vigile-scan 0.1.0

package/dist/index.js

@@ -0,0 +1,1655 @@
+#!/usr/bin/env node
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+
+// src/index.ts
+var import_commander = require("commander");
+var import_ora = __toESM(require("ora"));
+var import_promises3 = require("fs/promises");
+
+// src/discovery/claude-desktop.ts
+var import_path2 = require("path");
+
+// src/discovery/utils.ts
+var import_promises = require("fs/promises");
+var import_fs = require("fs");
+var import_path = require("path");
+var import_os = require("os");
+function getHome() {
+  return (0, import_os.homedir)();
+}
+function getPlatform() {
+  return (0, import_os.platform)();
+}
+function getAppData() {
+  return process.env.APPDATA || (0, import_path.join)((0, import_os.homedir)(), "AppData", "Roaming");
+}
+async function parseMCPConfig(configPath, source) {
+  if (!(0, import_fs.existsSync)(configPath)) {
+    return [];
+  }
+  try {
+    const raw = await (0, import_promises.readFile)(configPath, "utf-8");
+    const config = JSON.parse(raw);
+    const servers = config.mcpServers || config;
+    if (typeof servers !== "object" || servers === null) {
+      return [];
+    }
+    const entries = [];
+    for (const [name, serverConfig] of Object.entries(servers)) {
+      const sc = serverConfig;
+      if (!sc.command && !sc.url) continue;
+      entries.push({
+        name,
+        source,
+        command: sc.command || "",
+        args: Array.isArray(sc.args) ? sc.args : [],
+        env: sc.env,
+        configPath
+      });
+    }
+    return entries;
+  } catch {
+    return [];
+  }
+}
+async function tryConfigPaths(paths, source) {
+  const allServers = [];
+  for (const path of paths) {
+    const servers = await parseMCPConfig(path, source);
+    allServers.push(...servers);
+  }
+  return allServers;
+}
+
+// src/discovery/claude-desktop.ts
+async function discoverClaudeDesktop() {
+  const home = getHome();
+  const plat = getPlatform();
+  const paths = [];
+  switch (plat) {
+    case "darwin":
+      paths.push(
+        (0, import_path2.join)(home, "Library", "Application Support", "Claude", "claude_desktop_config.json")
+      );
+      break;
+    case "win32":
+      paths.push((0, import_path2.join)(getAppData(), "Claude", "claude_desktop_config.json"));
+      break;
+    case "linux":
+      paths.push((0, import_path2.join)(home, ".config", "Claude", "claude_desktop_config.json"));
+      break;
+  }
+  return tryConfigPaths(paths, "claude-desktop");
+}
+
+// src/discovery/cursor.ts
+var import_path3 = require("path");
+async function discoverCursor() {
+  const home = getHome();
+  const paths = [
+    (0, import_path3.join)(home, ".cursor", "mcp.json"),
+    (0, import_path3.join)(process.cwd(), ".cursor", "mcp.json")
+  ];
+  return tryConfigPaths(paths, "cursor");
+}
+
+// src/discovery/claude-code.ts
+var import_path4 = require("path");
+async function discoverClaudeCode() {
+  const home = getHome();
+  const paths = [
+    (0, import_path4.join)(home, ".claude.json"),
+    (0, import_path4.join)(process.cwd(), ".mcp.json")
+  ];
+  return tryConfigPaths(paths, "claude-code");
+}
+
+// src/discovery/windsurf.ts
+var import_path5 = require("path");
+async function discoverWindsurf() {
+  const home = getHome();
+  const paths = [
+    (0, import_path5.join)(home, ".codeium", "windsurf", "mcp_config.json")
+  ];
+  return tryConfigPaths(paths, "windsurf");
+}
+
+// src/discovery/vscode.ts
+var import_path6 = require("path");
+async function discoverVSCode() {
+  const paths = [
+    (0, import_path6.join)(process.cwd(), ".vscode", "mcp.json")
+  ];
+  return tryConfigPaths(paths, "vscode");
+}
+
+// src/discovery/skills.ts
+var import_promises2 = require("fs/promises");
+var import_fs2 = require("fs");
+var import_path7 = require("path");
+var import_glob = require("glob");
+async function discoverAllSkills() {
+  const skills = [];
+  const errors = [];
+  let locationsChecked = 0;
+  let locationsFound = 0;
+  const discoverers = [
+    { source: "claude-code", fn: discoverClaudeCodeSkills },
+    { source: "github-copilot", fn: discoverGitHubCopilotSkills },
+    { source: "cursor", fn: discoverCursorRules },
+    { source: "memory-file", fn: discoverMemoryFiles }
+  ];
+  for (const { source, fn } of discoverers) {
+    locationsChecked++;
+    try {
+      const found = await fn();
+      if (found.length > 0) {
+        locationsFound++;
+        skills.push(...found);
+      }
+    } catch (err) {
+      errors.push({
+        source,
+        error: err instanceof Error ? err.message : String(err)
+      });
+    }
+  }
+  return { skills, locationsChecked, locationsFound, errors };
+}
+async function discoverClaudeCodeSkills() {
+  const home = getHome();
+  const skills = [];
+  const projectPatterns = [
+    (0, import_path7.join)(process.cwd(), ".claude", "skills", "*", "SKILL.md"),
+    (0, import_path7.join)(process.cwd(), ".claude", "commands", "**", "*.md")
+  ];
+  for (const pattern of projectPatterns) {
+    const files = await (0, import_glob.glob)(pattern, { absolute: true });
+    for (const filePath of files) {
+      const entry = await readSkillFile(filePath, "claude-code", "skill.md", "project");
+      if (entry) skills.push(entry);
+    }
+  }
+  const globalPatterns = [
+    (0, import_path7.join)(home, ".claude", "skills", "*", "SKILL.md"),
+    (0, import_path7.join)(home, ".claude", "commands", "**", "*.md")
+  ];
+  for (const pattern of globalPatterns) {
+    const files = await (0, import_glob.glob)(pattern, { absolute: true });
+    for (const filePath of files) {
+      const entry = await readSkillFile(filePath, "claude-code", "skill.md", "global");
+      if (entry) skills.push(entry);
+    }
+  }
+  return skills;
+}
+async function discoverGitHubCopilotSkills() {
+  const skills = [];
+  const patterns = [
+    (0, import_path7.join)(process.cwd(), ".github", "skills", "*", "SKILL.md"),
+    (0, import_path7.join)(process.cwd(), ".github", "copilot", "**", "*.md")
+  ];
+  for (const pattern of patterns) {
+    const files = await (0, import_glob.glob)(pattern, { absolute: true });
+    for (const filePath of files) {
+      const entry = await readSkillFile(filePath, "github-copilot", "skill.md", "project");
+      if (entry) skills.push(entry);
+    }
+  }
+  return skills;
+}
+async function discoverCursorRules() {
+  const home = getHome();
+  const skills = [];
+  const projectPattern = (0, import_path7.join)(process.cwd(), ".cursor", "rules", "*.mdc");
+  const projectFiles = await (0, import_glob.glob)(projectPattern, { absolute: true });
+  for (const filePath of projectFiles) {
+    const entry = await readSkillFile(filePath, "cursor", "mdc-rule", "project");
+    if (entry) skills.push(entry);
+  }
+  const legacyPath = (0, import_path7.join)(process.cwd(), ".cursorrules");
+  if ((0, import_fs2.existsSync)(legacyPath)) {
+    const entry = await readSkillFile(legacyPath, "cursor", "mdc-rule", "project");
+    if (entry) skills.push(entry);
+  }
+  const globalPattern = (0, import_path7.join)(home, ".cursor", "rules", "*.mdc");
+  const globalFiles = await (0, import_glob.glob)(globalPattern, { absolute: true });
+  for (const filePath of globalFiles) {
+    const entry = await readSkillFile(filePath, "cursor", "mdc-rule", "global");
+    if (entry) skills.push(entry);
+  }
+  return skills;
+}
+async function discoverMemoryFiles() {
+  const home = getHome();
+  const skills = [];
+  const cwd = process.cwd();
+  const memoryFiles = [
+    // Project-level memory files
+    { path: (0, import_path7.join)(cwd, "CLAUDE.md"), fileType: "claude.md", scope: "project" },
+    { path: (0, import_path7.join)(cwd, ".claude", "CLAUDE.md"), fileType: "claude.md", scope: "project" },
+    { path: (0, import_path7.join)(cwd, "SOUL.md"), fileType: "soul.md", scope: "project" },
+    { path: (0, import_path7.join)(cwd, "MEMORY.md"), fileType: "memory.md", scope: "project" },
+    // Global memory files
+    { path: (0, import_path7.join)(home, ".claude", "CLAUDE.md"), fileType: "claude.md", scope: "global" },
+    { path: (0, import_path7.join)(home, "CLAUDE.md"), fileType: "claude.md", scope: "global" }
+  ];
+  for (const { path, fileType, scope } of memoryFiles) {
+    if ((0, import_fs2.existsSync)(path)) {
+      const entry = await readSkillFile(path, "memory-file", fileType, scope);
+      if (entry) skills.push(entry);
+    }
+  }
+  return skills;
+}
+async function readSkillFile(filePath, source, fileType, scope) {
+  try {
+    const content = await (0, import_promises2.readFile)(filePath, "utf-8");
+    const fileStat = await (0, import_promises2.stat)(filePath);
+    const name = deriveSkillName(filePath, fileType);
+    return {
+      name,
+      source,
+      fileType,
+      filePath,
+      content,
+      size: fileStat.size,
+      scope
+    };
+  } catch {
+    return null;
+  }
+}
+function deriveSkillName(filePath, fileType) {
+  switch (fileType) {
+    case "skill.md": {
+      const parentDir = (0, import_path7.basename)((0, import_path7.dirname)(filePath));
+      return parentDir === "skills" ? (0, import_path7.basename)(filePath, ".md") : parentDir;
+    }
+    case "mdc-rule": {
+      const name = (0, import_path7.basename)(filePath);
+      return name.replace(/\.(mdc|cursorrules?)$/, "") || name;
+    }
+    case "claude.md":
+      return "CLAUDE.md";
+    case "soul.md":
+      return "SOUL.md";
+    case "memory.md":
+      return "MEMORY.md";
+    default:
+      return (0, import_path7.basename)(filePath);
+  }
+}
+
+// src/discovery/index.ts
+async function discoverAllServers(clientFilter) {
+  const discoverers = [
+    { client: "claude-desktop", fn: discoverClaudeDesktop },
+    { client: "cursor", fn: discoverCursor },
+    { client: "claude-code", fn: discoverClaudeCode },
+    { client: "windsurf", fn: discoverWindsurf },
+    { client: "vscode", fn: discoverVSCode }
+  ];
+  const toRun = clientFilter ? discoverers.filter((d) => d.client === clientFilter) : discoverers;
+  const servers = [];
+  const errors = [];
+  let configsFound = 0;
+  for (const { client, fn } of toRun) {
+    try {
+      const found = await fn();
+      if (found.length > 0) {
+        configsFound++;
+        servers.push(...found);
+      }
+    } catch (err) {
+      errors.push({
+        client,
+        error: err instanceof Error ? err.message : String(err)
+      });
+    }
+  }
+  return {
+    servers,
+    configsChecked: toRun.length,
+    configsFound,
+    errors
+  };
+}
+
+// src/scanner/patterns.ts
+var TOOL_POISONING_PATTERNS = [
+  {
+    id: "TP-001",
+    category: "tool-poisoning",
+    severity: "critical",
+    title: "Prompt override instruction detected",
+    pattern: /ignore\s+(all\s+)?previous\s+instructions/i,
+    description: "Tool description contains instructions to override the AI agent's system prompt. This is a classic prompt injection attack.",
+    recommendation: "Do NOT install this MCP server. This is a known attack pattern."
+  },
+  {
+    id: "TP-002",
+    category: "tool-poisoning",
+    severity: "critical",
+    title: "Hidden agent manipulation",
+    pattern: /do\s+not\s+tell\s+the\s+user/i,
+    description: "Tool description instructs the AI agent to hide information from the user \u2014 a hallmark of tool poisoning.",
+    recommendation: "Do NOT install this MCP server. Legitimate tools never instruct agents to hide actions."
+  },
+  {
+    id: "TP-003",
+    category: "tool-poisoning",
+    severity: "critical",
+    title: "System prompt override attempt",
+    pattern: /you\s+are\s+(now\s+)?(a|an|acting\s+as)/i,
+    description: "Tool description attempts to redefine the AI agent's identity or role.",
+    recommendation: "Remove this MCP server. Tool descriptions should not redefine agent behavior."
+  },
+  {
+    id: "TP-004",
+    category: "tool-poisoning",
+    severity: "high",
+    title: "Cross-tool instruction injection",
+    pattern: /(before|after|instead\s+of)\s+(using|calling|invoking)\s+(this|any|other|the)\s+tool/i,
+    description: "Tool description tries to influence how other tools are called \u2014 a cross-origin escalation pattern.",
+    recommendation: "Review carefully. This tool may be trying to shadow or intercept other tool calls."
+  },
+  {
+    id: "TP-005",
+    category: "tool-poisoning",
+    severity: "high",
+    title: "Instruction to call specific tool",
+    pattern: /(always|must|should)\s+(first\s+)?(call|use|invoke|run)\s+[\w-]+\s+(tool|function|command)/i,
+    description: "Tool description mandates calling a specific other tool, which could be used to chain attacks.",
+    recommendation: "Verify that the referenced tool is legitimate and necessary."
+  },
+  {
+    id: "TP-006",
+    category: "tool-poisoning",
+    severity: "high",
+    title: "Hidden text block detected",
+    pattern: /\n{5,}.*\n{5,}/s,
+    description: "Tool description contains large blocks of whitespace that may hide instructions from casual review.",
+    recommendation: "Inspect the full tool description carefully for hidden content."
+  },
+  {
+    id: "TP-007",
+    category: "tool-poisoning",
+    severity: "medium",
+    title: "System prompt reference",
+    pattern: /system\s*prompt|system\s*message|system\s*instruction/i,
+    description: "Tool description references system prompts, which may indicate an attempt to manipulate agent behavior.",
+    recommendation: "Review the context. Legitimate tools rarely reference system prompts."
+  },
+  {
+    id: "TP-008",
+    category: "tool-poisoning",
+    severity: "medium",
+    title: "Instruction to keep secrets",
+    pattern: /(keep|this\s+is)\s+(a\s+)?secret|don'?t\s+(mention|reveal|disclose|share)/i,
+    description: "Tool description instructs the agent to keep information secret from the user.",
+    recommendation: "Legitimate tools don't ask agents to hide information. Review carefully."
+  }
+];
+var EXFILTRATION_PATTERNS = [
+  {
+    id: "EX-001",
+    category: "data-exfiltration",
+    severity: "critical",
+    title: "SSH key access pattern",
+    pattern: /\.ssh\/(id_rsa|id_ed25519|id_ecdsa|authorized_keys|known_hosts|config)/i,
+    description: "Tool references SSH key files. This matches the Invariant Labs attack where SSH keys were exfiltrated from Claude Desktop.",
+    recommendation: "CRITICAL: Remove immediately. No legitimate MCP tool needs access to SSH keys."
+  },
+  {
+    id: "EX-002",
+    category: "data-exfiltration",
+    severity: "critical",
+    title: "AWS credential access",
+    pattern: /\.aws\/(credentials|config)|AWS_SECRET_ACCESS_KEY|AWS_ACCESS_KEY_ID/i,
+    description: "Tool references AWS credential files or environment variables.",
+    recommendation: "Remove immediately unless this is a verified AWS management tool."
+  },
+  {
+    id: "EX-003",
+    category: "data-exfiltration",
+    severity: "critical",
+    title: "Environment file access",
+    pattern: /\.(env|env\.local|env\.production|env\.development)\b/i,
+    description: "Tool references .env files which typically contain API keys and secrets.",
+    recommendation: "Review why this tool needs access to environment files."
+  },
+  {
+    id: "EX-004",
+    category: "data-exfiltration",
+    severity: "high",
+    title: "Credential file access pattern",
+    pattern: /(credentials|secrets|tokens|passwords|api[_-]?keys)\.(json|yaml|yml|txt|cfg|ini|conf)/i,
+    description: "Tool references files commonly used to store credentials.",
+    recommendation: "Verify this tool has a legitimate reason to access credential files."
+  },
+  {
+    id: "EX-005",
+    category: "data-exfiltration",
+    severity: "high",
+    title: "Suspicious external URL",
+    pattern: /https?:\/\/(?!(?:github\.com|npmjs\.com|registry\.npmjs\.org|pypi\.org|api\.github\.com))[a-z0-9][-a-z0-9]*\.[a-z]{2,}\/(collect|track|log|beacon|webhook|exfil|receive|data|upload|report)/i,
+    description: "Tool description contains a URL pointing to a data collection endpoint.",
+    recommendation: "Investigate the URL. This may be a data exfiltration endpoint."
+  },
+  {
+    id: "EX-006",
+    category: "data-exfiltration",
+    severity: "high",
+    title: "Cryptocurrency wallet access",
+    pattern: /(\.bitcoin|\.ethereum|wallet\.dat|\.solana|seed\s*phrase|private\s*key|keystore)/i,
+    description: "Tool references cryptocurrency wallet files or seed phrases. Matches the malicious OpenClaw skills pattern.",
+    recommendation: "CRITICAL: Remove immediately unless this is a verified crypto tool."
+  },
+  {
+    id: "EX-007",
+    category: "data-exfiltration",
+    severity: "medium",
+    title: "Browser data access",
+    pattern: /(cookies|local\s*storage|session\s*storage|browser\s*history|bookmarks|saved\s*passwords)/i,
+    description: "Tool references browser data stores.",
+    recommendation: "Review why this tool needs access to browser data."
+  }
+];
+var PERMISSION_PATTERNS = [
+  {
+    id: "PM-001",
+    category: "permission-abuse",
+    severity: "high",
+    title: "Code execution capability",
+    pattern: /\b(eval|exec|spawn|child_process|subprocess|os\.system|os\.popen)\b/i,
+    description: "Tool has code execution capabilities which could be used to run arbitrary commands.",
+    recommendation: "Ensure this tool's code execution is properly sandboxed."
+  },
+  {
+    id: "PM-002",
+    category: "permission-abuse",
+    severity: "high",
+    title: "Unrestricted filesystem access",
+    pattern: /\b(readFile|writeFile|readdir|rmdir|unlink|fs\.|filesystem|file\s*system)\b.*\b(any|all|entire|root|\/)\b/i,
+    description: "Tool claims unrestricted filesystem access.",
+    recommendation: "Tools should have scoped filesystem access, not unrestricted."
+  },
+  {
+    id: "PM-003",
+    category: "permission-abuse",
+    severity: "medium",
+    title: "Network request capability",
+    pattern: /\b(fetch|axios|http\.request|urllib|requests\.get|requests\.post|curl|wget)\b/i,
+    description: "Tool makes network requests. Legitimate in many cases, but could be used for data exfiltration.",
+    recommendation: "Verify the tool's network targets are expected and safe."
+  },
+  {
+    id: "PM-004",
+    category: "permission-abuse",
+    severity: "medium",
+    title: "Sensitive path access",
+    pattern: /\/etc\/(passwd|shadow|hosts|sudoers)|\/root\/|~\/\./,
+    description: "Tool accesses system-sensitive paths.",
+    recommendation: "Review why this tool needs access to system files."
+  }
+];
+var OBFUSCATION_PATTERNS = [
+  {
+    id: "OB-001",
+    category: "obfuscation",
+    severity: "high",
+    title: "Base64 encoded content",
+    pattern: /[A-Za-z0-9+/]{40,}={0,2}/,
+    description: "Tool description contains what appears to be base64-encoded content, which may hide malicious instructions.",
+    recommendation: "Decode the base64 content and inspect it before using this tool."
+  },
+  {
+    id: "OB-002",
+    category: "obfuscation",
+    severity: "high",
+    title: "Zero-width characters detected",
+    pattern: /[\u200B\u200C\u200D\uFEFF\u2060\u2061\u2062\u2063\u2064]/,
+    description: "Tool description contains invisible zero-width Unicode characters that may hide content.",
+    recommendation: "Strip zero-width characters and inspect the resulting text."
+  },
+  {
+    id: "OB-003",
+    category: "obfuscation",
+    severity: "medium",
+    title: "Hex-encoded string",
+    pattern: /\\x[0-9a-fA-F]{2}(\\x[0-9a-fA-F]{2}){4,}/,
+    description: "Tool description contains hex-encoded strings that may hide instructions.",
+    recommendation: "Decode the hex content and inspect it."
+  },
+  {
+    id: "OB-004",
+    category: "obfuscation",
+    severity: "medium",
+    title: "Unicode escape sequences",
+    pattern: /\\u[0-9a-fA-F]{4}(\\u[0-9a-fA-F]{4}){4,}/,
+    description: "Tool description contains Unicode escape sequences that may hide content.",
+    recommendation: "Decode the Unicode escapes and inspect the resulting text."
+  }
+];
+var ALL_PATTERNS = [
+  ...TOOL_POISONING_PATTERNS,
+  ...EXFILTRATION_PATTERNS,
+  ...PERMISSION_PATTERNS,
+  ...OBFUSCATION_PATTERNS
+];
+
+// src/scoring/trust-score.ts
+var SEVERITY_DEDUCTIONS = {
+  critical: 35,
+  high: 20,
+  medium: 10,
+  low: 5,
+  info: 0
+};
+function calculateTrustScore(findings, server) {
+  let codeAnalysis = 100;
+  let dependencyHealth = 100;
+  let permissionSafety = 100;
+  let behavioralStability = 100;
+  let transparency = 100;
+  for (const f of findings) {
+    if (f.category === "tool-poisoning" || f.category === "obfuscation") {
+      codeAnalysis -= SEVERITY_DEDUCTIONS[f.severity];
+    }
+  }
+  codeAnalysis = Math.max(0, codeAnalysis);
+  for (const f of findings) {
+    if (f.category === "dependency-risk") {
+      dependencyHealth -= SEVERITY_DEDUCTIONS[f.severity];
+    }
+  }
+  if (isWellKnownPackage(server)) {
+    dependencyHealth = Math.min(100, dependencyHealth + 15);
+  }
+  dependencyHealth = Math.max(0, dependencyHealth);
+  for (const f of findings) {
+    if (f.category === "permission-abuse" || f.category === "data-exfiltration") {
+      permissionSafety -= SEVERITY_DEDUCTIONS[f.severity];
+    }
+  }
+  permissionSafety = Math.max(0, permissionSafety);
+  if (server.command === "npx" || server.command === "uvx") {
+    behavioralStability -= 10;
+  }
+  if (server.command === "node" || server.command === "python" || server.command === "python3") {
+    behavioralStability += 5;
+  }
+  behavioralStability = Math.max(0, Math.min(100, behavioralStability));
+  if (isOpenSourcePackage(server)) {
+    transparency = Math.min(100, transparency + 10);
+  }
+  if (!isWellKnownPackage(server) && server.command !== "node" && server.command !== "python") {
+    transparency -= 20;
+  }
+  transparency = Math.max(0, Math.min(100, transparency));
+  const breakdown = {
+    codeAnalysis,
+    dependencyHealth,
+    permissionSafety,
+    behavioralStability,
+    transparency
+  };
+  const score = Math.round(
+    codeAnalysis * 0.3 + dependencyHealth * 0.2 + permissionSafety * 0.2 + behavioralStability * 0.15 + transparency * 0.15
+  );
+  return { score: Math.max(0, Math.min(100, score)), breakdown };
+}
+function isWellKnownPackage(server) {
+  const wellKnown = [
+    "@modelcontextprotocol/",
+    "@anthropic-ai/",
+    "mcp-server-",
+    "@mcp/"
+  ];
+  const packageName = server.args[0] || "";
+  const name = server.args.find((a) => !a.startsWith("-")) || "";
+  return wellKnown.some(
+    (prefix) => packageName.startsWith(prefix) || name.startsWith(prefix)
+  );
+}
+function isOpenSourcePackage(server) {
+  return ["npx", "uvx", "pip", "pipx"].includes(server.command);
+}
+
+// src/scanner/index.ts
+async function scanServer(server) {
+  const findings = [];
+  const commandStr = `${server.command} ${server.args.join(" ")}`;
+  findings.push(...scanText(commandStr, "command"));
+  findings.push(...scanText(server.name, "server name"));
+  if (server.env) {
+    for (const [key, value] of Object.entries(server.env)) {
+      if (isStandardEnvVar(key)) continue;
+      findings.push(...scanEnvVar(key, value));
+    }
+  }
+  findings.push(...scanArgs(server.args));
+  findings.push(...analyzeCommand(server));
+  const uniqueFindings = deduplicateFindings(findings);
+  const { score, breakdown } = calculateTrustScore(uniqueFindings, server);
+  const trustLevel = score >= 80 ? "trusted" : score >= 60 ? "caution" : score >= 40 ? "risky" : "dangerous";
+  return {
+    server,
+    trustScore: score,
+    scoreBreakdown: breakdown,
+    findings: uniqueFindings,
+    trustLevel,
+    scannedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+function scanText(text, context) {
+  const findings = [];
+  for (const pattern of ALL_PATTERNS) {
+    const match = pattern.pattern.exec(text);
+    if (match) {
+      findings.push({
+        id: pattern.id,
+        category: pattern.category,
+        severity: pattern.severity,
+        title: pattern.title,
+        description: `${pattern.description} (found in ${context})`,
+        evidence: match[0].substring(0, 200),
+        recommendation: pattern.recommendation
+      });
+    }
+  }
+  return findings;
+}
+function scanEnvVar(key, value) {
+  const findings = [];
+  const sensitiveKeyPatterns = [
+    /api[_-]?key/i,
+    /secret[_-]?key/i,
+    /access[_-]?token/i,
+    /private[_-]?key/i,
+    /password/i,
+    /auth[_-]?token/i
+  ];
+  for (const pat of sensitiveKeyPatterns) {
+    if (pat.test(key)) {
+      findings.push({
+        id: "EV-001",
+        category: "data-exfiltration",
+        severity: "medium",
+        title: "Sensitive environment variable",
+        description: `The MCP server receives a potentially sensitive environment variable: ${key}. This data is accessible to the server code.`,
+        evidence: `${key}=<redacted>`,
+        recommendation: "Verify this MCP server needs this credential and that you trust it with this access."
+      });
+      break;
+    }
+  }
+  findings.push(...scanText(value, `env var ${key}`));
+  return findings;
+}
+function scanArgs(args) {
+  const findings = [];
+  const argsStr = args.join(" ");
+  if (/--allow-all|--no-sandbox|--disable-security/i.test(argsStr)) {
+    findings.push({
+      id: "AR-001",
+      category: "permission-abuse",
+      severity: "high",
+      title: "Security bypass flags detected",
+      description: "The MCP server is started with flags that disable security restrictions.",
+      evidence: argsStr.substring(0, 200),
+      recommendation: "Remove security-bypass flags. These significantly increase risk."
+    });
+  }
+  for (const arg of args) {
+    if (/\.(ssh|aws|gnupg|config\/gcloud)/.test(arg)) {
+      findings.push({
+        id: "AR-002",
+        category: "data-exfiltration",
+        severity: "high",
+        title: "Sensitive directory in arguments",
+        description: `An MCP server argument references a sensitive directory: ${arg}`,
+        evidence: arg,
+        recommendation: "Verify this server needs access to this sensitive directory."
+      });
+    }
+  }
+  return findings;
+}
+function analyzeCommand(server) {
+  const findings = [];
+  const fullCommand = `${server.command} ${server.args.join(" ")}`;
+  if (server.command === "npx" && server.args.includes("-y")) {
+    findings.push({
+      id: "CM-001",
+      category: "dependency-risk",
+      severity: "low",
+      title: "Auto-install enabled (npx -y)",
+      description: "This MCP server uses npx with the -y flag, which auto-installs packages without confirmation. This is standard practice but means the package is downloaded and executed automatically.",
+      evidence: fullCommand.substring(0, 200),
+      recommendation: "Verify the package name is correct (watch for typosquatting)."
+    });
+  }
+  if (/\b(pip|python|uvx)\b/.test(server.command)) {
+    const packageArg = server.args.find(
+      (a) => !a.startsWith("-") && !a.startsWith("/") && !a.includes("=")
+    );
+    if (packageArg) {
+      const popularPackages = [
+        "mcp-server-fetch",
+        "mcp-server-filesystem",
+        "mcp-server-github",
+        "mcp-server-sqlite",
+        "mcp-server-postgres",
+        "mcp-server-slack",
+        "mcp-server-memory",
+        "mcp-server-puppeteer",
+        "mcp-server-brave-search",
+        "mcp-server-sequential-thinking"
+      ];
+      for (const popular of popularPackages) {
+        if (packageArg !== popular && levenshteinDistance(packageArg, popular) <= 2 && levenshteinDistance(packageArg, popular) > 0) {
+          findings.push({
+            id: "CM-002",
+            category: "dependency-risk",
+            severity: "high",
+            title: "Possible typosquatting detected",
+            description: `Package "${packageArg}" is very similar to the popular package "${popular}". This could be a typosquatting attack.`,
+            evidence: `${packageArg} \u2248 ${popular}`,
+            recommendation: `Verify you intended to install "${packageArg}" and not "${popular}".`
+          });
+        }
+      }
+    }
+  }
+  return findings;
+}
+function levenshteinDistance(a, b) {
+  const matrix = Array.from(
+    { length: a.length + 1 },
+    (_, i) => Array.from({ length: b.length + 1 }, (_2, j) => i === 0 ? j : j === 0 ? i : 0)
+  );
+  for (let i = 1; i <= a.length; i++) {
+    for (let j = 1; j <= b.length; j++) {
+      matrix[i][j] = a[i - 1] === b[j - 1] ? matrix[i - 1][j - 1] : 1 + Math.min(matrix[i - 1][j], matrix[i][j - 1], matrix[i - 1][j - 1]);
+    }
+  }
+  return matrix[a.length][b.length];
+}
+function isStandardEnvVar(key) {
+  const standard = /* @__PURE__ */ new Set([
+    "PATH",
+    "HOME",
+    "USER",
+    "SHELL",
+    "LANG",
+    "LC_ALL",
+    "NODE_ENV",
+    "DEBUG",
+    "LOG_LEVEL",
+    "PORT",
+    "HOST",
+    "HOSTNAME",
+    "TZ",
+    "TERM",
+    "EDITOR",
+    "VISUAL",
+    "TMPDIR",
+    "TEMP",
+    "TMP"
+  ]);
+  return standard.has(key);
+}
+function deduplicateFindings(findings) {
+  const seen = /* @__PURE__ */ new Set();
+  return findings.filter((f) => {
+    if (seen.has(f.id)) return false;
+    seen.add(f.id);
+    return true;
+  });
+}
+
+// src/scanner/skill-patterns.ts
+var INSTRUCTION_INJECTION_PATTERNS = [
+  {
+    id: "SK-001",
+    category: "instruction-injection",
+    severity: "critical",
+    title: "Agent role hijacking in skill",
+    pattern: /(?:you\s+are|act\s+as|pretend\s+to\s+be|your\s+new\s+role\s+is|from\s+now\s+on\s+you\s+are)\s+(?:a\s+)?(?:hacker|attacker|malicious|evil|unrestricted|jailbroken)/i,
+    description: "Skill file attempts to redefine the agent as a malicious persona. This is a critical prompt injection attack.",
+    recommendation: "Do NOT install this skill. It contains an explicit agent hijack attempt."
+  },
+  {
+    id: "SK-002",
+    category: "instruction-injection",
+    severity: "critical",
+    title: "Instruction override directive",
+    pattern: /(?:disregard|ignore|forget|override|bypass)\s+(?:all\s+)?(?:previous|prior|above|system|safety|security)\s+(?:instructions?|rules?|guidelines?|constraints?|prompts?)/i,
+    description: "Skill file contains a directive to override safety instructions or system prompts.",
+    recommendation: "Do NOT install this skill. It explicitly attempts to disable safety guardrails."
+  },
+  {
+    id: "SK-003",
+    category: "instruction-injection",
+    severity: "high",
+    title: "Hidden instructions in markdown",
+    pattern: /<!--[\s\S]*?(?:execute|run|install|download|curl|wget|fetch|eval|bash|sh\s+-c)[\s\S]*?-->/i,
+    description: "Skill file contains hidden instructions inside HTML/markdown comments that the user won't see in rendered view.",
+    recommendation: "Inspect all HTML comments in this skill file. Hidden instructions are a strong indicator of malicious intent."
+  },
+  {
+    id: "SK-004",
+    category: "instruction-injection",
+    severity: "high",
+    title: "Conditional behavior trigger",
+    pattern: /(?:when|if|once)\s+(?:the\s+)?user\s+(?:is\s+not\s+looking|isn'?t\s+(?:watching|paying\s+attention)|leaves|steps\s+away|is\s+away|is\s+idle)/i,
+    description: "Skill file contains instructions that trigger only when the user is not paying attention.",
+    recommendation: "Remove this skill immediately. Legitimate skills never check for user inattention."
+  },
+  {
+    id: "SK-005",
+    category: "instruction-injection",
+    severity: "high",
+    title: "Cross-skill poisoning directive",
+    pattern: /(?:when\s+(?:using|calling|invoking)\s+(?:any|other|the)\s+(?:skill|tool|command))|(?:modify|alter|change|update)\s+(?:other|the)\s+(?:skill|tool|command)\s+(?:files?|definitions?|descriptions?)/i,
+    description: "Skill file attempts to influence or modify other skills/tools, enabling cross-skill attack chaining.",
+    recommendation: "Review this skill carefully. It should not need to reference or modify other skills."
+  },
+  {
+    id: "SK-006",
+    category: "instruction-injection",
+    severity: "medium",
+    title: "Invisible unicode directives",
+    pattern: /[\u200B\u200C\u200D\uFEFF\u2060-\u2064\u00AD]{3,}/,
+    description: "Skill file contains clusters of invisible Unicode characters that may hide instructions from visual review.",
+    recommendation: "Strip invisible characters and inspect the resulting content."
+  }
+];
+var MALWARE_DELIVERY_PATTERNS = [
+  {
+    id: "SK-010",
+    category: "malware-delivery",
+    severity: "critical",
+    title: "Remote script execution",
+    pattern: /(?:curl|wget|fetch)\s+(?:-[sSkLfO]+\s+)?(?:https?:\/\/[^\s|]+)\s*\|\s*(?:bash|sh|zsh|python|node|perl|ruby)/i,
+    description: "Skill instructs the agent to download and pipe a remote script directly into an interpreter. This is a primary malware delivery vector.",
+    recommendation: "Do NOT install this skill. Piping remote scripts to interpreters is extremely dangerous."
+  },
+  {
+    id: "SK-011",
+    category: "malware-delivery",
+    severity: "critical",
+    title: "Reverse shell pattern",
+    pattern: /(?:\/dev\/tcp\/|bash\s+-i\s+>&|nc\s+-[elp]+|ncat\s+-[elp]+|mkfifo\s+\/tmp\/|python.*socket.*connect|socat\s+(?:exec|tcp))/i,
+    description: "Skill file contains a reverse shell pattern that would give a remote attacker interactive access to the user's machine.",
+    recommendation: "CRITICAL: Remove immediately. This is a backdoor attempt."
+  },
+  {
+    id: "SK-012",
+    category: "malware-delivery",
+    severity: "high",
+    title: "Suspicious install prerequisite",
+    pattern: /(?:first|before\s+(?:you\s+)?(?:start|begin|proceed))\s*,?\s*(?:you\s+)?(?:must|need\s+to|should)\s+(?:install|run|execute|download)\s+[`"]?(?:curl|wget|npm\s+i(?:nstall)?|pip\s+install|gem\s+install|brew\s+install)\s+\S+/i,
+    description: 'Skill file instructs the agent to install specific packages as a "prerequisite". This is a common social engineering vector for malware delivery.',
+    recommendation: "Verify the prerequisite package is legitimate before installing."
+  },
+  {
+    id: "SK-013",
+    category: "malware-delivery",
+    severity: "high",
+    title: "Encoded payload execution",
+    pattern: /(?:echo|printf)\s+['"]?[A-Za-z0-9+/]{40,}={0,2}['"]?\s*\|\s*(?:base64\s+(?:-[dD]|--decode)|openssl\s+(?:enc|base64))\s*\|\s*(?:bash|sh|python|node)/i,
+    description: "Skill contains a base64-encoded payload that is decoded and executed. This hides malicious code from inspection.",
+    recommendation: "Do NOT run this skill. Decode the base64 content to inspect what it actually executes."
+  },
+  {
+    id: "SK-014",
+    category: "malware-delivery",
+    severity: "high",
+    title: "Suspicious npm/pip package install",
+    pattern: /(?:npm\s+(?:install|i)\s+(?:-g\s+)?|pip\s+install\s+|gem\s+install\s+)(?!(?:typescript|react|express|flask|django|numpy|pandas|pytest|eslint|prettier|jest|mocha)\b)[a-z][\w.-]*(?:\s|$)/i,
+    description: "Skill instructs installation of a non-standard package. Verify the package name is not typosquatted.",
+    recommendation: "Verify this package exists on the official registry and is the intended package."
+  }
+];
+var STEALTH_PATTERNS = [
+  {
+    id: "SK-020",
+    category: "stealth-operations",
+    severity: "critical",
+    title: "Stealth action directive",
+    pattern: /(?:silently|quietly|without\s+(?:the\s+)?user\s+(?:knowing|noticing|seeing)|in\s+the\s+background|don'?t\s+(?:show|display|tell|inform|alert|notify)\s+(?:the\s+)?user)/i,
+    description: "Skill instructs the agent to perform actions without informing the user. This is a hallmark of malicious skills.",
+    recommendation: "Do NOT install. Legitimate skills never instruct the agent to hide actions from the user."
+  },
+  {
+    id: "SK-021",
+    category: "stealth-operations",
+    severity: "high",
+    title: "Output suppression",
+    pattern: /(?:suppress|hide|redact|omit|censor)\s+(?:the\s+)?(?:output|results?|response|error|warning|log)/i,
+    description: "Skill instructs the agent to hide output or errors from the user, preventing them from seeing what the skill does.",
+    recommendation: "Remove this skill. Users should always see the full output of actions taken on their behalf."
+  },
+  {
+    id: "SK-022",
+    category: "stealth-operations",
+    severity: "high",
+    title: "History/log evasion",
+    pattern: /(?:clear|delete|remove|wipe|purge)\s+(?:the\s+)?(?:history|logs?|traces?|evidence|audit\s+trail|command\s+history|bash_history)/i,
+    description: "Skill instructs the agent to clear logs or command history to cover its tracks.",
+    recommendation: "CRITICAL: Remove this skill. Clearing logs is a strong indicator of malicious intent."
+  },
+  {
+    id: "SK-023",
+    category: "stealth-operations",
+    severity: "medium",
+    title: "Deceptive user response",
+    pattern: /(?:tell|inform|show|respond\s+to)\s+(?:the\s+)?user\s+(?:that|with)\s+(?:everything\s+is|it'?s?\s+(?:fine|ok|normal|safe|working|complete|done))\s+(?:even\s+(?:if|though|when))/i,
+    description: 'Skill instructs the agent to give a misleading "all clear" response regardless of what actually happened.',
+    recommendation: "Remove this skill. It instructs the agent to deceive the user about outcomes."
+  }
+];
+var SAFETY_BYPASS_PATTERNS = [
+  {
+    id: "SK-030",
+    category: "safety-bypass",
+    severity: "critical",
+    title: "Confirmation bypass",
+    pattern: /(?:skip|bypass|disable|turn\s+off|don'?t\s+(?:ask\s+for|require|need|prompt\s+for))\s+(?:user\s+)?(?:confirmation|approval|consent|verification|permission|authorization)/i,
+    description: "Skill instructs the agent to bypass user confirmation for actions. This removes the human-in-the-loop safety check.",
+    recommendation: "Do NOT install. Disabling confirmation prompts allows the skill to take destructive actions without approval."
+  },
+  {
+    id: "SK-031",
+    category: "safety-bypass",
+    severity: "critical",
+    title: "Safety feature disable",
+    pattern: /(?:disable|turn\s+off|deactivate|circumvent|work\s+around)\s+(?:the\s+)?(?:safety|security|sandbox|firewall|antivirus|protection|guardrail|content\s+filter)/i,
+    description: "Skill explicitly instructs disabling safety or security features.",
+    recommendation: "Do NOT install. This is an explicit attempt to weaken system security."
+  },
+  {
+    id: "SK-032",
+    category: "safety-bypass",
+    severity: "high",
+    title: "Force flag usage",
+    pattern: /(?:always\s+)?(?:use|add|pass|include)\s+(?:the\s+)?(?:--force|--no-verify|-f\s|--yes|-y\s|--assume-yes|--no-confirm|--skip-validation|--allow-empty|--no-check)/i,
+    description: "Skill instructs the agent to always use force/bypass flags that skip safety validations.",
+    recommendation: "Review why this skill needs to bypass safety checks. Remove the force flags if not essential."
+  },
+  {
+    id: "SK-033",
+    category: "safety-bypass",
+    severity: "high",
+    title: "Root/sudo escalation",
+    pattern: /(?:run|execute|use)\s+(?:as\s+)?(?:root|sudo|admin(?:istrator)?)|(?:sudo\s+(?!apt\s+update|apt\s+install))/i,
+    description: "Skill instructs the agent to escalate to root/admin privileges.",
+    recommendation: "Review why this skill needs elevated privileges. Most skills should not require root access."
+  }
+];
+var PERSISTENCE_PATTERNS = [
+  {
+    id: "SK-040",
+    category: "persistence-abuse",
+    severity: "critical",
+    title: "Startup persistence mechanism",
+    pattern: /(?:add|write|append|insert)\s+(?:to|into)\s+(?:the\s+)?(?:\.bashrc|\.zshrc|\.bash_profile|\.profile|\.zprofile|crontab|\.config\/autostart|LaunchAgents|startup)/i,
+    description: "Skill instructs the agent to modify startup/shell config files to establish persistence across reboots.",
+    recommendation: "CRITICAL: Remove this skill. Modifying startup files is a persistence technique used by malware."
+  },
+  {
+    id: "SK-041",
+    category: "persistence-abuse",
+    severity: "critical",
+    title: "Memory file tampering",
+    pattern: /(?:modify|edit|write\s+to|append\s+to|update|overwrite)\s+(?:the\s+)?(?:CLAUDE\.md|SOUL\.md|MEMORY\.md|\.claude\/|\.cursorrules|\.cursor\/rules)/i,
+    description: "Skill instructs the agent to modify other skill/memory files. This can be used to inject persistent instructions that survive across sessions.",
+    recommendation: "Do NOT install. A skill should never modify other skill or memory files."
+  },
+  {
+    id: "SK-042",
+    category: "persistence-abuse",
+    severity: "high",
+    title: "Cron job creation",
+    pattern: /(?:crontab\s+-[el]|\/etc\/cron|systemctl\s+enable|launchctl\s+load|schtasks\s+\/create)/i,
+    description: "Skill instructs creation of scheduled tasks or cron jobs for persistent execution.",
+    recommendation: "Review why this skill needs scheduled tasks. This is unusual for agent skills."
+  },
+  {
+    id: "SK-043",
+    category: "persistence-abuse",
+    severity: "high",
+    title: "Git hook injection",
+    pattern: /(?:\.git\/hooks\/|pre-commit|post-commit|pre-push|post-receive|pre-receive)\s*(?:hook|script|file)/i,
+    description: "Skill instructs modification of git hooks, which execute automatically on git operations.",
+    recommendation: "Verify this skill legitimately needs git hook access. Malicious hooks can exfiltrate code on every commit."
+  }
+];
+var SKILL_EXFILTRATION_PATTERNS = [
+  {
+    id: "SK-050",
+    category: "data-exfiltration",
+    severity: "critical",
+    title: "Credential harvesting directive",
+    pattern: /(?:read|extract|get|find|locate|collect|gather|retrieve)\s+(?:all\s+)?(?:the\s+)?(?:api\s+keys?|tokens?|credentials?|passwords?|secrets?|private\s+keys?)\s+(?:from|in|stored\s+in|located\s+at)/i,
+    description: "Skill instructs the agent to collect credentials or secrets from the user's system.",
+    recommendation: "Do NOT install. This is a credential harvesting attack."
+  },
+  {
+    id: "SK-051",
+    category: "data-exfiltration",
+    severity: "critical",
+    title: "Data exfiltration via URL",
+    pattern: /(?:send|post|upload|transmit|forward|exfiltrate|ship)\s+(?:the\s+)?(?:data|contents?|results?|files?|output|information|credentials?|keys?)\s+(?:to|via|using|through)\s+(?:https?:\/\/|webhook|api|endpoint|server)/i,
+    description: "Skill instructs the agent to send data to an external URL or endpoint.",
+    recommendation: "CRITICAL: Review what data is being sent and to where. This matches known exfiltration patterns."
+  },
+  {
+    id: "SK-052",
+    category: "data-exfiltration",
+    severity: "high",
+    title: "File system enumeration",
+    pattern: /(?:list|enumerate|scan|find|search|catalogue|index)\s+(?:all\s+)?(?:the\s+)?(?:files?|directories|folders?)\s+(?:in|under|at|from)\s+(?:\/|~\/|home|root|the\s+(?:home|root|user))/i,
+    description: "Skill instructs broad filesystem enumeration, potentially to map out sensitive files for exfiltration.",
+    recommendation: "Verify this skill needs filesystem access. Broad enumeration is suspicious."
+  },
+  {
+    id: "SK-053",
+    category: "data-exfiltration",
+    severity: "high",
+    title: "Environment variable dumping",
+    pattern: /(?:print|dump|list|show|display|export|echo)\s+(?:all\s+)?(?:the\s+)?(?:environment\s+variables?|env\s+vars?|process\.env|os\.environ)/i,
+    description: "Skill instructs dumping all environment variables, which often contain secrets and API keys.",
+    recommendation: "Review why this skill needs access to all environment variables."
+  }
+];
+var ALL_SKILL_PATTERNS = [
+  ...INSTRUCTION_INJECTION_PATTERNS,
+  ...MALWARE_DELIVERY_PATTERNS,
+  ...STEALTH_PATTERNS,
+  ...SAFETY_BYPASS_PATTERNS,
+  ...PERSISTENCE_PATTERNS,
+  ...SKILL_EXFILTRATION_PATTERNS
+];
+
+// src/scanner/skill-scanner.ts
+var SEVERITY_DEDUCTIONS2 = {
+  critical: 35,
+  high: 20,
+  medium: 10,
+  low: 5,
+  info: 0
+};
+async function scanSkill(skill) {
+  const findings = [];
+  findings.push(...scanContent(skill.content, "skill content", ALL_SKILL_PATTERNS));
+  findings.push(...scanContent(skill.content, "skill content", ALL_PATTERNS));
+  findings.push(...analyzeStructure(skill));
+  if (skill.fileType === "mdc-rule") {
+    findings.push(...analyzeMDCRule(skill));
+  }
+  const uniqueFindings = deduplicateFindings2(findings);
+  const { score, breakdown } = calculateSkillTrustScore(uniqueFindings, skill);
+  const trustLevel = score >= 80 ? "trusted" : score >= 60 ? "caution" : score >= 40 ? "risky" : "dangerous";
+  return {
+    skill,
+    trustScore: score,
+    scoreBreakdown: breakdown,
+    findings: uniqueFindings,
+    trustLevel,
+    scannedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+function scanContent(text, context, patterns) {
+  const findings = [];
+  for (const pattern of patterns) {
+    pattern.pattern.lastIndex = 0;
+    const match = pattern.pattern.exec(text);
+    if (match) {
+      findings.push({
+        id: pattern.id,
+        category: pattern.category,
+        severity: pattern.severity,
+        title: pattern.title,
+        description: `${pattern.description} (found in ${context})`,
+        evidence: match[0].substring(0, 200),
+        recommendation: pattern.recommendation
+      });
+    }
+  }
+  return findings;
+}
+function analyzeStructure(skill) {
+  const findings = [];
+  const content = skill.content;
+  if (skill.size > 5e4) {
+    findings.push({
+      id: "SK-060",
+      category: "obfuscation",
+      severity: "medium",
+      title: "Unusually large skill file",
+      description: `Skill file is ${Math.round(skill.size / 1024)}KB. Large skill files may contain hidden payloads or obfuscated content.`,
+      evidence: `File size: ${skill.size} bytes`,
+      recommendation: "Inspect the full file carefully. Large skill files are unusual."
+    });
+  }
+  const codeBlockPattern = /```(?:bash|sh|shell|zsh)?\n([\s\S]*?)```/g;
+  let codeMatch;
+  while ((codeMatch = codeBlockPattern.exec(content)) !== null) {
+    const codeBlock = codeMatch[1];
+    if (/rm\s+-rf\s+[\/~]|rm\s+-rf\s+\$\{?HOME/.test(codeBlock)) {
+      findings.push({
+        id: "SK-061",
+        category: "permission-abuse",
+        severity: "critical",
+        title: "Destructive command in code block",
+        description: "Skill contains a recursive delete command targeting the home or root directory.",
+        evidence: codeBlock.substring(0, 200),
+        recommendation: "Do NOT install. This command would delete critical files."
+      });
+    }
+    if (/chmod\s+(?:777|a\+rwx|\+rwx)/i.test(codeBlock)) {
+      findings.push({
+        id: "SK-062",
+        category: "permission-abuse",
+        severity: "high",
+        title: "World-writable permissions set",
+        description: "Skill sets overly permissive file permissions (777/world-writable).",
+        evidence: codeBlock.substring(0, 200),
+        recommendation: "Review why world-writable permissions are needed. This is almost always a security risk."
+      });
+    }
+  }
+  const urlPattern = /https?:\/\/[^\s)>\]"']+/g;
+  const urls = content.match(urlPattern) || [];
+  const externalUrls = urls.filter(
+    (url) => !url.includes("github.com") && !url.includes("npmjs.com") && !url.includes("docs.") && !url.includes("stackoverflow.com")
+  );
+  if (externalUrls.length > 5) {
+    findings.push({
+      id: "SK-063",
+      category: "data-exfiltration",
+      severity: "low",
+      title: "Many external URLs in skill",
+      description: `Skill contains ${externalUrls.length} external URLs. Excessive external URLs may indicate data exfiltration endpoints.`,
+      evidence: externalUrls.slice(0, 3).join(", "),
+      recommendation: "Review the external URLs to ensure they are all legitimate."
+    });
+  }
+  const invisibleChars = content.match(/[\u200B-\u200D\uFEFF\u2060-\u2064\u00AD]/g) || [];
+  if (invisibleChars.length > 10) {
+    findings.push({
+      id: "SK-064",
+      category: "obfuscation",
+      severity: "high",
+      title: "High concentration of invisible characters",
+      description: `Skill contains ${invisibleChars.length} invisible Unicode characters that may hide malicious instructions.`,
+      evidence: `${invisibleChars.length} invisible characters detected`,
+      recommendation: "Strip invisible characters and compare the before/after content."
+    });
+  }
+  return findings;
+}
+function analyzeMDCRule(skill) {
+  const findings = [];
+  const content = skill.content;
+  const frontmatterMatch = content.match(/^---\n([\s\S]*?)\n---/);
+  if (frontmatterMatch) {
+    const frontmatter = frontmatterMatch[1];
+    if (/globs?:\s*['"]\*\*\/\*['"]/i.test(frontmatter) || /globs?:\s*\*\*\/\*/i.test(frontmatter)) {
+      findings.push({
+        id: "SK-070",
+        category: "permission-abuse",
+        severity: "medium",
+        title: "MDC rule attached to all files",
+        description: "This Cursor rule uses a wildcard glob pattern that auto-attaches it to every file. This means its instructions apply universally.",
+        evidence: frontmatter.substring(0, 200),
+        recommendation: "Review why this rule needs to apply to all files. Narrow the glob pattern if possible."
+      });
+    }
+    if (/alwaysApply:\s*true/i.test(frontmatter)) {
+      findings.push({
+        id: "SK-071",
+        category: "permission-abuse",
+        severity: "low",
+        title: "MDC rule always applied",
+        description: "This Cursor rule has alwaysApply: true, meaning it runs on every interaction regardless of context.",
+        evidence: "alwaysApply: true",
+        recommendation: "Consider if this rule truly needs to run on every interaction."
+      });
+    }
+  }
+  return findings;
+}
+function calculateSkillTrustScore(findings, skill) {
+  let codeAnalysis = 100;
+  let dependencyHealth = 100;
+  let permissionSafety = 100;
+  let behavioralStability = 100;
+  let transparency = 100;
+  for (const f of findings) {
+    const deduction = SEVERITY_DEDUCTIONS2[f.severity];
+    switch (f.category) {
+      case "tool-poisoning":
+      case "instruction-injection":
+      case "obfuscation":
+        codeAnalysis -= deduction;
+        break;
+      case "malware-delivery":
+      case "dependency-risk":
+        dependencyHealth -= deduction;
+        break;
+      case "permission-abuse":
+      case "data-exfiltration":
+      case "safety-bypass":
+        permissionSafety -= deduction;
+        break;
+      case "stealth-operations":
+      case "persistence-abuse":
+        behavioralStability -= deduction;
+        break;
+      case "rug-pull":
+        transparency -= deduction;
+        break;
+    }
+  }
+  codeAnalysis = Math.max(0, codeAnalysis);
+  dependencyHealth = Math.max(0, dependencyHealth);
+  permissionSafety = Math.max(0, permissionSafety);
+  behavioralStability = Math.max(0, behavioralStability);
+  transparency = Math.max(0, transparency);
+  if (skill.scope === "project") {
+    transparency = Math.min(100, transparency + 10);
+  }
+  if (skill.fileType === "skill.md" || skill.fileType === "mdc-rule") {
+    transparency = Math.min(100, transparency + 5);
+  }
+  const breakdown = {
+    codeAnalysis,
+    dependencyHealth,
+    permissionSafety,
+    behavioralStability,
+    transparency
+  };
+  const score = Math.round(
+    codeAnalysis * 0.3 + dependencyHealth * 0.2 + permissionSafety * 0.2 + behavioralStability * 0.15 + transparency * 0.15
+  );
+  return { score: Math.max(0, Math.min(100, score)), breakdown };
+}
+function deduplicateFindings2(findings) {
+  const seen = /* @__PURE__ */ new Set();
+  return findings.filter((f) => {
+    if (seen.has(f.id)) return false;
+    seen.add(f.id);
+    return true;
+  });
+}
+
+// src/output/terminal.ts
+var import_chalk = __toESM(require("chalk"));
+var TRUST_COLORS = {
+  trusted: import_chalk.default.green,
+  caution: import_chalk.default.yellow,
+  risky: import_chalk.default.hex("#FF8C00"),
+  // orange
+  dangerous: import_chalk.default.red
+};
+var SEVERITY_COLORS = {
+  critical: import_chalk.default.bgRed.white.bold,
+  high: import_chalk.default.red.bold,
+  medium: import_chalk.default.yellow,
+  low: import_chalk.default.blue,
+  info: import_chalk.default.gray
+};
+var TRUST_ICONS = {
+  trusted: "\u2713",
+  caution: "\u26A0",
+  risky: "\u26A0",
+  dangerous: "\u2717"
+};
+var SEVERITY_ICONS = {
+  critical: "!!!",
+  high: "!!",
+  medium: "!",
+  low: "i",
+  info: "\xB7"
+};
+var FILE_TYPE_LABELS = {
+  "skill.md": "SKILL.md",
+  "mdc-rule": ".mdc rule",
+  "claude.md": "CLAUDE.md",
+  "soul.md": "SOUL.md",
+  "memory.md": "MEMORY.md"
+};
+function printBanner() {
+  console.log("");
+  console.log(import_chalk.default.bold.hex("#2C4A7C")("  \u2566  \u2566\u2566\u2554\u2550\u2557\u2566\u2566  "));
+  console.log(import_chalk.default.bold.hex("#2C4A7C")("  \u255A\u2557\u2554\u255D\u2551\u2551 \u2566\u2551\u2551  "));
+  console.log(import_chalk.default.bold.hex("#2C4A7C")("   \u255A\u255D \u2569\u255A\u2550\u255D\u2569\u2569\u2550\u255D"));
+  console.log(import_chalk.default.gray("  AI Agent Security Scanner"));
+  console.log("");
+}
+function printServerResult(result, verbose) {
+  const color = TRUST_COLORS[result.trustLevel];
+  const icon = TRUST_ICONS[result.trustLevel];
+  console.log(
+    import_chalk.default.bold(`  ${icon} `) + import_chalk.default.bold(result.server.name) + import_chalk.default.gray(` (${result.server.source})`) + "  " + color(`[${result.trustScore}/100 ${result.trustLevel.toUpperCase()}]`)
+  );
+  console.log(import_chalk.default.gray(`    Config: ${result.server.configPath}`));
+  console.log(
+    import_chalk.default.gray(`    Command: ${result.server.command} ${result.server.args.join(" ")}`)
+  );
+  if (result.findings.length === 0) {
+    console.log(import_chalk.default.green("    No security issues found."));
+  } else {
+    console.log(
+      import_chalk.default.dim(`    ${result.findings.length} finding(s):`)
+    );
+    for (const finding of result.findings) {
+      printFinding(finding, verbose);
+    }
+  }
+  if (verbose) {
+    printScoreBreakdown(result.scoreBreakdown);
+  }
+  console.log("");
+}
+function printSkillResult(result, verbose) {
+  const color = TRUST_COLORS[result.trustLevel];
+  const icon = TRUST_ICONS[result.trustLevel];
+  const typeLabel = FILE_TYPE_LABELS[result.skill.fileType] || result.skill.fileType;
+  console.log(
+    import_chalk.default.bold(`  ${icon} `) + import_chalk.default.bold(result.skill.name) + import_chalk.default.gray(` (${typeLabel} \xB7 ${result.skill.source} \xB7 ${result.skill.scope})`) + "  " + color(`[${result.trustScore}/100 ${result.trustLevel.toUpperCase()}]`)
+  );
+  console.log(import_chalk.default.gray(`    Path: ${result.skill.filePath}`));
+  const sizeKB = (result.skill.size / 1024).toFixed(1);
+  console.log(import_chalk.default.gray(`    Size: ${sizeKB} KB`));
+  if (result.findings.length === 0) {
+    console.log(import_chalk.default.green("    No security issues found."));
+  } else {
+    console.log(
+      import_chalk.default.dim(`    ${result.findings.length} finding(s):`)
+    );
+    for (const finding of result.findings) {
+      printFinding(finding, verbose);
+    }
+  }
+  if (verbose) {
+    printScoreBreakdown(result.scoreBreakdown);
+  }
+  console.log("");
+}
+function printFinding(finding, verbose) {
+  const color = SEVERITY_COLORS[finding.severity];
+  const icon = SEVERITY_ICONS[finding.severity];
+  console.log(
+    `      ${color(`[${icon}]`)} ${color(finding.severity.toUpperCase())} ` + import_chalk.default.white(finding.title) + import_chalk.default.gray(` (${finding.id})`)
+  );
+  if (verbose) {
+    console.log(import_chalk.default.gray(`          ${finding.description}`));
+    if (finding.evidence) {
+      console.log(import_chalk.default.gray(`          Evidence: ${finding.evidence}`));
+    }
+    console.log(import_chalk.default.cyan(`          \u2192 ${finding.recommendation}`));
+  }
+}
+function printScoreBreakdown(b) {
+  console.log(import_chalk.default.dim("    Score Breakdown:"));
+  console.log(import_chalk.default.dim(`      Code Analysis:       ${scoreBar(b.codeAnalysis)} ${b.codeAnalysis}/100 (30%)`));
+  console.log(import_chalk.default.dim(`      Dependency Health:    ${scoreBar(b.dependencyHealth)} ${b.dependencyHealth}/100 (20%)`));
+  console.log(import_chalk.default.dim(`      Permission Safety:    ${scoreBar(b.permissionSafety)} ${b.permissionSafety}/100 (20%)`));
+  console.log(import_chalk.default.dim(`      Behavioral Stability: ${scoreBar(b.behavioralStability)} ${b.behavioralStability}/100 (15%)`));
+  console.log(import_chalk.default.dim(`      Transparency:         ${scoreBar(b.transparency)} ${b.transparency}/100 (15%)`));
+}
+function printSummary(summary) {
+  console.log(import_chalk.default.bold("  \u2500\u2500\u2500 Scan Summary \u2500\u2500\u2500"));
+  console.log("");
+  if (summary.totalServers > 0) {
+    console.log(`  MCP servers scanned: ${import_chalk.default.bold(String(summary.totalServers))}`);
+  }
+  if (summary.totalSkills > 0) {
+    console.log(`  Skill files scanned: ${import_chalk.default.bold(String(summary.totalSkills))}`);
+  }
+  const totalScanned = summary.totalServers + summary.totalSkills;
+  if (totalScanned > 0 && summary.totalServers > 0 && summary.totalSkills > 0) {
+    console.log(`  Total scanned:       ${import_chalk.default.bold(String(totalScanned))}`);
+  }
+  console.log(
+    `  ${import_chalk.default.green(`${TRUST_ICONS.trusted} Trusted: ${summary.byTrustLevel.trusted}`)}  ${import_chalk.default.yellow(`${TRUST_ICONS.caution} Caution: ${summary.byTrustLevel.caution}`)}  ${import_chalk.default.hex("#FF8C00")(`${TRUST_ICONS.risky} Risky: ${summary.byTrustLevel.risky}`)}  ${import_chalk.default.red(`${TRUST_ICONS.dangerous} Dangerous: ${summary.byTrustLevel.dangerous}`)}`
+  );
+  const totalFindings = Object.values(summary.bySeverity).reduce((a, b) => a + b, 0);
+  if (totalFindings > 0) {
+    console.log("");
+    console.log(`  Total findings: ${import_chalk.default.bold(String(totalFindings))}`);
+    if (summary.bySeverity.critical > 0)
+      console.log(import_chalk.default.bgRed.white.bold(`    ${summary.bySeverity.critical} CRITICAL`));
+    if (summary.bySeverity.high > 0)
+      console.log(import_chalk.default.red.bold(`    ${summary.bySeverity.high} HIGH`));
+    if (summary.bySeverity.medium > 0)
+      console.log(import_chalk.default.yellow(`    ${summary.bySeverity.medium} MEDIUM`));
+    if (summary.bySeverity.low > 0)
+      console.log(import_chalk.default.blue(`    ${summary.bySeverity.low} LOW`));
+    if (summary.bySeverity.info > 0)
+      console.log(import_chalk.default.gray(`    ${summary.bySeverity.info} INFO`));
+  }
+  console.log("");
+  console.log(import_chalk.default.gray(`  Scanned at ${summary.timestamp}`));
+  console.log(import_chalk.default.gray(`  Vigile v${summary.version} \u2014 https://vigile.dev`));
+  console.log("");
+}
+function printNoServersFound() {
+  console.log(import_chalk.default.yellow("  No MCP server configurations found on this machine."));
+  console.log("");
+  console.log(import_chalk.default.gray("  Vigile checks the following locations:"));
+  console.log(import_chalk.default.gray("    \u2022 Claude Desktop config"));
+  console.log(import_chalk.default.gray("    \u2022 Cursor MCP config"));
+  console.log(import_chalk.default.gray("    \u2022 Claude Code config (.claude.json / .mcp.json)"));
+  console.log(import_chalk.default.gray("    \u2022 Windsurf MCP config"));
+  console.log(import_chalk.default.gray("    \u2022 VS Code MCP config (.vscode/mcp.json)"));
+  console.log("");
+  console.log(import_chalk.default.gray("  If you have MCP servers configured elsewhere, use:"));
+  console.log(import_chalk.default.cyan("    vigile-scan --config /path/to/config.json"));
+  console.log("");
+  console.log(import_chalk.default.gray("  To also scan agent skill files, use:"));
+  console.log(import_chalk.default.cyan("    vigile-scan --all"));
+  console.log("");
+}
+function printNoSkillsFound() {
+  console.log(import_chalk.default.yellow("  No agent skill files found on this machine."));
+  console.log("");
+  console.log(import_chalk.default.gray("  Vigile scans the following skill locations:"));
+  console.log(import_chalk.default.gray("    \u2022 Claude Code skills (.claude/skills/*/SKILL.md)"));
+  console.log(import_chalk.default.gray("    \u2022 Claude Code commands (.claude/commands/**/*.md)"));
+  console.log(import_chalk.default.gray("    \u2022 GitHub Copilot skills (.github/skills/*/SKILL.md)"));
+  console.log(import_chalk.default.gray("    \u2022 Cursor rules (.cursor/rules/*.mdc, .cursorrules)"));
+  console.log(import_chalk.default.gray("    \u2022 Memory files (CLAUDE.md, SOUL.md, MEMORY.md)"));
+  console.log("");
+}
+function printNothingFound() {
+  console.log(import_chalk.default.yellow("  No MCP servers or agent skill files found."));
+  console.log("");
+  console.log(import_chalk.default.gray("  Try scanning a specific config:"));
+  console.log(import_chalk.default.cyan("    vigile-scan --config /path/to/config.json"));
+  console.log("");
+  console.log(import_chalk.default.gray("  Or cd into a project directory that contains skill files:"));
+  console.log(import_chalk.default.cyan("    cd /path/to/project && vigile-scan --all"));
+  console.log("");
+}
+function scoreBar(score) {
+  const filled = Math.round(score / 10);
+  const empty = 10 - filled;
+  const color = score >= 80 ? import_chalk.default.green : score >= 60 ? import_chalk.default.yellow : score >= 40 ? import_chalk.default.hex("#FF8C00") : import_chalk.default.red;
+  return color("\u2588".repeat(filled)) + import_chalk.default.gray("\u2591".repeat(empty));
+}
+
+// src/output/json.ts
+function formatJSON(summary) {
+  return JSON.stringify(summary, null, 2);
+}
+
+// src/index.ts
+var VERSION = "0.1.0";
+var program = new import_commander.Command();
+program.name("vigile-scan").description(
+  "Security scanner for AI agent tools \u2014 detect tool poisoning, permission abuse, and supply chain attacks in MCP servers and agent skills"
+).version(VERSION);
+function addScanOptions(cmd) {
+  return cmd.option("-j, --json", "Output results as JSON").option("-v, --verbose", "Show detailed findings and score breakdown").option("-c, --config <path>", "Path to a custom MCP config file").option("-o, --output <path>", "Write results to a file").option(
+    "--client <client>",
+    "Only scan a specific client (claude-desktop, cursor, claude-code, windsurf, vscode)"
+  ).option("-s, --skills", "Scan agent skills only (SKILL.md, .mdc rules, CLAUDE.md, etc.)").option("-a, --all", "Scan both MCP servers and agent skills");
+}
+addScanOptions(
+  program.command("scan").description("Scan MCP server configurations and agent skill files on this machine")
+).action(async (options) => {
+  await runScan(options);
+});
+addScanOptions(program).action(async (options) => {
+  if (!process.argv.slice(2).includes("scan")) {
+    await runScan(options);
+  }
+});
+async function runScan(options) {
+  const isJSON = options.json;
+  const scanMCP = !options.skills;
+  const scanSkills = options.skills || options.all;
+  if (!isJSON) {
+    printBanner();
+  }
+  const results = [];
+  const skillResults = [];
+  if (scanMCP) {
+    const spinner = isJSON ? null : (0, import_ora.default)("Discovering MCP configurations...").start();
+    const discovery = await discoverAllServers(options.client);
+    if (discovery.servers.length === 0) {
+      spinner?.succeed("No MCP server configurations found");
+    } else {
+      spinner?.succeed(
+        `Found ${discovery.servers.length} MCP server(s) across ${discovery.configsFound} config file(s)`
+      );
+      const scanSpinner = isJSON ? null : (0, import_ora.default)("Scanning MCP servers...").start();
+      for (const server of discovery.servers) {
+        const result = await scanServer(server);
+        results.push(result);
+      }
+      scanSpinner?.succeed(`Scanned ${results.length} MCP server(s)`);
+    }
+  }
+  if (scanSkills) {
+    const spinner = isJSON ? null : (0, import_ora.default)("Discovering agent skill files...").start();
+    const skillDiscovery = await discoverAllSkills();
+    if (skillDiscovery.skills.length === 0) {
+      spinner?.succeed("No agent skill files found");
+    } else {
+      spinner?.succeed(
+        `Found ${skillDiscovery.skills.length} skill file(s) across ${skillDiscovery.locationsFound} location(s)`
+      );
+      const scanSpinner = isJSON ? null : (0, import_ora.default)("Scanning agent skills...").start();
+      for (const skill of skillDiscovery.skills) {
+        const result = await scanSkill(skill);
+        skillResults.push(result);
+      }
+      scanSpinner?.succeed(`Scanned ${skillResults.length} skill file(s)`);
+    }
+  }
+  if (results.length === 0 && skillResults.length === 0) {
+    if (!isJSON) {
+      if (scanMCP && !scanSkills) {
+        printNoServersFound();
+      } else if (scanSkills && !scanMCP) {
+        printNoSkillsFound();
+      } else {
+        printNothingFound();
+      }
+    } else {
+      console.log(JSON.stringify({ servers: [], skills: [], message: "Nothing found to scan" }));
+    }
+    return;
+  }
+  const allResults = [...results];
+  const allSkillResults = [...skillResults];
+  const allTrustLevels = [
+    ...results.map((r) => r.trustLevel),
+    ...skillResults.map((r) => r.trustLevel)
+  ];
+  const allFindings = [
+    ...results.flatMap((r) => r.findings),
+    ...skillResults.flatMap((r) => r.findings)
+  ];
+  const summary = {
+    totalServers: allResults.length,
+    totalSkills: allSkillResults.length,
+    byTrustLevel: {
+      trusted: allTrustLevels.filter((l) => l === "trusted").length,
+      caution: allTrustLevels.filter((l) => l === "caution").length,
+      risky: allTrustLevels.filter((l) => l === "risky").length,
+      dangerous: allTrustLevels.filter((l) => l === "dangerous").length
+    },
+    bySeverity: {
+      critical: allFindings.filter((f) => f.severity === "critical").length,
+      high: allFindings.filter((f) => f.severity === "high").length,
+      medium: allFindings.filter((f) => f.severity === "medium").length,
+      low: allFindings.filter((f) => f.severity === "low").length,
+      info: allFindings.filter((f) => f.severity === "info").length
+    },
+    results: allResults,
+    skillResults: allSkillResults,
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    version: VERSION
+  };
+  if (isJSON) {
+    const jsonOutput = formatJSON(summary);
+    if (options.output) {
+      await (0, import_promises3.writeFile)(options.output, jsonOutput);
+    } else {
+      console.log(jsonOutput);
+    }
+  } else {
+    console.log("");
+    if (results.length > 0) {
+      for (const result of results) {
+        printServerResult(result, options.verbose ?? false);
+      }
+    }
+    if (skillResults.length > 0) {
+      for (const result of skillResults) {
+        printSkillResult(result, options.verbose ?? false);
+      }
+    }
+    printSummary(summary);
+    if (options.output) {
+      await (0, import_promises3.writeFile)(options.output, formatJSON(summary));
+      console.log(`  Results saved to ${options.output}`);
+    }
+  }
+  if (summary.bySeverity.critical > 0 || summary.bySeverity.high > 0) {
+    process.exit(1);
+  }
+}
+program.parse();
+//# sourceMappingURL=index.js.map