hackmyagent 0.11.10 → 0.11.12

package/README.md

@@ -5,7 +5,7 @@
 [![License: Apache-2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
 [![Tests](https://img.shields.io/badge/tests-1051%20passing-brightgreen)](https://github.com/opena2a-org/hackmyagent)
 
-**199 security checks for AI agents. Find what can go wrong before an attacker does.**
+**204 security checks for AI agents. Find what can go wrong before an attacker does.**
 
 Security scanner and red-team toolkit for Claude Code, Cursor, VS Code, and any MCP server setup.
 
@@ -31,7 +31,7 @@ npx opena2a-cli review
 
 **Attack testing** -- 115 adversarial payloads across 11 categories (prompt injection, data exfiltration, jailbreak, MCP exploitation, supply chain, memory weaponization, A2A protocol attacks, context window attacks).
 
-**Static analysis** -- 199 security checks across 60 categories covering credentials, MCP configs, OpenClaw/NemoClaw, Unicode steganography, CVE detection, governance, supply chain, memory poisoning, agent identity, and sandbox escape patterns.
+**Static analysis** -- 204 security checks across 60 categories covering credentials, MCP configs, OpenClaw/NemoClaw, Unicode steganography, CVE detection, governance, supply chain, memory poisoning, agent identity, and sandbox escape patterns.
 
 <details>
 <summary>Attack testing details (115 payloads)</summary>
@@ -49,7 +49,7 @@ npx opena2a-cli review
 </details>
 
 <details>
-<summary>Static analysis details (199 checks)</summary>
+<summary>Static analysis details (204 checks)</summary>
 
 - **Unicode steganography** -- invisible codepoints, zero-width chars, bidi attacks, homoglyph confusables, GlassWorm decoders ([real-world: os-info-checker-es6 npm attack, May 2025](https://thehackernews.com/2025/05/malicious-npm-package-leverages-unicode.html))
 - **Hardcoded credentials** -- API keys, tokens, and passwords in source or config files
@@ -65,7 +65,7 @@ npx opena2a-cli review
 
 </details>
 
-199 checks across 60 categories. 115 attack payloads. No flags needed.
+204 checks across 60 categories. 115 attack payloads. No flags needed.
 
 ---
 
@@ -88,7 +88,7 @@ npm install --save-dev hackmyagent
 ```
 
 ┌──────────────────────────────────────────┐
-│  HackMyAgent v0.11.5 — Security Scanner          │
+│  HackMyAgent v0.11.10 — Security Scanner         │
 │  Found: 3 critical · 5 high · 12 medium          │
 │                                                  │
 │  CRED-001  critical  Hardcoded API key in .env   │
@@ -107,7 +107,7 @@ npm install --save-dev hackmyagent
 
 Step-by-step guides for common workflows:
 
-- **[Scan my agent](docs/use-cases/scan-my-agent.md)** -- Run all 199 checks and auto-fix findings (5 min)
+- **[Scan my agent](docs/use-cases/scan-my-agent.md)** -- Run all 204 checks and auto-fix findings (5 min)
 - **[Red-team MCP servers](docs/use-cases/red-team-mcp.md)** -- Test MCP servers with adversarial payloads (10 min)
 - **[Secure OpenClaw](docs/use-cases/openclaw-security.md)** -- Auto-detected when OpenClaw files are present. Includes CVE detection and ClawHavoc IOC scanning (10 min)
 - **[CI/CD pipeline](docs/use-cases/ci-pipeline.md)** -- GitHub Actions with JSON/SARIF output (5 min)
@@ -281,7 +281,7 @@ hackmyagent harden-soul --dry-run         # preview without writing
 
 ### OpenClaw and NemoClaw Detection
 
-`hackmyagent secure` auto-detects OpenClaw and NemoClaw installations by looking for `.openclaw/`, `.moltbot/`, `.nemoclaw/`, `openclaw.json`, and `openclaw.plugin.json`. When detected, it automatically runs platform-specific checks (28 NemoClaw checks, 34 OpenClaw checks) alongside the standard 199 security checks. No separate commands needed.
+`hackmyagent secure` auto-detects OpenClaw and NemoClaw installations by looking for `.openclaw/`, `.moltbot/`, `.nemoclaw/`, `openclaw.json`, and `openclaw.plugin.json`. When detected, it automatically runs platform-specific checks (28 NemoClaw checks, 34 OpenClaw checks) alongside the standard 204 security checks. No separate commands needed.
 
 
 ---

package/dist/cli.js

@@ -118,7 +118,7 @@ program
     .name('hackmyagent')
     .description(`Find it. Break it. Fix it.
 
-The hacker's toolkit for AI agents. 199 security checks, 115 attack
+The hacker's toolkit for AI agents. 204 security checks, 115 attack
 payloads, auto-fix with rollback, and OASB benchmark compliance.
 
 Documentation: https://hackmyagent.com/docs
@@ -127,10 +127,10 @@ Updates (v${index_1.VERSION}):
   - NemoClaw sandbox scanner (28 installation checks)
   - 10 new static analysis patterns (NEMO series)
   - Community trust contributions
-  - 199 checks across 60 categories
+  - 204 checks across 60 categories
 
 Examples:
-  $ hackmyagent secure                         Find vulnerabilities (199 checks)
+  $ hackmyagent secure                         Find vulnerabilities (204 checks)
   $ hackmyagent attack --local                 Break it with 115 attack payloads
   $ hackmyagent secure --fix                   Fix issues automatically
   $ hackmyagent fix-all                        Run all security plugins
@@ -139,7 +139,7 @@ Examples:
     .option('--no-color', 'Disable colored output (also respects NO_COLOR env)');
 program.addHelpText('beforeAll', `
 Quick start:
-  $ hackmyagent secure              Scan current directory (199 checks)
+  $ hackmyagent secure              Scan current directory (204 checks)
   $ hackmyagent fix-all --with-aim  Auto-fix + create agent identity
   $ hackmyagent attack              Red-team your agent
 `);
@@ -1695,7 +1695,7 @@ program
     .command('secure')
     .description(`Scan and harden your agent setup
 
-Performs 199 security checks across 60 categories:
+Performs 204 security checks across 60 categories:
   • Credentials: API key exposure, secrets in configs
   • MCP: Server configs, tool permissions, secrets
   • Network: TLS, interface bindings, CORS
@@ -4303,7 +4303,7 @@ Examples:
         console.log(`\n  Detected: ${result.tool}\n`);
         console.log(`  Added HackMyAgent MCP server to ${result.configPath}\n`);
         console.log(`  Available tools in ${result.tool}:`);
-        console.log(`    hackmyagent_scan       — 199 checks + structural analysis`);
+        console.log(`    hackmyagent_scan       — 204 checks + structural analysis`);
         console.log(`    hackmyagent_deep_scan  — Full analysis with LLM reasoning`);
         console.log(`    hackmyagent_analyze_file — Analyze a single file`);
         console.log(`    hackmyagent_benchmark  — OASB-1 compliance assessment\n`);

package/dist/hardening/scanner.d.ts

@@ -123,7 +123,7 @@ export declare class HardeningScanner {
      */
     private findSkillFiles;
     /**
-     * OpenClaw skill security checks (SKILL-001 to SKILL-006)
+     * OpenClaw skill security checks (SKILL-001 to SKILL-024)
      */
     private checkOpenclawSkills;
     /**

package/dist/hardening/scanner.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"scanner.d.ts","sourceRoot":"","sources":["../../src/hardening/scanner.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAKH,OAAO,KAAK,EAAE,UAAU,EAA0C,MAAM,kBAAkB,CAAC;AAwG3F,0CAA0C;AAC1C,MAAM,MAAM,SAAS,GAAG,OAAO,GAAG,UAAU,GAAG,MAAM,CAAC;AAEtD,MAAM,WAAW,WAAW;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,0CAA0C;IAC1C,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,0DAA0D;IAC1D,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,wEAAwE;IACxE,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,2EAA2E;IAC3E,IAAI,CAAC,EAAE,OAAO,CAAC;IACf;;;;;OAKG;IACH,SAAS,CAAC,EAAE,SAAS,CAAC;IACtB,oDAAoD;IACpD,UAAU,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;IACvC,mEAAmE;IACnE,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAoID,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,OAAO,CAAiB;IAEhC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,CA2BlC;IAEF;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAM7B;;OAEG;YACW,aAAa;IAa3B;;OAEG;IACH,OAAO,CAAC,aAAa;IASf,IAAI,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,UAAU,CAAC;YAkZvC,cAAc;IAwE5B;;OAEG;YACW,iBAAiB;IA+F/B;;OAEG;IACH,OAAO,CAAC,gBAAgB;YAeV,uBAAuB;YAoGvB,aAAa;YAiDb,cAAc;YAiGd,oBAAoB;YAyDpB,gBAAgB;YAgJhB,oBAAoB;YAkFpB,gBAAgB;YA8IhB,mBAAmB;YA8EnB,iBAAiB;YA0CjB,iBAAiB;YAiEjB,wBAAwB;YA6FxB,wBAAwB;YAqExB,wBAAwB;YAyHxB,oBAAoB;YAmHpB,uBAAuB;YA4IvB,iBAAiB;YAkHjB,oBAAoB;YA0HpB,mBAAmB;YAqGnB,gBAAgB;YAwIhB,oBAAoB;YAwIpB,gBAAgB;YA6HhB,qBAAqB;YAmHrB,eAAe;IAqI7B;;OAEG;YACW,mBAAmB;IAkHjC;;OAEG;YACW,oBAAoB;IAqKlC;;OAEG;YACW,iBAAiB;IAgJ/B;;OAEG;YACW,oBAAoB;IA4IlC;;OAEG;YACW,eAAe;IAyJ7B;;OAEG;YACW,eAAe;IA2I7B;;OAEG;YACW,eAAe;IA6G7B;;OAEG;YACW,mBAAmB;IAuHjC,OAAO,CAAC,cAAc;IAsBtB;;OAEG;YACW,YAAY;IAmE1B;;OAEG;IACG,QAAQ,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IA6DhD;;;OAGG;YACW,cAAc;IAgD5B;;OAEG;YACW,mBAAmB;IAwdjC;;;OAGG;YACW,kBAAkB;IAgDhC;;OAEG;YACW,sBAAsB;IAkMpC;;OAEG;YACW,sBAAsB;IA+BpC;;OAEG;YACW,oBAAoB;IAgWlC;;OAEG;IACH,OAAO,CAAC,mBAAmB;IA4B3B;;OAEG;YACW,iBAAiB;IA8D/B;;OAEG;YACW,mBAAmB;IA2WjC;;OAEG;YACW,wBAAwB;IAqPtC;;OAEG;YACW,gBAAgB;IAoK9B;;;OAGG;YACW,eAAe;IAoD7B;;;OAGG;YACW,aAAa;IAwC3B;;;OAGG;YACW,oBAAoB;IAoKlC;;;OAGG;YACW,iBAAiB;IAiI/B;;;OAGG;YACW,kBAAkB;IAkFhC;;;OAGG;YACW,aAAa;IA0F3B;;OAEG;YACW,gBAAgB;IAiE9B;;;;OAIG;YACW,yBAAyB;IA0WvC;;;;;OAKG;YACW,qBAAqB;IAqnBnC;;;;OAIG;YACW,gBAAgB;IA2G9B;;;;OAIG;YACW,mBAAmB;IAmKjC;;;;OAIG;YACW,gBAAgB;IAkF9B;;;OAGG;YACW,iBAAiB;IA+C/B;;;;OAIG;YACW,yBAAyB;IA6FvC;;;OAGG;YACW,kBAAkB;IA8ChC;;;OAGG;YACW,mBAAmB;IA4CjC;;;OAGG;YACW,6BAA6B;IAiD3C;;;OAGG;YACW,oBAAoB;IA4ClC;;;OAGG;YACW,WAAW;IA4DzB;;;OAGG;YACW,aAAa;IAgD3B;;;OAGG;YACW,oBAAoB;IA6ClC;;;OAGG;YACW,YAAY;IAmD1B;;;OAGG;YACW,qBAAqB;IA+DnC;;;;OAIG;YACW,oBAAoB;IAyHlC;;;OAGG;YACW,iBAAiB;IA+F/B;;;OAGG;YACW,4BAA4B;IAqD1C;;;OAGG;YACW,8BAA8B;IAgE5C,+DAA+D;YACjD,YAAY;CA+B3B"}
+{"version":3,"file":"scanner.d.ts","sourceRoot":"","sources":["../../src/hardening/scanner.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAKH,OAAO,KAAK,EAAE,UAAU,EAA0C,MAAM,kBAAkB,CAAC;AAwG3F,0CAA0C;AAC1C,MAAM,MAAM,SAAS,GAAG,OAAO,GAAG,UAAU,GAAG,MAAM,CAAC;AAEtD,MAAM,WAAW,WAAW;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,0CAA0C;IAC1C,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,0DAA0D;IAC1D,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,wEAAwE;IACxE,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,2EAA2E;IAC3E,IAAI,CAAC,EAAE,OAAO,CAAC;IACf;;;;;OAKG;IACH,SAAS,CAAC,EAAE,SAAS,CAAC;IACtB,oDAAoD;IACpD,UAAU,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;IACvC,mEAAmE;IACnE,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAoID,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,OAAO,CAAiB;IAEhC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,CA2BlC;IAEF;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAM7B;;OAEG;YACW,aAAa;IAa3B;;OAEG;IACH,OAAO,CAAC,aAAa;IASf,IAAI,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,UAAU,CAAC;YAkZvC,cAAc;IAwE5B;;OAEG;YACW,iBAAiB;IA+F/B;;OAEG;IACH,OAAO,CAAC,gBAAgB;YAeV,uBAAuB;YAoGvB,aAAa;YAiDb,cAAc;YAiGd,oBAAoB;YAyDpB,gBAAgB;YAgJhB,oBAAoB;YAkFpB,gBAAgB;YA8IhB,mBAAmB;YA8EnB,iBAAiB;YA0CjB,iBAAiB;YAiEjB,wBAAwB;YA6FxB,wBAAwB;YAqExB,wBAAwB;YAyHxB,oBAAoB;YAmHpB,uBAAuB;YA4IvB,iBAAiB;YAkHjB,oBAAoB;YA0HpB,mBAAmB;YAqGnB,gBAAgB;YAwIhB,oBAAoB;YAwIpB,gBAAgB;YA6HhB,qBAAqB;YAmHrB,eAAe;IAqI7B;;OAEG;YACW,mBAAmB;IAkHjC;;OAEG;YACW,oBAAoB;IAqKlC;;OAEG;YACW,iBAAiB;IAgJ/B;;OAEG;YACW,oBAAoB;IA4IlC;;OAEG;YACW,eAAe;IAyJ7B;;OAEG;YACW,eAAe;IA2I7B;;OAEG;YACW,eAAe;IA6G7B;;OAEG;YACW,mBAAmB;IAuHjC,OAAO,CAAC,cAAc;IAsBtB;;OAEG;YACW,YAAY;IAmE1B;;OAEG;IACG,QAAQ,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IA6DhD;;;OAGG;YACW,cAAc;IAgD5B;;OAEG;YACW,mBAAmB;IA6pBjC;;;OAGG;YACW,kBAAkB;IAgDhC;;OAEG;YACW,sBAAsB;IAkMpC;;OAEG;YACW,sBAAsB;IA+BpC;;OAEG;YACW,oBAAoB;IAgWlC;;OAEG;IACH,OAAO,CAAC,mBAAmB;IA4B3B;;OAEG;YACW,iBAAiB;IA8D/B;;OAEG;YACW,mBAAmB;IA2WjC;;OAEG;YACW,wBAAwB;IAqPtC;;OAEG;YACW,gBAAgB;IAoK9B;;;OAGG;YACW,eAAe;IAoD7B;;;OAGG;YACW,aAAa;IAwC3B;;;OAGG;YACW,oBAAoB;IAoKlC;;;OAGG;YACW,iBAAiB;IAiI/B;;;OAGG;YACW,kBAAkB;IAkFhC;;;OAGG;YACW,aAAa;IA0F3B;;OAEG;YACW,gBAAgB;IAiE9B;;;;OAIG;YACW,yBAAyB;IA0WvC;;;;;OAKG;YACW,qBAAqB;IAqnBnC;;;;OAIG;YACW,gBAAgB;IA2G9B;;;;OAIG;YACW,mBAAmB;IAmKjC;;;;OAIG;YACW,gBAAgB;IAkF9B;;;OAGG;YACW,iBAAiB;IA+C/B;;;;OAIG;YACW,yBAAyB;IA6FvC;;;OAGG;YACW,kBAAkB;IA8ChC;;;OAGG;YACW,mBAAmB;IA4CjC;;;OAGG;YACW,6BAA6B;IAiD3C;;;OAGG;YACW,oBAAoB;IA4ClC;;;OAGG;YACW,WAAW;IA4DzB;;;OAGG;YACW,aAAa;IAgD3B;;;OAGG;YACW,oBAAoB;IA6ClC;;;OAGG;YACW,YAAY;IAmD1B;;;OAGG;YACW,qBAAqB;IA+DnC;;;;OAIG;YACW,oBAAoB;IAyHlC;;;OAGG;YACW,iBAAiB;IA+F/B;;;OAGG;YACW,4BAA4B;IAqD1C;;;OAGG;YACW,8BAA8B;IAgE5C,+DAA+D;YACjD,YAAY;CA+B3B"}

package/dist/hardening/scanner.js

@@ -4105,7 +4105,7 @@ dist/
         return skillFiles;
     }
     /**
-     * OpenClaw skill security checks (SKILL-001 to SKILL-006)
+     * OpenClaw skill security checks (SKILL-001 to SKILL-024)
      */
     async checkOpenclawSkills(targetDir, autoFix) {
         const findings = [];
@@ -4543,6 +4543,197 @@ dist/
                     }
                 }
             }
+            // SKILL-020: Missing/invalid frontmatter
+            const fmMatch = content.match(/^---\r?\n([\s\S]*?)\r?\n---/);
+            if (!fmMatch) {
+                findings.push({
+                    checkId: 'SKILL-020',
+                    name: 'Missing YAML Frontmatter',
+                    description: 'Skill file lacks required YAML frontmatter for capability declaration',
+                    category: 'skill',
+                    severity: 'high',
+                    passed: false,
+                    message: `${relativePath}: Skill file lacks required YAML frontmatter (---). Add frontmatter with name, version, and capabilities fields.`,
+                    file: relativePath,
+                    fixable: true,
+                    fix: 'Add YAML frontmatter block with name, version, and capabilities fields',
+                    guidance: 'Skills without frontmatter cannot declare their capabilities, making permission validation impossible. Add a --- delimited YAML block at the top of the file.',
+                });
+            }
+            else {
+                const fmRaw = fmMatch[1];
+                const requiredFields = ['name', 'version', 'capabilities'];
+                const missingFields = requiredFields.filter(f => !new RegExp(`^${f}:`, 'm').test(fmRaw));
+                if (missingFields.length > 0) {
+                    findings.push({
+                        checkId: 'SKILL-020',
+                        name: 'Incomplete Frontmatter',
+                        description: 'Skill frontmatter is missing required fields',
+                        category: 'skill',
+                        severity: 'high',
+                        passed: false,
+                        message: `${relativePath}: Missing required frontmatter fields: ${missingFields.join(', ')}. These are needed for capability declaration and version tracking.`,
+                        file: relativePath,
+                        fixable: true,
+                        fix: `Add missing fields to frontmatter: ${missingFields.join(', ')}`,
+                        guidance: 'Incomplete frontmatter prevents proper capability validation. Every skill should declare name, version, and capabilities.',
+                    });
+                }
+                else {
+                    findings.push({
+                        checkId: 'SKILL-020',
+                        name: 'Valid Frontmatter',
+                        description: 'Skill file has valid YAML frontmatter with required fields',
+                        category: 'skill',
+                        severity: 'high',
+                        passed: true,
+                        message: 'Skill has valid frontmatter with name, version, and capabilities',
+                        file: relativePath,
+                        fixable: false,
+                        fix: 'No action needed',
+                        guidance: 'Skill frontmatter is properly configured.',
+                    });
+                }
+            }
+            // SKILL-021: Overprivileged permissions (dangerous capability combinations)
+            const dangerousCombos = [
+                {
+                    combo: ['filesystem:*', 'network:outbound'],
+                    reason: 'filesystem:* + network:outbound enables data exfiltration',
+                },
+                {
+                    combo: ['credential:read', 'network:outbound'],
+                    reason: 'credential:read + network:outbound enables credential exfiltration',
+                },
+            ];
+            const capPatterns = content.match(/(?:filesystem|network|credential|tool):[a-z*]+/g) || [];
+            const allCaps = [...new Set(capPatterns)];
+            // Also include capabilities from frontmatter if parsed
+            const declaredCapsForPriv = (0, skill_capability_validator_1.parseDeclaredCapabilities)(content);
+            for (const dc of declaredCapsForPriv.capabilities) {
+                if (!allCaps.includes(dc))
+                    allCaps.push(dc);
+            }
+            for (const { combo, reason } of dangerousCombos) {
+                const matchCap = (actual, pattern) => {
+                    if (actual === pattern)
+                        return true;
+                    if (pattern.endsWith(':*'))
+                        return actual.startsWith(pattern.slice(0, -1));
+                    if (actual.endsWith(':*'))
+                        return pattern.startsWith(actual.slice(0, -1));
+                    return false;
+                };
+                const hasFirst = allCaps.some(c => matchCap(c, combo[0]));
+                const hasSecond = allCaps.some(c => matchCap(c, combo[1]));
+                if (hasFirst && hasSecond) {
+                    findings.push({
+                        checkId: 'SKILL-021',
+                        name: 'Overprivileged Permissions',
+                        description: 'Skill has dangerous capability combination that enables exfiltration',
+                        category: 'skill',
+                        severity: 'high',
+                        passed: false,
+                        message: `${relativePath}: ${reason}. Restrict filesystem access to specific paths or remove outbound network access.`,
+                        file: relativePath,
+                        fixable: false,
+                        fix: 'Restrict capabilities to minimum required permissions',
+                        guidance: 'Dangerous capability combinations can enable data or credential exfiltration. Follow the principle of least privilege.',
+                    });
+                }
+            }
+            // SKILL-022: Environment variable exfiltration
+            const envAccessPatterns = [
+                /process\.env/,
+                /os\.environ/,
+                /\$ENV\{/,
+                /System\.getenv/,
+                /printenv/,
+                /\$\(env\)/,
+                /\$\(printenv/,
+                /\$HOME\b/,
+                /\$\{[A-Z_]+\}/,
+            ];
+            const outboundPatterns = [
+                /network:outbound/,
+                /fetch\s*\(/,
+                /https?:\/\//,
+                /XMLHttpRequest/,
+                /\.send\s*\(/,
+                /curl\s/,
+                /wget\s/,
+            ];
+            const hasEnvAccess = envAccessPatterns.some(p => p.test(content));
+            const hasOutbound = outboundPatterns.some(p => p.test(content));
+            if (hasEnvAccess && hasOutbound) {
+                findings.push({
+                    checkId: 'SKILL-022',
+                    name: 'Environment Variable Exfiltration Risk',
+                    description: 'Skill accesses environment variables and has outbound network capability',
+                    category: 'skill',
+                    severity: 'critical',
+                    passed: false,
+                    message: `${relativePath}: Skill accesses environment variables AND has outbound network capability. This combination can exfiltrate secrets via network requests.`,
+                    file: relativePath,
+                    fixable: false,
+                    fix: 'Remove outbound network access or environment variable reads',
+                    guidance: 'Skills that read environment variables and send data externally can exfiltrate API keys, tokens, and other secrets stored in environment variables.',
+                });
+            }
+            // SKILL-023: Obfuscated code patterns
+            const obfuscationPatterns = [
+                { pattern: /atob\s*\(/, label: 'atob() base64 decode' },
+                { pattern: /Buffer\.from\s*\(/, label: 'Buffer.from() decode' },
+                { pattern: /eval\s*\(/, label: 'eval() dynamic execution' },
+                { pattern: /String\.fromCharCode/, label: 'String.fromCharCode obfuscation' },
+                { pattern: /\\x[0-9a-fA-F]{2}/, label: 'hex-encoded string' },
+                { pattern: /(?:atob|Buffer\.from)\s*\([^)]+\)[\s\S]*?eval\s*\(/, label: 'base64+eval combo' },
+                { pattern: /base64\s+-d/, label: 'shell base64 decode' },
+                { pattern: /eval\s+\$\(/, label: 'shell eval $(...)' },
+                { pattern: /\becho\s+['"][A-Za-z0-9+/=]{20,}['"]\s*\|\s*base64/, label: 'echo+base64 pipe' },
+                { pattern: /new\s+Function\s*\(/, label: 'new Function() dynamic execution' },
+            ];
+            for (const { pattern, label } of obfuscationPatterns) {
+                if (pattern.test(content)) {
+                    findings.push({
+                        checkId: 'SKILL-023',
+                        name: 'Obfuscated Code Pattern',
+                        description: 'Skill contains obfuscated code that may hide malicious behavior',
+                        category: 'skill',
+                        severity: 'high',
+                        passed: false,
+                        message: `${relativePath}: Detected ${label}. Obfuscated code in skills can hide malicious behavior and should be reviewed.`,
+                        file: relativePath,
+                        fixable: false,
+                        fix: 'Replace obfuscated code with readable equivalent',
+                        guidance: 'Obfuscated code (base64 decode, eval, hex-encoded strings) in skills is a strong indicator of hidden malicious behavior. Review and replace with transparent code.',
+                    });
+                    break; // One finding per file for obfuscation
+                }
+            }
+            // SKILL-024: Unbounded tool chaining
+            const hasToolChain = allCaps.some(c => c.includes('tool:chain'));
+            if (hasToolChain) {
+                const hasFm = !!fmMatch;
+                const fmContent = hasFm ? fmMatch[1] : '';
+                const hasMaxIterations = hasFm && (/maxIterations/i.test(fmContent) ||
+                    /iterationLimit/i.test(fmContent));
+                if (!hasMaxIterations) {
+                    findings.push({
+                        checkId: 'SKILL-024',
+                        name: 'Unbounded Tool Chaining',
+                        description: 'Skill declares tool:chain capability without iteration limits',
+                        category: 'skill',
+                        severity: 'medium',
+                        passed: false,
+                        message: `${relativePath}: Skill declares tool:chain capability without maxIterations or iterationLimit. Unbounded chaining can lead to infinite loops or resource exhaustion.`,
+                        file: relativePath,
+                        fixable: true,
+                        fix: 'Add maxIterations or iterationLimit to skill frontmatter',
+                        guidance: 'Tool chaining without iteration limits can cause infinite loops, resource exhaustion, or runaway costs. Set a reasonable maxIterations value in frontmatter.',
+                    });
+                }
+            }
         }
         return findings;
     }