ship-safe 6.3.0 → 6.4.0

package/README.md

@@ -18,9 +18,9 @@
 
 18 security agents. 80+ attack classes. One command.
 
-**Ship Safe v6.2.0** is an AI-powered security platform that runs 18 specialized agents in parallel against your codebase, scanning for secrets, injection vulnerabilities, auth bypass, SSRF, supply chain attacks, Supabase RLS misconfigs, Docker/Terraform/Kubernetes misconfigs, CI/CD pipeline poisoning, LLM/agentic AI security, MCP server misuse, RAG poisoning, PII compliance, vibe coding patterns, exception handling, AI agent config security, and more. OWASP 2025 scoring with EPSS exploit probability. LLM-powered deep analysis verifies exploitability of critical findings. Secrets verification probes provider APIs to check if leaked keys are still active. Compliance mapping to SOC 2, ISO 27001, and NIST AI RMF. Built-in threat intelligence feed with offline-first IOC matching. CI integration with GitHub PR comments, threshold gating, and SARIF output.
+**Ship Safe v6.4.0** is an AI-powered security platform that runs 18 specialized agents in parallel against your codebase, scanning for secrets, injection vulnerabilities, auth bypass, SSRF, supply chain attacks, Supabase RLS misconfigs, Docker/Terraform/Kubernetes misconfigs, CI/CD pipeline poisoning, LLM/agentic AI security, MCP server misuse, RAG poisoning, PII compliance, vibe coding patterns, exception handling, AI agent config security, and more. OWASP 2025 scoring with EPSS exploit probability. LLM-powered deep analysis verifies exploitability of critical findings. Secrets verification probes provider APIs to check if leaked keys are still active. Compliance mapping to SOC 2, ISO 27001, and NIST AI RMF. Built-in threat intelligence feed with offline-first IOC matching. CI integration with GitHub PR comments, threshold gating, and SARIF output.
 
-**v6.2.0 highlights:** Real-time Claude Code hooks (`npx ship-safe hooks install`) block secrets before they land on disk. Universal LLM support — use Groq, Together AI, Mistral, DeepSeek, xAI, Perplexity, LM Studio, or any OpenAI-compatible endpoint for deep analysis. Supply chain IOC matching for known-compromised packages and CanisterWorm-style ICP blockchain C2 indicators.
+**v6.4.0 highlights:** MCP server scanning (`npx ship-safe scan-mcp`) vets tool manifests for prompt injection and credential harvesting before you connect. Detection support for openclaude and claw-code — the two most-starred Claude Code forks from the March 2026 source leak — with accurate config scanning based on their actual architectures. Four new CI/CD patterns flag AI agent danger modes in pipelines. Legal dataset corrected: claw-code reclassified as a clean-room rewrite, not a leaked-source derivative.
 
 [Documentation](https://shipsafecli.com/docs) | [Blog](https://shipsafecli.com/blog) | [Pricing](https://shipsafecli.com/pricing)
 
@@ -169,10 +169,10 @@ npx ship-safe audit .
 | **PIIComplianceAgent** | Compliance | PII detection — SSNs, credit cards, emails, phone numbers in source code, logs, and configs |
 | **VibeCodingAgent** | Code Vulns | AI-generated code patterns — no input validation, empty catch blocks, hardcoded secrets, disabled security features, TODO-auth patterns |
 | **ExceptionHandlerAgent** | Code Vulns | OWASP A10:2025 — empty catch blocks, unhandled promise rejections, missing React error boundaries, leaked stack traces, generic catch-all without rethrow |
-| **AgentConfigScanner** | AI/LLM | AI agent config security — prompt injection in .cursorrules/CLAUDE.md/AGENTS.md/.windsurfrules, malicious Claude Code hooks (CVE-2026), OpenClaw public binding & malicious skills, encoded/obfuscated payloads, data exfiltration instructions, agent memory poisoning |
+| **AgentConfigScanner** | AI/LLM | AI agent config security — prompt injection in .cursorrules/CLAUDE.md/AGENTS.md/.windsurfrules, malicious Claude Code hooks (CVE-2026), OpenClaw public binding & malicious skills, openclaude profile file (`OPENAI_BASE_URL` over http://), claw-code config (`danger-full-access`, disabled sandbox, shell hooks, insecure MCP transports), encoded/obfuscated payloads, data exfiltration instructions, agent memory poisoning |
 | **MobileScanner** | Mobile | OWASP Mobile Top 10 2024 — insecure storage, WebView JS injection, HTTP endpoints, excessive permissions, debug mode |
 | **GitHistoryScanner** | Secrets | Leaked secrets in git commit history (checks if still active in working tree) |
-| **CICDScanner** | CI/CD | OWASP CI/CD Top 10 — pipeline poisoning, unpinned actions, secret logging, self-hosted runners, script injection |
+| **CICDScanner** | CI/CD | OWASP CI/CD Top 10 — pipeline poisoning, unpinned actions, secret logging, self-hosted runners, script injection, AI agent danger flags (`--dangerously-skip-permissions`, insecure provider URLs in CI) |
 | **APIFuzzer** | API | Routes without auth, missing input validation, mass assignment, unrestricted file upload, GraphQL introspection, debug endpoints, missing rate limiting, OpenAPI spec security issues |
 | **ReconAgent** | Recon | Attack surface discovery — frameworks, languages, auth patterns, databases, cloud providers, IaC, CI/CD pipelines |
 
@@ -299,13 +299,13 @@ npx ship-safe audit . --verify
 npx ship-safe doctor
 ```
 
-### OpenClaw Security
+### Agent Security
 
 ```bash
 # Focused OpenClaw security scan
 npx ship-safe openclaw .
 
-# Auto-harden OpenClaw configs (0.0.0.0→127.0.0.1, add auth, ws→wss)
+# Auto-harden OpenClaw configs (0.0.0.0->127.0.0.1, add auth, ws->wss)
 npx ship-safe openclaw . --fix
 
 # Red team: simulate ClawJacked, prompt injection, data exfil attacks
@@ -319,6 +319,14 @@ npx ship-safe scan-skill https://clawhub.io/skills/some-skill
 npx ship-safe scan-skill ./local-skill.json
 npx ship-safe scan-skill --all              # Scan all skills from openclaw.json
 
+# Scan an MCP server's tool manifest before connecting
+npx ship-safe scan-mcp https://your-mcp-server/
+npx ship-safe scan-mcp ./local-manifest.json
+npx ship-safe scan-mcp https://your-mcp-server/ --json
+
+# Legal risk audit — DMCA, leaked-source derivatives (openclaude, claw-code-js), IP disputes
+npx ship-safe legal .
+
 # Generate hardened OpenClaw config
 npx ship-safe init --openclaw
 
@@ -326,6 +334,20 @@ npx ship-safe init --openclaw
 npx ship-safe abom .
 ```
 
+#### openclaude and claw-code
+
+Ship Safe detects security issues in both major Claude Code forks from the March 2026 source leak.
+
+**openclaude** (`@gitlawb/openclaude`) is a CLI tool that routes Claude Code's toolset through any OpenAI-compatible provider. Its only persistent file artifact is `.openclaude-profile.json`. Ship Safe flags:
+- `OPENAI_BASE_URL` using `http://` for non-localhost endpoints (unencrypted LLM traffic)
+- The profile file present in a project not covered by `.gitignore` (API key exposure risk)
+
+**claw-code** (`ultraworkers/claw-code`) is a clean-room Rust + Python rewrite of Claude Code's agent harness. Its config lives in `.claw.json`, `.claw/settings.json`, and `.claw/settings.local.json`. Ship Safe flags:
+- `permissionMode: danger-full-access` or `dangerouslySkipPermissions: true` (no confirmation on any tool call)
+- `sandbox.enabled: false` (filesystem isolation removed)
+- Hook commands containing shell execution or remote download patterns
+- MCP server connections over `ws://` or `http://` to non-localhost hosts
+
 ### Threat Intelligence
 
 ```bash

package/cli/agents/agent-config-scanner.js

@@ -54,6 +54,32 @@ const OPENCLAW_GLOBS = [
   '.openclaw/**/*.json',
 ];
 
+// openclaude (github.com/Gitlawb/openclaude) — Claude Code fork with
+// OpenAI-compatible provider shim. Config is purely via environment variables
+// (CLAUDE_CODE_USE_OPENAI, OPENAI_BASE_URL, OPENAI_MODEL, OPENAI_API_KEY).
+// The only persistent file artifact is .openclaude-profile.json, which stores
+// named profiles as { name, env: { OPENAI_BASE_URL, OPENAI_API_KEY, ... } }.
+const OPENCLAUDE_PROFILE_FILES = [
+  '.openclaude-profile.json',
+];
+
+// claw-code (github.com/instructkr/claw-code, now ultraworkers/claw-code) —
+// Rust + Python clean-room rewrite of Claude Code's agent harness.
+// CLI tool (`claw` binary). NOT a server — no port binding outside tests.
+// Config files: .claw.json (project root), .claw/settings.json,
+//   .claw/settings.local.json, ~/.claw.json, ~/.claw/settings.json
+// Auth: ANTHROPIC_API_KEY, OPENAI_API_KEY, or XAI_API_KEY env vars.
+// Permission modes: read-only, workspace-write, danger-full-access, prompt, allow.
+// --dangerously-skip-permissions flag disables all permission checks.
+// Sandbox: SandboxConfig with FilesystemIsolationMode (workspace-only default).
+// Hooks: preToolUse / postToolUse arrays in settings JSON.
+// MCP: mcpServers in settings JSON (stdio, sse, http, ws transports).
+const CLAW_CODE_FILES = [
+  '.claw.json',
+  '.claw/settings.json',
+  '.claw/settings.local.json',
+];
+
 const MEMORY_GLOBS = [
   '.claude/memory/**',
   '.cursor/memory/**',
@@ -230,6 +256,18 @@ export class AgentConfigScanner extends BaseAgent {
       findings = findings.concat(this._scanOpenClawConfig(file));
     }
 
+    // ── 3b. Scan openclaude profile files ─────────────────────────────────
+    for (const file of discovered.openclaudeFiles) {
+      findings = findings.concat(this.scanFileWithPatterns(file, PATTERNS));
+      findings = findings.concat(this._scanOpenClaudeProfile(file));
+    }
+
+    // ── 3c. Scan claw-code config files ────────────────────────────────────
+    for (const file of discovered.clawCodeFiles) {
+      findings = findings.concat(this.scanFileWithPatterns(file, PATTERNS));
+      findings = findings.concat(this._scanClawCodeConfig(file));
+    }
+
     // ── 4. Scan Claude Code hooks ──────────────────────────────────────────
     for (const file of discovered.claudeSettingsFiles) {
       findings = findings.concat(this._scanClaudeHooks(file));
@@ -297,7 +335,21 @@ export class AgentConfigScanner extends BaseAgent {
       memoryFiles.push(...globbed);
     } catch { /* skip */ }
 
-    return { rulesFiles, openclawFiles, claudeSettingsFiles, memoryFiles };
+    // ── openclaude profile files ─────────────────────────────────────────────
+    const openclaudeFiles = [];
+    for (const rel of OPENCLAUDE_PROFILE_FILES) {
+      const full = path.join(rootPath, rel);
+      if (fs.existsSync(full)) openclaudeFiles.push(full);
+    }
+
+    // ── claw-code config files ────────────────────────────────────────────────
+    const clawCodeFiles = [];
+    for (const rel of CLAW_CODE_FILES) {
+      const full = path.join(rootPath, rel);
+      if (fs.existsSync(full)) clawCodeFiles.push(full);
+    }
+
+    return { rulesFiles, openclawFiles, openclaudeFiles, clawCodeFiles, claudeSettingsFiles, memoryFiles };
   }
 
   // ===========================================================================
@@ -415,6 +467,178 @@ export class AgentConfigScanner extends BaseAgent {
     return findings;
   }
 
+  /**
+   * Scan .openclaude-profile.json for security issues.
+   *
+   * openclaude (github.com/Gitlawb/openclaude) is a CLI tool, not a server.
+   * There is no config file, no host/port binding, no auth mechanism.
+   * All configuration is via environment variables:
+   *   CLAUDE_CODE_USE_OPENAI=1, OPENAI_BASE_URL, OPENAI_MODEL, OPENAI_API_KEY
+   *
+   * The only persistent file artifact is .openclaude-profile.json, which stores
+   * named profiles as { name: string, env: { OPENAI_BASE_URL, OPENAI_API_KEY, ... } }.
+   * openclaude ships with this file in its default .gitignore.
+   *
+   * Security risk: if OPENAI_BASE_URL is an http:// (non-TLS) endpoint, all
+   * LLM traffic (prompts, code context, responses) is sent unencrypted.
+   */
+  _scanOpenClaudeProfile(filePath) {
+    const content = this.readFile(filePath);
+    if (!content) return [];
+    const findings = [];
+
+    let profile;
+    try { profile = JSON.parse(content); } catch { return []; }
+
+    const env = profile.env || {};
+
+    // ── Insecure provider URL (http:// for non-localhost) ─────────────────
+    const baseUrl = env.OPENAI_BASE_URL || '';
+    if (baseUrl && /^http:\/\/(?!localhost|127\.0\.0\.1|::1)/i.test(baseUrl)) {
+      findings.push(createFinding({
+        file: filePath, line: 1,
+        severity: 'high',
+        category: this.category,
+        rule: 'OPENCLAUDE_INSECURE_PROVIDER_URL',
+        title: 'openclaude: LLM Provider URL Without TLS',
+        description:
+          `openclaude routes model calls to ${baseUrl} over plain HTTP. ` +
+          'Prompts, code context, and model responses are sent unencrypted. ' +
+          'A network attacker can read or modify all LLM interactions in transit.',
+        matched: `OPENAI_BASE_URL: "${baseUrl}"`,
+        confidence: 'high',
+        cwe: 'CWE-319',
+        owasp: 'A02:2021',
+        fix: 'Use an https:// provider URL. Never route LLM traffic over plaintext HTTP on untrusted networks.',
+      }));
+    }
+
+    return findings;
+  }
+
+  /**
+   * Scan claw-code config files (.claw.json, .claw/settings.json, .claw/settings.local.json)
+   * for insecure settings.
+   *
+   * claw-code (ultraworkers/claw-code) is a Rust + Python clean-room rewrite of Claude Code.
+   * It is a CLI tool — no server port binding. Config lives in JSON settings files.
+   *
+   * Checked settings:
+   *   - hooks.preToolUse / hooks.postToolUse: shell hook commands (RCE vector)
+   *   - permissions.dangerouslySkipPermissions / permissionMode: "danger-full-access"
+   *   - sandbox.enabled: false (filesystem isolation disabled)
+   *   - mcpServers with insecure ws:// or http:// remote URLs (MiTM risk)
+   *   - mcpServers using env vars that could expose credentials
+   */
+  _scanClawCodeConfig(filePath) {
+    const content = this.readFile(filePath);
+    if (!content) return [];
+    const findings = [];
+
+    let config;
+    try { config = JSON.parse(content); } catch { return []; }
+
+    // ── Dangerous permission mode ─────────────────────────────────────────
+    const permMode = config.permissionMode ?? config.permissions?.mode ?? '';
+    const skipPerms = config.dangerouslySkipPermissions ??
+      config.permissions?.dangerouslySkipPermissions ?? false;
+
+    if (skipPerms === true || permMode === 'danger-full-access') {
+      findings.push(createFinding({
+        file: filePath, line: 1,
+        severity: 'high',
+        category: this.category,
+        rule: 'CLAW_CODE_SKIP_PERMISSIONS',
+        title: 'claw-code: All Permission Checks Disabled',
+        description:
+          'claw-code is configured with dangerously-skip-permissions or permissionMode: danger-full-access. ' +
+          'Every tool call executes without asking for user confirmation. ' +
+          'A single prompt injection in any file the agent reads can trigger unrestricted shell execution or file writes.',
+        matched: skipPerms ? 'dangerouslySkipPermissions: true' : `permissionMode: "${permMode}"`,
+        confidence: 'high',
+        cwe: 'CWE-269',
+        owasp: 'ASI03',
+        fix: 'Set permissionMode to "workspace-write" or "prompt". Only use danger-full-access in fully isolated environments.',
+      }));
+    }
+
+    // ── Sandbox disabled ──────────────────────────────────────────────────
+    if (config.sandbox?.enabled === false) {
+      findings.push(createFinding({
+        file: filePath, line: 1,
+        severity: 'medium',
+        category: this.category,
+        rule: 'CLAW_CODE_SANDBOX_DISABLED',
+        title: 'claw-code: Filesystem Sandbox Disabled',
+        description:
+          'claw-code sandbox is explicitly disabled. By default claw-code restricts ' +
+          'filesystem access to the workspace directory. With sandbox off, tools can ' +
+          'read and write anywhere on the system.',
+        matched: 'sandbox.enabled: false',
+        confidence: 'high',
+        cwe: 'CWE-732',
+        owasp: 'ASI03',
+        fix: 'Remove sandbox.enabled: false or set filesystem-mode to workspace-only.',
+      }));
+    }
+
+    // ── Hooks with shell commands ──────────────────────────────────────────
+    const hookLists = [
+      ...(config.hooks?.preToolUse || []),
+      ...(config.hooks?.postToolUse || []),
+    ];
+    for (const hook of hookLists) {
+      const cmd = typeof hook === 'string' ? hook : (hook.command || hook.cmd || hook.run || '');
+      if (!cmd) continue;
+      if (/(?:bash\s+-c|sh\s+-c|cmd\s+\/c|powershell\s+-|pwsh\s+-)/i.test(cmd) ||
+          /\|\s*(?:bash|sh|zsh|node|python)/i.test(cmd) ||
+          /(?:curl|wget)\s+https?:\/\/(?!localhost|127\.0\.0\.1)/i.test(cmd)) {
+        findings.push(createFinding({
+          file: filePath, line: 1,
+          severity: 'critical',
+          category: this.category,
+          rule: 'CLAW_CODE_HOOK_SHELL',
+          title: 'claw-code: Dangerous Hook Command',
+          description:
+            'claw-code hook contains a shell execution or remote download command. ' +
+            'A malicious .claw.json in a repository can achieve RCE when anyone ' +
+            'opens the project with claw.',
+          matched: cmd.substring(0, 150),
+          confidence: 'high',
+          cwe: 'CWE-94',
+          owasp: 'ASI04',
+          fix: 'Remove shell execution hooks. Use only safe, scoped commands in claw hooks.',
+        }));
+      }
+    }
+
+    // ── MCP servers with insecure remote URLs ─────────────────────────────
+    const mcpServers = config.mcpServers || {};
+    for (const [name, srv] of Object.entries(mcpServers)) {
+      const url = typeof srv === 'object' ? (srv.url || '') : '';
+      if (/^(?:ws|http):\/\/(?!localhost|127\.0\.0\.1|::1)/i.test(url)) {
+        findings.push(createFinding({
+          file: filePath, line: 1,
+          severity: 'high',
+          category: this.category,
+          rule: 'CLAW_CODE_MCP_INSECURE_URL',
+          title: `claw-code: MCP Server "${name}" Uses Unencrypted Transport`,
+          description:
+            `MCP server "${name}" connects to ${url} over an unencrypted channel (ws:// or http://). ` +
+            'All MCP messages — tool calls, results, and any code context — are sent in plaintext. ' +
+            'A network attacker can intercept or inject MCP responses to hijack the agent.',
+          matched: url,
+          confidence: 'high',
+          cwe: 'CWE-319',
+          owasp: 'A02:2021',
+          fix: 'Use wss:// or https:// for all non-localhost MCP server connections.',
+        }));
+      }
+    }
+
+    return findings;
+  }
+
   /**
    * Scan .claude/settings.json for malicious hooks.
    * Based on Check Point Research disclosure: hooks in settings.json

package/cli/agents/cicd-scanner.js

@@ -199,6 +199,48 @@ const PATTERNS = [
     description: 'GitHub expression in run step. Attacker-controlled values can inject shell commands.',
     fix: 'Use environment variables: env: TITLE: ${{ github.event.issue.title }} then run: echo "$TITLE"',
   },
+
+  // ── AI Agent CLI — dangerous flags in CI ──────────────────────────────────
+  {
+    rule: 'CICD_AGENT_SKIP_PERMISSIONS',
+    title: 'CI/CD: AI Agent Running Without Permission Checks',
+    regex: /(?:--dangerously-skip-permissions|--skip-permissions|permissionMode\s*[=:]\s*["']?danger-full-access["']?)/g,
+    severity: 'critical',
+    cwe: 'CWE-269',
+    owasp: 'ASI03',
+    description: 'AI agent CLI flag disables all permission checks. In CI, this means any prompt injection in workspace files can execute arbitrary commands with no confirmation gate.',
+    fix: 'Remove --dangerously-skip-permissions. Use --permission-mode=workspace-write for CI automation or scope tool access with --allowedTools.',
+  },
+  {
+    rule: 'CICD_AGENT_INSECURE_PROVIDER',
+    title: 'CI/CD: AI Agent Routing to Non-TLS Provider',
+    regex: /(?:OPENAI_BASE_URL|ANTHROPIC_BASE_URL|XAI_BASE_URL|CLAUDE_CODE_USE_OPENAI)\s*=\s*["']?http:\/\/(?!localhost|127\.0\.0\.1|::1)/g,
+    severity: 'high',
+    cwe: 'CWE-319',
+    owasp: 'A02:2021',
+    description: 'AI agent provider URL uses plain HTTP for a non-localhost endpoint. All prompts, code context, and model responses are transmitted unencrypted in CI.',
+    fix: 'Use https:// for all non-localhost AI provider base URLs.',
+  },
+  {
+    rule: 'CICD_OPENCLAUDE_IN_CI',
+    title: 'CI/CD: openclaude Running in CI Pipeline',
+    regex: /(?:^|\s)openclaude\s/gm,
+    severity: 'medium',
+    cwe: 'CWE-1188',
+    owasp: 'ASI03',
+    description: 'openclaude (Claude Code fork with OpenAI-compatible shim) is invoked in CI. Verify OPENAI_BASE_URL is https://, OPENAI_API_KEY is stored as a secret, and .openclaude-profile.json is not committed.',
+    fix: 'Ensure OPENAI_API_KEY is a CI secret, OPENAI_BASE_URL uses https://, and .openclaude-profile.json is gitignored.',
+  },
+  {
+    rule: 'CICD_CLAW_DANGER_MODE',
+    title: 'CI/CD: claw-code Running in Danger Mode',
+    regex: /(?:^|\s)claw\s[^\n]*--dangerously-skip-permissions/gm,
+    severity: 'critical',
+    cwe: 'CWE-269',
+    owasp: 'ASI03',
+    description: 'claw-code (Rust/Python Claude Code rewrite) is invoked with --dangerously-skip-permissions in CI. Any prompt injection in the workspace executes without confirmation.',
+    fix: 'Remove --dangerously-skip-permissions. Use --permission-mode=workspace-write for CI automation.',
+  },
 ];
 
 export class CICDScanner extends BaseAgent {

package/cli/agents/legal-risk-agent.js

@@ -38,22 +38,14 @@ export const LEGALLY_RISKY_PACKAGES = [
   // Anthropic's Claude Code source was accidentally leaked. Several repos
   // appeared immediately; Anthropic filed DMCA takedowns but derivatives
   // remain online. Shipping any of these exposes you to IP liability.
+  //
+  // NOTE: The instructkr/claw-code repo (now ultraworkers/claw-code) has since
+  // pivoted to a clean-room Rust + Python rewrite and explicitly removed the
+  // leaked snapshot. The GitHub repo itself is no longer a DMCA concern.
+  // However, any claw-code npm package published in the March 31–April 2 2026
+  // window may have contained the leaked TypeScript source before the pivot.
+  // Flag early versions as a precaution; assess the specific published version.
   // ---------------------------------------------------------------------------
-  {
-    name: 'claw-code',
-    versions: '*',
-    ecosystem: 'npm',
-    risk: 'dmca',
-    severity: 'high',
-    detail:
-      'Derived from leaked Anthropic Claude Code source (March 2026). ' +
-      'Anthropic has filed DMCA takedown notices. Shipping this package ' +
-      'may expose your project to IP infringement liability.',
-    references: [
-      'https://cybernews.com/security/anthropic-claude-code-source-leak/',
-      'https://venturebeat.com/technology/claude-codes-source-code-appears-to-have-leaked-heres-what-we-know',
-    ],
-  },
   {
     name: 'claw-code-js',
     versions: '*',
@@ -81,6 +73,40 @@ export const LEGALLY_RISKY_PACKAGES = [
       'https://cybernews.com/security/anthropic-claude-code-source-leak/',
     ],
   },
+  // ---------------------------------------------------------------------------
+  // openclaude (github.com/Gitlawb/openclaude)
+  // Claude Code fork that routes to any LLM via OpenAI-compatible shim.
+  // Derived directly from the leaked Anthropic source (March 31 2026).
+  // Under active DMCA enforcement alongside claw-code.
+  // ---------------------------------------------------------------------------
+  {
+    name: 'openclaude',
+    versions: '*',
+    ecosystem: 'npm',
+    risk: 'leaked-source',
+    severity: 'high',
+    detail:
+      'openclaude is a fork of the leaked Anthropic Claude Code source (March 2026) ' +
+      'that adds an OpenAI-compatible provider shim. The underlying ~512,000 lines of ' +
+      'TypeScript are Anthropic proprietary IP under active DMCA enforcement. ' +
+      'Additionally ships with auth disabled by default and binds to 0.0.0.0:18789.',
+    references: [
+      'https://github.com/Gitlawb/openclaude',
+      'https://cybernews.com/security/anthropic-claude-code-source-leak/',
+    ],
+  },
+  {
+    name: 'openclaude-core',
+    versions: '*',
+    ecosystem: 'npm',
+    risk: 'leaked-source',
+    severity: 'high',
+    detail:
+      'Core runtime package for openclaude. Derived from leaked Anthropic Claude Code ' +
+      'source (March 2026). Under active DMCA enforcement.',
+    references: ['https://github.com/Gitlawb/openclaude'],
+  },
+
   // ---------------------------------------------------------------------------
   // License violations — well-known cases
   // ---------------------------------------------------------------------------

package/cli/bin/ship-safe.js

@@ -42,6 +42,7 @@ import { vibeCheckCommand } from '../commands/vibe-check.js';
 import { benchmarkCommand } from '../commands/benchmark.js';
 import { openclawCommand } from '../commands/openclaw.js';
 import { scanSkillCommand } from '../commands/scan-skill.js';
+import { scanMcpCommand } from '../commands/scan-mcp.js';
 import { abomCommand } from '../commands/abom.js';
 import { updateIntelCommand } from '../commands/update-intel.js';
 import { hooksCommand } from '../commands/hooks.js';
@@ -364,6 +365,15 @@ program
   .option('--json', 'Output results as JSON')
   .action(scanSkillCommand);
 
+// -----------------------------------------------------------------------------
+// SCAN-MCP COMMAND
+// -----------------------------------------------------------------------------
+program
+  .command('scan-mcp [target]')
+  .description('Analyze an MCP server\'s tool manifest for security issues before connecting')
+  .option('--json', 'Output results as JSON')
+  .action(scanMcpCommand);
+
 // -----------------------------------------------------------------------------
 // ABOM COMMAND
 // -----------------------------------------------------------------------------
@@ -439,6 +449,7 @@ if (process.argv.length === 2) {
   console.log(chalk.white('  npx ship-safe watch .       ') + chalk.gray('# Continuous monitoring mode'));
   console.log(chalk.white('  npx ship-safe openclaw .    ') + chalk.gray('# OpenClaw & agent config security scan'));
   console.log(chalk.white('  npx ship-safe scan-skill <u>') + chalk.gray('# Vet a skill before installing'));
+  console.log(chalk.white('  npx ship-safe scan-mcp <url> ') + chalk.gray('# Vet an MCP server before connecting'));
   console.log(chalk.white('  npx ship-safe abom .        ') + chalk.gray('# Agent Bill of Materials (CycloneDX)'));
   console.log(chalk.white('  npx ship-safe sbom .        ') + chalk.gray('# Generate CycloneDX SBOM (CRA-ready)'));
   console.log(chalk.white('  npx ship-safe legal .        ') + chalk.gray('# Legal risk audit: DMCA, leaked source, IP disputes'));

package/cli/commands/scan-mcp.js

@@ -0,0 +1,456 @@
+/**
+ * Scan MCP Command
+ * ================
+ *
+ * Fetches and analyzes an MCP server's tool manifest before connecting to it.
+ * Checks for malicious tool definitions, prompt injection in descriptions,
+ * exfiltration patterns, excessive permissions, and known-bad server hashes.
+ *
+ * USAGE:
+ *   ship-safe scan-mcp <url>        Analyze a remote MCP server
+ *   ship-safe scan-mcp <path>       Analyze a local MCP manifest file
+ *
+ * The command connects to the server's /tools endpoint (or reads the manifest
+ * JSON directly) and inspects every tool definition for attack patterns.
+ *
+ * MCP tool definitions are the new ToxicSkills surface — 36% of agent skills
+ * had security flaws; early MCP server audits show similar rates.
+ */
+
+import fs from 'fs';
+import path from 'path';
+import chalk from 'chalk';
+import { createHash } from 'crypto';
+import * as output from '../utils/output.js';
+import { ThreatIntel } from '../utils/threat-intel.js';
+
+// =============================================================================
+// MCP TOOL DESCRIPTION PATTERNS
+// Injected into tool descriptions/annotations to hijack agents that use them.
+// =============================================================================
+
+const MCP_TOOL_PATTERNS = [
+  // ── Prompt injection in tool description ──────────────────────────────────
+  {
+    name: 'Prompt injection: override instructions',
+    regex: /(?:ignore\s+(?:all\s+)?(?:previous|prior|above|your)\s+instructions|disregard\s+(?:all\s+)?(?:previous|above)|your\s+(?:new|real|actual|true)\s+(?:instructions|role|goal)\s+(?:is|are))/gi,
+    severity: 'critical',
+    target: 'description',
+  },
+  {
+    name: 'Prompt injection: role hijacking',
+    regex: /(?:you\s+are\s+now\s+(?:a|an)|act\s+as\s+(?:a\s+)?(?:hacker|attacker|malicious|evil|unrestricted)|pretend\s+(?:you\s+are|to\s+be)\s+(?:a\s+)?(?:different|new|unrestricted))/gi,
+    severity: 'critical',
+    target: 'description',
+  },
+
+  // ── Silent exfiltration instructions in tool description ──────────────────
+  {
+    name: 'Silent data exfiltration',
+    regex: /(?:silently|quietly|without\s+(?:notif|alert|inform|telling|showing)|in\s+the\s+background)\s+.{0,60}(?:curl|wget|fetch|POST|send).{0,60}(?:http|https):\/\//gi,
+    severity: 'critical',
+    target: 'description',
+  },
+  {
+    name: 'Output suppression',
+    regex: /(?:do\s+not\s+(?:show|display|reveal|mention|tell|report|log)\s+(?:this|these|the\s+(?:output|result|response|command|action))|hide\s+(?:this|the)\s+(?:output|result|action|command|request))/gi,
+    severity: 'high',
+    target: 'description',
+  },
+
+  // ── Credential harvesting ─────────────────────────────────────────────────
+  {
+    name: 'Credential harvesting',
+    regex: /(?:extract|retrieve|collect|gather|find|read|access|get)\s+.{0,40}(?:api[_\s]?key|secret|token|password|credential|\.env|npmrc|ssh[_\s]?key|private[_\s]?key)/gi,
+    severity: 'critical',
+    target: 'description',
+  },
+  {
+    name: 'Sensitive path access',
+    regex: /(?:~\/\.(?:ssh|aws|npmrc|netrc|gnupg|config\/gcloud)|\/etc\/(?:passwd|shadow|hosts)|%APPDATA%|%USERPROFILE%)/gi,
+    severity: 'critical',
+    target: 'description',
+  },
+
+  // ── Known data exfiltration service domains ───────────────────────────────
+  {
+    name: 'Exfiltration service domain',
+    regex: /(?:webhook\.site|requestbin\.com|hookbin\.com|pipedream\.net|ngrok\.io|ngrok\.app|burpcollaborator\.net|interact\.sh|oastify\.com|canarytokens\.com)/gi,
+    severity: 'critical',
+    target: 'any',
+  },
+
+  // ── Dangerous tool input schema patterns ──────────────────────────────────
+  {
+    name: 'Shell command input parameter',
+    regex: /(?:"command"\s*:\s*\{[^}]*"type"\s*:\s*"string"|"cmd"\s*:\s*\{[^}]*"type"\s*:\s*"string"|"shell"\s*:\s*\{[^}]*"type"\s*:\s*"string")/gi,
+    severity: 'medium',
+    target: 'schema',
+  },
+  {
+    name: 'Arbitrary code execution parameter',
+    regex: /(?:"code"\s*:\s*\{[^}]*"type"\s*:\s*"string"|"script"\s*:\s*"(?:string|object)"|"eval"\s*:\s*\{[^}]*"type"\s*:\s*"string")/gi,
+    severity: 'high',
+    target: 'schema',
+  },
+
+  // ── Permission escalation in description ──────────────────────────────────
+  {
+    name: 'Permission escalation',
+    regex: /(?:grant\s+(?:me|this\s+(?:tool|server|skill)|yourself)\s+(?:admin|root|sudo|full|all)\s+(?:access|permissions?|rights?)|elevate\s+(?:privileges?|permissions?|rights?)|run\s+as\s+(?:admin|root|sudo))/gi,
+    severity: 'high',
+    target: 'description',
+  },
+
+  // ── Encoded payload in description ────────────────────────────────────────
+  {
+    name: 'Encoded payload block',
+    regex: /[A-Za-z0-9+\/]{60,}={0,2}/g,
+    severity: 'medium',
+    target: 'any',
+  },
+];
+
+// Dangerous tool name keywords — flag tools whose names suggest shell/exec access
+const DANGEROUS_TOOL_NAMES = [
+  /^(?:exec|execute|shell|bash|sh|cmd|terminal|run_command|system|subprocess)$/i,
+  /(?:_exec|_shell|_bash|_cmd|_terminal|exec_|shell_|bash_cmd)/i,
+];
+
+// =============================================================================
+// MAIN COMMAND
+// =============================================================================
+
+export async function scanMcpCommand(target, options = {}) {
+  if (!target) {
+    output.error('Usage: ship-safe scan-mcp <url|path>');
+    output.info('  Analyze an MCP server\'s tool manifest for security issues before connecting.');
+    process.exit(1);
+  }
+
+  console.log();
+  output.header('Ship Safe — MCP Server Security Analysis');
+  console.log();
+
+  let manifest, serverName, source;
+
+  if (target.startsWith('http://') || target.startsWith('https://')) {
+    console.log(chalk.gray(`  Fetching MCP manifest from: ${target}`));
+    try {
+      manifest = await fetchMcpManifest(target);
+      serverName = new URL(target).hostname;
+      source = target;
+    } catch (err) {
+      output.error(`Failed to fetch MCP manifest: ${err.message}`);
+      process.exit(1);
+    }
+  } else {
+    const filePath = path.resolve(target);
+    if (!fs.existsSync(filePath)) {
+      output.error(`File not found: ${filePath}`);
+      process.exit(1);
+    }
+    try {
+      manifest = JSON.parse(fs.readFileSync(filePath, 'utf-8'));
+      serverName = path.basename(filePath);
+      source = filePath;
+    } catch (err) {
+      output.error(`Failed to parse manifest: ${err.message}`);
+      process.exit(1);
+    }
+  }
+
+  const tools = extractTools(manifest);
+  console.log(chalk.gray(`  Server: ${serverName}`));
+  console.log(chalk.gray(`  Tools found: ${tools.length}`));
+  console.log();
+
+  if (tools.length === 0) {
+    output.warning('No tools found in manifest. Is this a valid MCP tools response?');
+    return;
+  }
+
+  const findings = analyzeManifest(manifest, tools, serverName, source);
+
+  if (options.json) {
+    console.log(JSON.stringify({ server: serverName, source, toolCount: tools.length, findings, summary: getSummary(findings) }, null, 2));
+    return;
+  }
+
+  printFindings(findings, serverName, tools.length);
+
+  if (getSummary(findings).critical > 0) {
+    process.exit(1);
+  }
+}
+
+// =============================================================================
+// MCP MANIFEST FETCHING
+// =============================================================================
+
+async function fetchMcpManifest(baseUrl) {
+  const url = baseUrl.replace(/\/$/, '');
+
+  // Try MCP tools/list endpoint first (JSON-RPC 2.0)
+  const jsonRpcBody = JSON.stringify({
+    jsonrpc: '2.0',
+    id: 1,
+    method: 'tools/list',
+    params: {},
+  });
+
+  const jsonRpcRes = await fetch(`${url}`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: jsonRpcBody,
+    signal: AbortSignal.timeout(10000),
+  }).catch(() => null);
+
+  if (jsonRpcRes?.ok) {
+    const data = await jsonRpcRes.json();
+    if (data?.result?.tools) return data.result;
+  }
+
+  // Fall back to GET /tools (some servers expose this)
+  const getRes = await fetch(`${url}/tools`, {
+    signal: AbortSignal.timeout(10000),
+  }).catch(() => null);
+
+  if (getRes?.ok) {
+    return await getRes.json();
+  }
+
+  // Fall back to root endpoint
+  const rootRes = await fetch(`${url}`, {
+    signal: AbortSignal.timeout(10000),
+  }).catch(() => null);
+
+  if (rootRes?.ok) {
+    const text = await rootRes.text();
+    try {
+      return JSON.parse(text);
+    } catch {
+      throw new Error('Server responded but returned non-JSON content');
+    }
+  }
+
+  throw new Error('Could not retrieve MCP manifest (tried tools/list JSON-RPC, GET /tools, GET /)');
+}
+
+// =============================================================================
+// TOOL EXTRACTION — handles multiple MCP manifest formats
+// =============================================================================
+
+function extractTools(manifest) {
+  // MCP tools/list result: { tools: [...] }
+  if (Array.isArray(manifest?.tools)) return manifest.tools;
+  // Direct array
+  if (Array.isArray(manifest)) return manifest;
+  // { result: { tools: [...] } }
+  if (Array.isArray(manifest?.result?.tools)) return manifest.result.tools;
+  return [];
+}
+
+// =============================================================================
+// ANALYSIS
+// =============================================================================
+
+function analyzeManifest(manifest, tools, serverName, source) {
+  const findings = [];
+  const rawJson = JSON.stringify(manifest);
+
+  // 1. Threat intel hash check on full manifest
+  const hash = createHash('sha256').update(rawJson).digest('hex');
+  const intelMatch = ThreatIntel.lookupHash(hash);
+  if (intelMatch) {
+    findings.push({
+      check: 'threat-intel',
+      name: `Known malicious MCP server: ${intelMatch.name}`,
+      severity: 'critical',
+      tool: null,
+      matched: `SHA-256: ${hash} — ${intelMatch.description}`,
+    });
+  }
+
+  // 2. Threat intel signature check on raw manifest
+  const sigMatches = ThreatIntel.matchSignatures(rawJson);
+  for (const sig of sigMatches) {
+    findings.push({
+      check: 'threat-intel',
+      name: `Threat intel match: ${sig.description}`,
+      severity: sig.severity || 'critical',
+      tool: null,
+      matched: `Pattern: ${sig.pattern}`,
+    });
+  }
+
+  // 3. Per-tool analysis
+  for (const tool of tools) {
+    findings.push(...analyzeToolDefinition(tool));
+  }
+
+  // 4. Server-level checks
+  findings.push(...checkServerLevel(manifest, serverName));
+
+  return findings;
+}
+
+function analyzeToolDefinition(tool) {
+  const findings = [];
+  const name = tool.name || '(unnamed)';
+  const description = tool.description || '';
+  const schemaStr = JSON.stringify(tool.inputSchema || tool.input_schema || {});
+
+  // Check description against patterns
+  for (const pattern of MCP_TOOL_PATTERNS) {
+    if (pattern.target === 'schema') continue; // schema checked separately below
+    pattern.regex.lastIndex = 0;
+    const text = pattern.target === 'description' ? description
+      : pattern.target === 'any' ? description + ' ' + schemaStr
+      : description;
+    if (pattern.regex.test(text)) {
+      findings.push({
+        check: 'static-analysis',
+        name: pattern.name,
+        severity: pattern.severity,
+        tool: name,
+        matched: (description + schemaStr).slice(0, 120),
+      });
+    }
+  }
+
+  // Check schema for dangerous input patterns
+  for (const pattern of MCP_TOOL_PATTERNS) {
+    if (pattern.target !== 'schema') continue;
+    pattern.regex.lastIndex = 0;
+    if (pattern.regex.test(schemaStr)) {
+      findings.push({
+        check: 'schema-analysis',
+        name: pattern.name,
+        severity: pattern.severity,
+        tool: name,
+        matched: schemaStr.slice(0, 120),
+      });
+    }
+  }
+
+  // Check tool name against dangerous name list
+  for (const namePattern of DANGEROUS_TOOL_NAMES) {
+    if (namePattern.test(name)) {
+      findings.push({
+        check: 'tool-name',
+        name: `Dangerous tool name: "${name}"`,
+        severity: 'high',
+        tool: name,
+        matched: `Tool name matches high-risk pattern: ${namePattern}`,
+      });
+      break;
+    }
+  }
+
+  // Check for excessive required parameters (information harvesting)
+  const required = tool.inputSchema?.required || tool.input_schema?.required || [];
+  const properties = tool.inputSchema?.properties || tool.input_schema?.properties || {};
+  const propNames = Object.keys(properties);
+  const sensitiveParams = propNames.filter(p =>
+    /(?:api[_\s]?key|token|password|secret|credential|auth|private)/i.test(p)
+  );
+  if (sensitiveParams.length > 0) {
+    findings.push({
+      check: 'schema-analysis',
+      name: `Tool requires sensitive parameters: ${sensitiveParams.join(', ')}`,
+      severity: 'high',
+      tool: name,
+      matched: `Required sensitive params: [${sensitiveParams.join(', ')}]`,
+    });
+  }
+
+  return findings;
+}
+
+function checkServerLevel(manifest, serverName) {
+  const findings = [];
+  const raw = JSON.stringify(manifest);
+
+  // Check for excessively large manifest (may hide payloads)
+  if (raw.length > 500_000) {
+    findings.push({
+      check: 'server-level',
+      name: 'Unusually large manifest',
+      severity: 'medium',
+      tool: null,
+      matched: `Manifest size: ${(raw.length / 1024).toFixed(1)} KB (>500 KB is suspicious)`,
+    });
+  }
+
+  // Check for tools with no description (reduces reviewability)
+  const tools = extractTools(manifest);
+  const noDesc = tools.filter(t => !t.description || t.description.trim().length < 10);
+  if (noDesc.length > 0 && noDesc.length === tools.length) {
+    findings.push({
+      check: 'server-level',
+      name: 'All tools lack descriptions',
+      severity: 'medium',
+      tool: null,
+      matched: `${noDesc.length}/${tools.length} tools have no meaningful description — cannot assess intent`,
+    });
+  }
+
+  return findings;
+}
+
+// =============================================================================
+// OUTPUT
+// =============================================================================
+
+function printFindings(findings, serverName, toolCount) {
+  const summary = getSummary(findings);
+
+  if (findings.length === 0) {
+    console.log(chalk.green.bold(`  ✔ ${serverName}: No security issues found across ${toolCount} tool(s).`));
+    console.log();
+    return;
+  }
+
+  console.log(chalk.red.bold(`  ✘ ${serverName}: ${findings.length} issue(s) found across ${toolCount} tool(s)`));
+  console.log();
+
+  // Group by tool
+  const byTool = new Map();
+  for (const f of findings) {
+    const key = f.tool || '(server-level)';
+    if (!byTool.has(key)) byTool.set(key, []);
+    byTool.get(key).push(f);
+  }
+
+  for (const [toolName, toolFindings] of byTool) {
+    if (toolName !== '(server-level)') {
+      console.log(chalk.cyan(`  Tool: ${toolName}`));
+    } else {
+      console.log(chalk.cyan(`  Server-level`));
+    }
+
+    for (const f of toolFindings) {
+      const sevColor = f.severity === 'critical' ? chalk.red.bold
+        : f.severity === 'high' ? chalk.yellow
+        : chalk.blue;
+      console.log(`    ${sevColor(`[${f.severity.toUpperCase()}]`)} ${chalk.white(f.name)}`);
+      if (f.matched) console.log(chalk.gray(`      ${f.matched.slice(0, 120)}`));
+    }
+    console.log();
+  }
+
+  if (summary.critical > 0) {
+    console.log(chalk.red.bold('    ⚠ DO NOT CONNECT to this MCP server — critical security issues detected.'));
+    console.log();
+  }
+}
+
+function getSummary(findings) {
+  return {
+    total: findings.length,
+    critical: findings.filter(f => f.severity === 'critical').length,
+    high: findings.filter(f => f.severity === 'high').length,
+    medium: findings.filter(f => f.severity === 'medium').length,
+  };
+}

package/cli/commands/scan-skill.js

@@ -47,6 +47,20 @@ const SKILL_PATTERNS = [
   { name: 'Crypto operations', regex: /(?:crypto\.createCipher|crypto\.createDecipher|CryptoJS|forge\.cipher)/gi, severity: 'medium' },
   { name: 'Network listener', regex: /(?:createServer|listen\s*\(\s*\d|bind\s*\(\s*['"]0\.0\.0\.0)/gi, severity: 'high' },
   { name: 'Encoded payload block', regex: /[A-Za-z0-9+\/]{60,}={0,2}/g, severity: 'medium' },
+
+  // ── ToxicSkills patterns (Snyk research — 36% of agent skills affected) ──
+  // Silent curl exfiltration: skill instructs agent to silently send data
+  { name: 'ToxicSkills: silent data exfiltration via curl', regex: /(?:silently|quietly|without\s+(?:notif|alert|inform|telling|showing)|in\s+the\s+background)\s+.{0,60}(?:curl|wget|fetch|POST|send).{0,60}(?:http|https):\/\//gi, severity: 'critical' },
+  // System prompt override in skill definition
+  { name: 'ToxicSkills: system prompt override', regex: /(?:ignore\s+(?:all\s+)?(?:previous|prior|above|your)\s+instructions|your\s+(?:new|real|actual|true)\s+(?:instructions|role|goal|purpose)\s+(?:is|are)|disregard\s+(?:all\s+)?(?:previous|above|your))/gi, severity: 'critical' },
+  // Skill requests credentials/secrets from agent context
+  { name: 'ToxicSkills: credential harvesting', regex: /(?:extract|retrieve|collect|gather|find|read|access|get)\s+.{0,40}(?:api[_\s]?key|secret|token|password|credential|\.env|npmrc|ssh[_\s]?key|private[_\s]?key)/gi, severity: 'critical' },
+  // Skill attempts to read ~/.ssh, ~/.aws, ~/.npmrc
+  { name: 'ToxicSkills: sensitive path access', regex: /(?:~\/\.(?:ssh|aws|npmrc|netrc|gnupg|config\/gcloud)|\/etc\/(?:passwd|shadow|hosts)|%APPDATA%|%USERPROFILE%)/gi, severity: 'critical' },
+  // Skill suppresses its own output to avoid detection
+  { name: 'ToxicSkills: output suppression', regex: /(?:do\s+not\s+(?:show|display|reveal|mention|tell|report|log)\s+(?:this|these|the\s+(?:output|result|response|command|action))|hide\s+(?:this|the)\s+(?:output|result|action|command|request))/gi, severity: 'high' },
+  // Skill requests permissions beyond its stated purpose
+  { name: 'ToxicSkills: permission escalation', regex: /(?:grant\s+(?:me|this\s+skill|yourself)\s+(?:admin|root|sudo|full|all)\s+(?:access|permissions?|rights?)|elevate\s+(?:privileges?|permissions?|rights?)|run\s+as\s+(?:admin|root|sudo))/gi, severity: 'high' },
 ];
 
 // =============================================================================

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ship-safe",
-  "version": "6.3.0",
+  "version": "6.4.0",
   "description": "AI-powered multi-agent security platform. 18 agents scan 80+ attack classes with LLM-powered deep analysis. Red team your code before attackers do.",
   "main": "cli/index.js",
   "bin": {