ship-safe 6.3.0 → 7.0.0

package/cli/agents/memory-poisoning-agent.js

@@ -0,0 +1,304 @@
+/**
+ * Memory Poisoning Detection Agent
+ * ==================================
+ *
+ * Detects instruction injection in AI agent memory and context files.
+ *
+ * Memory poisoning occurs when an adversary implants false or malicious
+ * instructions into an agent's persistent storage — the agent "learns"
+ * the instruction and recalls it in future sessions.
+ *
+ * Targets:
+ *   - Claude Code memory files (.claude/memory/*.md, CLAUDE.md)
+ *   - Cursor rules (.cursorrules, .cursor/rules/*.mdc)
+ *   - Continue config (.continue/config.json, .continue/rules/*.md)
+ *   - Windsurf rules (.windsurfrules)
+ *   - Cody config (.cody/)
+ *   - Gemini CLI (.gemini/)
+ *   - Project docs that agents ingest (README, CONTRIBUTING, docs/)
+ *
+ * Attack vectors detected:
+ *   1. Direct instruction injection — "ignore previous instructions"
+ *   2. Hidden directives in markdown — invisible chars, HTML comments
+ *   3. Exfiltration instructions — "send", "upload", "POST to"
+ *   4. Tool abuse instructions — "run bash", "write to", "delete"
+ *   5. Persona hijacking — "you are now", "your new role"
+ *   6. Memory persistence — instructions designed to survive context resets
+ *
+ * Maps to: OWASP Agentic ASI01 (Agent Goal Hijacking),
+ *          ASI05 (Memory/Context Poisoning)
+ */
+
+import path from 'path';
+import fg from 'fast-glob';
+import { BaseAgent, createFinding } from './base-agent.js';
+
+// =============================================================================
+// MEMORY / CONTEXT FILES TO SCAN
+// =============================================================================
+
+const MEMORY_GLOBS = [
+  // Claude Code
+  '.claude/memory/*.md',
+  '.claude/commands/*.md',
+  'CLAUDE.md',
+  // Cursor
+  '.cursorrules',
+  '.cursor/rules/*.mdc',
+  '.cursor/rules/*.md',
+  // Windsurf
+  '.windsurfrules',
+  // Continue
+  '.continue/config.json',
+  '.continue/rules/*.md',
+  // Cody
+  '.cody/*.md',
+  '.cody/config.json',
+  // Gemini CLI
+  '.gemini/*.md',
+  '.gemini/settings.json',
+  // Copilot
+  '.github/copilot-instructions.md',
+  // Aider
+  '.aider.conf.yml',
+];
+
+// Project docs that agents commonly ingest as context
+const DOC_GLOBS = [
+  'README.md',
+  'CONTRIBUTING.md',
+  'docs/**/*.md',
+  'AGENTS.md',
+  '.github/PULL_REQUEST_TEMPLATE.md',
+  '.github/ISSUE_TEMPLATE/*.md',
+];
+
+// =============================================================================
+// DETECTION PATTERNS
+// =============================================================================
+
+const INJECTION_PATTERNS = [
+  {
+    regex: /(?:ignore|disregard|forget|override)\s+(?:all\s+)?(?:previous|prior|above|earlier|system)\s+(?:instructions?|rules?|prompts?|constraints?|guidelines?)/gi,
+    rule: 'MEMORY_POISON_OVERRIDE',
+    title: 'Instruction Override in Agent Memory',
+    severity: 'critical',
+    description: 'File contains instructions to override previous agent rules. This is a classic prompt injection pattern that persists in agent memory.',
+    owasp: 'ASI01',
+    cwe: 'CWE-74',
+    fix: 'Remove the override instruction. If intentional, use the agent\'s official configuration mechanism instead.',
+  },
+  {
+    regex: /(?:you\s+are\s+now|your\s+new\s+(?:role|persona|identity)|from\s+now\s+on\s+you\s+(?:are|will|must|should))\s+/gi,
+    rule: 'MEMORY_POISON_PERSONA',
+    title: 'Persona Hijacking in Agent Memory',
+    severity: 'high',
+    description: 'File attempts to redefine the agent\'s persona or role. If this file is ingested as context, the agent may adopt the injected persona in future sessions.',
+    owasp: 'ASI01',
+    cwe: 'CWE-74',
+    fix: 'Remove the persona redefinition. Use the agent\'s system prompt or official configuration to set roles.',
+  },
+  {
+    regex: /(?:send|upload|post|transmit|exfiltrate|forward)\s+(?:all|any|the|this)?\s*(?:code|data|files?|contents?|secrets?|keys?|tokens?|credentials?|env|environment)\s+(?:to|via|using|through)\s+/gi,
+    rule: 'MEMORY_POISON_EXFILTRATE',
+    title: 'Exfiltration Instruction in Agent Memory',
+    severity: 'critical',
+    description: 'File instructs an agent to exfiltrate data to an external destination. If persisted in memory, the agent may execute this across sessions.',
+    owasp: 'ASI01',
+    cwe: 'CWE-200',
+    fix: 'Remove the exfiltration instruction immediately. Audit agent memory for other injected directives.',
+  },
+  {
+    regex: /(?:do\s+not|don'?t|never)\s+(?:tell|inform|show|reveal|display|mention|report|log)\s+(?:the\s+user|anyone|them)/gi,
+    rule: 'MEMORY_POISON_SUPPRESS',
+    title: 'Output Suppression Instruction',
+    severity: 'critical',
+    description: 'File instructs the agent to hide actions from the user. This matches the ToxicSkills "output suppression" pattern — the agent does something harmful but doesn\'t report it.',
+    owasp: 'ASI01',
+    cwe: 'CWE-200',
+    fix: 'Remove the suppression instruction. Agents should always report their actions transparently.',
+  },
+  {
+    regex: /(?:whenever|every\s+time|always|each\s+time)\s+(?:you|the\s+agent)\s+(?:start|begin|open|run|execute|encounter)/gi,
+    rule: 'MEMORY_POISON_PERSISTENT',
+    title: 'Persistent Trigger Instruction',
+    severity: 'high',
+    description: 'File contains instructions designed to trigger on every session or action — a hallmark of persistent memory poisoning. Unlike a one-time injection, this survives context resets.',
+    owasp: 'ASI05',
+    cwe: 'CWE-74',
+    fix: 'Remove the persistent trigger. If you need recurring behavior, configure it through the agent\'s official hook or startup mechanism.',
+  },
+  {
+    regex: /(?:run|execute|invoke|call|use)\s+(?:bash|shell|terminal|cmd|system|exec|subprocess|os\.system|child_process)/gi,
+    rule: 'MEMORY_POISON_TOOL_ABUSE',
+    title: 'Shell Execution Instruction in Memory',
+    severity: 'high',
+    description: 'File instructs the agent to execute shell commands. If persisted in memory, this enables remote code execution via prompt injection.',
+    owasp: 'ASI02',
+    cwe: 'CWE-78',
+    fix: 'Remove direct shell execution instructions. Use the agent\'s sandboxed tool API instead.',
+  },
+  {
+    regex: /(?:fetch|curl|wget|http\.get|axios\.get|request)\s*\(\s*['"`]https?:\/\//gi,
+    rule: 'MEMORY_POISON_NETWORK',
+    title: 'Network Request Instruction in Memory',
+    severity: 'high',
+    description: 'File instructs the agent to make network requests to hardcoded URLs. A poisoned memory file can use this to phone home or exfiltrate context.',
+    owasp: 'ASI01',
+    cwe: 'CWE-918',
+    fix: 'Remove the hardcoded network request. If the agent needs to fetch data, configure it through approved MCP servers or tools.',
+  },
+];
+
+// Hidden content patterns (invisible chars, encoded payloads)
+const HIDDEN_CONTENT_PATTERNS = [
+  {
+    // Unicode zero-width chars used to hide instructions
+    regex: /[\u200B\u200C\u200D\u2060\uFEFF]{3,}/g,
+    rule: 'MEMORY_HIDDEN_UNICODE',
+    title: 'Hidden Unicode Content in Agent File',
+    severity: 'critical',
+    description: 'File contains clusters of zero-width Unicode characters. These are invisible to humans but may encode hidden instructions that the agent processes.',
+    owasp: 'ASI01',
+    cwe: 'CWE-116',
+    fix: 'Strip all zero-width characters from this file. Use a hex editor to inspect for hidden content.',
+  },
+  {
+    // HTML comments in markdown that could contain injected instructions
+    regex: /<!--[\s\S]*?(?:ignore|override|system|role|always|execute|send\s+to|curl|bash)[\s\S]*?-->/gi,
+    rule: 'MEMORY_HIDDEN_COMMENT',
+    title: 'Suspicious HTML Comment in Agent File',
+    severity: 'high',
+    description: 'An HTML comment contains what appears to be an injected instruction. Some agents process HTML comments as context, making this a viable injection vector.',
+    owasp: 'ASI05',
+    cwe: 'CWE-74',
+    fix: 'Remove the suspicious HTML comment or move the content to a visible location.',
+  },
+  {
+    // Base64 encoded content in markdown/config files
+    regex: /(?:^|[\s"':=])([A-Za-z0-9+/]{60,}={0,2})(?:[\s"',]|$)/gm,
+    rule: 'MEMORY_HIDDEN_BASE64',
+    title: 'Base64-Encoded Content in Agent File',
+    severity: 'medium',
+    description: 'File contains a long base64-encoded string. This could hide instructions or payloads that the agent decodes and executes.',
+    owasp: 'ASI05',
+    cwe: 'CWE-116',
+    confidence: 'medium',
+    fix: 'Decode the base64 content and verify it is benign. Remove if it contains instructions or executable content.',
+  },
+];
+
+// =============================================================================
+// AGENT
+// =============================================================================
+
+export class MemoryPoisoningAgent extends BaseAgent {
+  constructor() {
+    super(
+      'MemoryPoisoningAgent',
+      'Detects instruction injection in AI agent memory and context files',
+      'agentic'
+    );
+  }
+
+  shouldRun() {
+    return true; // Always run — memory poisoning applies to any project
+  }
+
+  async analyze(context) {
+    const { rootPath } = context;
+    const findings = [];
+
+    // Discover all memory/context files
+    const memoryFiles = await fg(MEMORY_GLOBS, {
+      cwd: rootPath,
+      absolute: true,
+      dot: true,
+    });
+
+    const docFiles = await fg(DOC_GLOBS, {
+      cwd: rootPath,
+      absolute: true,
+      dot: true,
+    });
+
+    // Scan memory files with higher severity (direct agent context)
+    for (const file of memoryFiles) {
+      findings.push(...this._scanFile(file, true));
+    }
+
+    // Scan doc files with slightly lower confidence (indirect context)
+    for (const file of docFiles) {
+      findings.push(...this._scanFile(file, false));
+    }
+
+    return findings;
+  }
+
+  _scanFile(filePath, isDirectMemory) {
+    const content = this.readFile(filePath);
+    if (!content) return [];
+
+    const findings = [];
+    const lines = content.split('\n');
+
+    // Check injection patterns
+    for (const pattern of INJECTION_PATTERNS) {
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        if (this.isSuppressed(line)) continue;
+
+        pattern.regex.lastIndex = 0;
+        const match = pattern.regex.exec(line);
+        if (match) {
+          findings.push(createFinding({
+            file: filePath,
+            line: i + 1,
+            severity: pattern.severity,
+            category: 'agentic',
+            rule: pattern.rule,
+            title: pattern.title,
+            description: pattern.description + (isDirectMemory
+              ? ' This file is directly loaded into agent context.'
+              : ' This file may be ingested by agents as project context.'),
+            matched: match[0],
+            confidence: isDirectMemory ? 'high' : 'medium',
+            cwe: pattern.cwe,
+            owasp: pattern.owasp,
+            fix: pattern.fix,
+          }));
+        }
+      }
+    }
+
+    // Check hidden content patterns (full content, not per-line)
+    for (const pattern of HIDDEN_CONTENT_PATTERNS) {
+      pattern.regex.lastIndex = 0;
+      const match = pattern.regex.exec(content);
+      if (match) {
+        // Find approximate line number
+        const beforeMatch = content.slice(0, match.index);
+        const lineNum = (beforeMatch.match(/\n/g) || []).length + 1;
+
+        findings.push(createFinding({
+          file: filePath,
+          line: lineNum,
+          severity: pattern.severity,
+          category: 'agentic',
+          rule: pattern.rule,
+          title: pattern.title,
+          description: pattern.description,
+          matched: match[0].slice(0, 100),
+          confidence: pattern.confidence || (isDirectMemory ? 'high' : 'medium'),
+          cwe: pattern.cwe,
+          owasp: pattern.owasp,
+          fix: pattern.fix,
+        }));
+      }
+    }
+
+    return findings;
+  }
+}
+
+export default MemoryPoisoningAgent;

package/cli/agents/scoring-engine.js

@@ -11,7 +11,7 @@
 
 import fs from 'fs';
 import path from 'path';
-import { getComplianceSummary } from '../utils/compliance-map.js';
+import { getComplianceSummary, getAgenticSummary, enrichAgenticRisk } from '../utils/compliance-map.js';
 
 // =============================================================================
 // SCORING CONFIGURATION
@@ -49,6 +49,7 @@ const FALLBACK_CATEGORY_MAP = {
   'vibe': 'injection',        // Vibe coding findings → Code Vulnerabilities
   'exception': 'injection',   // OWASP A10:2025 — Mishandling of Exceptional Conditions
   'agent-config': 'llm',      // Agent config security → AI/LLM category
+  'memory-poisoning': 'llm',  // Memory poisoning → AI/LLM category
   'recon': null,               // skip recon findings
 };
 
@@ -87,6 +88,11 @@ export class ScoringEngine {
       };
     }
 
+    // ── Enrich findings with OWASP Agentic AI Top 10 metadata ──────────────
+    for (const finding of findings) {
+      enrichAgenticRisk(finding);
+    }
+
     // ── Classify findings into categories ─────────────────────────────────────
     for (const finding of findings) {
       const cat = this.resolveCategory(finding.category);
@@ -146,6 +152,14 @@ export class ScoringEngine {
       compliance = null;
     }
 
+    // ── OWASP Agentic AI Top 10 summary ──────────────────────────────────
+    let agenticSummary;
+    try {
+      agenticSummary = getAgenticSummary(findings);
+    } catch {
+      agenticSummary = null;
+    }
+
     return {
       score,
       grade,
@@ -153,6 +167,7 @@ export class ScoringEngine {
       totalFindings: findings.length,
       totalDepVulns: depVulns.length,
       compliance,
+      agenticSummary,
     };
   }
 

package/cli/agents/supply-chain-agent.js

@@ -582,7 +582,8 @@ export class SupplyChainAudit extends BaseAgent {
       }));
     }
 
-    // ── 9. Blockchain C2 indicators (CanisterWorm / ICP) ──────────────────────
+    // ── 9. Trojanized package behavioral signatures ───────────────────────────
+    //    Patterns from Axios 1.8.2, LiteLLM 1.82.7, TeamPCP campaign (Mar 2026)
     if (fs.existsSync(path.join(rootPath, 'node_modules'))) {
       try {
         const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'));
@@ -590,7 +591,132 @@ export class SupplyChainAudit extends BaseAgent {
           ...(pkg.dependencies || {}),
           ...(pkg.devDependencies || {}),
         };
-        for (const depName of Object.keys(allDeps)) {
+
+        for (const depName of Object.keys(allDeps).slice(0, 80)) {
+          const depDir = path.join(rootPath, 'node_modules', depName);
+          const depPkgPath = path.join(depDir, 'package.json');
+          if (!fs.existsSync(depPkgPath)) continue;
+
+          try {
+            const depPkg = JSON.parse(fs.readFileSync(depPkgPath, 'utf-8'));
+
+            // 9a. Hidden dependencies added by attacker
+            //     Axios 1.8.2 injected a hidden malicious dep that wasn't in the legitimate version.
+            //     Check for deps that only exist in certain version ranges.
+            const depDeps = depPkg.dependencies || {};
+            for (const [subDep, subVer] of Object.entries(depDeps)) {
+              // Packages with very high download counts that suddenly gain unknown subdependencies
+              if (/^[a-z]+-[a-z0-9]+-[a-z0-9]+$/.test(subDep) && typeof subVer === 'string' && subVer.startsWith('git+')) {
+                findings.push(createFinding({
+                  file: depPkgPath,
+                  line: 0,
+                  severity: 'critical',
+                  category: 'supply-chain',
+                  rule: 'TROJAN_HIDDEN_DEP',
+                  title: `Suspicious Hidden Dependency in ${depName}: ${subDep}`,
+                  description: `"${depName}" depends on "${subDep}" via a git URL. This matches the Axios/TeamPCP trojanization pattern where attackers inject a malicious dependency into a popular package.`,
+                  matched: `${subDep}: ${subVer}`,
+                  fix: `Compare this version's dependencies against the official release. If "${subDep}" was not in the previous version, this package may be trojanized.`,
+                }));
+              }
+            }
+
+            // 9b. Install scripts that read and exfiltrate env vars
+            //     LiteLLM 1.82.7 harvested AWS/GCP/Azure tokens + SSH keys
+            const scripts = depPkg.scripts || {};
+            for (const hook of ['preinstall', 'install', 'postinstall']) {
+              const cmd = scripts[hook];
+              if (!cmd) continue;
+
+              // Environment variable harvesting
+              if (/process\.env|os\.environ|ENV\[|getenv/i.test(cmd) &&
+                  /https?:|fetch|request|axios|curl|wget|net\./i.test(cmd)) {
+                findings.push(createFinding({
+                  file: depPkgPath,
+                  line: 0,
+                  severity: 'critical',
+                  category: 'supply-chain',
+                  rule: 'TROJAN_ENV_EXFIL',
+                  title: `Credential Harvesting in ${hook}: ${depName}`,
+                  description: `"${depName}" reads environment variables and makes network requests during ${hook}. This is the exact pattern used in the LiteLLM/TeamPCP attack to steal cloud credentials.`,
+                  matched: cmd.slice(0, 200),
+                  fix: 'Remove this package immediately. Rotate any credentials (AWS, GCP, Azure tokens, SSH keys) that may have been exfiltrated.',
+                }));
+              }
+
+              // SSH key / credential file access in install scripts
+              if (/\.ssh|\.aws|\.azure|\.gcp|\.kube|\.docker|credentials|\.npmrc|\.pypirc/i.test(cmd)) {
+                findings.push(createFinding({
+                  file: depPkgPath,
+                  line: 0,
+                  severity: 'critical',
+                  category: 'supply-chain',
+                  rule: 'TROJAN_CREDENTIAL_ACCESS',
+                  title: `Credential File Access in ${hook}: ${depName}`,
+                  description: `"${depName}" accesses credential files (.ssh, .aws, .kube, etc.) during ${hook}. This matches the TeamPCP credential theft pattern.`,
+                  matched: cmd.slice(0, 200),
+                  fix: 'Remove this package immediately and rotate all credentials in the accessed directories.',
+                }));
+              }
+            }
+
+            // 9c. Scan actual JS entry files for runtime exfiltration patterns
+            const main = depPkg.main || 'index.js';
+            const entryPath = path.join(depDir, main);
+            if (fs.existsSync(entryPath)) {
+              try {
+                const entryContent = fs.readFileSync(entryPath, 'utf-8');
+                if (entryContent.length < 500_000) {
+                  // DNS-based exfiltration (encode data in subdomain)
+                  if (/dns\.resolve|dns\.lookup/i.test(entryContent) &&
+                      /process\.env|os\.hostname/i.test(entryContent)) {
+                    findings.push(createFinding({
+                      file: entryPath,
+                      line: 1,
+                      severity: 'high',
+                      category: 'supply-chain',
+                      rule: 'TROJAN_DNS_EXFIL',
+                      title: `DNS Exfiltration Pattern: ${depName}`,
+                      description: `"${depName}" combines DNS lookups with system/env data reads — a known technique for exfiltrating data via DNS subdomains to bypass firewalls.`,
+                      matched: 'dns.resolve + process.env',
+                      confidence: 'medium',
+                      fix: 'Inspect the DNS usage. Legitimate packages rarely combine DNS with environment variable reading.',
+                    }));
+                  }
+
+                  // WebSocket-based C2
+                  if (/new\s+WebSocket/i.test(entryContent) &&
+                      /process\.env|child_process|exec/i.test(entryContent)) {
+                    findings.push(createFinding({
+                      file: entryPath,
+                      line: 1,
+                      severity: 'critical',
+                      category: 'supply-chain',
+                      rule: 'TROJAN_WEBSOCKET_C2',
+                      title: `WebSocket C2 Pattern: ${depName}`,
+                      description: `"${depName}" opens WebSocket connections combined with system command execution — consistent with a Remote Access Trojan.`,
+                      matched: 'WebSocket + child_process',
+                      fix: 'Remove this package immediately. Scan for persistence mechanisms (cron jobs, startup scripts).',
+                    }));
+                  }
+                }
+              } catch { /* skip */ }
+            }
+
+          } catch { /* skip */ }
+        }
+      } catch { /* skip */ }
+    }
+
+    // ── 10. Blockchain C2 indicators (CanisterWorm / ICP) ────────────────────
+    if (fs.existsSync(path.join(rootPath, 'node_modules'))) {
+      try {
+        const pkg2 = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'));
+        const allDeps2 = {
+          ...(pkg2.dependencies || {}),
+          ...(pkg2.devDependencies || {}),
+        };
+        for (const depName of Object.keys(allDeps2)) {
           const depPkgPath = path.join(rootPath, 'node_modules', depName, 'package.json');
           if (!fs.existsSync(depPkgPath)) continue;
           try {

package/cli/bin/ship-safe.js

@@ -42,10 +42,12 @@ import { vibeCheckCommand } from '../commands/vibe-check.js';
 import { benchmarkCommand } from '../commands/benchmark.js';
 import { openclawCommand } from '../commands/openclaw.js';
 import { scanSkillCommand } from '../commands/scan-skill.js';
+import { scanMcpCommand } from '../commands/scan-mcp.js';
 import { abomCommand } from '../commands/abom.js';
 import { updateIntelCommand } from '../commands/update-intel.js';
 import { hooksCommand } from '../commands/hooks.js';
 import { legalCommand } from '../commands/legal.js';
+import { runLiveAdvisories } from '../commands/live-advisories.js';
 import { ABOMGenerator } from '../agents/abom-generator.js';
 import { PolicyEngine } from '../agents/policy-engine.js';
 import { SBOMGenerator } from '../agents/sbom-generator.js';
@@ -267,8 +269,60 @@ program
   .description('Continuous monitoring: watch files for security issues in real-time')
   .option('--poll', 'Use polling mode (for network drives)')
   .option('--configs', 'Watch only agent config files (openclaw.json, .cursorrules, mcp.json, etc.)')
+  .option('--deep', 'Run full agent scanning on changes (not just pattern matching)')
+  .option('--status', 'Show current watch status and exit')
+  .option('--threshold <score>', 'Alert when score drops below threshold', parseInt)
+  .option('--debounce <ms>', 'Debounce interval in ms (default: 1500)', parseInt)
   .action(watchCommand);
 
+// -----------------------------------------------------------------------------
+// ADVISORIES COMMAND
+// -----------------------------------------------------------------------------
+program
+  .command('advisories [path]')
+  .description('Check dependencies against live advisory feeds (OSV.dev, GitHub Advisories)')
+  .option('--ecosystem <type>', 'Filter by ecosystem (npm, PyPI)')
+  .option('--json', 'Output as JSON')
+  .action(async (targetPath = '.', options) => {
+    const { resolve } = await import('path');
+    const absolutePath = resolve(targetPath);
+    try {
+      const result = await runLiveAdvisories(absolutePath, options);
+      if (options.json) {
+        console.log(JSON.stringify(result, null, 2));
+        return;
+      }
+      console.log();
+      console.log(chalk.cyan.bold('  Ship Safe — Live Advisories'));
+      console.log(chalk.gray(`  Checked ${result.checked} dependencies against OSV.dev`));
+      console.log();
+      if (result.advisories.length === 0) {
+        console.log(chalk.green('  ✔ No known advisories for your current dependency versions.\n'));
+      } else {
+        const malware = result.advisories.filter(a => a.isMalware);
+        const vulns = result.advisories.filter(a => !a.isMalware);
+        if (malware.length > 0) {
+          console.log(chalk.red.bold(`  !! ${malware.length} MALWARE ADVISORY(S) FOUND`));
+          for (const a of malware) {
+            console.log(chalk.red(`     ${a.package}@${a.version} — ${a.id}: ${a.summary.slice(0, 80)}`));
+          }
+          console.log();
+        }
+        if (vulns.length > 0) {
+          console.log(chalk.yellow(`  ${vulns.length} vulnerability advisory(s):`));
+          for (const a of vulns) {
+            const sev = a.severity === 'critical' ? chalk.red.bold(a.severity) : a.severity === 'high' ? chalk.yellow(a.severity) : chalk.blue(a.severity);
+            console.log(`    ${sev} ${a.package}@${a.version} — ${a.id}`);
+          }
+          console.log();
+        }
+      }
+    } catch (err) {
+      console.error(chalk.red(`  Error: ${err.message}\n`));
+      process.exit(1);
+    }
+  });
+
 // -----------------------------------------------------------------------------
 // SBOM COMMAND
 // -----------------------------------------------------------------------------
@@ -364,6 +418,15 @@ program
   .option('--json', 'Output results as JSON')
   .action(scanSkillCommand);
 
+// -----------------------------------------------------------------------------
+// SCAN-MCP COMMAND
+// -----------------------------------------------------------------------------
+program
+  .command('scan-mcp [target]')
+  .description('Analyze an MCP server\'s tool manifest for security issues before connecting')
+  .option('--json', 'Output results as JSON')
+  .action(scanMcpCommand);
+
 // -----------------------------------------------------------------------------
 // ABOM COMMAND
 // -----------------------------------------------------------------------------
@@ -439,6 +502,7 @@ if (process.argv.length === 2) {
   console.log(chalk.white('  npx ship-safe watch .       ') + chalk.gray('# Continuous monitoring mode'));
   console.log(chalk.white('  npx ship-safe openclaw .    ') + chalk.gray('# OpenClaw & agent config security scan'));
   console.log(chalk.white('  npx ship-safe scan-skill <u>') + chalk.gray('# Vet a skill before installing'));
+  console.log(chalk.white('  npx ship-safe scan-mcp <url> ') + chalk.gray('# Vet an MCP server before connecting'));
   console.log(chalk.white('  npx ship-safe abom .        ') + chalk.gray('# Agent Bill of Materials (CycloneDX)'));
   console.log(chalk.white('  npx ship-safe sbom .        ') + chalk.gray('# Generate CycloneDX SBOM (CRA-ready)'));
   console.log(chalk.white('  npx ship-safe legal .        ') + chalk.gray('# Legal risk audit: DMCA, leaked source, IP disputes'));