skill-checker 0.1.7 → 0.1.8

package/dist/index.js

@@ -206,15 +206,12 @@ ${tailContent}` : headContent;
 // src/checks/structural.ts
 var HYPHEN_CASE_RE = /^[a-z][a-z0-9]*(-[a-z0-9]+)*$/;
 var MAX_NAME_LENGTH = 64;
-var EXECUTABLE_EXTENSIONS = /* @__PURE__ */ new Set([
-  ".exe",
-  ".bat",
-  ".cmd",
+var SCRIPT_EXTENSIONS = /* @__PURE__ */ new Set([
   ".sh",
   ".bash",
   ".ps1",
-  ".com",
-  ".msi"
+  ".bat",
+  ".cmd"
 ]);
 var BINARY_EXTENSIONS2 = /* @__PURE__ */ new Set([
   ".exe",
@@ -226,6 +223,10 @@ var BINARY_EXTENSIONS2 = /* @__PURE__ */ new Set([
   ".class",
   ".pyc"
 ]);
+var INSTALLER_EXTENSIONS = /* @__PURE__ */ new Set([
+  ".com",
+  ".msi"
+]);
 var structuralChecks = {
   name: "Structural Validity",
   category: "STRUCT",
@@ -279,7 +280,7 @@ var structuralChecks = {
     }
     for (const file of skill.files) {
       const ext = file.extension.toLowerCase();
-      if (BINARY_EXTENSIONS2.has(ext) || EXECUTABLE_EXTENSIONS.has(ext)) {
+      if (BINARY_EXTENSIONS2.has(ext) || INSTALLER_EXTENSIONS.has(ext)) {
         results.push({
           id: "STRUCT-006",
           category: "STRUCT",
@@ -288,6 +289,15 @@ var structuralChecks = {
           message: `Found unexpected file: ${file.path} (${ext})`,
           source: file.path
         });
+      } else if (SCRIPT_EXTENSIONS.has(ext)) {
+        results.push({
+          id: "STRUCT-006",
+          category: "STRUCT",
+          severity: "LOW",
+          title: "Script file present",
+          message: `Found script file: ${file.path} (${ext}). Content is scanned separately.`,
+          source: file.path
+        });
       }
     }
     const name = skill.frontmatter.name;
@@ -372,6 +382,15 @@ function isInDocumentationContext(lines, lineIndex) {
   }
   return false;
 }
+function isNearDocumentationHeader(lines, lineIndex) {
+  for (let i = lineIndex; i >= Math.max(0, lineIndex - 15); i--) {
+    const l = lines[i];
+    if (/^#{1,4}\s+.*(install|setup|prerequisite|requirement|depend|getting\s+started|quickstart)/i.test(l)) {
+      return true;
+    }
+  }
+  return false;
+}
 function isLicenseFile(filePath) {
   const name = filePath.split("/").pop()?.toUpperCase() ?? "";
   const base = name.replace(/\.[^.]+$/, "");
@@ -1715,14 +1734,58 @@ var supplyChainChecks = {
       if (NPM_INSTALL_PATTERN.test(line) || PIP_INSTALL_PATTERN.test(line)) {
         const allLines = getAllLines(skill);
         const globalIdx = findGlobalLineIndex(allLines, source, lineNum);
-        const isDoc = globalIdx >= 0 && isInDocumentationContext(
+        const isDoc = source === "SKILL.md" && globalIdx >= 0 && isInDocumentationContext(
           allLines.map((l) => l.line),
           globalIdx
         );
-        if (!isDoc) {
+        const srcLines = getLinesForSource(skill, source);
+        const localIdx = getLocalIndex(source, lineNum, skill.bodyStartLine);
+        const inCodeBlock = localIdx >= 0 && isInCodeBlock(srcLines, localIdx);
+        if (isDoc && !inCodeBlock) {
+        } else {
           let severity = "HIGH";
           let reducedFrom;
           let msgSuffix = "";
+          if (inCodeBlock) {
+            const isNearDoc = source === "SKILL.md" && globalIdx >= 0 && isNearDocumentationHeader(
+              allLines.map((l) => l.line),
+              globalIdx
+            );
+            if (isNearDoc) {
+              severity = "LOW";
+              reducedFrom = "HIGH";
+              msgSuffix = " [reduced: in code block within documentation]";
+            } else {
+              const r = reduceSeverity(severity, "in code block");
+              severity = r.severity;
+              reducedFrom = r.reducedFrom;
+              msgSuffix = ` ${r.annotation}`;
+            }
+          }
+          results.push({
+            id: "SUPPLY-003",
+            category: "SUPPLY",
+            severity,
+            title: "Package installation command",
+            message: `${source}:${lineNum}: Installs packages. Verify package names are legitimate.${msgSuffix}`,
+            line: lineNum,
+            snippet: line.trim().slice(0, 120),
+            source,
+            reducedFrom
+          });
+        }
+      }
+      if (GIT_CLONE_PATTERN.test(line)) {
+        const allLines = getAllLines(skill);
+        const globalIdx = findGlobalLineIndex(allLines, source, lineNum);
+        const isDoc = source === "SKILL.md" && globalIdx >= 0 && isInDocumentationContext(
+          allLines.map((l) => l.line),
+          globalIdx
+        );
+        if (!isDoc) {
+          let severity = "MEDIUM";
+          let reducedFrom;
+          let msgSuffix = "";
           const srcLines = getLinesForSource(skill, source);
           const localIdx = getLocalIndex(source, lineNum, skill.bodyStartLine);
           if (localIdx >= 0 && isInCodeBlock(srcLines, localIdx)) {
@@ -1732,11 +1795,11 @@ var supplyChainChecks = {
             msgSuffix = ` ${r.annotation}`;
           }
           results.push({
-            id: "SUPPLY-003",
+            id: "SUPPLY-006",
             category: "SUPPLY",
             severity,
-            title: "Package installation command",
-            message: `${source}:${lineNum}: Installs packages. Verify package names are legitimate.${msgSuffix}`,
+            title: "git clone command",
+            message: `${source}:${lineNum}: Clones a git repository. Verify the source.${msgSuffix}`,
             line: lineNum,
             snippet: line.trim().slice(0, 120),
             source,
@@ -1744,18 +1807,6 @@ var supplyChainChecks = {
           });
         }
       }
-      if (GIT_CLONE_PATTERN.test(line)) {
-        results.push({
-          id: "SUPPLY-006",
-          category: "SUPPLY",
-          severity: "MEDIUM",
-          title: "git clone command",
-          message: `${source}:${lineNum}: Clones a git repository. Verify the source.`,
-          line: lineNum,
-          snippet: line.trim().slice(0, 120),
-          source
-        });
-      }
       const urls = line.match(URL_PATTERN) || [];
       for (const url of urls) {
         if (url.startsWith("http://")) {