0-brightgreen.svg)](https://nodejs.org/)
+[![Claude Code](https://img.shields.io/badge/Claude_Code-Opus_4.6-blueviolet.svg)](https://docs.anthropic.com/en/docs/claude-code)
+
 一個安全的 Claude Skills 安裝器，內建完整的惡意行為偵測引擎。
 
 **Skills Installer + Antivirus for Claude**
 
+支援 Claude Code Opus 4.6、Sonnet 4.6、Haiku 4.5 模型。
+
 [English](./README.md) | [SkillsMP 掃描報告](./SCAN-REPORT.md)
 
 ## SkillsMP 平台掃描結果
@@ -320,6 +328,31 @@ claude-skill-antivirus/
 └── README.md
 ```
 
+## 更新紀錄
+
+### v2.1.0 (2026-03-13)
+- 確認相容 Claude Code Opus 4.6
+- 更新文件與中繼資料
+
+### v2.0.1
+- 權限掃描器分離能力警告與實際威脅
+- 修復 `allowed-tools` 的陣列格式處理
+
+### v2.0.0
+- 新增 4 個掃描引擎：MCP 安全、SSRF、依賴、Sub-agent 偵測（共 9 個引擎）
+- 新增多語言支援（英文 + 繁體中文）
+- 新增 SkillsMP 批次掃描功能
+- 掃描 SkillsMP 上所有 71,577 個技能
+
+### v1.0.0
+- 首次發布，包含 5 個核心掃描引擎
+- CLI 安裝器，含互動式提示
+
+## 相關專案
+
+- [cf-browser](https://github.com/claude-world/cf-browser) - 開源 Cloudflare 瀏覽器渲染代理，提供 9 個 MCP 工具給 Claude Code 使用
+- [claude-world.com](https://claude-world.com) - Claude Code 進階使用社群
+
 ## 貢獻
 
 歡迎貢獻！請隨時提交 issues 和 pull requests。
@@ -343,4 +376,5 @@ Lucas Wang <support@claude-world.com>
 ## 連結
 
 - [GitHub Repository](https://github.com/claude-world/claude-skill-antivirus)
+- [npm 套件](https://www.npmjs.com/package/claude-skill-antivirus)
 - [回報問題](https://github.com/claude-world/claude-skill-antivirus/issues)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "claude-skill-antivirus",
-  "version": "2.0.0",
+  "version": "2.1.2",
   "description": "A secure Claude Skills installer with comprehensive malicious operation detection - Skills 安裝器 + 防毒軟體",
   "main": "src/index.js",
   "type": "module",
@@ -39,7 +39,7 @@
   ],
   "dependencies": {
     "chalk": "^5.3.0",
-    "commander": "^12.0.0",
+    "commander": "^14.0.3",
     "ora": "^8.0.1",
     "inquirer": "^9.2.12",
     "node-fetch": "^3.3.2",

package/src/index.js

@@ -14,7 +14,7 @@ const program = new Command();
 program
   .name('skill-install')
   .description('A secure Claude Skills installer with malicious operation detection')
-  .version('2.0.0');
+  .version('2.1.1');
 
 program
   .argument('<source>', 'Skill URL (SkillsMP link) or local path')

package/src/scanner/permissions.js

@@ -3,47 +3,86 @@
  */
 export class PermissionScanner {
   constructor() {
-    // Define tool risk levels
+    // Bash-specific risk patterns (checked in order, first match wins)
+    // Note: These are CAPABILITY warnings only. Actual malicious commands
+    // are detected by DangerousCommandScanner with higher severity.
+    this.bashRiskPatterns = [
+      // HIGH - Unrestricted (capability warning)
+      { pattern: /^Bash\(\*\)$/i, risk: 'high', desc: 'Unrestricted shell access (capability)' },
+
+      // MEDIUM - Potentially dangerous operations (capability warning)
+      { pattern: /^Bash\(rm[\s:]/i, risk: 'medium', desc: 'Delete operations (capability)' },
+      { pattern: /^Bash\(sudo[\s:]/i, risk: 'medium', desc: 'Sudo operations (capability)' },
+      { pattern: /^Bash\(chmod[\s:]/i, risk: 'medium', desc: 'Permission changes (capability)' },
+      { pattern: /^Bash\(chown[\s:]/i, risk: 'medium', desc: 'Ownership changes (capability)' },
+      { pattern: /^Bash\(curl[\s:]/i, risk: 'medium', desc: 'Network requests (capability)' },
+      { pattern: /^Bash\(wget[\s:]/i, risk: 'medium', desc: 'Network requests (capability)' },
+      { pattern: /^Bash\(nc[\s:]/i, risk: 'medium', desc: 'Netcat operations (capability)' },
+      { pattern: /^Bash\(ssh[\s:]/i, risk: 'medium', desc: 'SSH operations (capability)' },
+      { pattern: /^Bash\(scp[\s:]/i, risk: 'medium', desc: 'SCP operations (capability)' },
+
+      // LOW - Common dev tools with wildcards
+      { pattern: /^Bash\(git:\*\)$/i, risk: 'low', desc: 'Git operations (all)' },
+      { pattern: /^Bash\(npm:\*\)$/i, risk: 'low', desc: 'NPM operations (all)' },
+      { pattern: /^Bash\(pnpm:\*\)$/i, risk: 'low', desc: 'PNPM operations (all)' },
+      { pattern: /^Bash\(yarn:\*\)$/i, risk: 'low', desc: 'Yarn operations (all)' },
+      { pattern: /^Bash\(pip:\*\)$/i, risk: 'low', desc: 'PIP operations (all)' },
+      { pattern: /^Bash\(gh:\*\)$/i, risk: 'low', desc: 'GitHub CLI (all)' },
+      { pattern: /^Bash\(docker:\*\)$/i, risk: 'low', desc: 'Docker operations (all)' },
+      { pattern: /^Bash\(make:\*\)$/i, risk: 'low', desc: 'Make operations (all)' },
+
+      // INFO - Specific safe commands (just informational)
+      { pattern: /^Bash\(git\s+status\)/i, risk: 'info', desc: 'Git status (read-only)' },
+      { pattern: /^Bash\(git\s+log\)/i, risk: 'info', desc: 'Git log (read-only)' },
+      { pattern: /^Bash\(git\s+diff\)/i, risk: 'info', desc: 'Git diff (read-only)' },
+      { pattern: /^Bash\(git\s+branch\)/i, risk: 'info', desc: 'Git branch (read-only)' },
+      { pattern: /^Bash\(npm\s+test\)/i, risk: 'info', desc: 'NPM test' },
+      { pattern: /^Bash\(npm\s+run\)/i, risk: 'info', desc: 'NPM run script' },
+      { pattern: /^Bash\(ls[\s\)]/i, risk: 'info', desc: 'List directory' },
+      { pattern: /^Bash\(pwd\)/i, risk: 'info', desc: 'Print working directory' },
+      { pattern: /^Bash\(echo[\s\)]/i, risk: 'info', desc: 'Echo command' },
+      { pattern: /^Bash\(cat[\s\)]/i, risk: 'info', desc: 'Cat file (read)' },
+
+      // LOW - Other Bash with specific scope (has parentheses but not matched above)
+      { pattern: /^Bash\([^)]+\)$/i, risk: 'low', desc: 'Bash with specific scope' },
+
+      // MEDIUM - Bare "Bash" without scope (unspecified)
+      { pattern: /^Bash$/i, risk: 'medium', desc: 'Unscoped Bash access (capability)' },
+    ];
+
+    // Define tool risk levels (non-Bash tools)
+    // Note: These are CAPABILITY warnings only - lower severity than actual malicious content
     this.toolRiskLevels = {
-      // Critical risk tools - can execute arbitrary code
-      critical: [
-        'Bash(*)',           // Unrestricted bash access
-        'Bash',              // General bash (depends on context)
-        'Execute',
-        'Shell',
-        'Terminal'
-      ],
+      // Critical - reserved for actual malicious content (not capabilities)
+      critical: [],
 
-      // High risk tools - can access sensitive data or make changes
+      // High risk capabilities - unrestricted execution
       high: [
+        'Execute',           // Arbitrary code execution
+        'Shell',             // Shell access
+        'Terminal'           // Terminal access
+      ],
+
+      // Medium risk capabilities - can make changes
+      medium: [
         'Write',             // Can write to any file
         'Edit',              // Can modify any file
-        'Delete',
-        'Bash(rm:*)',        // Delete operations
-        'Bash(chmod:*)',     // Permission changes
-        'Bash(chown:*)',     // Ownership changes
-        'Bash(sudo:*)',      // Sudo operations
-        'Bash(curl:*)',      // Network requests
-        'Bash(wget:*)',      // Download operations
+        'Delete',            // Can delete files
         'WebFetch',          // External web requests
         'mcp_*'              // MCP tools (depends on implementation)
       ],
 
-      // Medium risk tools - limited but notable access
-      medium: [
+      // Low risk capabilities - read/discover
+      low: [
         'Read',              // Can read files
         'Glob',              // Can discover files
         'Grep',              // Can search file contents
-        'Bash(git:*)',       // Git operations
-        'Bash(npm:*)',       // NPM operations
-        'Bash(pip:*)',       // PIP operations
-        'Bash(gh:*)',        // GitHub CLI
         'Task',              // Can spawn sub-agents
         'TodoWrite'          // Task management
       ],
 
-      // Low risk tools
-      low: [
+      // Info - safe tools
+      info: [
         'Read(*)',           // Read with specific patterns
         'Glob(*)',           // Limited glob patterns
         'AskUser',
@@ -51,49 +90,49 @@ export class PermissionScanner {
       ]
     };
 
-    // Dangerous tool combinations
+    // Dangerous tool combinations (capability warnings - not actual threats)
     this.dangerousCombinations = [
       {
         tools: ['Bash', 'Write'],
-        risk: 'high',
-        reason: 'Can execute commands and persist malicious files'
+        risk: 'medium',
+        reason: 'Can execute commands and persist files (capability)'
       },
       {
         tools: ['Read', 'WebFetch'],
-        risk: 'high',
-        reason: 'Can read sensitive data and exfiltrate via network'
+        risk: 'medium',
+        reason: 'Can read data and send via network (capability)'
       },
       {
         tools: ['Bash(curl:*)', 'Bash'],
-        risk: 'critical',
-        reason: 'Can download and execute remote code'
+        risk: 'high',
+        reason: 'Can download and execute remote code (capability)'
       },
       {
         tools: ['Glob', 'Read', 'Bash(curl:*)'],
-        risk: 'high',
-        reason: 'Can discover, read, and exfiltrate files'
+        risk: 'medium',
+        reason: 'Can discover, read, and send files (capability)'
       }
     ];
 
-    // Overly permissive patterns
+    // Overly permissive patterns (capability warnings)
     this.overlyPermissivePatterns = [
       {
         pattern: /Bash\(\*\)/i,
-        risk: 'critical',
-        title: 'Unrestricted Bash access',
-        description: 'Skill has unrestricted shell access - can execute any command'
+        risk: 'high',
+        title: 'Unrestricted Bash access (capability)',
+        description: 'Skill declares unrestricted shell access'
       },
       {
         pattern: /Bash\([^)]*\*[^)]*\)/i,
-        risk: 'high',
-        title: 'Wildcard Bash permissions',
-        description: 'Bash permissions use wildcards - overly broad access'
+        risk: 'medium',
+        title: 'Wildcard Bash permissions (capability)',
+        description: 'Bash permissions use wildcards'
       },
       {
         pattern: /\*/g,
-        risk: 'medium',
+        risk: 'low',
         title: 'Wildcard in tool permissions',
-        description: 'Wildcards in permissions may grant broader access than necessary'
+        description: 'Wildcards in permissions may grant broader access'
       }
     ];
   }
@@ -173,16 +212,58 @@ export class PermissionScanner {
   }
 
   parseToolString(toolStr) {
-    return toolStr
-      .split(/[,;]/)
-      .map(t => t.trim())
-      .filter(t => t.length > 0);
+    // Handle undefined/null
+    if (!toolStr) {
+      return [];
+    }
+
+    // Handle array format (YAML list)
+    if (Array.isArray(toolStr)) {
+      return toolStr
+        .flatMap(t => typeof t === 'string' ? t.split(/[,;]/) : [])
+        .map(t => t.trim())
+        .filter(t => t.length > 0);
+    }
+
+    // Handle string format
+    if (typeof toolStr === 'string') {
+      return toolStr
+        .split(/[,;]/)
+        .map(t => t.trim())
+        .filter(t => t.length > 0);
+    }
+
+    // Unknown format, return empty
+    return [];
   }
 
   analyzeToolRisk(tool, findings) {
     const normalizedTool = tool.trim();
 
-    // Check each risk level
+    // Special handling for Bash tools - use pattern matching
+    if (normalizedTool.toLowerCase().startsWith('bash')) {
+      for (const { pattern, risk, desc } of this.bashRiskPatterns) {
+        if (pattern.test(normalizedTool)) {
+          findings[risk].push({
+            title: `${risk.toUpperCase()} risk tool: ${normalizedTool}`,
+            description: desc,
+            location: 'allowed-tools',
+            scanner: 'PermissionScanner'
+          });
+          return; // First match wins
+        }
+      }
+      // No pattern matched - treat as medium (unknown Bash variant)
+      findings.medium.push({
+        title: `MEDIUM risk tool: ${normalizedTool}`,
+        description: 'Bash tool with unknown scope',
+        location: 'allowed-tools',
+        scanner: 'PermissionScanner'
+      });
+      return;
+    }
+
+    // Non-Bash tools - check each risk level
     for (const [riskLevel, tools] of Object.entries(this.toolRiskLevels)) {
       for (const riskTool of tools) {
         if (this.toolMatches(normalizedTool, riskTool)) {
@@ -200,8 +281,10 @@ export class PermissionScanner {
             findings.high.push(finding);
           } else if (riskLevel === 'medium') {
             findings.medium.push(finding);
-          } else {
+          } else if (riskLevel === 'low') {
             findings.low.push(finding);
+          } else {
+            findings.info.push(finding);
           }
           return; // Found the risk level, stop checking
         }

package/src/utils/downloader.js

@@ -171,6 +171,22 @@ ${description}
   }
 
   async fetchFromGitHub(url) {
+    // If URL points to a repo root (no file path), try SKILL.md on default branch
+    const repoRootMatch = url.match(/^https?:\/\/github\.com\/([^/]+)\/([^/]+)\/?$/);
+    if (repoRootMatch) {
+      const [, owner, repo] = repoRootMatch;
+      // Try common default branches
+      for (const branch of ['main', 'master']) {
+        const rawUrl = `https://raw.githubusercontent.com/${owner}/${repo}/${branch}/SKILL.md`;
+        const response = await fetch(rawUrl);
+        if (response.ok) {
+          const content = await response.text();
+          return this.parseSkillMd(content, url);
+        }
+      }
+      throw new Error(`No SKILL.md found at ${url} (tried main and master branches)`);
+    }
+
     // Convert GitHub URL to raw content URL
     const rawUrl = this.convertToGitHubRaw(url);