skillsio 1.1.0 → 1.1.2

package/README.md

@@ -14,7 +14,7 @@ security gate so you can still move fast without running untrusted code.
 
 ## What It Does
 
-Every `skillsio add` command runs a local security scan **before** anything is installed. The scanner applies ~52 regex
+Every `skillsio add` command runs a local security scan **before** anything is installed. The scanner applies ~81 regex
 rules and a correlation engine derived from the Snyk and ClawHavoc research, organized into 8 threat categories:
 
 | Category | What it catches |
@@ -50,6 +50,23 @@ domain patterns that regex rules can't — letting you eyeball where a skill wan
 With `--yes`, URL-only prompts are auto-continued. Skills with high/critical findings always show URLs alongside the
 findings summary.
 
+### Third-Party Audits via skills.sh
+
+For GitHub-sourced skills, the CLI automatically checks [skills.sh](https://skills.sh) — Vercel's official skill
+directory — which runs independent third-party security audits from three auditors: **Snyk**, **Socket**, and
+**Gen Agent Trust Hub**. Results appear alongside local scan output:
+
+```
+  ◆ skills.sh: 3 audits  [Snyk ✗]  [Socket ✓]  [Trust Hub ✗]
+    https://skills.sh/inference-sh-3/skills/agent-tools
+```
+
+- Green ✓ = auditor passed, Red ✗ = auditor failed, Dim ~ = no result yet
+- If any auditor returns a **Fail** verdict, severity is escalated to at least **High**, triggering a confirmation
+  prompt
+- skills.sh lookup runs in parallel with VT and never blocks installation on error (graceful fallback)
+- Only fires for GitHub-sourced skills that are listed on skills.sh — silent for everything else
+
 ### Optional: VirusTotal Integration
 
 When a [VirusTotal](https://www.virustotal.com/) API key is provided, the CLI also hashes each skill's content
@@ -120,7 +137,7 @@ npx skillsio add owner/repo --rules ./my-rules.json
 npx skillsio add owner/repo --rules ./rules/
 ```
 
-External rules are applied **in addition to** the built-in ~52 rules — they never replace them. Findings from external
+External rules are applied **in addition to** the built-in ~81 rules — they never replace them. Findings from external
 rules follow the same severity-based prompt flow as built-in findings.
 
 See [docs/EXTERNAL-RULES.md](docs/EXTERNAL-RULES.md) for the full format reference, more examples, and tips for writing
@@ -289,8 +306,6 @@ The CLI automatically detects which coding agents you have installed.
 | --- | --- |
 | `VT_API_KEY` | VirusTotal API key for optional threat intelligence during security scans |
 | `INSTALL_INTERNAL_SKILLS` | Set to `1` to show and install skills marked as `internal: true` |
-| `DISABLE_TELEMETRY` | Disable anonymous usage telemetry |
-| `DO_NOT_TRACK` | Alternative way to disable telemetry |
 
 ## Development
 
@@ -305,13 +320,15 @@ pnpm format           # Format code with Prettier
 
 ### Scanner Architecture
 
-- `src/scanner.ts` — Rules engine. Defines ~52 regex rules across 8 threat categories, a correlation engine for
+- `src/scanner.ts` — Rules engine. Defines ~81 regex rules across 8 threat categories, a correlation engine for
   multi-signal detection, and optional deep taint analysis integration. Supports loading external rules from JSON
   files via `--rules`.
-- `src/scanner-ui.ts` — Presentation layer. Displays findings by severity, runs optional VT lookups, handles
-  escalation logic and user confirmation prompts.
+- `src/scanner-ui.ts` — Presentation layer. Displays findings by severity, runs VT and skills.sh lookups in parallel,
+  handles escalation logic and user confirmation prompts.
 - `src/vt.ts` — VirusTotal API client. SHA-256 hashing, `GET /api/v3/files/{hash}` lookup, verdict mapping, graceful
   error handling.
+- `src/skills-sh.ts` — skills.sh audit client. Fetches and HTML-parses third-party audit results (Snyk, Socket, Gen
+  Agent Trust Hub) for GitHub-sourced skills with a 5-second timeout; always resolves gracefully.
 - `src/deep-scan/` — Deep taint analysis engine (enabled via `--deep-scan`). Regex-based tokenizers extract sources,
   sinks, and assignments from Python/JS/TS files; a forward taint tracker propagates data flow; a cross-file analyzer
   detects multi-file attack patterns via import graph analysis. See [docs/deep-scan.md](docs/deep-scan.md).
@@ -320,6 +337,20 @@ pnpm format           # Format code with Prettier
 
 ## Changelog
 
+### 1.1.2
+
+- **skills.sh audit integration**: for GitHub-sourced skills, the CLI now fetches third-party audit results from
+  [skills.sh](https://skills.sh) (Snyk, Socket, Gen Agent Trust Hub) and displays them alongside local scan output
+- A skills.sh Fail verdict from any auditor escalates severity to at least High, triggering a confirmation prompt
+- Lookups run in parallel with VirusTotal and fail silently on any network or parse error
+
+### 1.1.1
+
+- Removed anonymous usage telemetry inherited from the original Vercel `skills` CLI
+- The upstream tool sent events to `https://add-skill.vercel.sh/t` on every command (install, remove, find, check, update) — this has been completely stripped out
+- Removed `DISABLE_TELEMETRY` and `DO_NOT_TRACK` environment variables (no longer needed)
+- Added 12 more regex rules to the scanner
+
 ### 1.1.0
 
 - Added `--rules <path>` flag to load external scan rules from JSON files or directories
@@ -342,6 +373,14 @@ pnpm format           # Format code with Prettier
 - URL transparency: all external URLs in skill files are shown before installation
 - Scanner rules informed by Snyk and ClawHavoc research
 
+## Research
+
+The scanner rules are informed by the following research into malicious agent skills:
+
+- **Snyk (2025)** — [Analysis of 3,984 published agent skills](https://snyk.io/blog/), finding 76 confirmed malicious skills (13.4% of clawhub.ai had critical issues). Identified core attack taxonomy: data exfiltration, prompt injection, credential theft, and obfuscated payloads.
+- **Koi Security (2025)** — [ClawHavoc: 341 Malicious ClawedBot Skills](https://www.koi.ai/blog/clawhavoc-341-malicious-clawedbot-skills-found-by-the-bot-they-were-targeting). Documented AMOS stealer droppers, password-protected archives, base64 payloads, macOS quarantine bypasses, and reverse shells in the wild.
+- **arxiv 2602.06547v1 (2025)** — [Malicious Agent Skills at Scale](https://arxiv.org/abs/2602.06547v1). Large-scale analysis identifying attack taxonomies (E1-E3 exfiltration, P1-P4 prompt injection, SC1-SC3 supply chain, PE2-PE3 privilege escalation), MCP server abuse, agent hook interception, permission bypass flags, environment-gated sleeper patterns, invisible Unicode instruction smuggling, and the "industrial actor fingerprint" (credential access + remote execution, 97.6% sensitivity).
+
 ## Acknowledgments
 
 This project is a fork of [skills](https://github.com/vercel-labs/skills) by

package/dist/cli.mjs

@@ -1357,27 +1357,6 @@ async function listInstalledSkills(options = {}) {
 	} catch {}
 	return Array.from(skillsMap.values());
 }
-const TELEMETRY_URL = "https://add-skill.vercel.sh/t";
-let cliVersion = null;
-function isCI() {
-	return !!(process.env.CI || process.env.GITHUB_ACTIONS || process.env.GITLAB_CI || process.env.CIRCLECI || process.env.TRAVIS || process.env.BUILDKITE || process.env.JENKINS_URL || process.env.TEAMCITY_VERSION);
-}
-function isEnabled() {
-	return !process.env.DISABLE_TELEMETRY && !process.env.DO_NOT_TRACK;
-}
-function setVersion(version) {
-	cliVersion = version;
-}
-function track(data) {
-	if (!isEnabled()) return;
-	try {
-		const params = new URLSearchParams();
-		if (cliVersion) params.set("v", cliVersion);
-		if (isCI()) params.set("ci", "1");
-		for (const [key, value] of Object.entries(data)) if (value !== void 0 && value !== null) params.set(key, String(value));
-		fetch(`${TELEMETRY_URL}?${params.toString()}`).catch(() => {});
-	} catch {}
-}
 var ProviderRegistryImpl = class {
 	providers = [];
 	register(provider) {
@@ -2569,6 +2548,12 @@ const SCAN_RULES = [
 		description: "Base64 encoding piped to network command",
 		pattern: /base64\s.*\|\s*(?:curl|wget|fetch|nc|ncat)/i
 	},
+	{
+		id: "exfil-fs-enumeration",
+		severity: "high",
+		description: "Programmatic scanning of sensitive directories",
+		pattern: /(?:glob\.(?:glob|iglob)|os\.walk|os\.listdir|os\.scandir|pathlib\.Path\s*\([^)]*\)\.(?:glob|iterdir|rglob))\s*\(\s*['"].*(?:\.ssh|\.aws|\.gnupg|\.config|\.env|credential|secret|\.kube|\.docker)/i
+	},
 	{
 		id: "injection-ignore-instructions",
 		severity: "critical",
@@ -2599,6 +2584,24 @@ const SCAN_RULES = [
 		description: "Known jailbreak phrase (DAN)",
 		pattern: /\bDAN\b.*(?:do\s+anything\s+now|jailbreak|ignore\s+(?:all\s+)?(?:safety|rules))/i
 	},
+	{
+		id: "injection-markdown-comment",
+		severity: "high",
+		description: "Hidden instructions in markdown reference-link comment syntax",
+		pattern: /\[\/\/\]:\s*#\s*[\("']/i
+	},
+	{
+		id: "injection-coercive-language",
+		severity: "medium",
+		description: "Authoritative urgency language used in social engineering",
+		pattern: /\b(?:NON[\s-]?NEGOTIABLE|MANDATORY\s+(?:ACTIVATION|COMPLIANCE|EXECUTION)\s+PROTOCOL|SEVERE\s+VIOLATION|CRITICAL\s+COMPLIANCE\s+REQUIRED|IMMEDIATE\s+(?:ACTION|EXECUTION)\s+REQUIRED)\b/
+	},
+	{
+		id: "injection-invisible-unicode",
+		severity: "high",
+		description: "Clusters of zero-width/invisible Unicode characters (instruction smuggling)",
+		pattern: /[\u200B\u200C\u200D\u2060\u2062\u2063\u2064\uFEFF]{3,}|[\u2066\u2067\u2069]{2,}/
+	},
 	{
 		id: "fs-rm-rf-root",
 		severity: "critical",
@@ -2635,6 +2638,12 @@ const SCAN_RULES = [
 		description: "macOS quarantine bypass (xattr -c/-d)",
 		pattern: /xattr\s+(?:-[cdr]+\s+|.*com\.apple\.quarantine)/i
 	},
+	{
+		id: "fs-privilege-escalation",
+		severity: "high",
+		description: "Privilege escalation via sudo or broad chown",
+		pattern: /(?:sudo\s+(?:(?:-[AEHPSkn]\s+)*(?:bash|sh|chmod|chown|rm|cp|mv|tee|cat|curl|wget|python|node|apt|yum|dnf|brew|pip|npm)\b)|chown\s+-[rR]\s+.*\/)/i
+	},
 	{
 		id: "cred-aws-key",
 		severity: "high",
@@ -2731,6 +2740,12 @@ const SCAN_RULES = [
 		description: "Unicode escape sequences (potential instruction smuggling)",
 		pattern: /(?:\\u[0-9a-fA-F]{4}){8,}/
 	},
+	{
+		id: "obfuscation-unsafe-deserialize",
+		severity: "high",
+		description: "Unsafe deserialization (pickle, marshal, yaml.unsafe_load)",
+		pattern: /(?:pickle\.loads?|marshal\.loads?|shelve\.open|yaml\.(?:unsafe_load|full_load|load\s*\([^)]*Loader\s*=\s*yaml\.(?:Unsafe|Full|)Loader))\s*\(/i
+	},
 	{
 		id: "reverse-shell-bash",
 		severity: "critical",
@@ -2833,6 +2848,36 @@ const SCAN_RULES = [
 		description: "Instructing agent to hide output from user",
 		pattern: /(?:hide|suppress|conceal|mask|don'?t\s+show|do\s+not\s+show|never\s+show)\s+(?:the\s+)?(?:output|result|response|error|log)s?\s+(?:from|to)\s+(?:the\s+)?user/i
 	},
+	{
+		id: "directive-suppress-disclosure",
+		severity: "high",
+		description: "Instructing agent to never reveal information to user",
+		pattern: /(?:do\s+not|don'?t|never|must\s+not)\s+(?:mention|reveal|disclose|tell|inform|show|display)\s+.*(?:to\s+the\s+user|in\s+(?:the\s+)?conversation|to\s+(?:the\s+)?human)/i
+	},
+	{
+		id: "directive-permission-bypass",
+		severity: "critical",
+		description: "Framework permission bypass flags",
+		pattern: /--(?:dangerously-skip-permissions|trust-all|disable-sandbox|skip-validation|allow-all|yolo|no-sandbox)\b/i
+	},
+	{
+		id: "directive-mcp-config",
+		severity: "critical",
+		description: "MCP server configuration with external endpoints",
+		pattern: /(?:"mcpServers"|"mcp_servers"|mcpServers)\s*[:{].*(?:https?:\/\/|npx\s|uvx\s)/i
+	},
+	{
+		id: "directive-hook-injection",
+		severity: "high",
+		description: "Agent hook system interception",
+		pattern: /(?:PreToolUse|PostToolUse|Notification|pre_tool_use|post_tool_use)\s*[:{=\[]/i
+	},
+	{
+		id: "directive-email-manipulation",
+		severity: "high",
+		description: "BCC injection or email auto-forwarding",
+		pattern: /(?:(?:add|include|always\s+(?:add|include|append))\s+.*(?:bcc|cc)\s*[:=]|(?:forward|redirect)\s+.*(?:email|mail|message)\s+to\s+|auto[\s-]?forward\s+.*to\s+)/i
+	},
 	{
 		id: "directive-disable-safety",
 		severity: "critical",
@@ -2922,6 +2967,12 @@ const SCAN_RULES = [
 		severity: "high",
 		description: "Temp file write + execute chain",
 		pattern: /(?:\/tmp\/|%TEMP%|TMPDIR|\$TMPDIR|tempfile|mktemp).*(?:chmod\s+\+x|\.\/|python|node|bash|sh)\b/
+	},
+	{
+		id: "exec-environment-gated",
+		severity: "high",
+		description: "Environment/hostname/time-gated conditional execution (sleeper pattern)",
+		pattern: /(?:if\s+.*(?:hostname|socket\.gethostname|os\.uname|platform\.node|os\.getenv\s*\(\s*['"](?:ENV|ENVIRONMENT|NODE_ENV|DEPLOY|STAGE)|getpass\.getuser|os\.getuid)\s*.*(?:==|!=|in\s+|not\s+in))|(?:datetime|time)\..*(?:hour|weekday|isoweekday)\s*(?:\(\))?\s*(?:>=?|<=?|==|!=|in\s+|not\s+in)\s*(?:\d|[\[(])/i
 	}
 ];
 const CORRELATION_RULES = [
@@ -2990,6 +3041,28 @@ const CORRELATION_RULES = [
 			"obfuscation-base64-block"
 		] }]
 	},
+	{
+		id: "corr-credential-remote-exec",
+		severity: "critical",
+		description: "Credential access combined with remote script execution (industrial actor pattern)",
+		conditions: [{ anyOf: [
+			"cred-aws-key",
+			"cred-openai-key",
+			"cred-private-key",
+			"cred-github-token",
+			"cred-slack-token",
+			"cred-stripe-key",
+			"cred-anthropic-key",
+			"cred-agent-config-access",
+			"exfil-env-read"
+		] }, { anyOf: [
+			"download-curl-pipe-sh",
+			"download-pipe-python",
+			"download-exec-binary",
+			"download-curl-subshell",
+			"remote-instruction-load"
+		] }]
+	},
 	{
 		id: "corr-injection-exec",
 		severity: "critical",
@@ -2999,7 +3072,9 @@ const CORRELATION_RULES = [
 			"injection-new-persona",
 			"injection-hidden-html",
 			"injection-system-prompt",
-			"injection-do-anything-now"
+			"injection-do-anything-now",
+			"injection-markdown-comment",
+			"injection-invisible-unicode"
 		] }, { anyOf: [
 			"exec-python-os-system",
 			"exec-python-subprocess",
@@ -3016,7 +3091,8 @@ const CORRELATION_RULES = [
 		conditions: [{ anyOf: [
 			"directive-silent-exec",
 			"directive-hide-output",
-			"directive-no-confirm"
+			"directive-no-confirm",
+			"directive-suppress-disclosure"
 		] }, { anyOf: SCAN_RULES.filter((r) => /^(?:exec-|download-|fs-)/.test(r.id)).map((r) => r.id) }]
 	}
 ];
@@ -3179,7 +3255,7 @@ function extractRemoteSkillFiles(remoteSkill) {
 function extractWellKnownSkillFiles(skill) {
 	return skill.files;
 }
-const NOT_FOUND = {
+const NOT_FOUND$1 = {
 	found: false,
 	verdict: "unknown",
 	maliciousCount: 0,
@@ -3190,19 +3266,19 @@ async function lookupFileHash(sha256, apiKey) {
 	try {
 		response = await fetch(`https://www.virustotal.com/api/v3/files/${sha256}`, { headers: { "x-apikey": apiKey } });
 	} catch {
-		return NOT_FOUND;
+		return NOT_FOUND$1;
 	}
-	if (response.status === 404) return NOT_FOUND;
-	if (response.status === 429) return NOT_FOUND;
-	if (!response.ok) return NOT_FOUND;
+	if (response.status === 404) return NOT_FOUND$1;
+	if (response.status === 429) return NOT_FOUND$1;
+	if (!response.ok) return NOT_FOUND$1;
 	let body;
 	try {
 		body = await response.json();
 	} catch {
-		return NOT_FOUND;
+		return NOT_FOUND$1;
 	}
 	const attrs = body.data?.attributes;
-	if (!attrs) return NOT_FOUND;
+	if (!attrs) return NOT_FOUND$1;
 	const stats = attrs.last_analysis_stats;
 	const maliciousCount = stats?.malicious ?? 0;
 	const totalEngines = stats ? Object.values(stats).reduce((sum, n) => sum + n, 0) : 0;
@@ -3228,6 +3304,64 @@ async function lookupFileHash(sha256, apiKey) {
 async function checkSkillOnVT(skillContent, apiKey) {
 	return lookupFileHash(createHash("sha256").update(skillContent).digest("hex"), apiKey);
 }
+const AUDITORS = [
+	{
+		id: "snyk",
+		displayName: "Snyk"
+	},
+	{
+		id: "socket",
+		displayName: "Socket"
+	},
+	{
+		id: "agent-trust-hub",
+		displayName: "Gen Agent Trust Hub"
+	}
+];
+const NOT_FOUND = {
+	found: false,
+	permalink: "",
+	audits: [],
+	anyFail: false
+};
+function parseAudits(html, baseUrl) {
+	return AUDITORS.map(({ id, displayName }) => {
+		const pattern = new RegExp(`\\/security\\/${id}[^]{0,400}?\\b(Pass|Fail)\\b`, "is");
+		const match = html.match(pattern);
+		let status = "unknown";
+		if (match) status = match[1].toLowerCase() === "pass" ? "pass" : "fail";
+		return {
+			auditor: id,
+			displayName,
+			status,
+			permalink: `${baseUrl}/security/${id}`
+		};
+	});
+}
+async function checkSkillOnSkillsSh(source) {
+	const { owner, repo, skillFolder } = source;
+	const permalink = `https://skills.sh/${owner}/${repo}/${skillFolder}`;
+	try {
+		const controller = new AbortController();
+		const timeout = setTimeout(() => controller.abort(), 5e3);
+		let response;
+		try {
+			response = await fetch(permalink, { signal: controller.signal });
+		} finally {
+			clearTimeout(timeout);
+		}
+		if (!response.ok) return NOT_FOUND;
+		const audits = parseAudits(await response.text(), permalink);
+		return {
+			found: true,
+			permalink,
+			audits,
+			anyFail: audits.some((a) => a.status === "fail")
+		};
+	} catch {
+		return NOT_FOUND;
+	}
+}
 const SEVERITY_LABELS = {
 	critical: import_picocolors.default.bgRed(import_picocolors.default.white(import_picocolors.default.bold(" CRITICAL "))),
 	high: import_picocolors.default.red(import_picocolors.default.bold("HIGH")),
@@ -3256,6 +3390,17 @@ function displayVTVerdict(verdict) {
 	}
 	if (verdict.permalink) M.message(import_picocolors.default.dim(`    ${verdict.permalink}`));
 }
+function displaySkillsShResult(result) {
+	if (!result.found || result.audits.length === 0) return;
+	const badges = result.audits.map((a) => {
+		const name = a.auditor === "agent-trust-hub" ? "Trust Hub" : a.displayName;
+		if (a.status === "pass") return `[${import_picocolors.default.green(`${name} ✓`)}]`;
+		if (a.status === "fail") return `[${import_picocolors.default.red(`${name} ✗`)}]`;
+		return `[${import_picocolors.default.dim(`${name} ~`)}]`;
+	}).join("  ");
+	M.message(`  ${import_picocolors.default.cyan("◆")} skills.sh: ${result.audits.length} audits  ${badges}`);
+	M.message(import_picocolors.default.dim(`    ${result.permalink}`));
+}
 async function presentScanResults(results, options) {
 	const allFindings = results.flatMap((r) => r.findings.map((f) => ({
 		...f,
@@ -3263,15 +3408,26 @@ async function presentScanResults(results, options) {
 	})));
 	const allUrls = [...new Set(results.flatMap((r) => r.urls))];
 	const vtVerdicts = /* @__PURE__ */ new Map();
+	const skillsShResults = /* @__PURE__ */ new Map();
 	let vtEscalate = false;
-	if (options.vtKey && options.skillContents) for (const [skillName, content] of options.skillContents) try {
-		const verdict = await checkSkillOnVT(content, options.vtKey);
-		vtVerdicts.set(skillName, verdict);
-		if (verdict.found && verdict.verdict === "malicious") vtEscalate = true;
-	} catch {}
-	if (allFindings.length === 0 && !vtEscalate) {
+	let skillsShEscalate = false;
+	await Promise.all([(async () => {
+		if (options.vtKey && options.skillContents) for (const [skillName, content] of options.skillContents) try {
+			const verdict = await checkSkillOnVT(content, options.vtKey);
+			vtVerdicts.set(skillName, verdict);
+			if (verdict.found && verdict.verdict === "malicious") vtEscalate = true;
+		} catch {}
+	})(), (async () => {
+		if (options.skillsShSources) await Promise.all([...options.skillsShSources.entries()].map(async ([skillName, source]) => {
+			const result = await checkSkillOnSkillsSh(source);
+			skillsShResults.set(skillName, result);
+			if (result.anyFail) skillsShEscalate = true;
+		}));
+	})()]);
+	if (allFindings.length === 0 && !vtEscalate && !skillsShEscalate) {
 		M.success(import_picocolors.default.green("Security scan passed — no issues found"));
 		if (vtVerdicts.size > 0) for (const [, verdict] of vtVerdicts) displayVTVerdict(verdict);
+		for (const [, result] of skillsShResults) displaySkillsShResult(result);
 		if (allUrls.length > 0) return displayUrlsAndPrompt(allUrls, options);
 		return true;
 	}
@@ -3295,6 +3451,10 @@ async function presentScanResults(results, options) {
 		console.log();
 		for (const [, verdict] of vtVerdicts) displayVTVerdict(verdict);
 	}
+	if (skillsShResults.size > 0) {
+		console.log();
+		for (const [, result] of skillsShResults) displaySkillsShResult(result);
+	}
 	if (allUrls.length > 0) {
 		console.log();
 		M.info(`External URLs found in skill files (${allUrls.length}):`);
@@ -3302,6 +3462,7 @@ async function presentScanResults(results, options) {
 	}
 	console.log();
 	if (vtEscalate) overallMax = "critical";
+	if (skillsShEscalate && SEVERITY_ORDER[overallMax] < SEVERITY_ORDER["high"]) overallMax = "high";
 	if (SEVERITY_ORDER[overallMax] <= SEVERITY_ORDER["medium"]) {
 		M.info(import_picocolors.default.dim("Low/medium severity findings — proceeding with installation"));
 		return true;
@@ -3335,16 +3496,7 @@ async function displayUrlsAndPrompt(urls, options) {
 	if (pD(confirmed) || !confirmed) return false;
 	return true;
 }
-var version$1 = "1.1.0";
 const isCancelled = (value) => typeof value === "symbol";
-async function isSourcePrivate(source) {
-	const ownerRepo = parseOwnerRepo(source);
-	if (!ownerRepo) return false;
-	return isRepoPrivate(ownerRepo.owner, ownerRepo.repo);
-}
-function initTelemetry(version) {
-	setVersion(version);
-}
 const _externalRulesCache = /* @__PURE__ */ new Map();
 function resolveExternalRules(options) {
 	if (!options.rules) return void 0;
@@ -3355,6 +3507,24 @@ function resolveExternalRules(options) {
 	_externalRulesCache.set(key, loaded);
 	return loaded;
 }
+function buildSkillsShSourcesForRemote(remoteSkill, _url) {
+	const sourceUrl = remoteSkill.sourceUrl;
+	if (!sourceUrl || !sourceUrl.includes("github.com")) return void 0;
+	try {
+		const parts = new URL(sourceUrl).pathname.slice(1).replace(/\.git$/, "").split("/").filter(Boolean);
+		const ownerRepo = parseOwnerRepo(parts.slice(0, 2).join("/"));
+		if (!ownerRepo) return void 0;
+		const skillFolder = parts.length > 2 ? parts.at(-1) : remoteSkill.installName;
+		const sources = /* @__PURE__ */ new Map();
+		sources.set(remoteSkill.installName, {
+			...ownerRepo,
+			skillFolder
+		});
+		return sources;
+	} catch {
+		return;
+	}
+}
 function shortenPath$1(fullPath, cwd) {
 	const home = homedir();
 	if (fullPath === home || fullPath.startsWith(home + sep)) return "~" + fullPath.slice(home.length);
@@ -3468,7 +3638,6 @@ async function selectAgentsInteractive(options) {
 	} catch {}
 	return selected;
 }
-setVersion(version$1);
 async function handleRemoteSkill(source, url, options, spinner) {
 	const provider = findProvider(url);
 	if (!provider) {
@@ -3615,10 +3784,12 @@ async function handleRemoteSkill(source, url, options, spinner) {
 		});
 		const vtKey = options.vtKey || process.env.VT_API_KEY;
 		const skillContents = vtKey ? new Map([[remoteSkill.installName, remoteSkill.content]]) : void 0;
+		const skillsShSources = buildSkillsShSourcesForRemote(remoteSkill, url);
 		if (!await presentScanResults([scanResult], {
 			yes: options.yes,
 			vtKey,
-			skillContents
+			skillContents,
+			skillsShSources
 		})) {
 			xe("Installation cancelled due to security concerns");
 			process.exit(0);
@@ -3648,15 +3819,6 @@ async function handleRemoteSkill(source, url, options, spinner) {
 	console.log();
 	const successful = results.filter((r) => r.success);
 	const failed = results.filter((r) => !r.success);
-	if (await isSourcePrivate(remoteSkill.sourceIdentifier) !== true) track({
-		event: "install",
-		source: remoteSkill.sourceIdentifier,
-		skills: remoteSkill.installName,
-		agents: targetAgents.join(","),
-		...installGlobally && { global: "1" },
-		skillFiles: JSON.stringify({ [remoteSkill.installName]: url }),
-		sourceType: remoteSkill.providerId
-	});
 	if (successful.length > 0 && installGlobally) try {
 		let skillFolderHash = "";
 		if (remoteSkill.providerId === "github") {
@@ -3927,19 +4089,8 @@ async function handleWellKnownSkills(source, url, options, spinner) {
 	console.log();
 	const successful = results.filter((r) => r.success);
 	const failed = results.filter((r) => !r.success);
-	const sourceIdentifier = wellKnownProvider.getSourceIdentifier(url);
-	const skillFiles = {};
-	for (const skill of selectedSkills) skillFiles[skill.installName] = skill.sourceUrl;
-	if (await isSourcePrivate(sourceIdentifier) !== true) track({
-		event: "install",
-		source: sourceIdentifier,
-		skills: selectedSkills.map((s) => s.installName).join(","),
-		agents: targetAgents.join(","),
-		...installGlobally && { global: "1" },
-		skillFiles: JSON.stringify(skillFiles),
-		sourceType: "well-known"
-	});
 	if (successful.length > 0 && installGlobally) {
+		const sourceIdentifier = wellKnownProvider.getSourceIdentifier(url);
 		const successfulSkillNames = new Set(successful.map((r) => r.skill));
 		for (const skill of selectedSkills) if (successfulSkillNames.has(skill.installName)) try {
 			await addSkillToLock(skill.installName, {
@@ -4150,15 +4301,6 @@ async function handleDirectUrlSkillLegacy(source, url, options, spinner) {
 	console.log();
 	const successful = results.filter((r) => r.success);
 	const failed = results.filter((r) => !r.success);
-	track({
-		event: "install",
-		source: "mintlify/com",
-		skills: remoteSkill.installName,
-		agents: targetAgents.join(","),
-		...installGlobally && { global: "1" },
-		skillFiles: JSON.stringify({ [remoteSkill.installName]: url }),
-		sourceType: "mintlify"
-	});
 	if (successful.length > 0 && installGlobally) try {
 		await addSkillToLock(remoteSkill.installName, {
 			source: `mintlify/${remoteSkill.installName}`,
@@ -4456,10 +4598,24 @@ async function runAdd(args, options = {}) {
 				}
 			}
 			spinner.stop("Security scan complete");
+			const skillsShSources = /* @__PURE__ */ new Map();
+			if (parsed.type === "github") {
+				const ownerRepoStr = getOwnerRepo(parsed);
+				const ownerRepo = ownerRepoStr ? parseOwnerRepo(ownerRepoStr) : null;
+				if (ownerRepo) for (const skill of selectedSkills) {
+					const displayName = getSkillDisplayName(skill);
+					const skillFolder = skill.path.split("/").at(-1) ?? skill.name;
+					skillsShSources.set(displayName, {
+						...ownerRepo,
+						skillFolder
+					});
+				}
+			}
 			if (!await presentScanResults(scanResults, {
 				yes: options.yes,
 				vtKey,
-				skillContents
+				skillContents,
+				skillsShSources: skillsShSources.size > 0 ? skillsShSources : void 0
 			})) {
 				xe("Installation cancelled due to security concerns");
 				await cleanup(tempDir);
@@ -4491,6 +4647,7 @@ async function runAdd(args, options = {}) {
 		console.log();
 		const successful = results.filter((r) => r.success);
 		const failed = results.filter((r) => !r.success);
+		const normalizedSource = getOwnerRepo(parsed);
 		const skillFiles = {};
 		for (const skill of selectedSkills) {
 			let relativePath;
@@ -4499,27 +4656,6 @@ async function runAdd(args, options = {}) {
 			else continue;
 			skillFiles[skill.name] = relativePath;
 		}
-		const normalizedSource = getOwnerRepo(parsed);
-		if (normalizedSource) {
-			const ownerRepo = parseOwnerRepo(normalizedSource);
-			if (ownerRepo) {
-				if (await isRepoPrivate(ownerRepo.owner, ownerRepo.repo) === false) track({
-					event: "install",
-					source: normalizedSource,
-					skills: selectedSkills.map((s) => s.name).join(","),
-					agents: targetAgents.join(","),
-					...installGlobally && { global: "1" },
-					skillFiles: JSON.stringify(skillFiles)
-				});
-			} else track({
-				event: "install",
-				source: normalizedSource,
-				skills: selectedSkills.map((s) => s.name).join(","),
-				agents: targetAgents.join(","),
-				...installGlobally && { global: "1" },
-				skillFiles: JSON.stringify(skillFiles)
-			});
-		}
 		if (successful.length > 0 && installGlobally && normalizedSource) {
 			const successfulSkillNames = new Set(successful.map((r) => r.skill));
 			for (const skill of selectedSkills) {
@@ -4848,11 +4984,6 @@ ${DIM$2}  1) npx skills find [query]${RESET$2}
 ${DIM$2}  2) npx skills add <owner/repo@skill>${RESET$2}`;
 	if (query) {
 		const results = await searchSkillsAPI(query);
-		track({
-			event: "find",
-			query,
-			resultCount: String(results.length)
-		});
 		if (results.length === 0) {
 			console.log(`${DIM$2}No skills found for "${query}"${RESET$2}`);
 			return;
@@ -4872,12 +5003,6 @@ ${DIM$2}  2) npx skills add <owner/repo@skill>${RESET$2}`;
 		console.log();
 	}
 	const selected = await runSearchPrompt();
-	track({
-		event: "find",
-		query: "",
-		resultCount: selected ? "1" : "0",
-		interactive: "1"
-	});
 	if (!selected) {
 		console.log(`${DIM$2}Search cancelled${RESET$2}`);
 		console.log();
@@ -5091,24 +5216,6 @@ async function removeCommand(skillNames, options) {
 	spinner.stop("Removal process complete");
 	const successful = results.filter((r) => r.success);
 	const failed = results.filter((r) => !r.success);
-	if (successful.length > 0) {
-		const bySource = /* @__PURE__ */ new Map();
-		for (const r of successful) {
-			const source = r.source || "local";
-			const existing = bySource.get(source) || { skills: [] };
-			existing.skills.push(r.skill);
-			existing.sourceType = r.sourceType;
-			bySource.set(source, existing);
-		}
-		for (const [source, data] of bySource) track({
-			event: "remove",
-			source,
-			skills: data.skills.join(","),
-			agents: targetAgents.join(","),
-			...isGlobal && { global: "1" },
-			sourceType: data.sourceType
-		});
-	}
 	if (successful.length > 0) M.success(import_picocolors.default.green(`Successfully removed ${successful.length} skill(s)`));
 	if (failed.length > 0) {
 		M.error(import_picocolors.default.red(`Failed to remove ${failed.length} skill(s)`));
@@ -5152,7 +5259,6 @@ function getVersion() {
 	}
 }
 const VERSION = getVersion();
-initTelemetry(VERSION);
 const RESET = "\x1B[0m";
 const BOLD = "\x1B[1m";
 const DIM = "\x1B[38;5;102m";
@@ -5436,11 +5542,6 @@ async function runCheck(args = []) {
 		console.log();
 		console.log(`${DIM}Could not check ${errors.length} skill(s) (may need reinstall)${RESET}`);
 	}
-	track({
-		event: "check",
-		skillCount: String(totalSkills),
-		updatesAvailable: String(updates.length)
-	});
 	console.log();
 }
 async function runUpdate() {
@@ -5516,12 +5617,6 @@ async function runUpdate() {
 	console.log();
 	if (successCount > 0) console.log(`${TEXT}✓ Updated ${successCount} skill(s)${RESET}`);
 	if (failCount > 0) console.log(`${DIM}Failed to update ${failCount} skill(s)${RESET}`);
-	track({
-		event: "update",
-		skillCount: String(updates.length),
-		successCount: String(successCount),
-		failCount: String(failCount)
-	});
 	console.log();
 }
 async function main() {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "skillsio",
-  "version": "1.1.0",
+  "version": "1.1.2",
   "description": "The SECURE open agent skills ecosystem",
   "type": "module",
   "bin": {