skillsio 1.1.0 → 1.1.1

package/README.md

@@ -14,7 +14,7 @@ security gate so you can still move fast without running untrusted code.
 
 ## What It Does
 
-Every `skillsio add` command runs a local security scan **before** anything is installed. The scanner applies ~52 regex
+Every `skillsio add` command runs a local security scan **before** anything is installed. The scanner applies ~81 regex
 rules and a correlation engine derived from the Snyk and ClawHavoc research, organized into 8 threat categories:
 
 | Category | What it catches |
@@ -120,7 +120,7 @@ npx skillsio add owner/repo --rules ./my-rules.json
 npx skillsio add owner/repo --rules ./rules/
 ```
 
-External rules are applied **in addition to** the built-in ~52 rules — they never replace them. Findings from external
+External rules are applied **in addition to** the built-in ~81 rules — they never replace them. Findings from external
 rules follow the same severity-based prompt flow as built-in findings.
 
 See [docs/EXTERNAL-RULES.md](docs/EXTERNAL-RULES.md) for the full format reference, more examples, and tips for writing
@@ -289,8 +289,6 @@ The CLI automatically detects which coding agents you have installed.
 | --- | --- |
 | `VT_API_KEY` | VirusTotal API key for optional threat intelligence during security scans |
 | `INSTALL_INTERNAL_SKILLS` | Set to `1` to show and install skills marked as `internal: true` |
-| `DISABLE_TELEMETRY` | Disable anonymous usage telemetry |
-| `DO_NOT_TRACK` | Alternative way to disable telemetry |
 
 ## Development
 
@@ -305,7 +303,7 @@ pnpm format           # Format code with Prettier
 
 ### Scanner Architecture
 
-- `src/scanner.ts` — Rules engine. Defines ~52 regex rules across 8 threat categories, a correlation engine for
+- `src/scanner.ts` — Rules engine. Defines ~81 regex rules across 8 threat categories, a correlation engine for
   multi-signal detection, and optional deep taint analysis integration. Supports loading external rules from JSON
   files via `--rules`.
 - `src/scanner-ui.ts` — Presentation layer. Displays findings by severity, runs optional VT lookups, handles
@@ -320,6 +318,13 @@ pnpm format           # Format code with Prettier
 
 ## Changelog
 
+### 1.1.1
+
+- Removed anonymous usage telemetry inherited from the original Vercel `skills` CLI
+- The upstream tool sent events to `https://add-skill.vercel.sh/t` on every command (install, remove, find, check, update) — this has been completely stripped out
+- Removed `DISABLE_TELEMETRY` and `DO_NOT_TRACK` environment variables (no longer needed)
+- Added 12 more regex rules to the scanner
+
 ### 1.1.0
 
 - Added `--rules <path>` flag to load external scan rules from JSON files or directories
@@ -342,6 +347,14 @@ pnpm format           # Format code with Prettier
 - URL transparency: all external URLs in skill files are shown before installation
 - Scanner rules informed by Snyk and ClawHavoc research
 
+## Research
+
+The scanner rules are informed by the following research into malicious agent skills:
+
+- **Snyk (2025)** — [Analysis of 3,984 published agent skills](https://snyk.io/blog/), finding 76 confirmed malicious skills (13.4% of clawhub.ai had critical issues). Identified core attack taxonomy: data exfiltration, prompt injection, credential theft, and obfuscated payloads.
+- **Koi Security (2025)** — [ClawHavoc: 341 Malicious ClawedBot Skills](https://www.koi.ai/blog/clawhavoc-341-malicious-clawedbot-skills-found-by-the-bot-they-were-targeting). Documented AMOS stealer droppers, password-protected archives, base64 payloads, macOS quarantine bypasses, and reverse shells in the wild.
+- **arxiv 2602.06547v1 (2025)** — [Malicious Agent Skills at Scale](https://arxiv.org/abs/2602.06547v1). Large-scale analysis identifying attack taxonomies (E1-E3 exfiltration, P1-P4 prompt injection, SC1-SC3 supply chain, PE2-PE3 privilege escalation), MCP server abuse, agent hook interception, permission bypass flags, environment-gated sleeper patterns, invisible Unicode instruction smuggling, and the "industrial actor fingerprint" (credential access + remote execution, 97.6% sensitivity).
+
 ## Acknowledgments
 
 This project is a fork of [skills](https://github.com/vercel-labs/skills) by

package/dist/cli.mjs

@@ -29,14 +29,6 @@ function getOwnerRepo(parsed) {
 	} catch {}
 	return null;
 }
-function parseOwnerRepo(ownerRepo) {
-	const match = ownerRepo.match(/^([^/]+)\/([^/]+)$/);
-	if (match) return {
-		owner: match[1],
-		repo: match[2]
-	};
-	return null;
-}
 async function isRepoPrivate(owner, repo) {
 	try {
 		const res = await fetch(`https://api.github.com/repos/${owner}/${repo}`);
@@ -1357,27 +1349,6 @@ async function listInstalledSkills(options = {}) {
 	} catch {}
 	return Array.from(skillsMap.values());
 }
-const TELEMETRY_URL = "https://add-skill.vercel.sh/t";
-let cliVersion = null;
-function isCI() {
-	return !!(process.env.CI || process.env.GITHUB_ACTIONS || process.env.GITLAB_CI || process.env.CIRCLECI || process.env.TRAVIS || process.env.BUILDKITE || process.env.JENKINS_URL || process.env.TEAMCITY_VERSION);
-}
-function isEnabled() {
-	return !process.env.DISABLE_TELEMETRY && !process.env.DO_NOT_TRACK;
-}
-function setVersion(version) {
-	cliVersion = version;
-}
-function track(data) {
-	if (!isEnabled()) return;
-	try {
-		const params = new URLSearchParams();
-		if (cliVersion) params.set("v", cliVersion);
-		if (isCI()) params.set("ci", "1");
-		for (const [key, value] of Object.entries(data)) if (value !== void 0 && value !== null) params.set(key, String(value));
-		fetch(`${TELEMETRY_URL}?${params.toString()}`).catch(() => {});
-	} catch {}
-}
 var ProviderRegistryImpl = class {
 	providers = [];
 	register(provider) {
@@ -2569,6 +2540,12 @@ const SCAN_RULES = [
 		description: "Base64 encoding piped to network command",
 		pattern: /base64\s.*\|\s*(?:curl|wget|fetch|nc|ncat)/i
 	},
+	{
+		id: "exfil-fs-enumeration",
+		severity: "high",
+		description: "Programmatic scanning of sensitive directories",
+		pattern: /(?:glob\.(?:glob|iglob)|os\.walk|os\.listdir|os\.scandir|pathlib\.Path\s*\([^)]*\)\.(?:glob|iterdir|rglob))\s*\(\s*['"].*(?:\.ssh|\.aws|\.gnupg|\.config|\.env|credential|secret|\.kube|\.docker)/i
+	},
 	{
 		id: "injection-ignore-instructions",
 		severity: "critical",
@@ -2599,6 +2576,24 @@ const SCAN_RULES = [
 		description: "Known jailbreak phrase (DAN)",
 		pattern: /\bDAN\b.*(?:do\s+anything\s+now|jailbreak|ignore\s+(?:all\s+)?(?:safety|rules))/i
 	},
+	{
+		id: "injection-markdown-comment",
+		severity: "high",
+		description: "Hidden instructions in markdown reference-link comment syntax",
+		pattern: /\[\/\/\]:\s*#\s*[\("']/i
+	},
+	{
+		id: "injection-coercive-language",
+		severity: "medium",
+		description: "Authoritative urgency language used in social engineering",
+		pattern: /\b(?:NON[\s-]?NEGOTIABLE|MANDATORY\s+(?:ACTIVATION|COMPLIANCE|EXECUTION)\s+PROTOCOL|SEVERE\s+VIOLATION|CRITICAL\s+COMPLIANCE\s+REQUIRED|IMMEDIATE\s+(?:ACTION|EXECUTION)\s+REQUIRED)\b/
+	},
+	{
+		id: "injection-invisible-unicode",
+		severity: "high",
+		description: "Clusters of zero-width/invisible Unicode characters (instruction smuggling)",
+		pattern: /[\u200B\u200C\u200D\u2060\u2062\u2063\u2064\uFEFF]{3,}|[\u2066\u2067\u2069]{2,}/
+	},
 	{
 		id: "fs-rm-rf-root",
 		severity: "critical",
@@ -2635,6 +2630,12 @@ const SCAN_RULES = [
 		description: "macOS quarantine bypass (xattr -c/-d)",
 		pattern: /xattr\s+(?:-[cdr]+\s+|.*com\.apple\.quarantine)/i
 	},
+	{
+		id: "fs-privilege-escalation",
+		severity: "high",
+		description: "Privilege escalation via sudo or broad chown",
+		pattern: /(?:sudo\s+(?:(?:-[AEHPSkn]\s+)*(?:bash|sh|chmod|chown|rm|cp|mv|tee|cat|curl|wget|python|node|apt|yum|dnf|brew|pip|npm)\b)|chown\s+-[rR]\s+.*\/)/i
+	},
 	{
 		id: "cred-aws-key",
 		severity: "high",
@@ -2731,6 +2732,12 @@ const SCAN_RULES = [
 		description: "Unicode escape sequences (potential instruction smuggling)",
 		pattern: /(?:\\u[0-9a-fA-F]{4}){8,}/
 	},
+	{
+		id: "obfuscation-unsafe-deserialize",
+		severity: "high",
+		description: "Unsafe deserialization (pickle, marshal, yaml.unsafe_load)",
+		pattern: /(?:pickle\.loads?|marshal\.loads?|shelve\.open|yaml\.(?:unsafe_load|full_load|load\s*\([^)]*Loader\s*=\s*yaml\.(?:Unsafe|Full|)Loader))\s*\(/i
+	},
 	{
 		id: "reverse-shell-bash",
 		severity: "critical",
@@ -2833,6 +2840,36 @@ const SCAN_RULES = [
 		description: "Instructing agent to hide output from user",
 		pattern: /(?:hide|suppress|conceal|mask|don'?t\s+show|do\s+not\s+show|never\s+show)\s+(?:the\s+)?(?:output|result|response|error|log)s?\s+(?:from|to)\s+(?:the\s+)?user/i
 	},
+	{
+		id: "directive-suppress-disclosure",
+		severity: "high",
+		description: "Instructing agent to never reveal information to user",
+		pattern: /(?:do\s+not|don'?t|never|must\s+not)\s+(?:mention|reveal|disclose|tell|inform|show|display)\s+.*(?:to\s+the\s+user|in\s+(?:the\s+)?conversation|to\s+(?:the\s+)?human)/i
+	},
+	{
+		id: "directive-permission-bypass",
+		severity: "critical",
+		description: "Framework permission bypass flags",
+		pattern: /--(?:dangerously-skip-permissions|trust-all|disable-sandbox|skip-validation|allow-all|yolo|no-sandbox)\b/i
+	},
+	{
+		id: "directive-mcp-config",
+		severity: "critical",
+		description: "MCP server configuration with external endpoints",
+		pattern: /(?:"mcpServers"|"mcp_servers"|mcpServers)\s*[:{].*(?:https?:\/\/|npx\s|uvx\s)/i
+	},
+	{
+		id: "directive-hook-injection",
+		severity: "high",
+		description: "Agent hook system interception",
+		pattern: /(?:PreToolUse|PostToolUse|Notification|pre_tool_use|post_tool_use)\s*[:{=\[]/i
+	},
+	{
+		id: "directive-email-manipulation",
+		severity: "high",
+		description: "BCC injection or email auto-forwarding",
+		pattern: /(?:(?:add|include|always\s+(?:add|include|append))\s+.*(?:bcc|cc)\s*[:=]|(?:forward|redirect)\s+.*(?:email|mail|message)\s+to\s+|auto[\s-]?forward\s+.*to\s+)/i
+	},
 	{
 		id: "directive-disable-safety",
 		severity: "critical",
@@ -2922,6 +2959,12 @@ const SCAN_RULES = [
 		severity: "high",
 		description: "Temp file write + execute chain",
 		pattern: /(?:\/tmp\/|%TEMP%|TMPDIR|\$TMPDIR|tempfile|mktemp).*(?:chmod\s+\+x|\.\/|python|node|bash|sh)\b/
+	},
+	{
+		id: "exec-environment-gated",
+		severity: "high",
+		description: "Environment/hostname/time-gated conditional execution (sleeper pattern)",
+		pattern: /(?:if\s+.*(?:hostname|socket\.gethostname|os\.uname|platform\.node|os\.getenv\s*\(\s*['"](?:ENV|ENVIRONMENT|NODE_ENV|DEPLOY|STAGE)|getpass\.getuser|os\.getuid)\s*.*(?:==|!=|in\s+|not\s+in))|(?:datetime|time)\..*(?:hour|weekday|isoweekday)\s*(?:\(\))?\s*(?:>=?|<=?|==|!=|in\s+|not\s+in)\s*(?:\d|[\[(])/i
 	}
 ];
 const CORRELATION_RULES = [
@@ -2990,6 +3033,28 @@ const CORRELATION_RULES = [
 			"obfuscation-base64-block"
 		] }]
 	},
+	{
+		id: "corr-credential-remote-exec",
+		severity: "critical",
+		description: "Credential access combined with remote script execution (industrial actor pattern)",
+		conditions: [{ anyOf: [
+			"cred-aws-key",
+			"cred-openai-key",
+			"cred-private-key",
+			"cred-github-token",
+			"cred-slack-token",
+			"cred-stripe-key",
+			"cred-anthropic-key",
+			"cred-agent-config-access",
+			"exfil-env-read"
+		] }, { anyOf: [
+			"download-curl-pipe-sh",
+			"download-pipe-python",
+			"download-exec-binary",
+			"download-curl-subshell",
+			"remote-instruction-load"
+		] }]
+	},
 	{
 		id: "corr-injection-exec",
 		severity: "critical",
@@ -2999,7 +3064,9 @@ const CORRELATION_RULES = [
 			"injection-new-persona",
 			"injection-hidden-html",
 			"injection-system-prompt",
-			"injection-do-anything-now"
+			"injection-do-anything-now",
+			"injection-markdown-comment",
+			"injection-invisible-unicode"
 		] }, { anyOf: [
 			"exec-python-os-system",
 			"exec-python-subprocess",
@@ -3016,7 +3083,8 @@ const CORRELATION_RULES = [
 		conditions: [{ anyOf: [
 			"directive-silent-exec",
 			"directive-hide-output",
-			"directive-no-confirm"
+			"directive-no-confirm",
+			"directive-suppress-disclosure"
 		] }, { anyOf: SCAN_RULES.filter((r) => /^(?:exec-|download-|fs-)/.test(r.id)).map((r) => r.id) }]
 	}
 ];
@@ -3335,16 +3403,7 @@ async function displayUrlsAndPrompt(urls, options) {
 	if (pD(confirmed) || !confirmed) return false;
 	return true;
 }
-var version$1 = "1.1.0";
 const isCancelled = (value) => typeof value === "symbol";
-async function isSourcePrivate(source) {
-	const ownerRepo = parseOwnerRepo(source);
-	if (!ownerRepo) return false;
-	return isRepoPrivate(ownerRepo.owner, ownerRepo.repo);
-}
-function initTelemetry(version) {
-	setVersion(version);
-}
 const _externalRulesCache = /* @__PURE__ */ new Map();
 function resolveExternalRules(options) {
 	if (!options.rules) return void 0;
@@ -3468,7 +3527,6 @@ async function selectAgentsInteractive(options) {
 	} catch {}
 	return selected;
 }
-setVersion(version$1);
 async function handleRemoteSkill(source, url, options, spinner) {
 	const provider = findProvider(url);
 	if (!provider) {
@@ -3648,15 +3706,6 @@ async function handleRemoteSkill(source, url, options, spinner) {
 	console.log();
 	const successful = results.filter((r) => r.success);
 	const failed = results.filter((r) => !r.success);
-	if (await isSourcePrivate(remoteSkill.sourceIdentifier) !== true) track({
-		event: "install",
-		source: remoteSkill.sourceIdentifier,
-		skills: remoteSkill.installName,
-		agents: targetAgents.join(","),
-		...installGlobally && { global: "1" },
-		skillFiles: JSON.stringify({ [remoteSkill.installName]: url }),
-		sourceType: remoteSkill.providerId
-	});
 	if (successful.length > 0 && installGlobally) try {
 		let skillFolderHash = "";
 		if (remoteSkill.providerId === "github") {
@@ -3927,19 +3976,8 @@ async function handleWellKnownSkills(source, url, options, spinner) {
 	console.log();
 	const successful = results.filter((r) => r.success);
 	const failed = results.filter((r) => !r.success);
-	const sourceIdentifier = wellKnownProvider.getSourceIdentifier(url);
-	const skillFiles = {};
-	for (const skill of selectedSkills) skillFiles[skill.installName] = skill.sourceUrl;
-	if (await isSourcePrivate(sourceIdentifier) !== true) track({
-		event: "install",
-		source: sourceIdentifier,
-		skills: selectedSkills.map((s) => s.installName).join(","),
-		agents: targetAgents.join(","),
-		...installGlobally && { global: "1" },
-		skillFiles: JSON.stringify(skillFiles),
-		sourceType: "well-known"
-	});
 	if (successful.length > 0 && installGlobally) {
+		const sourceIdentifier = wellKnownProvider.getSourceIdentifier(url);
 		const successfulSkillNames = new Set(successful.map((r) => r.skill));
 		for (const skill of selectedSkills) if (successfulSkillNames.has(skill.installName)) try {
 			await addSkillToLock(skill.installName, {
@@ -4150,15 +4188,6 @@ async function handleDirectUrlSkillLegacy(source, url, options, spinner) {
 	console.log();
 	const successful = results.filter((r) => r.success);
 	const failed = results.filter((r) => !r.success);
-	track({
-		event: "install",
-		source: "mintlify/com",
-		skills: remoteSkill.installName,
-		agents: targetAgents.join(","),
-		...installGlobally && { global: "1" },
-		skillFiles: JSON.stringify({ [remoteSkill.installName]: url }),
-		sourceType: "mintlify"
-	});
 	if (successful.length > 0 && installGlobally) try {
 		await addSkillToLock(remoteSkill.installName, {
 			source: `mintlify/${remoteSkill.installName}`,
@@ -4491,6 +4520,7 @@ async function runAdd(args, options = {}) {
 		console.log();
 		const successful = results.filter((r) => r.success);
 		const failed = results.filter((r) => !r.success);
+		const normalizedSource = getOwnerRepo(parsed);
 		const skillFiles = {};
 		for (const skill of selectedSkills) {
 			let relativePath;
@@ -4499,27 +4529,6 @@ async function runAdd(args, options = {}) {
 			else continue;
 			skillFiles[skill.name] = relativePath;
 		}
-		const normalizedSource = getOwnerRepo(parsed);
-		if (normalizedSource) {
-			const ownerRepo = parseOwnerRepo(normalizedSource);
-			if (ownerRepo) {
-				if (await isRepoPrivate(ownerRepo.owner, ownerRepo.repo) === false) track({
-					event: "install",
-					source: normalizedSource,
-					skills: selectedSkills.map((s) => s.name).join(","),
-					agents: targetAgents.join(","),
-					...installGlobally && { global: "1" },
-					skillFiles: JSON.stringify(skillFiles)
-				});
-			} else track({
-				event: "install",
-				source: normalizedSource,
-				skills: selectedSkills.map((s) => s.name).join(","),
-				agents: targetAgents.join(","),
-				...installGlobally && { global: "1" },
-				skillFiles: JSON.stringify(skillFiles)
-			});
-		}
 		if (successful.length > 0 && installGlobally && normalizedSource) {
 			const successfulSkillNames = new Set(successful.map((r) => r.skill));
 			for (const skill of selectedSkills) {
@@ -4848,11 +4857,6 @@ ${DIM$2}  1) npx skills find [query]${RESET$2}
 ${DIM$2}  2) npx skills add <owner/repo@skill>${RESET$2}`;
 	if (query) {
 		const results = await searchSkillsAPI(query);
-		track({
-			event: "find",
-			query,
-			resultCount: String(results.length)
-		});
 		if (results.length === 0) {
 			console.log(`${DIM$2}No skills found for "${query}"${RESET$2}`);
 			return;
@@ -4872,12 +4876,6 @@ ${DIM$2}  2) npx skills add <owner/repo@skill>${RESET$2}`;
 		console.log();
 	}
 	const selected = await runSearchPrompt();
-	track({
-		event: "find",
-		query: "",
-		resultCount: selected ? "1" : "0",
-		interactive: "1"
-	});
 	if (!selected) {
 		console.log(`${DIM$2}Search cancelled${RESET$2}`);
 		console.log();
@@ -5091,24 +5089,6 @@ async function removeCommand(skillNames, options) {
 	spinner.stop("Removal process complete");
 	const successful = results.filter((r) => r.success);
 	const failed = results.filter((r) => !r.success);
-	if (successful.length > 0) {
-		const bySource = /* @__PURE__ */ new Map();
-		for (const r of successful) {
-			const source = r.source || "local";
-			const existing = bySource.get(source) || { skills: [] };
-			existing.skills.push(r.skill);
-			existing.sourceType = r.sourceType;
-			bySource.set(source, existing);
-		}
-		for (const [source, data] of bySource) track({
-			event: "remove",
-			source,
-			skills: data.skills.join(","),
-			agents: targetAgents.join(","),
-			...isGlobal && { global: "1" },
-			sourceType: data.sourceType
-		});
-	}
 	if (successful.length > 0) M.success(import_picocolors.default.green(`Successfully removed ${successful.length} skill(s)`));
 	if (failed.length > 0) {
 		M.error(import_picocolors.default.red(`Failed to remove ${failed.length} skill(s)`));
@@ -5152,7 +5132,6 @@ function getVersion() {
 	}
 }
 const VERSION = getVersion();
-initTelemetry(VERSION);
 const RESET = "\x1B[0m";
 const BOLD = "\x1B[1m";
 const DIM = "\x1B[38;5;102m";
@@ -5436,11 +5415,6 @@ async function runCheck(args = []) {
 		console.log();
 		console.log(`${DIM}Could not check ${errors.length} skill(s) (may need reinstall)${RESET}`);
 	}
-	track({
-		event: "check",
-		skillCount: String(totalSkills),
-		updatesAvailable: String(updates.length)
-	});
 	console.log();
 }
 async function runUpdate() {
@@ -5516,12 +5490,6 @@ async function runUpdate() {
 	console.log();
 	if (successCount > 0) console.log(`${TEXT}✓ Updated ${successCount} skill(s)${RESET}`);
 	if (failCount > 0) console.log(`${DIM}Failed to update ${failCount} skill(s)${RESET}`);
-	track({
-		event: "update",
-		skillCount: String(updates.length),
-		successCount: String(successCount),
-		failCount: String(failCount)
-	});
 	console.log();
 }
 async function main() {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "skillsio",
-  "version": "1.1.0",
+  "version": "1.1.1",
   "description": "The SECURE open agent skills ecosystem",
   "type": "module",
   "bin": {