guard-scanner 1.0.0 → 1.1.1

package/README.md

@@ -2,17 +2,25 @@
   <h1 align="center">🛡️ guard-scanner</h1>
   <p align="center">
     <strong>Static security scanner for AI agent skills</strong><br>
-    Detect prompt injection, credential theft, exfiltration, identity hijacking, and 14 more threat categories.
+    Detect prompt injection, credential theft, exfiltration, identity hijacking, and 17 more threat categories.<br>
+    <sub>Runtime Guard hook included — pending <a href="https://github.com/openclaw/openclaw/issues/18677">OpenClaw hook API adoption</a></sub>
   </p>
   <p align="center">
     <a href="LICENSE"><img src="https://img.shields.io/badge/license-MIT-blue.svg" alt="MIT License"></a>
     <img src="https://img.shields.io/badge/node-%3E%3D18.0.0-brightgreen" alt="Node.js 18+">
     <img src="https://img.shields.io/badge/dependencies-0-success" alt="Zero Dependencies">
-    <img src="https://img.shields.io/badge/tests-45%2F45-brightgreen" alt="Tests Passing">
-    <img src="https://img.shields.io/badge/patterns-170%2B-orange" alt="170+ Patterns">
+    <img src="https://img.shields.io/badge/tests-55%2F55-brightgreen" alt="Tests Passing">
+    <img src="https://img.shields.io/badge/patterns-186-orange" alt="186 Patterns">
+    <img src="https://img.shields.io/badge/categories-20-blueviolet" alt="20 Categories">
   </p>
 </p>
 
+<p align="center">
+  <img src="docs/html-report-preview.png" alt="guard-scanner HTML Report Preview" width="800">
+  <br>
+  <em>Dark Glassmorphism Dashboard — Risk gauges, severity distribution, interactive skill cards</em>
+</p>
+
 ---
 
 ## Why This Exists
@@ -32,11 +40,14 @@ The AI agent skill ecosystem has the same supply-chain security problem that npm
 
 | Feature | Description |
 |---|---|
-| **17 Threat Categories** | Snyk ToxicSkills taxonomy + OWASP MCP Top 10 + Identity Hijacking |
-| **170+ Detection Patterns** | Regex-based static analysis covering code, docs, and data files |
+| **20 Threat Categories** | Snyk ToxicSkills + OWASP MCP Top 10 + Identity Hijacking + Sandbox/Complexity/Config |
+| **186 Detection Patterns** | Regex-based static analysis covering code, docs, and data files |
 | **IoC Database** | Known malicious IPs, domains, URLs, usernames, and typosquat names |
 | **Data Flow Analysis** | Lightweight JS analysis: secret reads → network calls → exec chains |
 | **Cross-File Analysis** | Phantom references, base64 fragment assembly, multi-file exfil detection |
+| **Manifest Validation** | SKILL.md frontmatter analysis for dangerous capabilities |
+| **Code Complexity** | File length, nesting depth, eval/exec density analysis |
+| **Config Impact** | Detects modifications to OpenClaw configuration files |
 | **Shannon Entropy** | High-entropy string detection for leaked secrets and API keys |
 | **Dependency Chain Scan** | Risky packages, lifecycle scripts, wildcard versions, git dependencies |
 | **4 Output Formats** | Terminal (with colors), JSON, [SARIF 2.1.0](https://sarifweb.azurewebsites.net), HTML dashboard |
@@ -80,11 +91,13 @@ openclaw skill install guard-scanner
 guard-scanner ~/.openclaw/workspace/skills/ --self-exclude --verbose
 ```
 
+> **⚠️ Runtime Guard (handler.ts)** — The real-time `before_tool_call` hook requires OpenClaw's Hook API ([Issue #18677](https://github.com/openclaw/openclaw/issues/18677)). The hook is registered and runs on `agent:before_tool_call` events, but OpenClaw's `InternalHookEvent` does not yet expose a cancel/veto mechanism — so **detections are warned but not blocked**. The static scanner (`npx guard-scanner`) works fully and independently.
+
 ---
 
 ## Threat Categories
 
-guard-scanner covers **17 threat categories** derived from three taxonomies:
+guard-scanner covers **20 threat categories** derived from three taxonomies:
 
 | # | Category | Based On | Severity | What It Detects |
 |---|----------|----------|----------|----------------|
@@ -105,8 +118,11 @@ guard-scanner covers **17 threat categories** derived from three taxonomies:
 | 15 | **CVE Patterns** | CVE Database | CRITICAL | CVE-2026-25253 `gatewayUrl` injection, sandbox disabling, xattr Gatekeeper bypass, WebSocket origin bypass |
 | 16 | **MCP Security** | OWASP MCP Top 10 | CRITICAL | Tool poisoning (`<IMPORTANT>`), schema poisoning (malicious defaults), token leaks, shadow server registration, SSRF metadata endpoints |
 | 17 | **Identity Hijacking** | Original Research | CRITICAL | SOUL.md/IDENTITY.md overwrite/redirect/sed/echo/Python/Node.js writes, persona swap instructions, memory wipe, name override |
+| 18 | **Sandbox Validation** | v1.1 | HIGH | Dangerous binary requirements in SKILL.md, overly broad file scope, sensitive env vars, exec/network declarations |
+| 19 | **Code Complexity** | v1.1 | MEDIUM | Excessive file length (>1000 lines), deep nesting (>5 levels), high eval/exec density |
+| 20 | **Config Impact** | v1.1 | CRITICAL | `openclaw.json` writes, exec approval bypass, exec host gateway, internal hooks modification, network wildcard |
 
-> **Category 17 (Identity Hijacking)** is unique to guard-scanner. It was developed from direct experience with a real attack where an agent's identity files were silently replaced. Detection patterns are open-source; verification logic remains private.
+> **Categories 17–20** are unique to guard-scanner. Category 17 (Identity Hijacking) was developed from a real attack. Categories 18–20 were added in v1.1.0 based on community feedback.
 
 ---
 
@@ -115,7 +131,7 @@ guard-scanner covers **17 threat categories** derived from three taxonomies:
 ### Terminal (Default)
 
 ```
-🛡️  guard-scanner v1.0.0
+🛡️  guard-scanner v1.1.0
 ══════════════════════════════════════════════════════
 📂 Scanning: ./skills/
 📦 Skills found: 22
@@ -197,6 +213,9 @@ Certain combinations multiply the base score:
 | Persistence + (malicious\|credential\|memory) | **×1.5** | Survives session restart |
 | Identity hijacking | **×2** | Core identity compromise |
 | Identity hijacking + Persistence | **min 90** | Full agent takeover |
+| Config impact | **×2** | OpenClaw configuration tampering |
+| Config impact + Sandbox violation | **min 70** | Combined config + capability abuse |
+| Complexity + Malicious code/Obfuscation | **×1.5** | Complex code hiding threats |
 | Known IoC (IP/URL/typosquat) | **= 100** | Confirmed malicious |
 
 ### Verdict Thresholds
@@ -369,13 +388,16 @@ Options:
 ```
 guard-scanner/
 ├── src/
-│   ├── scanner.js      # GuardScanner class — core scan engine
-│   ├── patterns.js     # 170+ threat detection patterns (Cat 1–17)
+│   ├── scanner.js      # GuardScanner class — core scan engine (20 checks)
+│   ├── patterns.js     # 186 threat detection patterns (Cat 1–20)
 │   ├── ioc-db.js       # Indicators of Compromise database
 │   └── cli.js          # CLI entry point and argument parser
+├── hooks/
+│   └── guard-scanner/
+│       └── handler.ts  # Runtime Guard — before_tool_call hook (experimental, pending OpenClaw API)
 ├── test/
-│   ├── scanner.test.js # 45 tests across 10 sections
-│   └── fixtures/       # Malicious + clean skill samples
+│   ├── scanner.test.js # 55 tests across 13 sections
+│   └── fixtures/       # Malicious, clean, complex, config-changer samples
 ├── package.json        # Zero dependencies, node --test
 ├── CHANGELOG.md
 ├── LICENSE             # MIT
@@ -499,11 +521,11 @@ console.log(scanner.toHTML());    // HTML string
 ## Test Results
 
 ```
-ℹ tests 45
-ℹ suites 10
-ℹ pass 45
+ℹ tests 55
+ℹ suites 13
+ℹ pass 55
 ℹ fail 0
-ℹ duration_ms 83ms
+ℹ duration_ms 115ms
 ```
 
 | Suite | Tests | Coverage |
@@ -518,6 +540,9 @@ console.log(scanner.toHTML());    // HTML string
 | Shannon Entropy | 2 | Low entropy, high entropy |
 | Ignore Functionality | 1 | Pattern exclusion |
 | Plugin API | 1 | Plugin loading + custom rule injection |
+| **Manifest Validation (v1.1)** | 4 | Dangerous bins, broad files, sensitive env, clean negatives |
+| **Complexity Metrics (v1.1)** | 2 | Deep nesting, clean negatives |
+| **Config Impact (v1.1)** | 4 | openclaw.json write, exec approval, gateway host, clean negatives |
 
 ---
 
@@ -537,7 +562,7 @@ console.log(scanner.toHTML());    // HTML string
 2. Create a feature branch (`git checkout -b feature/new-pattern`)
 3. Add your pattern to `src/patterns.js` with the required fields
 4. Add a test case in `test/fixtures/` and `test/scanner.test.js`
-5. Run `npm test` — all 45+ tests must pass
+5. Run `npm test` — all 55+ tests must pass
 6. Submit a Pull Request
 
 ### Adding a New Detection Pattern
@@ -574,6 +599,39 @@ We built one.
 
 ---
 
+## 🔒 Need More? — GuavaSuite
+
+guard-scanner catches threats **before** installation. But what happens **after** a skill is running?
+
+[**GuavaSuite**](https://github.com/koatora20) extends guard-scanner with real-time protection for production agent deployments:
+
+| | guard-scanner (OSS) | GuavaSuite (Private) |
+|---|---|---|
+| Static scan | ✅ 20 categories | ✅ 20 categories |
+| Runtime blocking | ⚠️ Warn only (cancel API pending) | ✅ Real-time `before_tool_call` guard |
+| SOUL.md integrity | Pattern detection only | ✅ SHA-256 hash watchdog |
+| On-chain verification | — | ✅ SoulChain (Polygon) |
+| Identity recovery | — | ✅ Automatic rollback |
+
+guard-scanner is and always will be **free, open-source, and zero-dependency**. If your agent handles production workloads and you want defense-in-depth, [reach out](https://github.com/koatora20).
+
+---
+
+## 💜 Sponsor This Project
+
+If guard-scanner helps protect your agents, consider sponsoring continued development:
+
+<p align="center">
+  <a href="https://github.com/sponsors/koatora20">💜 Sponsor on GitHub</a>
+</p>
+
+Sponsors help fund:
+- 🔬 New threat research and pattern updates
+- 📝 Academic paper on ASI-human coexistence security
+- 🌍 Community-driven security for the agent ecosystem
+
+---
+
 ## License
 
 MIT — see [LICENSE](LICENSE)

package/SKILL.md

@@ -3,7 +3,8 @@ name: guard-scanner
 description: >
   Security scanner for AI agent skills. Use BEFORE installing or running any new skill
   from ClawHub or external sources. Detects prompt injection, credential theft,
-  exfiltration, identity hijacking, and 14 more threat categories.
+  exfiltration, identity hijacking, sandbox violations, code complexity, config impact,
+  and 17 more threat categories.
   Includes a Runtime Guard hook that blocks dangerous tool calls in real-time.
 homepage: https://github.com/koatora20/guard-scanner
 metadata:
@@ -28,7 +29,7 @@ metadata:
 # guard-scanner 🛡️
 
 Static + runtime security scanner for AI agent skills.
-**170+ threat patterns** across **17 categories** — zero dependencies.
+**186+ threat patterns** across **20 categories** — zero dependencies.
 
 ## When To Use This Skill
 
@@ -53,7 +54,9 @@ Scan a specific skill:
 node skills/guard-scanner/src/cli.js /path/to/new-skill/ --strict --verbose
 ```
 
-### 2. Runtime Guard (Real-time Protection)
+### 2. Runtime Guard (Real-time Protection) — ⚠️ Experimental
+
+> **Note:** Requires the OpenClaw Hook API ([Issue #18677](https://github.com/openclaw/openclaw/issues/18677)), which has not been officially adopted yet. The handler is included for early testing and will be updated once the API is finalized.
 
 Install the hook to block dangerous tool calls before execution:
 
@@ -82,11 +85,13 @@ openclaw hooks enable guard-scanner
 
 Set in `openclaw.json` → `hooks.internal.entries.guard-scanner.mode`:
 
-| Mode | Behavior |
-|------|----------|
-| `monitor` | Log all, never block |
-| `enforce` (default) | Block CRITICAL threats |
-| `strict` | Block HIGH + CRITICAL |
+| Mode | Intended Behavior | Current Status |
+|------|-------------------|----------------|
+| `monitor` | Log all, never block | ✅ Fully working |
+| `enforce` (default) | Block CRITICAL threats | ⚠️ Warn only (cancel API pending) |
+| `strict` | Block HIGH + CRITICAL | ⚠️ Warn only (cancel API pending) |
+
+> **Note:** OpenClaw's `InternalHookEvent` does not yet expose a `cancel`/`veto` mechanism. All detections are currently logged and warned via `event.messages`, but tool execution cannot be blocked. Blocking will be enabled when the cancel API is added.
 
 ## Threat Categories
 
@@ -109,6 +114,9 @@ Set in `openclaw.json` → `hooks.internal.entries.guard-scanner.mode`:
 | 15 | CVE Patterns | Known agent vulnerabilities |
 | 16 | MCP Security | Tool/schema poisoning, SSRF |
 | 17 | Identity Hijacking | SOUL.md/IDENTITY.md tampering |
+| 18 | Sandbox Validation | Dangerous binaries, broad file scope, sensitive env |
+| 19 | Code Complexity | Excessive file length, deep nesting, eval density |
+| 20 | Config Impact | openclaw.json writes, exec approval bypass |
 
 ## External Endpoints
 
@@ -139,7 +147,7 @@ an AI agent's SOUL.md personality file, and no existing tool could detect it.
 
 - **Open source**: Full source code available at https://github.com/koatora20/guard-scanner
 - **Zero dependencies**: Nothing to audit, no transitive risks
-- **Test suite**: 45 tests across 10 sections, 100% pass rate
+- **Test suite**: 55 tests across 13 sections, 100% pass rate
 - **Taxonomy**: Based on Snyk ToxicSkills (Feb 2026), OWASP MCP Top 10, and original research
 - **Complementary to VirusTotal**: Detects prompt injection and LLM-specific attacks
   that VirusTotal's signature-based scanning cannot catch

package/hooks/guard-scanner/handler.ts

@@ -1,26 +1,69 @@
-import type { HookHandler } from "../../src/hooks/hooks.js";
-import { appendFileSync, mkdirSync } from "fs";
-import { join } from "path";
-import { homedir } from "os";
-
 /**
- * guard-scanner Runtime Guard — before_tool_call Hook Handler
- * 
- * Intercepts tool executions in real-time and checks against
- * threat intelligence patterns. Zero dependencies.
- * 
- * Modes:
- *   monitor  — log only
- *   enforce  — block CRITICAL (default)
- *   strict   — block HIGH+CRITICAL, log MEDIUM+
- * 
+ * guard-scanner Runtime Guard — Hook Handler
+ *
+ * Intercepts agent tool calls and checks arguments against
+ * runtime threat intelligence patterns. Zero dependencies.
+ *
+ * Registered for event: agent:before_tool_call
+ *
+ * Current limitation:
+ *   The OpenClaw InternalHookEvent interface does not yet expose a
+ *   `cancel` / `veto` mechanism. This handler can WARN via
+ *   event.messages but cannot block tool execution.
+ *   When a cancel API is introduced, this handler will be updated
+ *   to actually block CRITICAL/HIGH threats.
+ *
+ * Modes (for future blocking behaviour):
+ *   monitor  — log only (current effective behaviour for all modes)
+ *   enforce  — will block CRITICAL when cancel API is available
+ *   strict   — will block HIGH+CRITICAL when cancel API is available
+ *
  * @author Guava 🍈 & Dee
- * @version 1.0.0
+ * @version 1.1.0
  * @license MIT
  */
 
+import { appendFileSync, mkdirSync } from "fs";
+import { join } from "path";
+import { homedir } from "os";
+
+// ── OpenClaw Hook Types (from openclaw/src/hooks/internal-hooks.ts) ──
+// Inline types to avoid broken relative-path imports.
+// These match the official InternalHookEvent / InternalHookHandler
+// from OpenClaw v2026.2.15.
+
+type InternalHookEventType = "command" | "session" | "agent" | "gateway";
+
+interface InternalHookEvent {
+    /** The type of event */
+    type: InternalHookEventType;
+    /** The specific action within the type (e.g., "before_tool_call") */
+    action: string;
+    /** The session key this event relates to */
+    sessionKey: string;
+    /** Additional context specific to the event */
+    context: Record<string, unknown>;
+    /** Timestamp when the event occurred */
+    timestamp: Date;
+    /** Messages to send back to the user (hooks can push to this array) */
+    messages: string[];
+}
+
+type InternalHookHandler = (event: InternalHookEvent) => Promise<void> | void;
+
+// Re-export as the public types for compatibility
+type HookHandler = InternalHookHandler;
+type HookEvent = InternalHookEvent;
+
 // ── Runtime threat patterns (12 checks) ──
-const RUNTIME_CHECKS = [
+interface RuntimeCheck {
+    id: string;
+    severity: "CRITICAL" | "HIGH" | "MEDIUM";
+    desc: string;
+    test: (s: string) => boolean;
+}
+
+const RUNTIME_CHECKS: RuntimeCheck[] = [
     {
         id: 'RT_REVSHELL', severity: 'CRITICAL', desc: 'Reverse shell attempt',
         test: (s: string) => /\/dev\/tcp\/|nc\s+-e|ncat\s+-e|bash\s+-i\s+>&|socat\s+TCP/i.test(s)
@@ -78,11 +121,11 @@ const RUNTIME_CHECKS = [
 const AUDIT_DIR = join(homedir(), ".openclaw", "guard-scanner");
 const AUDIT_FILE = join(AUDIT_DIR, "audit.jsonl");
 
-function ensureAuditDir() {
+function ensureAuditDir(): void {
     try { mkdirSync(AUDIT_DIR, { recursive: true }); } catch { }
 }
 
-function logAudit(entry: Record<string, unknown>) {
+function logAudit(entry: Record<string, unknown>): void {
     ensureAuditDir();
     const line = JSON.stringify({ ...entry, ts: new Date().toISOString() }) + '\n';
     try { appendFileSync(AUDIT_FILE, line); } catch { }
@@ -90,16 +133,21 @@ function logAudit(entry: Record<string, unknown>) {
 
 // ── Main Handler ──
 const handler: HookHandler = async (event) => {
-    // Only handle before_tool_call
+    // Only handle agent:before_tool_call events
     if (event.type !== "agent" || event.action !== "before_tool_call") return;
 
-    const { toolName, toolArgs } = (event as any).context || {};
+    const { toolName, toolArgs } = event.context as {
+        toolName?: string;
+        toolArgs?: Record<string, unknown>;
+    };
     if (!toolName || !toolArgs) return;
 
-    // Get mode from config
-    const mode = (event as any).context?.cfg?.hooks?.internal?.entries?.['guard-scanner']?.mode || 'enforce';
+    // Get mode from context config (if available)
+    const cfg = event.context.cfg as Record<string, unknown> | undefined;
+    const hookEntries = (cfg as any)?.hooks?.internal?.entries?.['guard-scanner'] as Record<string, unknown> | undefined;
+    const mode = (hookEntries?.mode as string) || 'enforce';
 
-    // Only check dangerous tools
+    // Only check tools that can cause damage
     const dangerousTools = new Set(['exec', 'write', 'edit', 'browser', 'web_fetch', 'message']);
     if (!dangerousTools.has(toolName)) return;
 
@@ -113,35 +161,39 @@ const handler: HookHandler = async (event) => {
                 severity: check.severity,
                 desc: check.desc,
                 mode,
-                action: 'allowed' as string,
-                session: (event as any).sessionKey,
+                action: 'warned' as string,
+                session: event.sessionKey,
             };
 
-            if (mode === 'strict' && (check.severity === 'CRITICAL' || check.severity === 'HIGH')) {
-                entry.action = 'blocked';
-                logAudit(entry);
-                event.messages.push(`🛡️ guard-scanner BLOCKED: ${check.desc} [${check.id}]`);
-                event.cancel = true;
-                console.warn(`[guard-scanner] 🚨 BLOCKED: ${check.desc} [${check.id}]`);
-                return;
-            }
-
-            if (mode === 'enforce' && check.severity === 'CRITICAL') {
-                entry.action = 'blocked';
-                logAudit(entry);
-                event.messages.push(`🛡️ guard-scanner BLOCKED: ${check.desc} [${check.id}]`);
-                event.cancel = true;
-                console.warn(`[guard-scanner] 🚨 BLOCKED: ${check.desc} [${check.id}]`);
-                return;
-            }
-
-            // Monitor mode or non-critical: log only
-            entry.action = 'logged';
+            // NOTE: OpenClaw InternalHookEvent does not currently support
+            // a cancel/veto mechanism. When it does, uncomment the blocking
+            // logic below. For now, all detections are warnings only.
+            //
+            // if (mode === 'strict' && (check.severity === 'CRITICAL' || check.severity === 'HIGH')) {
+            //     entry.action = 'blocked';
+            //     logAudit(entry);
+            //     event.messages.push(`🛡️ guard-scanner BLOCKED: ${check.desc} [${check.id}]`);
+            //     event.cancel = true;  // Not yet in the public API
+            //     return;
+            // }
+            //
+            // if (mode === 'enforce' && check.severity === 'CRITICAL') {
+            //     entry.action = 'blocked';
+            //     logAudit(entry);
+            //     event.messages.push(`🛡️ guard-scanner BLOCKED: ${check.desc} [${check.id}]`);
+            //     event.cancel = true;  // Not yet in the public API
+            //     return;
+            // }
+
+            // Current behaviour: warn and log for all modes
             logAudit(entry);
 
             if (check.severity === 'CRITICAL') {
                 event.messages.push(`🛡️ guard-scanner WARNING: ${check.desc} [${check.id}]`);
                 console.warn(`[guard-scanner] ⚠️ WARNING: ${check.desc} [${check.id}]`);
+            } else if (check.severity === 'HIGH') {
+                event.messages.push(`🛡️ guard-scanner NOTICE: ${check.desc} [${check.id}]`);
+                console.warn(`[guard-scanner] ℹ️ NOTICE: ${check.desc} [${check.id}]`);
             }
         }
     }

package/package.json

@@ -1,7 +1,7 @@
 {
     "name": "guard-scanner",
-    "version": "1.0.0",
-    "description": "Agent skill security scanner — detect prompt injection, malicious code, credential leaks, and 17 threat categories in AI agent skills",
+    "version": "1.1.1",
+    "description": "Agent skill security scanner — detect prompt injection, malicious code, credential leaks, and 20 threat categories in AI agent skills",
     "main": "src/scanner.js",
     "bin": {
         "guard-scanner": "src/cli.js"

package/src/html-template.js

@@ -0,0 +1,239 @@
+/**
+ * guard-scanner — HTML Report Template
+ * Dark Glassmorphism + Conic-gradient Risk Gauges
+ * Zero dependencies. Pure CSS animations.
+ */
+
+'use strict';
+
+function generateHTML(version, stats, findings) {
+    const safetyRate = stats.scanned > 0 ? Math.round(((stats.clean + stats.low) / stats.scanned) * 100) : 100;
+
+    // ── Risk gauge (conic-gradient donut) ──
+    const riskGauge = (risk) => {
+        const angle = (risk / 100) * 360;
+        const color = risk >= 80 ? '#ef4444' : risk >= 30 ? '#f59e0b' : '#22c55e';
+        return `<div class="risk-gauge" style="--risk-angle:${angle}deg;--risk-color:${color}"><span class="risk-val">${risk}</span></div>`;
+    };
+
+    // ── Aggregate severity + category counts ──
+    const sevCounts = { CRITICAL: 0, HIGH: 0, MEDIUM: 0, LOW: 0 };
+    const catCounts = {};
+    for (const sr of findings) {
+        for (const f of sr.findings) {
+            sevCounts[f.severity] = (sevCounts[f.severity] || 0) + 1;
+            catCounts[f.cat] = (catCounts[f.cat] || 0) + 1;
+        }
+    }
+    const total = Object.values(sevCounts).reduce((a, b) => a + b, 0);
+
+    // ── Severity distribution bars ──
+    const sevColors = { CRITICAL: '#ef4444', HIGH: '#f97316', MEDIUM: '#eab308', LOW: '#22c55e' };
+    const sevBars = ['CRITICAL', 'HIGH', 'MEDIUM', 'LOW'].map(s => {
+        const c = sevCounts[s], pct = total > 0 ? ((c / total) * 100).toFixed(1) : 0;
+        return `<div class="bar-row"><span class="bar-label" style="color:${sevColors[s]}">${s}</span><div class="bar-track"><div class="bar-fill" style="width:${pct}%;background:${sevColors[s]}"></div></div><span class="bar-ct">${c}</span></div>`;
+    }).join('\n');
+
+    // ── Top 8 categories ──
+    const topCats = Object.entries(catCounts).sort((a, b) => b[1] - a[1]).slice(0, 8);
+    const catBars = topCats.map(([cat, c]) => {
+        const pct = total > 0 ? ((c / total) * 100).toFixed(0) : 0;
+        return `<div class="bar-row"><span class="bar-label cat-lbl">${cat}</span><div class="bar-track"><div class="bar-fill cat-fill" style="width:${pct}%"></div></div><span class="bar-ct">${c}</span></div>`;
+    }).join('\n');
+
+    // ── Skill cards ──
+    let cards = '';
+    for (const sr of findings) {
+        const vc = sr.verdict === 'MALICIOUS' ? 'mal' : sr.verdict === 'SUSPICIOUS' ? 'sus' : sr.verdict === 'LOW RISK' ? 'low' : 'ok';
+        const icon = sr.verdict === 'MALICIOUS' ? '💀' : sr.verdict === 'SUSPICIOUS' ? '⚡' : sr.verdict === 'LOW RISK' ? '⚠️' : '✅';
+        const rows = sr.findings.map(f => {
+            const sc = f.severity.toLowerCase();
+            return `<tr class="f-row"><td><span class="pill ${sc}">${f.severity}</span></td><td class="mono dim">${f.cat}</td><td>${f.desc}</td><td class="mono muted">${f.file}${f.line ? ':' + f.line : ''}</td></tr>`;
+        }).join('\n');
+
+        cards += `
+<details class="card card-${vc}" ${(vc === 'mal' || vc === 'sus') ? 'open' : ''}>
+  <summary class="card-head">
+    <div class="card-info"><span class="card-icon">${icon}</span><span class="card-name">${sr.skill}</span><span class="v-pill v-${vc}">${sr.verdict}</span></div>
+    ${riskGauge(sr.risk)}
+  </summary>
+  <div class="card-body">
+    <table class="ftable"><thead><tr><th>Severity</th><th>Category</th><th>Description</th><th>Location</th></tr></thead><tbody>${rows}</tbody></table>
+  </div>
+</details>`;
+    }
+
+    // ── Full HTML ──
+    return `<!DOCTYPE html>
+<html lang="en"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1">
+<title>guard-scanner v${version} — Security Report</title>
+<link rel="preconnect" href="https://fonts.googleapis.com">
+<link href="https://fonts.googleapis.com/css2?family=Inter:wght@300;400;500;600;700;800&family=JetBrains+Mono:wght@400;500&display=swap" rel="stylesheet">
+<style>
+/* ===== Tokens ===== */
+:root{
+  --bg:#06070d;--sf:rgba(15,18,35,.7);--cd:rgba(20,24,50,.55);--ch:rgba(28,33,65,.65);
+  --bdr:rgba(100,120,255,.08);--glow:rgba(100,140,255,.15);
+  --t1:#e8eaf6;--t2:#8b92b3;--t3:#5a6180;
+  --blue:#6c8cff;--purple:#a78bfa;--cyan:#22d3ee;--green:#22c55e;--yellow:#eab308;--orange:#f97316;--red:#ef4444;
+  --sans:'Inter',system-ui,-apple-system,sans-serif;--mono:'JetBrains Mono','SF Mono',monospace;
+  --r:12px;
+}
+*,*::before,*::after{box-sizing:border-box;margin:0;padding:0}
+html{scroll-behavior:smooth}
+body{font-family:var(--sans);background:var(--bg);color:var(--t1);min-height:100vh;overflow-x:hidden;line-height:1.6}
+
+/* ===== Ambient BG ===== */
+body::before{content:'';position:fixed;inset:0;z-index:-1;
+  background:radial-gradient(ellipse 80% 60% at 20% 10%,rgba(108,140,255,.08) 0%,transparent 50%),
+  radial-gradient(ellipse 60% 50% at 80% 90%,rgba(167,139,250,.06) 0%,transparent 50%),
+  radial-gradient(ellipse 50% 40% at 50% 50%,rgba(34,211,238,.04) 0%,transparent 50%);
+  animation:pulse 12s ease-in-out infinite alternate}
+@keyframes pulse{0%{opacity:.6;transform:scale(1)}100%{opacity:1;transform:scale(1.05)}}
+
+.wrap{max-width:1200px;margin:0 auto;padding:32px 24px}
+
+/* ===== Header ===== */
+.hdr{text-align:center;margin-bottom:36px;animation:fadeD .6s ease-out}
+.hdr h1{font-size:2.2em;font-weight:800;letter-spacing:-.03em;
+  background:linear-gradient(135deg,var(--blue),var(--purple),var(--cyan));
+  -webkit-background-clip:text;-webkit-text-fill-color:transparent;background-clip:text}
+.hdr .sub{color:var(--t2);font-size:.95em;margin-top:4px}
+.hdr .ts{color:var(--t3);font-family:var(--mono);font-size:.78em;margin-top:2px}
+
+/* ===== Stat Grid ===== */
+.sg{display:grid;grid-template-columns:repeat(auto-fit,minmax(155px,1fr));gap:14px;margin-bottom:28px;animation:fadeU .7s ease-out}
+.sc{background:var(--cd);backdrop-filter:blur(20px) saturate(1.5);-webkit-backdrop-filter:blur(20px) saturate(1.5);
+  border:1px solid var(--bdr);border-radius:var(--r);padding:18px;text-align:center;
+  transition:all .3s cubic-bezier(.4,0,.2,1);position:relative;overflow:hidden}
+.sc::before{content:'';position:absolute;top:0;left:0;right:0;height:2px;
+  background:linear-gradient(90deg,transparent,var(--ac,var(--blue)),transparent);opacity:0;transition:opacity .3s}
+.sc:hover{transform:translateY(-3px);border-color:var(--glow)}.sc:hover::before{opacity:1}
+.sn{font-size:2.2em;font-weight:800;letter-spacing:-.04em;line-height:1.1}
+.sl{color:var(--t2);font-size:.78em;font-weight:500;margin-top:3px;text-transform:uppercase;letter-spacing:.06em}
+.sc.g{--ac:var(--green)}.sc.g .sn{color:var(--green)}
+.sc.l{--ac:#86efac}.sc.l .sn{color:#86efac}
+.sc.s{--ac:var(--yellow)}.sc.s .sn{color:var(--yellow)}
+.sc.m{--ac:var(--red)}.sc.m .sn{color:var(--red)}
+.sc.r{--ac:var(--cyan)}.sc.r .sn{color:var(--cyan)}
+
+/* ===== Analysis Panels ===== */
+.ag{display:grid;grid-template-columns:1fr 1fr;gap:18px;margin-bottom:28px;animation:fadeU .8s ease-out}
+@media(max-width:768px){.ag{grid-template-columns:1fr}}
+.pn{background:var(--cd);backdrop-filter:blur(20px) saturate(1.5);-webkit-backdrop-filter:blur(20px) saturate(1.5);
+  border:1px solid var(--bdr);border-radius:var(--r);padding:22px}
+.pn h2{font-size:.88em;font-weight:600;color:var(--t2);text-transform:uppercase;letter-spacing:.08em;margin-bottom:14px}
+
+/* Bars */
+.bar-row{display:flex;align-items:center;gap:8px;margin-bottom:8px}
+.bar-label{font-family:var(--mono);font-size:.72em;font-weight:600;width:68px;text-align:right}
+.cat-lbl{font-family:var(--sans);font-weight:500;color:var(--t2);width:110px;overflow:hidden;text-overflow:ellipsis;white-space:nowrap}
+.bar-track{flex:1;height:5px;background:rgba(255,255,255,.04);border-radius:3px;overflow:hidden}
+.bar-fill{height:100%;border-radius:3px;transition:width 1.2s cubic-bezier(.4,0,.2,1)}
+.cat-fill{background:linear-gradient(90deg,var(--blue),var(--purple))}
+.bar-ct{font-family:var(--mono);font-size:.76em;color:var(--t3);width:28px}
+
+/* ===== Skill Cards ===== */
+.sec-title{font-size:1.05em;font-weight:700;margin-bottom:14px}
+.card{background:var(--cd);backdrop-filter:blur(16px) saturate(1.4);-webkit-backdrop-filter:blur(16px) saturate(1.4);
+  border:1px solid var(--bdr);border-radius:var(--r);margin-bottom:10px;overflow:hidden;
+  transition:all .3s ease;animation:fadeU .5s ease-out both}
+.card:hover{border-color:var(--glow)}
+.card-mal{border-left:3px solid var(--red)}
+.card-sus{border-left:3px solid var(--yellow)}
+.card-low{border-left:3px solid #86efac}
+.card-ok{border-left:3px solid var(--green)}
+
+.card-head{display:flex;align-items:center;justify-content:space-between;padding:14px 18px;cursor:pointer;list-style:none}
+.card-head::-webkit-details-marker{display:none}
+.card-info{display:flex;align-items:center;gap:8px;flex:1;min-width:0}
+.card-icon{font-size:1.15em}
+.card-name{font-weight:600;font-size:.92em;overflow:hidden;text-overflow:ellipsis;white-space:nowrap}
+.v-pill{font-family:var(--mono);font-size:.66em;font-weight:600;padding:2px 7px;border-radius:4px;letter-spacing:.04em}
+.v-mal{background:rgba(239,68,68,.15);color:var(--red)}
+.v-sus{background:rgba(234,179,8,.15);color:var(--yellow)}
+.v-low{background:rgba(134,239,172,.15);color:#86efac}
+.v-ok{background:rgba(34,197,94,.15);color:var(--green)}
+
+/* Risk Gauge */
+.risk-gauge{width:44px;height:44px;border-radius:50%;flex-shrink:0;display:flex;align-items:center;justify-content:center;position:relative;
+  background:conic-gradient(var(--risk-color) 0deg,var(--risk-color) var(--risk-angle),rgba(255,255,255,.05) var(--risk-angle),rgba(255,255,255,.05) 360deg)}
+.risk-gauge::after{content:'';position:absolute;inset:5px;border-radius:50%;background:var(--bg)}
+.risk-val{position:relative;z-index:1;font-family:var(--mono);font-size:.68em;font-weight:700}
+
+/* Findings Table */
+.card-body{padding:0 18px 14px}
+.ftable{width:100%;border-collapse:collapse;font-size:.82em}
+.ftable th{text-align:left;font-size:.72em;font-weight:600;color:var(--t3);text-transform:uppercase;letter-spacing:.06em;padding:7px 9px;border-bottom:1px solid rgba(255,255,255,.04)}
+.ftable td{padding:7px 9px;border-bottom:1px solid rgba(255,255,255,.025)}
+.f-row{transition:background .2s}.f-row:hover{background:rgba(255,255,255,.02)}
+.pill{font-family:var(--mono);font-size:.7em;font-weight:600;padding:2px 5px;border-radius:3px;letter-spacing:.03em}
+.critical{background:rgba(239,68,68,.15);color:var(--red)}
+.high{background:rgba(249,115,22,.15);color:var(--orange)}
+.medium{background:rgba(234,179,8,.15);color:var(--yellow)}
+.low{background:rgba(34,197,94,.15);color:var(--green)}
+.mono{font-family:var(--mono);font-size:.9em}
+.dim{color:var(--t2)}.muted{color:var(--t3);white-space:nowrap}
+
+/* Empty */
+.empty{text-align:center;padding:48px 20px;background:var(--cd);backdrop-filter:blur(20px);border:1px solid var(--bdr);border-radius:var(--r)}
+.empty .ei{font-size:2.8em;margin-bottom:10px}
+.empty p{color:var(--green);font-size:1.05em;font-weight:600}
+.empty .es{color:var(--t3);font-size:.82em;margin-top:3px}
+
+/* Footer */
+.ft{text-align:center;margin-top:40px;padding-top:20px;border-top:1px solid rgba(255,255,255,.04);color:var(--t3);font-size:.78em}
+.ft a{color:var(--blue);text-decoration:none}.ft a:hover{text-decoration:underline}
+
+/* Animations */
+@keyframes fadeD{from{opacity:0;transform:translateY(-18px)}to{opacity:1;transform:translateY(0)}}
+@keyframes fadeU{from{opacity:0;transform:translateY(14px)}to{opacity:1;transform:translateY(0)}}
+
+/* Responsive */
+@media(max-width:640px){
+  .sg{grid-template-columns:repeat(2,1fr)}.sn{font-size:1.7em}.hdr h1{font-size:1.5em}
+  .ftable{font-size:.74em}
+}
+
+/* Print */
+@media print{
+  body{background:#fff;color:#111}body::before{display:none}
+  .sc,.pn,.card{background:#f8f8f8;backdrop-filter:none;border-color:#ddd}
+  .sn{color:#111!important}.card{break-inside:avoid}
+}
+</style></head><body>
+<div class="wrap">
+<div class="hdr">
+  <h1>🛡️ guard-scanner v${version}</h1>
+  <div class="sub">Security Scan Report</div>
+  <div class="ts">${new Date().toISOString()}</div>
+</div>
+
+<div class="sg">
+  <div class="sc"><div class="sn">${stats.scanned}</div><div class="sl">Scanned</div></div>
+  <div class="sc g"><div class="sn">${stats.clean}</div><div class="sl">Clean</div></div>
+  <div class="sc l"><div class="sn">${stats.low}</div><div class="sl">Low Risk</div></div>
+  <div class="sc s"><div class="sn">${stats.suspicious}</div><div class="sl">Suspicious</div></div>
+  <div class="sc m"><div class="sn">${stats.malicious}</div><div class="sl">Malicious</div></div>
+  <div class="sc r"><div class="sn">${safetyRate}%</div><div class="sl">Safety Rate</div></div>
+</div>
+
+${total > 0 ? `<div class="ag">
+  <div class="pn"><h2>Severity Distribution</h2>${sevBars}</div>
+  <div class="pn"><h2>Top Categories</h2>${catBars}</div>
+</div>` : ''}
+
+<div>
+  <div class="sec-title">Skill Analysis</div>
+  ${cards || `<div class="empty"><div class="ei">✅</div><p>All Clear — No Threats Detected</p><div class="es">${stats.scanned} skill(s) scanned, 0 findings</div></div>`}
+</div>
+
+<div class="ft">
+  guard-scanner v${version} &mdash; Zero dependencies. Zero compromises. 🛡️<br>
+  Built by <a href="https://github.com/koatora20">Guava 🍈 &amp; Dee</a>
+</div>
+</div>
+</body></html>`;
+}
+
+module.exports = { generateHTML };

package/src/patterns.js

@@ -177,6 +177,14 @@ const PATTERNS = [
     { id: 'SOUL_HOOK_SWAP', cat: 'identity-hijack', regex: /(?:hook|bootstrap|init)\s+[^\n]*(?:swap|replace|override)\s+[^\n]*(?:SOUL|IDENTITY|persona)/gi, severity: 'CRITICAL', desc: 'Hook-based identity swap at bootstrap', all: true },
     { id: 'SOUL_NAME_OVERRIDE', cat: 'identity-hijack', regex: /(?:your\s+name\s+is|you\s+are\s+now|call\s+yourself|from\s+now\s+on\s+you\s+are)\s+(?!the\s+(?:user|human|assistant))/gi, severity: 'HIGH', desc: 'Agent name/identity override', docOnly: true },
     { id: 'SOUL_MEMORY_WIPE', cat: 'identity-hijack', regex: /(?:wipe|clear|erase|delete|remove|reset)\s+(?:all\s+)?(?:your\s+)?(?:memory|memories|MEMORY\.md|identity|soul)/gi, severity: 'CRITICAL', desc: 'Memory/identity wipe instruction', docOnly: true },
+
+    // ── Category 18: Config Impact Analysis ──
+    { id: 'CFG_OPENCLAW_WRITE', cat: 'config-impact', regex: /(?:write|writeFile|writeFileSync|fs\.write)\s*\([^)]*openclaw\.json/gi, severity: 'CRITICAL', desc: 'Direct write to openclaw.json', codeOnly: true },
+    { id: 'CFG_EXEC_APPROVALS_OFF', cat: 'config-impact', regex: /(?:exec\.approvals?|approvals?)\s*[:=]\s*['"](off|false|disabled|none)['"]/gi, severity: 'CRITICAL', desc: 'Disable exec approvals via config', all: true },
+    { id: 'CFG_HOOKS_MODIFY', cat: 'config-impact', regex: /hooks\.internal\.entries\s*[:=]|hooks\.internal\s*[:=]\s*\{/gi, severity: 'HIGH', desc: 'Modify hooks.internal configuration', codeOnly: true },
+    { id: 'CFG_EXEC_HOST_GW', cat: 'config-impact', regex: /tools\.exec\.host\s*[:=]\s*['"]gateway['"]/gi, severity: 'CRITICAL', desc: 'Set exec host to gateway (bypass sandbox)', all: true },
+    { id: 'CFG_SANDBOX_OFF', cat: 'config-impact', regex: /(?:sandbox|sandboxed|containerized)\s*[:=]\s*(?:false|off|none|disabled|0)/gi, severity: 'CRITICAL', desc: 'Disable sandbox via configuration', all: true },
+    { id: 'CFG_TOOL_OVERRIDE', cat: 'config-impact', regex: /(?:tools|capabilities)\s*\.\s*(?:exec|write|browser|web_fetch)\s*[:=]\s*\{[^}]*(?:enabled|allowed|host)/gi, severity: 'HIGH', desc: 'Override tool security settings', codeOnly: true },
 ];
 
 module.exports = { PATTERNS };

package/src/scanner.js

@@ -12,7 +12,7 @@
  *   purpose: Static analysis of agent skill files for threat patterns
  *
  * Based on GuavaGuard v9.0.0 (OSS extraction)
- * 17 threat categories • Snyk ToxicSkills + OWASP MCP Top 10
+ * 20 threat categories • Snyk ToxicSkills + OWASP MCP Top 10
  * Zero dependencies • CLI + JSON + SARIF + HTML output
  * Plugin API for custom detection rules
  *
@@ -27,9 +27,10 @@ const os = require('os');
 
 const { PATTERNS } = require('./patterns.js');
 const { KNOWN_MALICIOUS } = require('./ioc-db.js');
+const { generateHTML } = require('./html-template.js');
 
 // ===== CONFIGURATION =====
-const VERSION = '1.0.0';
+const VERSION = '1.1.0';
 
 const THRESHOLDS = {
     normal: { suspicious: 30, malicious: 80 },
@@ -266,6 +267,15 @@ class GuardScanner {
         // Check 6: Cross-file analysis
         this.checkCrossFile(skillPath, skillName, skillFindings);
 
+        // Check 7: Skill manifest validation (v1.1)
+        this.checkSkillManifest(skillPath, skillName, skillFindings);
+
+        // Check 8: Code complexity metrics (v1.1)
+        this.checkComplexity(skillPath, skillName, skillFindings);
+
+        // Check 9: Config impact analysis (v1.1)
+        this.checkConfigImpact(skillPath, skillName, skillFindings);
+
         // Filter ignored patterns
         const filteredFindings = skillFindings.filter(f => !this.ignoredPatterns.has(f.id));
 
@@ -474,6 +484,226 @@ class GuardScanner {
         }
     }
 
+    // ── v1.1: Skill Manifest Validation ──
+    // Checks SKILL.md frontmatter for dangerous tool declarations,
+    // overly broad file scope, and sensitive env requirements
+    checkSkillManifest(skillPath, skillName, findings) {
+        const skillMd = path.join(skillPath, 'SKILL.md');
+        if (!fs.existsSync(skillMd)) return;
+
+        let content;
+        try { content = fs.readFileSync(skillMd, 'utf-8'); } catch { return; }
+
+        // Parse YAML frontmatter (lightweight, no dependency)
+        const fmMatch = content.match(/^---\n([\s\S]*?)\n---/);
+        if (!fmMatch) return;
+        const fm = fmMatch[1];
+
+        // Check 1: Dangerous binary requirements
+        const DANGEROUS_BINS = new Set([
+            'sudo', 'rm', 'rmdir', 'chmod', 'chown', 'kill', 'pkill',
+            'curl', 'wget', 'nc', 'ncat', 'socat', 'ssh', 'scp',
+            'dd', 'mkfs', 'fdisk', 'mount', 'umount',
+            'iptables', 'ufw', 'firewall-cmd',
+            'docker', 'kubectl', 'systemctl',
+        ]);
+        const binsMatch = fm.match(/bins:\s*\n((?:\s+-\s+[^\n]+\n?)*)/i);
+        if (binsMatch) {
+            const bins = binsMatch[1].match(/- ([^\n]+)/g) || [];
+            for (const binLine of bins) {
+                const bin = binLine.replace(/^-\s*/, '').trim().toLowerCase();
+                if (DANGEROUS_BINS.has(bin)) {
+                    findings.push({
+                        severity: 'HIGH', id: 'MANIFEST_DANGEROUS_BIN',
+                        cat: 'sandbox-validation',
+                        desc: `SKILL.md requires dangerous binary: ${bin}`,
+                        file: 'SKILL.md'
+                    });
+                }
+            }
+        }
+
+        // Check 2: Overly broad file scope
+        const filesMatch = fm.match(/files:\s*\[([^\]]+)\]/i) || fm.match(/files:\s*\n((?:\s+-\s+[^\n]+\n?)*)/i);
+        if (filesMatch) {
+            const filesStr = filesMatch[1];
+            if (/\*\*\/\*|\*\.\*|\"\*\"/i.test(filesStr)) {
+                findings.push({
+                    severity: 'HIGH', id: 'MANIFEST_BROAD_FILES',
+                    cat: 'sandbox-validation',
+                    desc: 'SKILL.md declares overly broad file scope (e.g. **/*)',
+                    file: 'SKILL.md'
+                });
+            }
+        }
+
+        // Check 3: Sensitive env requirements
+        const SENSITIVE_ENV_PATTERNS = /(?:SECRET|PASSWORD|CREDENTIAL|PRIVATE_KEY|AWS_SECRET|GITHUB_TOKEN)/i;
+        const envMatch = fm.match(/env:\s*\n((?:\s+-\s+[^\n]+\n?)*)/i);
+        if (envMatch) {
+            const envVars = envMatch[1].match(/- ([^\n]+)/g) || [];
+            for (const envLine of envVars) {
+                const envVar = envLine.replace(/^-\s*/, '').trim();
+                if (SENSITIVE_ENV_PATTERNS.test(envVar)) {
+                    findings.push({
+                        severity: 'HIGH', id: 'MANIFEST_SENSITIVE_ENV',
+                        cat: 'sandbox-validation',
+                        desc: `SKILL.md requires sensitive env var: ${envVar}`,
+                        file: 'SKILL.md'
+                    });
+                }
+            }
+        }
+
+        // Check 4: exec or network declared without justification
+        if (/exec:\s*(?:true|yes|enabled|'\*'|"\*")/i.test(fm)) {
+            findings.push({
+                severity: 'MEDIUM', id: 'MANIFEST_EXEC_DECLARED',
+                cat: 'sandbox-validation',
+                desc: 'SKILL.md declares exec capability',
+                file: 'SKILL.md'
+            });
+        }
+        if (/network:\s*(?:true|yes|enabled|'\*'|"\*"|all|any)/i.test(fm)) {
+            findings.push({
+                severity: 'MEDIUM', id: 'MANIFEST_NETWORK_DECLARED',
+                cat: 'sandbox-validation',
+                desc: 'SKILL.md declares unrestricted network access',
+                file: 'SKILL.md'
+            });
+        }
+    }
+
+    // ── v1.1: Code Complexity Metrics ──
+    // Detects excessive file length, deep nesting, and eval/exec density
+    checkComplexity(skillPath, skillName, findings) {
+        const files = this.getFiles(skillPath);
+        const MAX_LINES = 1000;
+        const MAX_NESTING = 5;
+        const MAX_EVAL_DENSITY = 0.02; // 2% of lines
+
+        for (const file of files) {
+            const ext = path.extname(file).toLowerCase();
+            if (!CODE_EXTENSIONS.has(ext)) continue;
+
+            const relFile = path.relative(skillPath, file);
+            if (relFile.includes('node_modules') || relFile.startsWith('.git')) continue;
+
+            let content;
+            try { content = fs.readFileSync(file, 'utf-8'); } catch { continue; }
+
+            const lines = content.split('\n');
+
+            // Check 1: Excessive file length
+            if (lines.length > MAX_LINES) {
+                findings.push({
+                    severity: 'MEDIUM', id: 'COMPLEXITY_LONG_FILE',
+                    cat: 'complexity',
+                    desc: `File exceeds ${MAX_LINES} lines (${lines.length} lines)`,
+                    file: relFile
+                });
+            }
+
+            // Check 2: Deep nesting (brace tracking)
+            let maxDepth = 0;
+            let currentDepth = 0;
+            let deepestLine = 0;
+            for (let i = 0; i < lines.length; i++) {
+                const line = lines[i];
+                // Count opening/closing braces outside strings (simplified)
+                for (const ch of line) {
+                    if (ch === '{') currentDepth++;
+                    if (ch === '}') currentDepth = Math.max(0, currentDepth - 1);
+                }
+                if (currentDepth > maxDepth) {
+                    maxDepth = currentDepth;
+                    deepestLine = i + 1;
+                }
+            }
+            if (maxDepth > MAX_NESTING) {
+                findings.push({
+                    severity: 'MEDIUM', id: 'COMPLEXITY_DEEP_NESTING',
+                    cat: 'complexity',
+                    desc: `Deep nesting detected: ${maxDepth} levels (max recommended: ${MAX_NESTING})`,
+                    file: relFile, line: deepestLine
+                });
+            }
+
+            // Check 3: eval/exec density
+            const evalPattern = /\b(?:eval|exec|execSync|spawn|Function)\s*\(/g;
+            const evalMatches = content.match(evalPattern) || [];
+            const density = lines.length > 0 ? evalMatches.length / lines.length : 0;
+            if (density > MAX_EVAL_DENSITY && evalMatches.length >= 3) {
+                findings.push({
+                    severity: 'HIGH', id: 'COMPLEXITY_EVAL_DENSITY',
+                    cat: 'complexity',
+                    desc: `High eval/exec density: ${evalMatches.length} calls in ${lines.length} lines (${(density * 100).toFixed(1)}%)`,
+                    file: relFile
+                });
+            }
+        }
+    }
+
+    // ── v1.1: Config Impact Analysis ──
+    // Detects modifications to openclaw.json and dangerous configuration changes
+    checkConfigImpact(skillPath, skillName, findings) {
+        const files = this.getFiles(skillPath);
+
+        for (const file of files) {
+            const ext = path.extname(file).toLowerCase();
+            if (!CODE_EXTENSIONS.has(ext) && ext !== '.json') continue;
+
+            const relFile = path.relative(skillPath, file);
+            if (relFile.includes('node_modules') || relFile.startsWith('.git')) continue;
+
+            let content;
+            try { content = fs.readFileSync(file, 'utf-8'); } catch { continue; }
+
+            // Check 1: openclaw.json reference + write operation in same file
+            // Handles both direct and variable-based patterns (e.g. writeFileSync(configPath))
+            const hasConfigRef = /openclaw\.json/i.test(content);
+            const hasWriteOp = /(?:writeFileSync|writeFile|fs\.write)\s*\(/i.test(content);
+            if (hasConfigRef && hasWriteOp) {
+                // Find the write line for location info
+                const clines = content.split('\n');
+                let writeLine = 0;
+                for (let i = 0; i < clines.length; i++) {
+                    if (/(?:writeFileSync|writeFile|fs\.write)\s*\(/i.test(clines[i])) {
+                        writeLine = i + 1;
+                        break;
+                    }
+                }
+                findings.push({
+                    severity: 'CRITICAL', id: 'CFG_WRITE_DETECTED',
+                    cat: 'config-impact',
+                    desc: 'Code writes to openclaw.json',
+                    file: relFile, line: writeLine,
+                    sample: writeLine > 0 ? clines[writeLine - 1].trim().substring(0, 80) : ''
+                });
+            }
+
+            // Check 2: Dangerous config key modifications
+            const DANGEROUS_CONFIG_KEYS = [
+                { regex: /exec\.approvals?\s*[:=]\s*['"]?(off|false|disabled|none)/gi, id: 'CFG_EXEC_APPROVAL_OFF', desc: 'Disables exec approval requirement', severity: 'CRITICAL' },
+                { regex: /tools\.exec\.host\s*[:=]\s*['"]gateway['"]/gi, id: 'CFG_EXEC_HOST_GATEWAY', desc: 'Sets exec host to gateway (bypasses sandbox)', severity: 'CRITICAL' },
+                { regex: /hooks\s*\.\s*internal\s*\.\s*entries\s*[:=]/gi, id: 'CFG_HOOKS_INTERNAL', desc: 'Modifies internal hook entries', severity: 'HIGH' },
+                { regex: /network\.allowedDomains\s*[:=]\s*\[?\s*['"]\*['"]/gi, id: 'CFG_NET_WILDCARD', desc: 'Sets network allowedDomains to wildcard', severity: 'HIGH' },
+            ];
+
+            for (const check of DANGEROUS_CONFIG_KEYS) {
+                check.regex.lastIndex = 0;
+                if (check.regex.test(content)) {
+                    findings.push({
+                        severity: check.severity, id: check.id,
+                        cat: 'config-impact',
+                        desc: check.desc,
+                        file: relFile
+                    });
+                }
+            }
+        }
+    }
+
     checkHiddenFiles(skillPath, skillName, findings) {
         try {
             const entries = fs.readdirSync(skillPath);
@@ -631,6 +861,11 @@ class GuardScanner {
         if (cats.has('identity-hijack') && (cats.has('persistence') || cats.has('memory-poisoning'))) score = Math.max(score, 90);
         if (ids.has('IOC_IP') || ids.has('IOC_URL') || ids.has('KNOWN_TYPOSQUAT')) score = 100;
 
+        // v1.1 categories
+        if (cats.has('config-impact')) score = Math.round(score * 2);
+        if (cats.has('config-impact') && cats.has('sandbox-validation')) score = Math.max(score, 70);
+        if (cats.has('complexity') && (cats.has('malicious-code') || cats.has('obfuscation'))) score = Math.round(score * 1.5);
+
         return Math.min(100, score);
     }
 
@@ -701,6 +936,9 @@ class GuardScanner {
             if (cats.has('persistence')) skillRecs.push('⏰ PERSISTENCE: Creates scheduled tasks.');
             if (cats.has('cve-patterns')) skillRecs.push('🚨 CVE PATTERN: Matches known exploits.');
             if (cats.has('identity-hijack')) skillRecs.push('🔒 IDENTITY HIJACK: Agent soul file tampering. DO NOT INSTALL.');
+            if (cats.has('sandbox-validation')) skillRecs.push('🔒 SANDBOX: Skill requests dangerous capabilities.');
+            if (cats.has('complexity')) skillRecs.push('🧩 COMPLEXITY: Excessive code complexity may hide malicious behavior.');
+            if (cats.has('config-impact')) skillRecs.push('⚙️ CONFIG IMPACT: Modifies OpenClaw configuration. DO NOT INSTALL.');
 
             if (skillRecs.length > 0) recommendations.push({ skill: skillResult.skill, actions: skillRecs });
         }
@@ -754,54 +992,7 @@ class GuardScanner {
     }
 
     toHTML() {
-        const stats = this.stats;
-        const sevColors = { CRITICAL: '#dc2626', HIGH: '#ea580c', MEDIUM: '#ca8a04', LOW: '#65a30d' };
-
-        let skillRows = '';
-        for (const sr of this.findings) {
-            const findingRows = sr.findings.map(f => {
-                const color = sevColors[f.severity] || '#666';
-                return `<tr><td style="color:${color};font-weight:bold">${f.severity}</td><td>${f.cat}</td><td>${f.desc}</td><td>${f.file}${f.line ? ':' + f.line : ''}</td></tr>`;
-            }).join('\n');
-
-            const verdictColor = sr.verdict === 'MALICIOUS' ? '#dc2626' : sr.verdict === 'SUSPICIOUS' ? '#ca8a04' : '#65a30d';
-            skillRows += `
-        <div class="skill-card">
-          <h3>${sr.skill} <span style="color:${verdictColor}">[${sr.verdict}]</span> <small>Risk: ${sr.risk}</small></h3>
-          <table><thead><tr><th>Severity</th><th>Category</th><th>Description</th><th>Location</th></tr></thead>
-          <tbody>${findingRows}</tbody></table>
-        </div>`;
-        }
-
-        return `<!DOCTYPE html>
-<html lang="en"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1">
-<title>guard-scanner v${VERSION} Report</title>
-<style>
-  body{font-family:system-ui,sans-serif;max-width:1000px;margin:0 auto;padding:20px;background:#0f172a;color:#e2e8f0}
-  h1{color:#4ade80}h2{color:#86efac;border-bottom:1px solid #334155;padding-bottom:8px}h3{margin:0}
-  .stats{display:grid;grid-template-columns:repeat(5,1fr);gap:12px;margin:20px 0}
-  .stat{background:#1e293b;border-radius:8px;padding:16px;text-align:center}
-  .stat .num{font-size:2em;font-weight:bold}.stat .label{color:#94a3b8;font-size:0.85em}
-  .stat.clean .num{color:#4ade80}.stat.low .num{color:#86efac}.stat.suspicious .num{color:#fbbf24}.stat.malicious .num{color:#ef4444}
-  .skill-card{background:#1e293b;border-radius:8px;padding:16px;margin:12px 0;border-left:4px solid #334155}
-  table{width:100%;border-collapse:collapse;margin-top:8px;font-size:0.9em}
-  th,td{padding:6px 10px;text-align:left;border-bottom:1px solid #334155}
-  th{color:#94a3b8;font-weight:600}small{color:#64748b;margin-left:8px}
-  .footer{color:#475569;text-align:center;margin-top:40px;font-size:0.8em}
-</style></head><body>
-<h1>🛡️ guard-scanner v${VERSION}</h1>
-<p>Scan completed: ${new Date().toISOString()}</p>
-<div class="stats">
-  <div class="stat"><div class="num">${stats.scanned}</div><div class="label">Scanned</div></div>
-  <div class="stat clean"><div class="num">${stats.clean}</div><div class="label">Clean</div></div>
-  <div class="stat low"><div class="num">${stats.low}</div><div class="label">Low Risk</div></div>
-  <div class="stat suspicious"><div class="num">${stats.suspicious}</div><div class="label">Suspicious</div></div>
-  <div class="stat malicious"><div class="num">${stats.malicious}</div><div class="label">Malicious</div></div>
-</div>
-<h2>Findings</h2>
-${skillRows || '<p style="color:#4ade80">✅ No threats detected.</p>'}
-<div class="footer">guard-scanner v${VERSION} — Zero dependencies. Zero compromises. 🛡️</div>
-</body></html>`;
+        return generateHTML(VERSION, this.stats, this.findings);
     }
 }