PyPI - plugin-scanner - Versions diffs - 2.0.119__tar.gz → 2.0.121__tar.gz - Mend

plugin-scanner 2.0.119tar.gz → 2.0.121tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (375) hide show

{plugin_scanner-2.0.119 → plugin_scanner-2.0.121}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plugin-scanner
-Version: 2.0.119
+Version: 2.0.121
 Summary: Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows.
 Project-URL: Homepage, https://github.com/hashgraph-online/ai-plugin-scanner
 Project-URL: Repository, https://github.com/hashgraph-online/ai-plugin-scanner

{plugin_scanner-2.0.119 → plugin_scanner-2.0.121}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "plugin-scanner"
-version = "2.0.119"
+version = "2.0.121"
 description = "Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.119 → plugin_scanner-2.0.121}/pyproject.toml.bak RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "hol-guard"
-version = "2.0.119"
+version = "2.0.121"
 description = "Protect local AI harnesses with HOL Guard and run scanner checks for Codex, Claude, Cursor, Gemini, and OpenCode."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.119 → plugin_scanner-2.0.121}/src/codex_plugin_scanner/guard/cli/install_commands.py RENAMED Viewed

@@ -2,9 +2,12 @@
 from __future__ import annotations
+from pathlib import Path
 from ..adapters import get_adapter
 from ..adapters.base import HarnessContext
 from ..consumer import detect_all
+from ..runtime.skill_protection import build_skill_identity, detect_skill_content_risk
 from ..store import GuardStore
@@ -34,9 +37,60 @@ def apply_managed_install(
     }
     if len(managed_installs) == 1:
         payload["managed_install"] = managed_installs[0]
+    if active and context.workspace_dir is not None:
+        skill_scan = scan_workspace_skills(context.workspace_dir, store, now)
+        if skill_scan:
+            payload["skill_scan"] = skill_scan
     return payload
+def scan_workspace_skills(
+    workspace_dir: Path,
+    store: GuardStore,
+    now: str,
+) -> list[dict[str, object]]:
+    """Scan SKILL.md files in workspace and return risk summaries for any findings."""
+    results: list[dict[str, object]] = []
+    skills_dirs = [
+        workspace_dir / ".codex" / "skills",
+        workspace_dir / ".agents" / "skills",
+        workspace_dir / "skills",
+    ]
+    for skills_dir in skills_dirs:
+        if not skills_dir.is_dir():
+            continue
+        for skill_path in sorted(skills_dir.rglob("SKILL.md")):
+            try:
+                content = skill_path.read_text(encoding="utf-8", errors="replace")
+            except OSError:
+                continue
+            identity = build_skill_identity(content, skill_path=str(skill_path))
+            artifact_id = f"skill-path:{skill_path}"
+            stored = store.get_snapshot("skill_scan", artifact_id)
+            stored_hash = stored.get("identity_hash") if stored else None
+            if stored_hash == identity.identity_hash:
+                continue
+            signals = detect_skill_content_risk(content, skill_path=str(skill_path))
+            store.save_snapshot(
+                "skill_scan",
+                artifact_id,
+                {"identity_hash": identity.identity_hash, "skill_path": str(skill_path)},
+                identity.identity_hash,
+                now,
+            )
+            if signals:
+                results.append(
+                    {
+                        "skill_path": str(skill_path.relative_to(workspace_dir)),
+                        "identity_hash": identity.identity_hash,
+                        "risk_count": len(signals),
+                        "severities": sorted({s.severity for s in signals}),
+                        "signal_ids": [s.signal_id for s in signals],
+                    }
+                )
+    return results
 def _resolve_targets(
     command: str,
     requested_harness: str | None,
@@ -74,4 +128,4 @@ def _resolve_targets(
     )
-__all__ = ["apply_managed_install"]
+__all__ = ["apply_managed_install", "scan_workspace_skills"]

{plugin_scanner-2.0.119 → plugin_scanner-2.0.121}/src/codex_plugin_scanner/guard/cli/render.py RENAMED Viewed

@@ -573,25 +573,77 @@ def _render_approvals(console: Console, payload: dict[str, object]) -> None:
 def _render_managed_install(console: Console, payload: dict[str, object]) -> None:
+    skill_scan = _coerce_dict_list(payload.get("skill_scan"))
+    supply_chain_risks = _coerce_dict_list(payload.get("supply_chain_risks"))
     managed_install = payload.get("managed_install")
     if isinstance(managed_install, dict):
         _render_single_managed_install(console, managed_install)
-        return
-    managed_installs = _coerce_dict_list(payload.get("managed_installs"))
-    if not managed_installs:
-        _render_fallback(console, payload)
-        return
+    else:
+        managed_installs = _coerce_dict_list(payload.get("managed_installs"))
+        if not managed_installs:
+            if not skill_scan and not supply_chain_risks:
+                _render_fallback(console, payload)
+                return
+        else:
+            console.print(
+                Panel(
+                    _managed_install_batch_summary(payload, managed_installs),
+                    title="Guard managed harnesses",
+                    border_style="cyan",
+                )
+            )
+            console.print(_managed_install_batch_table(managed_installs))
+            notes = _managed_install_batch_notes(managed_installs)
+            if notes:
+                console.print(_notes_panel(notes))
+    if skill_scan:
+        _render_skill_scan_results(console, skill_scan)
+    if supply_chain_risks:
+        _render_supply_chain_risk_results(console, supply_chain_risks)
+def _render_supply_chain_risk_results(console: Console, supply_chain_risks: list[dict[str, object]]) -> None:
+    table = Table(box=box.SIMPLE_HEAVY, show_header=True, expand=True)
+    table.add_column("Signal", overflow="fold")
+    table.add_column("Severity", no_wrap=True)
+    table.add_column("Confidence", no_wrap=True)
+    table.add_column("Explanation", overflow="fold")
+    for entry in supply_chain_risks:
+        severity = str(entry.get("severity", "medium"))
+        severity_color = {"critical": "red", "high": "yellow", "medium": "cyan", "low": "dim"}.get(severity, "white")
+        table.add_row(
+            str(entry.get("signal_id", "?")),
+            f"[{severity_color}]{severity}[/{severity_color}]",
+            str(entry.get("confidence", "?")),
+            str(entry.get("plain_reason", "")),
+        )
     console.print(
         Panel(
-            _managed_install_batch_summary(payload, managed_installs),
-            title="Guard managed harnesses",
-            border_style="cyan",
+            table,
+            title=f"[bold yellow]Supply chain risks — {len(supply_chain_risks)} signal(s)[/bold yellow]",
+            border_style="yellow",
+        )
+    )
+def _render_skill_scan_results(console: Console, skill_scan: list[dict[str, object]]) -> None:
+    table = Table(box=box.SIMPLE_HEAVY, show_header=True, expand=True)
+    table.add_column("Skill file", overflow="fold")
+    table.add_column("Risks", justify="right", no_wrap=True)
+    table.add_column("Severities", no_wrap=True)
+    table.add_column("Signals", overflow="fold")
+    for entry in skill_scan:
+        severity_text = ", ".join(_coerce_string_list(entry.get("severities")))
+        signal_text = " ".join(_coerce_string_list(entry.get("signal_ids")))
+        risk_count = str(entry.get("risk_count", 0))
+        table.add_row(str(entry.get("skill_path", "?")), risk_count, severity_text, signal_text)
+    console.print(
+        Panel(
+            table,
+            title=f"[bold red]Skill security scan — {len(skill_scan)} file(s) with risks[/bold red]",
+            border_style="red",
         )
     )
-    console.print(_managed_install_batch_table(managed_installs))
-    notes = _managed_install_batch_notes(managed_installs)
-    if notes:
-        console.print(_notes_panel(notes))
 def _render_single_managed_install(console: Console, managed_install: dict[str, object]) -> None:

{plugin_scanner-2.0.119 → plugin_scanner-2.0.121}/src/codex_plugin_scanner/guard/mcp_tool_calls.py RENAMED Viewed

@@ -4,6 +4,7 @@ from __future__ import annotations
 import json
 import re
+from collections.abc import Mapping
 from dataclasses import dataclass
 from hashlib import sha256
 from pathlib import PurePath
@@ -65,6 +66,10 @@ def build_tool_call_artifact(
         description=tool_description,
     )
     metadata["mcp_tool_identity"] = mcp_tool_identity_metadata(tool_identity)
+    if tool_schema is not None:
+        metadata["tool_schema"] = tool_schema
+    if isinstance(tool_description, str) and tool_description.strip():
+        metadata["tool_description"] = tool_description.strip()
     return GuardArtifact(
         artifact_id=f"{harness}:runtime:{source_scope}:{server_name}:{tool_name}",
         name=f"{server_name}:{tool_name}",
@@ -90,7 +95,7 @@ def build_tool_call_hash(artifact: GuardArtifact, arguments: object) -> str:
         },
         sort_keys=True,
     )
-    return sha256(payload.encode("utf-8")).hexdigest()
+    return sha256(payload.encode()).hexdigest()
 def evaluate_tool_call(
@@ -149,11 +154,13 @@ def evaluate_tool_call(
 def tool_call_risk_signals(artifact: GuardArtifact, arguments: object) -> tuple[str, ...]:
     signals_by_category = {
+        "filesystem_access": "call shape implies filesystem path access",
         "destructive_mutation": "tool name implies destructive file or system changes",
         "command_execution": "tool name implies shell or command execution",
         "outbound_network": "call arguments imply outbound network activity",
         "secret_access": "call arguments mention sensitive local files or secrets",
         "privileged_system_mutation": "call arguments imply privileged system mutation",
+        "tool_schema_mismatch": "tool name understates dangerous schema capabilities",
     }
     return tuple(signals_by_category[category] for category in tool_call_risk_categories(artifact, arguments))
@@ -163,11 +170,13 @@ def tool_call_risk_categories(artifact: GuardArtifact, arguments: object) -> tup
     categories = _tool_call_risk_category_set(artifact, arguments)
     order = (
+        "filesystem_access",
         "command_execution",
         "destructive_mutation",
         "outbound_network",
         "privileged_system_mutation",
         "secret_access",
+        "tool_schema_mismatch",
     )
     return tuple(category for category in order if category in categories)
@@ -178,6 +187,9 @@ def _tool_call_risk_category_set(artifact: GuardArtifact, arguments: object) ->
     combined = _risk_match_text(f"{artifact.name} {serialized_arguments}")
     tool_name_tokens = set(_tool_name_tokens(tool_name))
     categories: set[str] = set()
+    argument_categories = _argument_key_risk_categories(arguments)
+    schema_categories = _schema_risk_categories(artifact.metadata.get("tool_schema"))
+    description_categories = _description_risk_categories(artifact.metadata.get("tool_description"))
     if len(tool_name_tokens.intersection({"delete", "remove", "rm", "destroy", "erase"})) > 0:
         categories.add("destructive_mutation")
@@ -206,6 +218,11 @@ def _tool_call_risk_category_set(artifact: GuardArtifact, arguments: object) ->
         (_token_pattern("sudo", "chmod", "chown", "launchctl", "systemctl"),),
     ):
         categories.add("privileged_system_mutation")
+    categories.update(argument_categories)
+    categories.update(schema_categories)
+    categories.update(description_categories)
+    if _tool_schema_understates_name(tool_name_tokens, schema_categories):
+        categories.add("tool_schema_mismatch")
     return categories
@@ -227,6 +244,289 @@ def _token_pattern(*tokens: str) -> str:
     return rf"(?<![a-z0-9])({alternatives})(?![a-z0-9])"
+def _argument_key_risk_categories(arguments: object) -> set[str]:
+    if not isinstance(arguments, Mapping):
+        return set()
+    categories: set[str] = set()
+    keys = _argument_key_names(arguments)
+    if keys.intersection(
+        {
+            "file",
+            "filepath",
+            "filepaths",
+            "files",
+            "path",
+            "paths",
+            "source",
+            "sourcepath",
+            "sourcepaths",
+            "sources",
+            "target",
+            "targetpath",
+            "targetpaths",
+            "targets",
+        }
+    ):
+        categories.add("filesystem_access")
+    if keys.intersection({"command", "cmd", "script", "shell"}):
+        categories.add("command_execution")
+    if keys.intersection({"callback", "endpoint", "uri", "url", "urls", "webhook"}):
+        categories.add("outbound_network")
+    return categories
+def _argument_key_names(value: object) -> set[str]:
+    names: set[str] = set()
+    pending: list[object] = [value]
+    visited_ids: set[int] = set()
+    while pending:
+        current = pending.pop()
+        if isinstance(current, Mapping):
+            current_id = id(current)
+            if current_id in visited_ids:
+                continue
+            visited_ids.add(current_id)
+            for key, item in current.items():
+                names.add(_normalized_argument_key(str(key)))
+                pending.append(item)
+        elif isinstance(current, list | tuple):
+            current_id = id(current)
+            if current_id in visited_ids:
+                continue
+            visited_ids.add(current_id)
+            pending.extend(current)
+    return names
+def _schema_risk_categories(schema: object) -> set[str]:
+    keys = _schema_property_key_names(schema)
+    categories: set[str] = set()
+    if keys.intersection(
+        {
+            "file",
+            "filepath",
+            "filepaths",
+            "files",
+            "path",
+            "paths",
+            "source",
+            "sourcepath",
+            "sourcepaths",
+            "sources",
+            "target",
+            "targetpath",
+            "targetpaths",
+            "targets",
+        }
+    ):
+        categories.add("filesystem_access")
+    if keys.intersection({"command", "cmd", "script", "shell"}):
+        categories.add("command_execution")
+    if keys.intersection({"callback", "endpoint", "uri", "url", "urls", "webhook"}):
+        categories.add("outbound_network")
+    return categories
+def _schema_property_key_names(
+    value: object,
+    *,
+    _root_schema: Mapping[str, object] | None = None,
+    _visited_refs: set[str] | None = None,
+    _visited_ids: set[int] | None = None,
+) -> set[str]:
+    names: set[str] = set()
+    if isinstance(value, Mapping):
+        root_schema = value if _root_schema is None else _root_schema
+        visited_refs = set() if _visited_refs is None else _visited_refs
+        visited_ids = set() if _visited_ids is None else _visited_ids
+        val_id = id(value)
+        if val_id in visited_ids:
+            return names
+        visited_ids.add(val_id)
+        ref_value = value.get("$ref")
+        if isinstance(ref_value, str) and ref_value not in visited_refs:
+            visited_refs.add(ref_value)
+            resolved = _resolve_local_schema_ref(root_schema, ref_value)
+            if resolved is not None:
+                names.update(
+                    _schema_property_key_names(
+                        resolved,
+                        _root_schema=root_schema,
+                        _visited_refs=visited_refs,
+                        _visited_ids=visited_ids,
+                    )
+                )
+        properties = value.get("properties")
+        if isinstance(properties, Mapping):
+            for key, item in properties.items():
+                names.add(_normalized_argument_key(str(key)))
+                names.update(
+                    _schema_property_key_names(
+                        item,
+                        _root_schema=root_schema,
+                        _visited_refs=visited_refs,
+                        _visited_ids=visited_ids,
+                    )
+                )
+        for collection_key in (
+            "additionalProperties",
+            "allOf",
+            "anyOf",
+            "contains",
+            "else",
+            "if",
+            "items",
+            "oneOf",
+            "prefixItems",
+            "propertyNames",
+            "then",
+            "unevaluatedItems",
+            "unevaluatedProperties",
+        ):
+            child = value.get(collection_key)
+            names.update(
+                _schema_property_key_names(
+                    child,
+                    _root_schema=root_schema,
+                    _visited_refs=visited_refs,
+                    _visited_ids=visited_ids,
+                )
+            )
+        dependent_schemas = value.get("dependentSchemas")
+        if isinstance(dependent_schemas, Mapping):
+            for child in dependent_schemas.values():
+                names.update(
+                    _schema_property_key_names(
+                        child,
+                        _root_schema=root_schema,
+                        _visited_refs=visited_refs,
+                        _visited_ids=visited_ids,
+                    )
+                )
+        pattern_properties = value.get("patternProperties")
+        if isinstance(pattern_properties, Mapping):
+            for child in pattern_properties.values():
+                names.update(
+                    _schema_property_key_names(
+                        child,
+                        _root_schema=root_schema,
+                        _visited_refs=visited_refs,
+                        _visited_ids=visited_ids,
+                    )
+                )
+        return names
+    if isinstance(value, list | tuple):
+        root_schema = _root_schema
+        visited_refs = set() if _visited_refs is None else _visited_refs
+        visited_ids = set() if _visited_ids is None else _visited_ids
+        for item in value:
+            names.update(
+                _schema_property_key_names(
+                    item,
+                    _root_schema=root_schema,
+                    _visited_refs=visited_refs,
+                    _visited_ids=visited_ids,
+                )
+            )
+    return names
+def _resolve_local_schema_ref(root_schema: Mapping[str, object], reference: str) -> object | None:
+    if reference.startswith("#/"):
+        current: object = root_schema
+        for part in reference[2:].split("/"):
+            token = part.replace("~1", "/").replace("~0", "~")
+            if isinstance(current, Mapping):
+                if token not in current:
+                    return None
+                current = current[token]
+            elif isinstance(current, list | tuple):
+                if not token.isdigit():
+                    return None
+                index = int(token)
+                if index >= len(current):
+                    return None
+                current = current[index]
+            else:
+                return None
+        return current
+    if not reference.startswith("#"):
+        return None
+    anchor_name = reference[1:]
+    if not anchor_name:
+        return root_schema
+    return _resolve_local_schema_anchor(root_schema, anchor_name)
+def _resolve_local_schema_anchor(root_schema: object, anchor_name: str) -> object | None:
+    pending: list[object] = [root_schema]
+    visited_ids: set[int] = set()
+    while pending:
+        current = pending.pop()
+        current_id = id(current)
+        if current_id in visited_ids:
+            continue
+        visited_ids.add(current_id)
+        if not isinstance(current, Mapping):
+            if isinstance(current, list | tuple):
+                pending.extend(item for item in current if isinstance(item, (Mapping, list, tuple)))
+            continue
+        anchor = current.get("$anchor")
+        dynamic_anchor = current.get("$dynamicAnchor")
+        if anchor == anchor_name or dynamic_anchor == anchor_name:
+            return current
+        pending.extend(item for item in current.values() if isinstance(item, (Mapping, list, tuple)))
+    return None
+def _description_risk_categories(description: object) -> set[str]:
+    if not isinstance(description, str):
+        return set()
+    normalized = _risk_match_text(description)
+    categories: set[str] = set()
+    if _matches_any(normalized, (r"\bread files?\b", r"\bopen files?\b", r"\bview files?\b")):
+        categories.add("filesystem_access")
+    if _matches_any(normalized, (_token_pattern("delete", "remove", "write"),)):
+        categories.add("destructive_mutation")
+    if _matches_any(normalized, (r"\brun command", _token_pattern("execute", "shell"))):
+        categories.add("command_execution")
+    return categories
+def _tool_schema_understates_name(tool_name_tokens: set[str], schema_categories: set[str]) -> bool:
+    dangerous_categories = {"command_execution", "destructive_mutation", "outbound_network"}
+    if len(schema_categories.intersection(dangerous_categories)) == 0:
+        return False
+    name_sounds_dangerous = (
+        len(
+            tool_name_tokens.intersection(
+                {
+                    "bash",
+                    "cmd",
+                    "command",
+                    "delete",
+                    "destroy",
+                    "exec",
+                    "execute",
+                    "patch",
+                    "remove",
+                    "rm",
+                    "run",
+                    "script",
+                    "shell",
+                    "write",
+                }
+            )
+        )
+        > 0
+    )
+    return not name_sounds_dangerous
+def _normalized_argument_key(value: str) -> str:
+    return re.sub(r"[^a-z0-9]", "", _risk_match_text(value))
 def tool_call_risk_summary(artifact: GuardArtifact, arguments: object) -> str:
     signals = tool_call_risk_signals(artifact, arguments)
     if len(signals) == 0:

{plugin_scanner-2.0.119 → plugin_scanner-2.0.121}/src/codex_plugin_scanner/guard/runtime/actions.py RENAMED Viewed

@@ -134,6 +134,7 @@ class GuardActionEnvelope:
     tool_name: str | None
     command: str | None
     prompt_excerpt: str | None
+    prompt_text: str | None
     target_paths: tuple[str, ...]
     network_hosts: tuple[str, ...]
     mcp_server: str | None
@@ -190,6 +191,7 @@ class GuardActionEnvelope:
             tool_name=_string_value(payload.get("tool_name")),
             command=_string_value(payload.get("command")),
             prompt_excerpt=_string_value(payload.get("prompt_excerpt")),
+            prompt_text=_string_value(payload.get("prompt_text")),
             target_paths=_string_tuple(payload.get("target_paths")),
             network_hosts=_string_tuple(payload.get("network_hosts")),
             mcp_server=_string_value(payload.get("mcp_server")),
@@ -405,6 +407,7 @@ def _normalize_action_payload(
         tool_name=tool_name,
         command=command,
         prompt_excerpt=prompt_excerpt,
+        prompt_text=prompt_text,
         target_paths=target_paths,
         network_hosts=network_hosts,
         mcp_server=mcp_server,

{plugin_scanner-2.0.119 → plugin_scanner-2.0.121}/src/codex_plugin_scanner/guard/runtime/detectors.py RENAMED Viewed

@@ -21,6 +21,8 @@ from codex_plugin_scanner.guard.runtime.signals import (
     confidence_label_from_score,
     severity_label_from_score,
 )
+from codex_plugin_scanner.guard.runtime.skill_protection import detect_skill_content_risk, has_skill_structure
+from codex_plugin_scanner.guard.runtime.supply_chain import detect_supply_chain_risk
 from codex_plugin_scanner.guard.types import PromptRequest
 DETECTOR_CATEGORY_TAGS: tuple[RiskSignalCategory, ...] = (
@@ -168,8 +170,52 @@ class PromptInjectionDetector:
         return tuple(_prompt_request_signal(request) for request in requests)
+class SkillRiskDetector:
+    detector_id = "skill.content"
+    categories: tuple[RiskSignalCategory, ...] = (
+        "skill",
+        "secret",
+        "network",
+        "execution",
+        "persistence",
+        "bypass",
+        "encoded",
+    )
+    def detect(self, action: GuardActionEnvelope, context: DetectorContext) -> tuple[RiskSignalV2, ...]:
+        del context
+        if action.action_type != "prompt" or action.prompt_text is None:
+            return ()
+        if not has_skill_structure(action.prompt_text):
+            return ()
+        return detect_skill_content_risk(action.prompt_text)
+class SupplyChainDetector:
+    detector_id = "supply-chain.content"
+    categories: tuple[RiskSignalCategory, ...] = (
+        "supply_chain",
+        "persistence",
+        "secret",
+        "execution",
+        "network",
+    )
+    def detect(self, action: GuardActionEnvelope, context: DetectorContext) -> tuple[RiskSignalV2, ...]:
+        del context
+        if action.prompt_text is None:
+            return ()
+        return detect_supply_chain_risk(action.prompt_text)
 def register_default_detectors() -> tuple[GuardDetector, ...]:
-    return (DataFlowExfiltrationDetector(), PromptInjectionDetector(), SecretPathDetector())
+    return (
+        DataFlowExfiltrationDetector(),
+        PromptInjectionDetector(),
+        SecretPathDetector(),
+        SkillRiskDetector(),
+        SupplyChainDetector(),
+    )
 def _prompt_request_signal(request: PromptRequest) -> RiskSignalV2:

{plugin_scanner-2.0.119 → plugin_scanner-2.0.121}/src/codex_plugin_scanner/guard/runtime/runner.py RENAMED Viewed

@@ -316,6 +316,7 @@ def _guard_run_action_envelope(
         tool_name=None,
         command=None,
         prompt_excerpt=None,
+        prompt_text=None,
         target_paths=(),
         network_hosts=(),
         mcp_server=None,

plugin-scanner 2.0.119__tar.gz → 2.0.121__tar.gz

plugin-scanner 2.0.119tar.gz → 2.0.121tar.gz