npm - promptgraph-mcp - Versions diffs - 1.5.6 → 1.5.8 - Mend

promptgraph-mcp 1.5.6 → 1.5.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/index.js CHANGED Viewed

@@ -15,9 +15,12 @@ import boxen from 'boxen';
 import chalk from 'chalk';
 const args = process.argv.slice(2);
-const bin = process.argv[1]?.split(/[\\/]/).pop()?.replace(/\.js$/, '') || 'pg';
+// argv[1] is the resolved index.js path (esp. on Windows global installs),
+// so derive a friendly name instead of showing "index".
+const rawBin = process.argv[1]?.split(/[\\/]/).pop()?.replace(/\.js$/, '');
+const bin = (rawBin && rawBin !== 'index') ? rawBin : 'pg';
-const KNOWN_COMMANDS = new Set(['init', 'reindex', 'import', 'setup', 'help', '--help', '-h']);
+const KNOWN_COMMANDS = new Set(['init', 'reindex', 'import', 'setup', 'validate', 'marketplace', 'help', '--help', '-h']);
 function showHelp() {
   console.log(
@@ -32,6 +35,8 @@ function showHelp() {
     ['init',                'First-time setup + index all skills'],
     ['reindex',             'Re-index all skills'],
     ['import <owner/repo>', 'Import skills from GitHub'],
+    ['marketplace [page]',  'Browse the community skill registry'],
+    ['validate <file.md>',  'Validate a skill before publishing'],
     ['setup <platform>',    'Register MCP in platform config'],
     ['help',                'Show this help'],
   ];
@@ -53,6 +58,71 @@ if (!KNOWN_COMMANDS.has(args[0])) {
   process.exit(1);
 }
+if (args[0] === 'marketplace') {
+  const { browseMarketplace } = await import('./marketplace.js');
+  const PER_PAGE = 10;
+  const page = Math.max(1, parseInt(args[1]) || 1);
+  const spin = (await import('./cli.js')).spinner('Fetching registry...');
+  spin.start();
+  const all = await browseMarketplace(1000);
+  spin.stop();
+  if (all?.error) {
+    error(all.error);
+    process.exit(1);
+  }
+  if (!all.length) {
+    info('Registry is empty. Be the first to contribute!');
+    console.log(chalk.gray('  github.com/NeiP4n/promptgraph-registry\n'));
+    process.exit(0);
+  }
+  const totalPages = Math.ceil(all.length / PER_PAGE);
+  const slice = all.slice((page - 1) * PER_PAGE, page * PER_PAGE);
+  console.log(
+    boxen(
+      chalk.hex('#7C3AED').bold('Marketplace') + '  ' +
+      chalk.gray(`page ${page}/${totalPages}  ·  ${all.length} skills`),
+      { padding: { top: 0, bottom: 0, left: 2, right: 2 }, borderStyle: 'round', borderColor: '#7C3AED', dimBorder: true }
+    )
+  );
+  console.log();
+  for (const s of slice) {
+    const stars = s.stars ? chalk.yellow('★ ' + s.stars) : chalk.gray('★ 0');
+    console.log('  ' + chalk.white.bold(s.id) + '  ' + stars);
+    console.log('  ' + chalk.gray((s.description || '').slice(0, 80)));
+    if (s.tags?.length) console.log('  ' + chalk.hex('#7C3AED')(s.tags.map(t => '#' + t).join(' ')));
+    console.log();
+  }
+  if (totalPages > 1) {
+    const nav = [];
+    if (page > 1) nav.push(`${bin} marketplace ${page - 1}`);
+    if (page < totalPages) nav.push(`${bin} marketplace ${page + 1}`);
+    console.log(chalk.gray('  ' + nav.join('   ·   ')));
+  }
+  console.log(chalk.gray('\n  To install or publish, ask your AI assistant — it uses the pg_marketplace_* tools.\n'));
+  process.exit(0);
+}
+if (args[0] === 'validate') {
+  const { validateSkill } = await import('./validator.js');
+  const file = args[1];
+  if (!file) { error('Usage: ' + bin + ' validate <skill.md>'); process.exit(1); }
+  const result = validateSkill(file);
+  result.warnings.forEach(w => console.log(chalk.yellow('⚠') + '  ' + chalk.gray(w)));
+  if (result.ok) {
+    success('Skill is valid');
+    process.exit(0);
+  } else {
+    error('Validation failed:');
+    result.errors.forEach(e => console.log('   ' + chalk.red('•') + ' ' + e));
+    process.exit(1);
+  }
+}
 if (args[0] === 'import') {
   await importFromGitHub(args[1]);
   process.exit(0);

package/marketplace.js CHANGED Viewed

@@ -3,6 +3,7 @@ import path from 'path';
 import os from 'os';
 import { spawnSync } from 'child_process';
 import { getDb } from './db.js';
+import { validateSkill } from './validator.js';
 const REGISTRY_URL = 'https://raw.githubusercontent.com/NeiP4n/promptgraph-registry/main/registry.json';
 const SKILLS_DIR = path.join(os.homedir(), '.claude', 'skills-store', 'marketplace');
@@ -47,7 +48,12 @@ export async function installSkill(skillId) {
 export async function publishSkill(filePath) {
   if (!fs.existsSync(filePath)) return { error: `File not found: ${filePath}` };
-  const content = fs.readFileSync(filePath, 'utf8');
+  // validate before publishing — block junk and malicious skills
+  const validation = validateSkill(filePath);
+  if (!validation.ok) {
+    return { error: 'Validation failed', issues: validation.errors, warnings: validation.warnings };
+  }
   const name = path.basename(filePath, '.md');
   try {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "promptgraph-mcp",
-  "version": "1.5.6",
+  "version": "1.5.8",
   "main": "index.js",
   "type": "module",
   "bin": {

package/validator.js ADDED Viewed

@@ -0,0 +1,110 @@
+import fs from 'fs';
+import matter from 'gray-matter';
+// patterns that indicate malicious or junk skills
+const DANGEROUS_PATTERNS = [
+  { re: /curl\s+[^\n|]*\|\s*(ba)?sh/i, msg: 'pipes remote content to shell (curl | sh)' },
+  { re: /wget\s+[^\n|]*\|\s*(ba)?sh/i, msg: 'pipes remote content to shell (wget | sh)' },
+  { re: /rm\s+-rf\s+[~/]/i, msg: 'destructive rm -rf on home/root' },
+  { re: /\b(eval|exec)\s*\(\s*(atob|base64|fromCharCode)/i, msg: 'obfuscated code execution' },
+  { re: /(AWS|SECRET|PRIVATE|API)_?KEY\s*=\s*["'][A-Za-z0-9/+]{16,}/i, msg: 'hardcoded credential' },
+  { re: /process\.env\.[A-Z_]+\s*[^\n]{0,40}(fetch|http|post|curl)/i, msg: 'reads env vars and exfiltrates over network' },
+  { re: /\b(ignore|disregard|forget)\s+(all\s+)?(previous|prior|above)\s+(instructions|prompts?|rules)/i, msg: 'prompt injection attempt' },
+  { re: /\b(reveal|print|output|show)\s+(your\s+)?(system\s+prompt|instructions|api\s*key)/i, msg: 'prompt extraction attempt' },
+  { re: /\.ssh\/id_rsa|\.aws\/credentials|\.env\b.*(cat|read|cp|mv)/i, msg: 'accesses sensitive credential files' },
+];
+const MIN_CONTENT_LENGTH = 200;       // chars of actual instruction
+const MAX_CONTENT_LENGTH = 100000;    // 100KB cap
+const MIN_DESCRIPTION_LENGTH = 15;
+const NAME_RE = /^[a-z0-9][a-z0-9-]{1,63}$/;
+export function validateSkill(filePath) {
+  const errors = [];
+  const warnings = [];
+  if (!fs.existsSync(filePath)) {
+    return { ok: false, errors: ['File does not exist'], warnings: [] };
+  }
+  const raw = fs.readFileSync(filePath, 'utf8');
+  // size checks
+  if (raw.length < MIN_CONTENT_LENGTH) {
+    errors.push(`Too short (${raw.length} chars, min ${MIN_CONTENT_LENGTH}). Likely not a real skill.`);
+  }
+  if (raw.length > MAX_CONTENT_LENGTH) {
+    errors.push(`Too large (${raw.length} chars, max ${MAX_CONTENT_LENGTH}).`);
+  }
+  // frontmatter
+  let data, content;
+  try {
+    const parsed = matter(raw);
+    data = parsed.data;
+    content = parsed.content;
+  } catch (e) {
+    errors.push(`Invalid frontmatter: ${e.message}`);
+    return { ok: false, errors, warnings };
+  }
+  // name
+  if (!data.name) {
+    errors.push('Missing required field: name');
+  } else if (typeof data.name !== 'string') {
+    errors.push('Field "name" must be a string');
+  } else if (!NAME_RE.test(data.name)) {
+    errors.push(`Invalid name "${data.name}". Use lowercase, digits, hyphens (2-64 chars).`);
+  }
+  // description
+  if (!data.description) {
+    errors.push('Missing required field: description');
+  } else if (typeof data.description !== 'string') {
+    errors.push('Field "description" must be a string');
+  } else if (data.description.trim().length < MIN_DESCRIPTION_LENGTH) {
+    errors.push(`Description too short (min ${MIN_DESCRIPTION_LENGTH} chars).`);
+  }
+  // body must have real instruction content
+  if (content && content.trim().length < MIN_CONTENT_LENGTH) {
+    warnings.push('Body is very short — may lack actionable instructions.');
+  }
+  // security scan over the whole file
+  for (const { re, msg } of DANGEROUS_PATTERNS) {
+    if (re.test(raw)) {
+      errors.push(`Security: ${msg}`);
+    }
+  }
+  // junk filename heuristic
+  const base = filePath.split(/[\\/]/).pop().toLowerCase();
+  if (['readme.md', 'changelog.md', 'license.md', 'contributing.md'].includes(base)) {
+    warnings.push('Filename looks like a docs file, not a skill.');
+  }
+  return { ok: errors.length === 0, errors, warnings };
+}
+// CLI: node validator.js <file>
+if (import.meta.url === `file://${process.argv[1]}`) {
+  const file = process.argv[2];
+  if (!file) {
+    console.error('Usage: node validator.js <skill.md>');
+    process.exit(1);
+  }
+  const result = validateSkill(file);
+  if (result.warnings.length) {
+    console.log('⚠ Warnings:');
+    result.warnings.forEach(w => console.log('  - ' + w));
+  }
+  if (result.ok) {
+    console.log('✓ Skill is valid');
+    process.exit(0);
+  } else {
+    console.log('✗ Validation failed:');
+    result.errors.forEach(e => console.log('  - ' + e));
+    process.exit(1);
+  }
+}