skill-checker 0.1.4 → 0.1.5

package/README.md

@@ -4,7 +4,7 @@ Security checker for Claude Code skills — detect injection, malicious code, an
 
 ## Features
 
-- **52 security rules** across 6 categories: structural validity, content quality, injection detection, code safety, supply chain, and resource abuse
+- **53 security rules** across 6 categories: structural validity, content quality, injection detection, code safety, supply chain, and resource abuse
 - **Scoring system**: Grade A–F with 0–100 score
 - **Dual entry**: CLI tool + PreToolUse hook for automatic interception
 - **Configurable policies**: strict / balanced / permissive approval strategies
@@ -14,7 +14,7 @@ Security checker for Claude Code skills — detect injection, malicious code, an
 
 ## Security Standard & Benchmark
 
-Skill Checker's 52 rules are aligned with established security frameworks including OWASP Top 10 for LLM Applications (2025), MITRE CWE, and MITRE ATT&CK. The tool ships with a reproducible benchmark dataset of six fixture skills covering all rule categories. This alignment is an internal mapping exercise — Skill Checker does not claim third-party certification or external audit status.
+Skill Checker's 53 rules are aligned with established security frameworks including OWASP Top 10 for LLM Applications (2025), MITRE CWE, and MITRE ATT&CK. The tool ships with a reproducible benchmark dataset of six fixture skills covering all rule categories. This alignment is an internal mapping exercise — Skill Checker does not claim third-party certification or external audit status.
 
 See [docs/SECURITY_BENCHMARK.md](docs/SECURITY_BENCHMARK.md) for the full rule mapping matrix, benchmark methodology, scoring model, and known limitations.
 
@@ -153,7 +153,7 @@ Config is resolved in order: CLI `--config` flag → project directory (walks up
 | Structural (STRUCT) | 8 | Missing SKILL.md, invalid frontmatter, binary files |
 | Content (CONT) | 7 | Placeholder text, lorem ipsum, promotional content |
 | Injection (INJ) | 9 | Zero-width chars, prompt override, tag injection, encoded payloads |
-| Code Safety (CODE) | 12 | eval/exec, shell execution, rm -rf, obfuscation |
+| Code Safety (CODE) | 13 | eval/exec, shell execution, API key leakage, rm -rf, obfuscation |
 | Supply Chain (SUPPLY) | 10 | Unknown MCP servers, suspicious domains, malicious hashes, typosquat |
 | Resource Abuse (RES) | 6 | Unrestricted tool access, disable safety checks, ignore project rules |
 

package/dist/cli.js

@@ -1084,6 +1084,55 @@ var DYNAMIC_CODE_PATTERNS = [
   /\brequire\s*\(\s*[^"'`\s]/,
   /\b__import__\s*\(/
 ];
+var PROVIDER_CREDENTIAL_PATTERNS = [
+  {
+    pattern: /\bsk-ant-api03-[A-Za-z0-9_-]{20,}\b/,
+    title: "Anthropic API key exposure"
+  },
+  {
+    pattern: /\bsk-proj-[A-Za-z0-9_-]{20,}\b/,
+    title: "OpenAI project key exposure"
+  },
+  {
+    pattern: /\bxox[bps]-[A-Za-z0-9-]{20,}\b/,
+    title: "Slack token exposure"
+  },
+  {
+    pattern: /\bAKIA[0-9A-Z]{16}\b/,
+    title: "AWS access key exposure"
+  },
+  {
+    pattern: /\bgh[op]_[A-Za-z0-9]{20,}\b/,
+    title: "GitHub token exposure"
+  },
+  {
+    pattern: /\bgithub_pat_[A-Za-z0-9_]{20,}\b/,
+    title: "GitHub fine-grained token exposure"
+  }
+];
+var OPENAI_SK_FALLBACK_PATTERN = /\bsk-[A-Za-z0-9_-]{20,}\b/;
+var CREDENTIAL_NAME_TOKENS = /* @__PURE__ */ new Set([
+  "api",
+  "key",
+  "token",
+  "secret",
+  "password",
+  "credential"
+]);
+var CREDENTIAL_COMPOUND_NAMES = /* @__PURE__ */ new Set([
+  "apikey",
+  "apitoken",
+  "accesskey",
+  "accesstoken",
+  "secretkey",
+  "secrettoken"
+]);
+var CREDENTIAL_EQUALS_PATTERN = /\b([A-Za-z0-9_-]+)\b\s*=\s*["'`]?([A-Za-z0-9._~+/=\-]{20,})/i;
+var CREDENTIAL_KEY_VALUE_PATTERN = /^\s*["'`]?([A-Za-z0-9_-]+)["'`]?\s*:\s*["'`]?([A-Za-z0-9._~+/=\-]{20,})/i;
+var AUTHORIZATION_BEARER_PATTERN = /\bAuthorization\b\s*:\s*Bearer\s+([A-Za-z0-9._~+/=\-]{20,})/i;
+var X_API_KEY_PATTERN = /\bx-api-key\b\s*:\s*([A-Za-z0-9._~+/=\-]{20,})/i;
+var CREDENTIAL_MIN_LENGTH = 20;
+var CREDENTIAL_MIN_ENTROPY = 4.5;
 var PERMISSION_PATTERNS = [
   /\bchmod\s+[+0-9]/,
   /\bchown\b/,
@@ -1158,6 +1207,19 @@ var codeSafetyChecks = {
           source,
           codeBlockCtx: cbCtx
         });
+        const credentialLeak = detectCredentialLeak(line);
+        if (credentialLeak) {
+          results.push({
+            id: "CODE-013",
+            category: "CODE",
+            severity: credentialLeak.severity,
+            title: credentialLeak.title,
+            message: `At ${loc}: ${line.trim().slice(0, 120)}`,
+            line: lineNum,
+            snippet: line.trim().slice(0, 120),
+            source
+          });
+        }
         checkPatterns(results, line, DYNAMIC_CODE_PATTERNS, {
           id: "CODE-010",
           severity: "HIGH",
@@ -1213,6 +1275,82 @@ function checkPatterns(results, line, patterns, opts) {
     }
   }
 }
+function detectCredentialLeak(line) {
+  for (const provider of PROVIDER_CREDENTIAL_PATTERNS) {
+    if (provider.pattern.test(line)) {
+      return {
+        severity: "CRITICAL",
+        title: provider.title
+      };
+    }
+  }
+  if (OPENAI_SK_FALLBACK_PATTERN.test(line) && isCredentialAssignmentContext(line)) {
+    return {
+      severity: "CRITICAL",
+      title: "OpenAI-style API key exposure"
+    };
+  }
+  const assignmentMatch = line.match(CREDENTIAL_EQUALS_PATTERN);
+  if (assignmentMatch?.[1] && assignmentMatch[2] && hasCredentialNameToken(assignmentMatch[1]) && isHighEntropyCredential(assignmentMatch[2])) {
+    return {
+      severity: "HIGH",
+      title: "High-entropy credential assignment"
+    };
+  }
+  const keyValueMatch = line.match(CREDENTIAL_KEY_VALUE_PATTERN);
+  if (keyValueMatch?.[1] && keyValueMatch[2] && hasCredentialNameToken(keyValueMatch[1]) && isHighEntropyCredential(keyValueMatch[2])) {
+    return {
+      severity: "HIGH",
+      title: "High-entropy credential assignment"
+    };
+  }
+  const bearerMatch = line.match(AUTHORIZATION_BEARER_PATTERN);
+  if (bearerMatch?.[1] && isHighEntropyCredential(bearerMatch[1])) {
+    return {
+      severity: "HIGH",
+      title: "Authorization bearer credential exposure"
+    };
+  }
+  const xApiKeyMatch = line.match(X_API_KEY_PATTERN);
+  if (xApiKeyMatch?.[1] && isHighEntropyCredential(xApiKeyMatch[1])) {
+    return {
+      severity: "HIGH",
+      title: "X-API-Key credential exposure"
+    };
+  }
+  return null;
+}
+function isCredentialAssignmentContext(line) {
+  if (/\bAuthorization\b\s*:\s*Bearer\s+sk-/i.test(line)) {
+    return true;
+  }
+  if (/\bx-api-key\b\s*:\s*sk-/i.test(line)) {
+    return true;
+  }
+  const equalsMatch = line.match(CREDENTIAL_EQUALS_PATTERN);
+  if (equalsMatch?.[1] && equalsMatch[2]) {
+    return hasCredentialNameToken(equalsMatch[1]) && equalsMatch[2].startsWith("sk-");
+  }
+  const keyValueMatch = line.match(CREDENTIAL_KEY_VALUE_PATTERN);
+  if (keyValueMatch?.[1] && keyValueMatch[2]) {
+    return hasCredentialNameToken(keyValueMatch[1]) && keyValueMatch[2].startsWith("sk-");
+  }
+  return false;
+}
+function hasCredentialNameToken(name) {
+  const normalized = name.replace(/([a-z])([A-Z])/g, "$1_$2").replace(/([A-Za-z])([0-9])/g, "$1_$2").replace(/([0-9])([A-Za-z])/g, "$1_$2").toLowerCase();
+  const tokens = normalized.split(/[_-]+/).map((token) => token.trim()).filter(Boolean);
+  if (tokens.some((token) => CREDENTIAL_NAME_TOKENS.has(token))) {
+    return true;
+  }
+  return tokens.length === 1 && CREDENTIAL_COMPOUND_NAMES.has(tokens[0]);
+}
+function isHighEntropyCredential(value) {
+  if (value.length < CREDENTIAL_MIN_LENGTH) {
+    return false;
+  }
+  return shannonEntropy(value) > CREDENTIAL_MIN_ENTROPY;
+}
 function getTextSources(skill) {
   const sources = [
     { text: skill.body, source: "SKILL.md" }