plugin-scanner 2.0.120__tar.gz → 2.0.122__tar.gz

{plugin_scanner-2.0.120 → plugin_scanner-2.0.122}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plugin-scanner
-Version: 2.0.120
+Version: 2.0.122
 Summary: Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows.
 Project-URL: Homepage, https://github.com/hashgraph-online/ai-plugin-scanner
 Project-URL: Repository, https://github.com/hashgraph-online/ai-plugin-scanner

{plugin_scanner-2.0.120 → plugin_scanner-2.0.122}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "plugin-scanner"
-version = "2.0.120"
+version = "2.0.122"
 description = "Lint, verify, and gate plugin ecosystems for maintainers, CI, and publish workflows."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.120 → plugin_scanner-2.0.122}/pyproject.toml.bak

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "hol-guard"
-version = "2.0.120"
+version = "2.0.122"
 description = "Protect local AI harnesses with HOL Guard and run scanner checks for Codex, Claude, Cursor, Gemini, and OpenCode."
 readme = "README.md"
 license = "Apache-2.0"

{plugin_scanner-2.0.120 → plugin_scanner-2.0.122}/src/codex_plugin_scanner/guard/cli/install_commands.py

@@ -2,9 +2,12 @@
 
 from __future__ import annotations
 
+from pathlib import Path
+
 from ..adapters import get_adapter
 from ..adapters.base import HarnessContext
 from ..consumer import detect_all
+from ..runtime.skill_protection import build_skill_identity, detect_skill_content_risk
 from ..store import GuardStore
 
 
@@ -34,9 +37,60 @@ def apply_managed_install(
     }
     if len(managed_installs) == 1:
         payload["managed_install"] = managed_installs[0]
+    if active and context.workspace_dir is not None:
+        skill_scan = scan_workspace_skills(context.workspace_dir, store, now)
+        if skill_scan:
+            payload["skill_scan"] = skill_scan
     return payload
 
 
+def scan_workspace_skills(
+    workspace_dir: Path,
+    store: GuardStore,
+    now: str,
+) -> list[dict[str, object]]:
+    """Scan SKILL.md files in workspace and return risk summaries for any findings."""
+    results: list[dict[str, object]] = []
+    skills_dirs = [
+        workspace_dir / ".codex" / "skills",
+        workspace_dir / ".agents" / "skills",
+        workspace_dir / "skills",
+    ]
+    for skills_dir in skills_dirs:
+        if not skills_dir.is_dir():
+            continue
+        for skill_path in sorted(skills_dir.rglob("SKILL.md")):
+            try:
+                content = skill_path.read_text(encoding="utf-8", errors="replace")
+            except OSError:
+                continue
+            identity = build_skill_identity(content, skill_path=str(skill_path))
+            artifact_id = f"skill-path:{skill_path}"
+            stored = store.get_snapshot("skill_scan", artifact_id)
+            stored_hash = stored.get("identity_hash") if stored else None
+            if stored_hash == identity.identity_hash:
+                continue
+            signals = detect_skill_content_risk(content, skill_path=str(skill_path))
+            store.save_snapshot(
+                "skill_scan",
+                artifact_id,
+                {"identity_hash": identity.identity_hash, "skill_path": str(skill_path)},
+                identity.identity_hash,
+                now,
+            )
+            if signals:
+                results.append(
+                    {
+                        "skill_path": str(skill_path.relative_to(workspace_dir)),
+                        "identity_hash": identity.identity_hash,
+                        "risk_count": len(signals),
+                        "severities": sorted({s.severity for s in signals}),
+                        "signal_ids": [s.signal_id for s in signals],
+                    }
+                )
+    return results
+
+
 def _resolve_targets(
     command: str,
     requested_harness: str | None,
@@ -74,4 +128,4 @@ def _resolve_targets(
     )
 
 
-__all__ = ["apply_managed_install"]
+__all__ = ["apply_managed_install", "scan_workspace_skills"]

{plugin_scanner-2.0.120 → plugin_scanner-2.0.122}/src/codex_plugin_scanner/guard/cli/render.py

@@ -573,25 +573,105 @@ def _render_approvals(console: Console, payload: dict[str, object]) -> None:
 
 
 def _render_managed_install(console: Console, payload: dict[str, object]) -> None:
+    skill_scan = _coerce_dict_list(payload.get("skill_scan"))
+    supply_chain_risks = _coerce_dict_list(payload.get("supply_chain_risks"))
+    safe_decode_risks = _coerce_dict_list(payload.get("safe_decode_risks"))
     managed_install = payload.get("managed_install")
     if isinstance(managed_install, dict):
         _render_single_managed_install(console, managed_install)
-        return
-    managed_installs = _coerce_dict_list(payload.get("managed_installs"))
-    if not managed_installs:
-        _render_fallback(console, payload)
-        return
+    else:
+        managed_installs = _coerce_dict_list(payload.get("managed_installs"))
+        if not managed_installs:
+            if not skill_scan and not supply_chain_risks and not safe_decode_risks:
+                _render_fallback(console, payload)
+                return
+        else:
+            console.print(
+                Panel(
+                    _managed_install_batch_summary(payload, managed_installs),
+                    title="Guard managed harnesses",
+                    border_style="cyan",
+                )
+            )
+            console.print(_managed_install_batch_table(managed_installs))
+            notes = _managed_install_batch_notes(managed_installs)
+            if notes:
+                console.print(_notes_panel(notes))
+    if skill_scan:
+        _render_skill_scan_results(console, skill_scan)
+    if supply_chain_risks:
+        _render_supply_chain_risk_results(console, supply_chain_risks)
+    if safe_decode_risks:
+        _render_safe_decode_results(console, safe_decode_risks)
+
+
+def _render_supply_chain_risk_results(console: Console, supply_chain_risks: list[dict[str, object]]) -> None:
+    table = Table(box=box.SIMPLE_HEAVY, show_header=True, expand=True)
+    table.add_column("Signal", overflow="fold")
+    table.add_column("Severity", no_wrap=True)
+    table.add_column("Confidence", no_wrap=True)
+    table.add_column("Explanation", overflow="fold")
+    for entry in supply_chain_risks:
+        severity = str(entry.get("severity", "medium"))
+        severity_color = {"critical": "red", "high": "yellow", "medium": "cyan", "low": "dim"}.get(severity, "white")
+        table.add_row(
+            str(entry.get("signal_id", "?")),
+            f"[{severity_color}]{severity}[/{severity_color}]",
+            str(entry.get("confidence", "?")),
+            str(entry.get("plain_reason", "")),
+        )
     console.print(
         Panel(
-            _managed_install_batch_summary(payload, managed_installs),
-            title="Guard managed harnesses",
-            border_style="cyan",
+            table,
+            title=f"[bold yellow]Supply chain risks — {len(supply_chain_risks)} signal(s)[/bold yellow]",
+            border_style="yellow",
+        )
+    )
+
+
+def _render_safe_decode_results(console: Console, safe_decode_risks: list[dict[str, object]]) -> None:
+    table = Table(box=box.SIMPLE_HEAVY, show_header=True, expand=True)
+    table.add_column("Signal", overflow="fold")
+    table.add_column("Layers", no_wrap=True)
+    table.add_column("Severity", no_wrap=True)
+    table.add_column("Explanation", overflow="fold")
+    for entry in safe_decode_risks:
+        severity = str(entry.get("severity", "medium"))
+        severity_color = {"critical": "red", "high": "yellow", "medium": "cyan", "low": "dim"}.get(severity, "white")
+        layers = entry.get("technical_detail") or ""
+        table.add_row(
+            str(entry.get("signal_id", "?")),
+            layers[:60] if layers else "-",
+            f"[{severity_color}]{severity}[/{severity_color}]",
+            str(entry.get("plain_reason", "")),
+        )
+    console.print(
+        Panel(
+            table,
+            title=f"[bold magenta]Encoded payload risks — {len(safe_decode_risks)} signal(s)[/bold magenta]",
+            border_style="magenta",
+        )
+    )
+
+
+def _render_skill_scan_results(console: Console, skill_scan: list[dict[str, object]]) -> None:
+    table = Table(box=box.SIMPLE_HEAVY, show_header=True, expand=True)
+    table.add_column("Skill file", overflow="fold")
+    table.add_column("Risks", justify="right", no_wrap=True)
+    table.add_column("Severities", no_wrap=True)
+    table.add_column("Signals", overflow="fold")
+    for entry in skill_scan:
+        severity_text = ", ".join(_coerce_string_list(entry.get("severities")))
+        signal_text = " ".join(_coerce_string_list(entry.get("signal_ids")))
+        risk_count = str(entry.get("risk_count", 0))
+        table.add_row(str(entry.get("skill_path", "?")), risk_count, severity_text, signal_text)
+    console.print(
+        Panel(
+            table,
+            title=f"[bold red]Skill security scan — {len(skill_scan)} file(s) with risks[/bold red]",
+            border_style="red",
         )
     )
-    console.print(_managed_install_batch_table(managed_installs))
-    notes = _managed_install_batch_notes(managed_installs)
-    if notes:
-        console.print(_notes_panel(notes))
 
 
 def _render_single_managed_install(console: Console, managed_install: dict[str, object]) -> None:

{plugin_scanner-2.0.120 → plugin_scanner-2.0.122}/src/codex_plugin_scanner/guard/runtime/actions.py

@@ -134,6 +134,7 @@ class GuardActionEnvelope:
     tool_name: str | None
     command: str | None
     prompt_excerpt: str | None
+    prompt_text: str | None
     target_paths: tuple[str, ...]
     network_hosts: tuple[str, ...]
     mcp_server: str | None
@@ -190,6 +191,7 @@ class GuardActionEnvelope:
             tool_name=_string_value(payload.get("tool_name")),
             command=_string_value(payload.get("command")),
             prompt_excerpt=_string_value(payload.get("prompt_excerpt")),
+            prompt_text=_string_value(payload.get("prompt_text")),
             target_paths=_string_tuple(payload.get("target_paths")),
             network_hosts=_string_tuple(payload.get("network_hosts")),
             mcp_server=_string_value(payload.get("mcp_server")),
@@ -405,6 +407,7 @@ def _normalize_action_payload(
         tool_name=tool_name,
         command=command,
         prompt_excerpt=prompt_excerpt,
+        prompt_text=prompt_text,
         target_paths=target_paths,
         network_hosts=network_hosts,
         mcp_server=mcp_server,

{plugin_scanner-2.0.120 → plugin_scanner-2.0.122}/src/codex_plugin_scanner/guard/runtime/detectors.py

@@ -12,6 +12,7 @@ from codex_plugin_scanner.guard.config import GuardConfig
 from codex_plugin_scanner.guard.runtime.actions import GuardActionEnvelope
 from codex_plugin_scanner.guard.runtime.data_flow_rules import detect_data_flow_exfiltration
 from codex_plugin_scanner.guard.runtime.prompt_injection import detect_prompt_injection_requests
+from codex_plugin_scanner.guard.runtime.safe_decode import decode_layers
 from codex_plugin_scanner.guard.runtime.secret_sensitivity import SecretPathMatch, classify_secret_path
 from codex_plugin_scanner.guard.runtime.signals import (
     RiskConfidenceLabel,
@@ -21,6 +22,8 @@ from codex_plugin_scanner.guard.runtime.signals import (
     confidence_label_from_score,
     severity_label_from_score,
 )
+from codex_plugin_scanner.guard.runtime.skill_protection import detect_skill_content_risk, has_skill_structure
+from codex_plugin_scanner.guard.runtime.supply_chain import detect_supply_chain_risk
 from codex_plugin_scanner.guard.types import PromptRequest
 
 DETECTOR_CATEGORY_TAGS: tuple[RiskSignalCategory, ...] = (
@@ -168,8 +171,124 @@ class PromptInjectionDetector:
         return tuple(_prompt_request_signal(request) for request in requests)
 
 
+class SkillRiskDetector:
+    detector_id = "skill.content"
+    categories: tuple[RiskSignalCategory, ...] = (
+        "skill",
+        "secret",
+        "network",
+        "execution",
+        "persistence",
+        "bypass",
+        "encoded",
+    )
+
+    def detect(self, action: GuardActionEnvelope, context: DetectorContext) -> tuple[RiskSignalV2, ...]:
+        del context
+        if action.action_type != "prompt" or action.prompt_text is None:
+            return ()
+        if not has_skill_structure(action.prompt_text):
+            return ()
+        return detect_skill_content_risk(action.prompt_text)
+
+
+class SupplyChainDetector:
+    detector_id = "supply-chain.content"
+    categories: tuple[RiskSignalCategory, ...] = (
+        "supply_chain",
+        "persistence",
+        "secret",
+        "execution",
+        "network",
+    )
+
+    def detect(self, action: GuardActionEnvelope, context: DetectorContext) -> tuple[RiskSignalV2, ...]:
+        del context
+        if action.prompt_text is None:
+            return ()
+        return detect_supply_chain_risk(action.prompt_text)
+
+
+class SafeDecodeDetector:
+    """Detects obfuscated/encoded payloads that contain suspicious signals after decoding."""
+
+    detector_id = "safe-decode.content"
+    categories: tuple[RiskSignalCategory, ...] = (
+        "execution",
+        "network",
+        "secret",
+    )
+
+    def detect(self, action: GuardActionEnvelope, context: DetectorContext) -> tuple[RiskSignalV2, ...]:
+        del context
+        if action.prompt_text is None:
+            return ()
+        result = decode_layers(action.prompt_text)
+        if not result.layers:
+            return ()
+        signals: list[RiskSignalV2] = []
+        if result.eval_signals or result.exec_signals or result.marshal_signals:
+            detail_parts: list[str] = []
+            if result.eval_signals:
+                detail_parts.append(f"eval(): {result.eval_signals[0]!r}")
+            if result.exec_signals:
+                detail_parts.append(f"exec(): {result.exec_signals[0]!r}")
+            if result.marshal_signals:
+                detail_parts.append(f"marshal.loads(): {result.marshal_signals[0]!r}")
+            signals.append(
+                RiskSignalV2(
+                    signal_id="encoded.code-execution",
+                    category="execution",
+                    severity=severity_label_from_score(8),
+                    confidence=confidence_label_from_score(0.80),
+                    detector=self.detector_id,
+                    title="Encoded code-execution payload detected",
+                    plain_reason=(
+                        f"Decoded {len(result.layers)} encoding layer(s) and found "
+                        f"code-execution signals: {'; '.join(detail_parts[:2])}"
+                    ),
+                    technical_detail=f"Layers: {[layer.encoding for layer in result.layers]}; "
+                    f"eval={len(result.eval_signals)} exec={len(result.exec_signals)} "
+                    f"marshal={len(result.marshal_signals)}",
+                    evidence_ref=None,
+                    redaction_level="summary",
+                    false_positive_hint="Some build tools legitimately encode setup scripts.",
+                    advisory_id=None,
+                )
+            )
+        elif result.layers:
+            signals.append(
+                RiskSignalV2(
+                    signal_id="encoded.obfuscated-content",
+                    category="execution",
+                    severity=severity_label_from_score(5),
+                    confidence=confidence_label_from_score(0.60),
+                    detector=self.detector_id,
+                    title="Multi-layer encoded content detected",
+                    plain_reason=(
+                        f"Content decoded through {len(result.layers)} encoding layer(s) "
+                        f"({', '.join(layer.encoding for layer in result.layers)}). "
+                        "Obfuscated content may conceal malicious instructions."
+                    ),
+                    technical_detail=None,
+                    evidence_ref=None,
+                    redaction_level="summary",
+                    false_positive_hint="Encoded documentation or binary assets are common false positives.",
+                    advisory_id=None,
+                )
+            )
+        return tuple(signals)
+
+
 def register_default_detectors() -> tuple[GuardDetector, ...]:
-    return (DataFlowExfiltrationDetector(), PromptInjectionDetector(), SecretPathDetector())
+    return (
+        DataFlowExfiltrationDetector(),
+        PromptInjectionDetector(),
+        SafeDecodeDetector(),
+        SecretPathDetector(),
+        SkillRiskDetector(),
+        SupplyChainDetector(),
+    )
 
 
 def _prompt_request_signal(request: PromptRequest) -> RiskSignalV2:

{plugin_scanner-2.0.120 → plugin_scanner-2.0.122}/src/codex_plugin_scanner/guard/runtime/runner.py

@@ -316,6 +316,7 @@ def _guard_run_action_envelope(
         tool_name=None,
         command=None,
         prompt_excerpt=None,
+        prompt_text=None,
         target_paths=(),
         network_hosts=(),
         mcp_server=None,