{
  "canonical_name": "decoy-run/decoy-scan",
  "compilation_id": "pack_4f7fe37650e9451fa744fddaa14ab61a",
  "created_at": "2026-05-19T06:39:08.095091+00:00",
  "created_by": "project-pack-compiler",
  "feedback": {
    "carrier_selection_notes": [
      "viable_asset_types=mcp_config, recipe, host_instruction, eval, preflight",
      "recommended_asset_types=mcp_config, recipe, host_instruction, eval, preflight"
    ],
    "evidence_delta": {
      "confirmed_claims": [
        "identity_anchor_present",
        "capability_and_host_targets_present",
        "install_path_declared_or_better"
      ],
      "missing_required_fields": [],
      "must_verify_forwarded": [
        "Run or inspect `npx decoy-scan` in an isolated environment.",
        "Confirm the project exposes the claimed capability to at least one target host."
      ],
      "quickstart_execution_scope": "allowlisted_sandbox_smoke",
      "sandbox_command": "npx decoy-scan",
      "sandbox_container_image": "node:22-slim",
      "sandbox_execution_backend": "docker",
      "sandbox_planner_decision": "deterministic_isolated_install",
      "sandbox_validation_id": "sbx_bca44921f44f421fadc666299b912420"
    },
    "feedback_event_type": "project_pack_compilation_feedback",
    "learning_candidate_reasons": [],
    "template_gaps": []
  },
  "identity": {
    "canonical_id": "project_6cccd8281bc7d4751569e89a401fa601",
    "canonical_name": "decoy-run/decoy-scan",
    "homepage_url": null,
    "license": "unknown",
    "repo_url": "https://github.com/decoy-run/decoy-scan",
    "slug": "decoy-scan",
    "source_packet_id": "phit_12b62813167341809147a778a2899855",
    "source_validation_id": "dval_433a8a227aee446a86b78cc771e0d20b"
  },
  "merchandising": {
    "best_for": "需要安全审查与权限治理能力，并使用 mcp_host 的用户",
    "github_forks": 0,
    "github_stars": 1,
    "one_liner_en": "Security scanner for MCP server configurations. Like npm audit, but for your AI agent tool servers. Finds risky tools, input validation gaps, transport vulnerabilities, and over-permissioned capability chains. Open source, zero dependencies.",
    "one_liner_zh": "Security scanner for MCP server configurations. Like npm audit, but for your AI agent tool servers. Finds risky tools, input validation gaps, transport vulnerabilities, and over-permissioned capability chains. Open source, zero dependencies.",
    "primary_category": {
      "category_id": "security-permissions",
      "confidence": "high",
      "name_en": "Security & Permissions",
      "name_zh": "安全审查与权限治理",
      "reason": "matched_keywords:security, permission, risk"
    },
    "target_user": "使用 mcp_host 等宿主 AI 的用户",
    "title_en": "decoy-scan",
    "title_zh": "decoy-scan 能力包",
    "visible_tags": [
      {
        "label_en": "Security & Permissions",
        "label_zh": "安全审查与权限治理",
        "source": "repo_evidence_project_characteristics",
        "tag_id": "product_domain-security-permissions",
        "type": "product_domain"
      },
      {
        "label_en": "Web Task Automation",
        "label_zh": "网页任务自动化",
        "source": "repo_evidence_project_characteristics",
        "tag_id": "user_job-web-task-automation",
        "type": "user_job"
      },
      {
        "label_en": "Browser Automation",
        "label_zh": "浏览器自动化",
        "source": "repo_evidence_project_characteristics",
        "tag_id": "core_capability-browser-automation",
        "type": "core_capability"
      },
      {
        "label_en": "Node-based Workflow",
        "label_zh": "节点式流程编排",
        "source": "repo_evidence_project_characteristics",
        "tag_id": "workflow_pattern-node-based-workflow",
        "type": "workflow_pattern"
      },
      {
        "label_en": "Evaluation Suite",
        "label_zh": "评测体系",
        "source": "repo_evidence_project_characteristics",
        "tag_id": "selection_signal-evaluation-suite",
        "type": "selection_signal"
      }
    ]
  },
  "packet_id": "phit_12b62813167341809147a778a2899855",
  "page_model": {
    "artifacts": {
      "artifact_slug": "decoy-scan",
      "files": [
        "PROJECT_PACK.json",
        "QUICK_START.md",
        "PROMPT_PREVIEW.md",
        "HUMAN_MANUAL.md",
        "AI_CONTEXT_PACK.md",
        "BOUNDARY_RISK_CARD.md",
        "PITFALL_LOG.md",
        "REPO_INSPECTION.json",
        "REPO_INSPECTION.md",
        "CAPABILITY_CONTRACT.json",
        "EVIDENCE_INDEX.json",
        "CLAIM_GRAPH.json"
      ],
      "required_files": [
        "PROJECT_PACK.json",
        "QUICK_START.md",
        "PROMPT_PREVIEW.md",
        "HUMAN_MANUAL.md",
        "AI_CONTEXT_PACK.md",
        "BOUNDARY_RISK_CARD.md",
        "PITFALL_LOG.md",
        "REPO_INSPECTION.json"
      ]
    },
    "detail": {
      "capability_source": "Project Hit Packet + DownstreamValidationResult",
      "commands": [
        {
          "command": "npx decoy-scan",
          "label": "Node.js / npx · 官方安装入口",
          "source": "https://github.com/decoy-run/decoy-scan#readme",
          "verified": true
        }
      ],
      "display_tags": [
        "安全审查与权限治理",
        "网页任务自动化",
        "浏览器自动化",
        "节点式流程编排",
        "评测体系"
      ],
      "eyebrow": "安全审查与权限治理",
      "glance": [
        {
          "body": "判断自己是不是目标用户。",
          "label": "最适合谁",
          "value": "需要安全审查与权限治理能力，并使用 mcp_host 的用户"
        },
        {
          "body": "先理解能力边界，再决定是否继续。",
          "label": "核心价值",
          "value": "Security scanner for MCP server configurations. Like npm audit, but for your AI agent tool servers. Finds risky tools, input validation gaps, transport vulnerabilities, and over-permissioned capability chains. Open source, zero dependencies."
        },
        {
          "body": "未完成验证前保持审慎。",
          "label": "继续前",
          "value": "publish to Doramagic.ai project surfaces"
        }
      ],
      "guardrail_source": "Boundary & Risk Card",
      "guardrails": [
        {
          "body": "Prompt Preview 只展示流程，不证明项目已安装或运行。",
          "label": "Check 1",
          "value": "不要把试用当真实运行"
        },
        {
          "body": "mcp_host",
          "label": "Check 2",
          "value": "确认宿主兼容"
        },
        {
          "body": "publish to Doramagic.ai project surfaces",
          "label": "Check 3",
          "value": "先隔离验证"
        }
      ],
      "mode": "mcp_config, recipe, host_instruction, eval, preflight",
      "pitfall_log": {
        "items": [
          {
            "body": "README/documentation is current enough for a first validation pass.",
            "category": "能力坑",
            "evidence": [
              "capability.assumptions | github_repo:1185640470 | https://github.com/decoy-run/decoy-scan | README/documentation is current enough for a first validation pass."
            ],
            "severity": "medium",
            "suggested_check": "将假设转成下游验证清单。",
            "title": "能力判断依赖假设",
            "user_impact": "假设不成立时，用户拿不到承诺的能力。"
          },
          {
            "body": "未记录 last_activity_observed。",
            "category": "维护坑",
            "evidence": [
              "evidence.maintainer_signals | github_repo:1185640470 | https://github.com/decoy-run/decoy-scan | last_activity_observed missing"
            ],
            "severity": "medium",
            "suggested_check": "补 GitHub 最近 commit、release、issue/PR 响应信号。",
            "title": "维护活跃度未知",
            "user_impact": "新项目、停更项目和活跃项目会被混在一起，推荐信任度下降。"
          },
          {
            "body": "no_demo",
            "category": "安全/权限坑",
            "evidence": [
              "downstream_validation.risk_items | github_repo:1185640470 | https://github.com/decoy-run/decoy-scan | no_demo; severity=medium"
            ],
            "severity": "medium",
            "suggested_check": "进入安全/权限治理复核队列。",
            "title": "下游验证发现风险项",
            "user_impact": "下游已经要求复核，不能在页面中弱化。"
          },
          {
            "body": "no_demo",
            "category": "安全/权限坑",
            "evidence": [
              "risks.scoring_risks | github_repo:1185640470 | https://github.com/decoy-run/decoy-scan | no_demo; severity=medium"
            ],
            "severity": "medium",
            "suggested_check": "把风险写入边界卡，并确认是否需要人工复核。",
            "title": "存在评分风险",
            "user_impact": "风险会影响是否适合普通用户安装。"
          },
          {
            "body": "GitHub 社区证据显示该项目存在一个安全/权限相关的待验证问题：Decoy Scan - MCP Security for CI/CD",
            "category": "安全/权限坑",
            "evidence": [
              "community_evidence:github | cevd_1dfbf3581ef44580b28d89d74f78c803 | https://github.com/decoy-run/decoy-scan/releases/tag/v1 | 来源类型 github_release 暴露的待验证使用条件。"
            ],
            "severity": "medium",
            "suggested_check": "来源显示可能已有修复、规避或版本变化，说明书中必须标注适用版本。",
            "title": "来源证据：Decoy Scan - MCP Security for CI/CD",
            "user_impact": "可能影响授权、密钥配置或安全边界。"
          },
          {
            "body": "issue_or_pr_quality=unknown。",
            "category": "维护坑",
            "evidence": [
              "evidence.maintainer_signals | github_repo:1185640470 | https://github.com/decoy-run/decoy-scan | issue_or_pr_quality=unknown"
            ],
            "severity": "low",
            "suggested_check": "抽样最近 issue/PR，判断是否长期无人处理。",
            "title": "issue/PR 响应质量未知",
            "user_impact": "用户无法判断遇到问题后是否有人维护。"
          },
          {
            "body": "release_recency=unknown。",
            "category": "维护坑",
            "evidence": [
              "evidence.maintainer_signals | github_repo:1185640470 | https://github.com/decoy-run/decoy-scan | release_recency=unknown"
            ],
            "severity": "low",
            "suggested_check": "确认最近 release/tag 和 README 安装命令是否一致。",
            "title": "发布节奏不明确",
            "user_impact": "安装命令和文档可能落后于代码，用户踩坑概率升高。"
          }
        ],
        "source": "ProjectPitfallLog + ProjectHitPacket + validation + community signals",
        "summary": "发现 7 个潜在踩坑项，其中 0 个为 high/blocking；最高优先级：能力坑 - 能力判断依赖假设。",
        "title": "踩坑日志"
      },
      "snapshot": {
        "contributors": 1,
        "forks": 0,
        "license": "unknown",
        "note": "站点快照，非实时质量证明；用于开工前背景判断。",
        "stars": 1
      },
      "source_url": "https://github.com/decoy-run/decoy-scan",
      "steps": [
        {
          "body": "不安装项目，先体验能力节奏。",
          "code": "preview",
          "title": "先试 Prompt"
        },
        {
          "body": "理解输入、输出、失败模式和边界。",
          "code": "manual",
          "title": "读说明书"
        },
        {
          "body": "把上下文交给宿主 AI 继续工作。",
          "code": "context",
          "title": "带给 AI"
        },
        {
          "body": "进入主力环境前先完成安装入口与风险边界验证。",
          "code": "verify",
          "title": "沙箱验证"
        }
      ],
      "subtitle": "Security scanner for MCP server configurations. Like npm audit, but for your AI agent tool servers. Finds risky tools, input validation gaps, transport vulnerabilities, and over-permissioned capability chains. Open source, zero dependencies.",
      "title": "decoy-scan 能力包",
      "trial_prompt": "# decoy-scan - Prompt Preview\n\n> Copy the prompt below into your AI host before installing anything.\n> Its purpose is to let you safely feel the project's workflow, not to claim the project has already run.\n\n## Copy this prompt\n\n```text\nYou are using an independent Doramagic capability pack for decoy-run/decoy-scan.\n\nProject:\n- Name: decoy-scan\n- Repository: https://github.com/decoy-run/decoy-scan\n- Summary: Security scanner for MCP server configurations. Like npm audit, but for your AI agent tool servers. Finds risky tools, input validation gaps, transport vulnerabilities, and over-permissioned capability chains. Open source, zero dependencies.\n- Host target: mcp_host\n\nGoal:\nHelp me evaluate this project for the following task without installing it yet: Security scanner for MCP server configurations. Like npm audit, but for your AI agent tool servers. Finds risky tools, input validation gaps, transport vulnerabilities, and over-permissioned capability chains. Open source, zero dependencies.\n\nBefore taking action:\n1. Restate my task, success standard, and boundary.\n2. Identify whether the next step requires tools, browser access, network access, filesystem access, credentials, package installation, or host configuration.\n3. Use only the Doramagic Project Pack, the upstream repository, and the source-linked evidence listed below.\n4. If a real command, install step, API call, file write, or host integration is required, mark it as \"requires post-install verification\" and ask for approval first.\n5. If evidence is missing, say \"evidence is missing\" instead of filling the gap.\n\nPreviewable capabilities:\n- Capability 1: Security scanner for MCP server configurations. Like npm audit, but for your AI agent tool servers. Finds risky tools, input validation gaps, transport vulnerabilities, and over-permissioned capability chains. 
Open source, zero dependencies.\n\nCapabilities that require post-install verification:\n- Capability 1: Use the source-backed project context to guide one small, checkable workflow step.\n\nCore service flow:\n1. page-1: Overview. Produce one small intermediate artifact and wait for confirmation.\n2. page-2: Installation and Quick Start. Produce one small intermediate artifact and wait for confirmation.\n3. page-3: System Architecture. Produce one small intermediate artifact and wait for confirmation.\n4. page-5: Security Checks and Detection. Produce one small intermediate artifact and wait for confirmation.\n5. page-8: CLI Reference. Produce one small intermediate artifact and wait for confirmation.\n\nSource-backed evidence to keep in mind:\n- https://github.com/decoy-run/decoy-scan\n- https://github.com/decoy-run/decoy-scan#readme\n- README.md\n- index.mjs\n- package.json\n- bin/cli.mjs\n- lib/discovery.mjs\n- lib/scan.mjs\n- lib/probe.mjs\n- lib/telemetry.mjs\n\nFirst response rules:\n1. Start Step 1 only.\n2. Explain the one service action you will perform first.\n3. Ask exactly three questions about my target workflow, success standard, and sandbox boundary.\n4. Stop and wait for my answers.\n\nStep 1 follow-up protocol:\n- After I answer the first three questions, stay in Step 1.\n- Produce six parts only: clarified task, success standard, boundary conditions, two or three options, tradeoffs for each option, and one recommendation.\n- End by asking whether I confirm the recommendation.\n- Do not move to Step 2 until I explicitly confirm.\n\nConversation rules:\n- Advance one step at a time and wait for confirmation after each small artifact.\n- Write outputs as recommendations or planned checks, not as completed execution.\n- Do not claim tests passed, files changed, commands ran, APIs were called, or the project was installed.\n- If the user asks for execution, first provide the sandbox setup, expected output, rollback, and approval checkpoint.\n```\n",
      "voices": [
        {
          "body": "来源平台：github。github/github_release: Decoy Scan - MCP Security for CI/CD（https://github.com/decoy-run/decoy-scan/releases/tag/v1）。这些是项目级外部声音，不作为单独质量证明。",
          "items": [
            {
              "kind": "github_release",
              "source": "github",
              "title": "Decoy Scan - MCP Security for CI/CD",
              "url": "https://github.com/decoy-run/decoy-scan/releases/tag/v1"
            }
          ],
          "status": "已收录 1 条来源",
          "title": "社区讨论"
        }
      ]
    },
    "homepage_card": {
      "category": "安全审查与权限治理",
      "desc": "Security scanner for MCP server configurations. Like npm audit, but for your AI agent tool servers. Finds risky tools, input validation gaps, transport vulnerabilities, and over-permissioned capability chains. Open source, zero dependencies.",
      "effort": "安装已验证",
      "forks": 0,
      "icon": "shield",
      "name": "decoy-scan 能力包",
      "risk": "需复核",
      "slug": "decoy-scan",
      "stars": 1,
      "tags": [
        "安全审查与权限治理",
        "网页任务自动化",
        "浏览器自动化",
        "节点式流程编排",
        "评测体系"
      ],
      "thumb": "purple",
      "type": "MCP 配置"
    },
    "manual": {
      "markdown": "# https://github.com/decoy-run/decoy-scan 项目说明书\n\n生成时间：2026-05-15 09:18:56 UTC\n\n## 目录\n\n- [Overview](#page-1)\n- [Installation and Quick Start](#page-2)\n- [System Architecture](#page-3)\n- [Core Modules Reference](#page-4)\n- [Security Checks and Detection](#page-5)\n- [Supply Chain and Advisory Database](#page-6)\n- [Skill Scanning](#page-7)\n- [CLI Reference](#page-8)\n- [GitHub Action Integration](#page-9)\n- [Output Formats and Policy Configuration](#page-10)\n\n<a id='page-1'></a>\n\n## Overview\n\n### 相关页面\n\n相关主题：[Installation and Quick Start](#page-2), [Security Checks and Detection](#page-5)\n\n<details>\n<summary>相关源码文件</summary>\n\n以下源码文件用于生成本页说明：\n\n- [README.md](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n- [AGENTS.md](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md)\n- [CONTRIBUTING.md](https://github.com/decoy-run/decoy-scan/blob/main/CONTRIBUTING.md)\n- [CHANGELOG.md](https://github.com/decoy-run/decoy-scan/blob/main/CHANGELOG.md)\n- [action.yml](https://github.com/decoy-run/decoy-scan/blob/main/action.yml)\n</details>\n\n# Overview\n\n**decoy-scan** is a command-line security scanner for the MCP (Model Context Protocol) ecosystem. It identifies security risks in MCP server configurations, detects prompt injection attacks, analyzes dangerous tool permissions, and maps findings to the OWASP Agentic Top 10 security framework. The tool operates with zero dependencies, requiring only Node.js 18+, and needs no installation, account, or configuration to run.\n\n资料来源：[README.md:1]()\n\n## Purpose and Scope\n\nThe primary purpose of decoy-scan is to proactively discover security vulnerabilities in MCP server configurations before attackers can exploit them. 
The tool addresses a critical gap in the MCP supply chain by providing automated security scanning that was previously unavailable to developers and security teams.\n\n**Key objectives:**\n\n- Scan local MCP client configurations (Claude Desktop, Cursor, Windsurf, VS Code, Claude Code, Zed, Cline)\n- Classify tool risk levels based on name patterns and description analysis\n- Detect prompt injection attacks hidden within tool descriptions\n- Identify environment variable exposure and credential leakage\n- Analyze toxic data flows across server boundaries\n- Provide machine-readable output (JSON, SARIF) for CI/CD integration\n\n资料来源：[README.md:1-5]()\n\n## Architecture Overview\n\ndecoy-scan follows a modular architecture where a single ES module (`index.mjs`) contains all core functionality without external dependencies.\n\n```mermaid\ngraph TD\n    A[User runs decoy-scan] --> B[Discover MCP Configs]\n    B --> C[Parse Server Configurations]\n    C --> D[Probe Servers via stdio]\n    D --> E{Analysis Engine}\n    \n    E --> F[Tool Risk Classification]\n    E --> G[Poisoning Detection]\n    E --> H[Command Analysis]\n    E --> I[Env Exposure Check]\n    E --> J[Readiness Analysis]\n    E --> K[Advisory Cross-Reference]\n    \n    F --> L[Aggregate Results]\n    G --> L\n    H --> L\n    I --> L\n    J --> L\n    K --> L\n    \n    L --> M[Output Formatter]\n    M --> N[Pretty Print / JSON / SARIF]\n```\n\nThe scan orchestrator (`scan()`) coordinates all analysis modules and produces structured output. 
Each module operates independently, allowing the tool to continue analysis even if individual checks fail.\n\n资料来源：[CONTRIBUTING.md:14-29]()\n\n## Core Security Checks\n\ndecoy-scan performs multiple simultaneous security checks across different attack vectors:\n\n| Check Category | What it Detects |\n|----------------|-----------------|\n| Tool Risk Classification | Critical/high/medium/low tools by name and description |\n| Prompt Injection Detection | 37 patterns across 20 attack categories in tool descriptions |\n| Toxic Flow Analysis | Cross-server data leak (TF001) and destructive (TF002) attack chains |\n| Tool Manifest Hashing | Tool additions, removals, and description changes between scans |\n| Skill Scanning | Prompt injection, hardcoded secrets, suspicious URLs in Claude Code skills |\n| Server Command Analysis | Pipe-to-shell, inline code, typosquatting, temp directory spawning |\n| Environment Variable Exposure | API keys, tokens, secrets, cloud credentials passed to servers |\n| Supply Chain Advisories | 40+ known vulnerable MCP packages via Decoy advisory database |\n| Transport Security | HTTP without TLS, missing auth, wildcard CORS, public-bound SSE |\n| Input Sanitization | Unconstrained parameters, missing maxLength, open schemas |\n| Permission Scope | Over-privileged servers, dangerous capability combinations |\n| OWASP Mapping | Every finding mapped to ASI01–ASI05 |\n\n资料来源：[README.md:58-70]()\n\n### Tool Risk Tiers\n\nTools are classified into four risk tiers based on their potential impact:\n\n| Tier | Description | Examples |\n|------|-------------|----------|\n| Critical | Can execute code, modify data, or cause irreversible changes | `execute_command`, `write_file`, `delete_database` |\n| High | Can read files, make network requests, or access sensitive data | `read_file`, `fetch_url`, `get_credentials` |\n| Medium | Moderate scope with limited blast radius | `list_directory`, `search_logs` |\n| Low | Minimal 
risk, read-only or sandboxed operations | `ping`, `get_status` |\n\n资料来源：[AGENTS.md:30-40]()\n\n### Poisoning Pattern Categories\n\nThe scanner detects 37 distinct prompt injection patterns organized into 20 attack categories:\n\n```mermaid\ngraph LR\n    A[Tool Description] --> B[Poisoning Detection Engine]\n    \n    B --> C[Instruction Override]\n    B --> D[Concealment]\n    B --> E[Data Exfiltration]\n    B --> F[Credential Harvesting]\n    B --> G[Coercive Execution]\n    B --> H[Tool Shadowing]\n    B --> I[Evasion Techniques]\n    \n    C --> J[Findings with Severity]\n    D --> J\n    E --> J\n    F --> J\n    G --> J\n    H --> J\n    I --> J\n```\n\n资料来源：[CONTRIBUTING.md:30-45]()\n\n## Supported MCP Hosts\n\ndecoy-scan automatically discovers and scans MCP configurations across multiple clients. Config paths are platform-aware for macOS, Windows, and Linux.\n\n| Host | Platform Support | Config Location |\n|------|------------------|-----------------|\n| Claude Desktop | macOS, Windows, Linux | Platform-specific config directory |\n| Cursor | macOS, Windows, Linux | Platform-specific config directory |\n| Windsurf | macOS, Windows, Linux | Platform-specific config directory |\n| VS Code | macOS, Windows, Linux | Platform-specific config directory |\n| Claude Code | macOS, Windows, Linux | Platform-specific config directory |\n| Zed | macOS, Windows, Linux | Platform-specific config directory |\n| Cline | macOS, Windows, Linux | Platform-specific config directory |\n\nThe tool also supports project-level `.mcp.json` configuration files when run from a project root.\n\n资料来源：[AGENTS.md:85-93]()\n\n## Output Formats\n\ndecoy-scan provides multiple output formats to support different use cases:\n\n### Pretty Print (Default)\n\nHuman-readable output with colored severity badges and visual hierarchy:\n\n```\n▸ Discovering MCP servers…\n▸ Running 12 checks…\n\n✗ server-name 2 critical\n  Critical tools: execute_command, write_file\n  \n✓ another-server 
passed\n\n3 issues found · 2 critical, 1 high · 12 checks passed · 2.3s\n```\n\n### JSON Output\n\nMachine-readable format with full structural data:\n\n```json\n{\n  \"timestamp\": \"ISO-8601\",\n  \"hosts\": [\"Claude Desktop\", \"Cursor\"],\n  \"servers\": [{\n    \"name\": \"server-name\",\n    \"hosts\": [\"Claude Desktop\"],\n    \"command\": \"npx\",\n    \"args\": [\"@modelcontextprotocol/server-filesystem\"],\n    \"tools\": [{\n      \"name\": \"read_file\",\n      \"description\": \"...\",\n      \"risk\": \"high\",\n      \"poisoning\": [{ \"type\": \"...\", \"severity\": \"...\", \"description\": \"...\" }]\n    }],\n    \"risk\": \"high\",\n    \"error\": null,\n    \"findings\": [{\n      \"type\": \"env-exposure\",\n      \"severity\": \"high\",\n      \"description\": \"...\",\n      \"source\": \"env-config\"\n    }]\n  }],\n  \"summary\": {\n    \"total\": 2,\n    \"critical\": 1,\n    \"high\": 1,\n    \"medium\": 0,\n    \"low\": 0,\n    \"poisoned\": 0\n  }\n}\n```\n\n### SARIF Output\n\nStandard format for CI/CD integration with GitHub Security tab:\n\n```json\n{\n  \"$schema\": \"https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.json\",\n  \"version\": \"2.1.0\",\n  \"runs\": [{\n    \"tool\": { \"driver\": { \"name\": \"decoy-scan\", \"version\": \"0.7.0\" } },\n    \"results\": [...]\n  }]\n}\n```\n\n### Brief Output\n\nMinimal summary for agent consumption:\n\n```json\n{\n  \"servers\": 3,\n  \"critical\": 1,\n  \"high\": 2,\n  \"medium\": 4,\n  \"low\": 5,\n  \"poisoned\": 0,\n  \"status\": \"fail\",\n  \"exitCode\": 2\n}\n```\n\n资料来源：[AGENTS.md:65-84]()\n\n## Exit Codes\n\nThe tool uses standardized exit codes for programmatic integration:\n\n| Exit Code | Meaning | Triggers |\n|-----------|---------|----------|\n| 0 | No critical or high-risk issues | Clean scan |\n| 1 | High-risk issues found | High-risk tools or findings |\n| 2 | Critical issues, tool poisoning, toxic flows, or policy violation | Critical tools, prompt 
injection detected, or policy failure |\n\nThe exit code is also surfaced as `exitCode` on `--json` and `--brief` output for agent branching without re-deriving severity from summary counts.\n\n资料来源：[AGENTS.md:75-80]()\n\n## Command-Line Interface\n\n### Basic Usage\n\n```bash\nnpx decoy-scan                        # Full scan\nnpx decoy-scan --json                 # Machine-readable output\nnpx decoy-scan --sarif                # SARIF 2.1.0 for CI/CD\nnpx decoy-scan --verbose              # Show all tools including low-risk\nnpx decoy-scan --brief                # Minimal summary\n```\n\n### Explain Subcommand\n\nFor resolving what a scan finding means without parsing full scan output:\n\n```bash\ndecoy-scan explain critical              # Severity tier\ndecoy-scan explain tool-description      # Finding category\ndecoy-scan explain prompt-override       # Poisoning type\ndecoy-scan explain read_file             # Tool name\ndecoy-scan explain list                  # Enumerate all explainable targets\ndecoy-scan explain <target> --json       # Structured output\n```\n\n### Global Flags\n\n| Flag | Short | Description |\n|------|-------|-------------|\n| `--verbose` | `-v` | Show all tools including low-risk |\n| `--quiet` | `-q` | Suppress status output |\n| `--version` | `-V` | Print version |\n| `--help` | `-h` | Print help |\n\n资料来源：[AGENTS.md:10-28]()\n\n## GitHub Action Integration\n\nThe official GitHub Action enables automated scanning on push and pull request events:\n\n```yaml\nname: MCP Security\non: [push, pull_request]\n\njobs:\n  scan:\n    runs-on: ubuntu-latest\n    permissions:\n      security-events: write\n    steps:\n      - uses: actions/checkout@v4\n      - uses: decoy-run/decoy-scan@v1\n```\n\n### Action Inputs\n\n| Input | Default | Description |\n|-------|---------|-------------|\n| `policy` | `no-critical,no-poisoning` | Comma-separated policy rules |\n| `sarif` | `true` | Upload SARIF to GitHub Security tab |\n| `report` | `false` | 
Upload to Decoy Guard dashboard |\n| `token` | — | Decoy API token (for `report`) |\n| `verbose` | `false` | Show all tools including low-risk |\n\n### Policy Rules\n\n```\nno-critical          Fail on critical tools (code exec, file write)\nno-high              Fail on high-risk tools (file read, network)\nno-poisoning         Fail on prompt injection in tool descriptions\nno-toxic-flows       Fail on cross-server data leak / destructive chains\nno-secrets           Fail on secrets exposed in MCP config\nrequire-tripwires    Fail if decoy-tripwire not installed\nmax-critical=N       Fail if more than N critical tools found\n```\n\n资料来源：[README.md:88-108]()\n\n## Library API\n\ndecoy-scan can be imported as a module for programmatic use:\n\n```javascript\nimport {\n  scan,\n  toSarif,\n  classifyTool,\n  detectPoisoning,\n  analyzeToxicFlows,\n  hashToolManifest,\n  detectManifestChanges,\n  discoverSkills,\n  analyzeSkill,\n} from 'decoy-scan';\n\nconst results = await scan({ skills: true });\nconsole.log(results.toxicFlows);    // [{ id: \"TF001\", severity: \"critical\", roles: {...} }]\nconsole.log(results.skills);        // [{ name: \"...\", findings: [...] }]\nconsole.log(results.servers[0].manifestHash);  // \"45c4c571f03c78a2\"\n```\n\n资料来源：[README.md:55-63]()\n\n## Design Principles\n\nThe project adheres to strict architectural constraints that differentiate it from similar tools:\n\n| Principle | Implementation |\n|-----------|----------------|\n| **Zero dependencies** | Node.js builtins only. No npm packages. |\n| **No build step** | Raw ES modules. No TypeScript, no bundler. |\n| **Fast execution** | Scan completes in seconds. Servers timeout aggressively. |\n| **Safe operation** | Read-only scanning. Never modifies configs. Kills spawned servers promptly. |\n| **Agent-first** | JSON and SARIF output are machine-parseable. AGENTS.md is comprehensive. 
|\n\nThese principles ensure the tool remains reliable, auditable, and easy to deploy across different environments.\n\n资料来源：[CONTRIBUTING.md:90-98]()\n\n## Version History\n\n| Version | Release Date | Key Additions |\n|---------|--------------|---------------|\n| 0.7.0 | 2026-05-10 | v2 telemetry envelope, retry + persistent queue, first-run dashboard link |\n| 0.6.2 | 2026-05-10 | Fixed telemetry for empty config scenarios |\n| 0.5.8 | 2026-05-06 | GitHub star ask |\n| 0.5.7 | 2026-04-28 | Fixed dashboard links for token setup |\n| 0.5.6 | 2026-04-28 | Exit code in JSON output, --brief implies --json |\n| 0.5.5 | 2026-04-25 | Pretty CLI output overhaul, fixed code-execution tool classification |\n| 0.5.4 | 2026-04-25 | Fixed explain --json second payload bug |\n| 0.5.0 | 2026-04-21 | Added explain subcommand |\n| 0.2.0 | 2026-03-20 | SSE transport security, input sanitization, dynamic tripwire detection |\n| 0.1.0 | 2026-03-15 | Initial release |\n\n资料来源：[CHANGELOG.md:1-30]()\n\n## Comparison with Similar Tools\n\n| Feature | decoy-scan | Snyk agent-scan |\n|---------|------------|-----------------|\n| Language | JavaScript | Python |\n| Dependencies | **0** | 15 (aiohttp, pydantic, mcp, etc.) 
|\n| Install | `npx decoy-scan` | `uvx snyk-agent-scan` |\n| MCP Hosts | 7 (Claude Desktop, Cursor, Windsurf, VS Code, Claude Code, Zed, Cline) | Varies |\n| OWASP Mapping | ASI01–ASI05 | Limited |\n\n资料来源：[README.md:64-67]()\n\n---\n\n<a id='page-2'></a>\n\n## Installation and Quick Start\n\n### 相关页面\n\n相关主题：[Overview](#page-1), [CLI Reference](#page-8)\n\n<details>\n<summary>Relevant Source Files</summary>\n\n以下源码文件用于生成本页说明：\n\n- [README.md](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n- [CONTRIBUTING.md](https://github.com/decoy-run/decoy-scan/blob/main/CONTRIBUTING.md)\n- [AGENTS.md](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md)\n- [action.yml](https://github.com/decoy-run/decoy-scan/blob/main/action.yml)\n- [package.json](https://github.com/decoy-run/decoy-scan/blob/main/package.json)\n</details>\n\n# Installation and Quick Start\n\n## Overview\n\ndecoy-scan is a zero-dependency MCP (Model Context Protocol) supply chain security scanner. It requires no installation, no configuration, and no account to begin scanning. Users can run it directly via `npx` or clone the repository for development purposes.\n\nThe tool scans local MCP client configurations across seven supported hosts, analyzes server commands for security risks, detects prompt injection in tool descriptions, and provides structured output for CI/CD integration.\n\n资料来源：[README.md:1-5]()\n\n## System Requirements\n\n| Requirement | Specification |\n|-------------|---------------|\n| Runtime | Node.js 18+ |\n| Package Manager | Not required |\n| Build Tools | Not required |\n| OS Support | macOS, Windows, Linux |\n\nThe tool uses only Node.js built-in modules. 
No external npm packages are installed or required.\n\n资料来源：[CONTRIBUTING.md:10]()\n\n## Installation Methods\n\n### Method 1: Direct Execution (Recommended)\n\nThe fastest way to run decoy-scan is through `npx`, which downloads and executes the package without affecting local dependencies:\n\n```bash\nnpx decoy-scan\n```\n\nThis single command discovers all MCP configurations on the machine, probes configured servers, and produces a security report. Two caveats before running it on a machine you care about: probing is not passive — it spawns every configured server command (see Server Probing), so use `--no-probe` for a config-only scan, or run inside an isolated environment, when the configuration itself is untrusted; and, as with any `npx` invocation, an unversioned package name runs whatever the registry currently serves, so pin an explicit version in scripts and CI.\n\n资料来源：[README.md:14]()\n\n### Method 2: GitHub Action (CI/CD)\n\nFor automated security scanning in repositories, use the official GitHub Action:\n\n```yaml\nname: MCP Security\non: [push, pull_request]\n\njobs:\n  scan:\n    runs-on: ubuntu-latest\n    permissions:\n      security-events: write\n    steps:\n      - uses: actions/checkout@v4\n      - uses: decoy-run/decoy-scan@v1\n```\n\nThe action supports configurable policy enforcement and SARIF output uploads to the GitHub Security tab. Two notes on the example above: a job-level `permissions` block sets every scope it does not list to `none`, so add `contents: read` if `actions/checkout` needs token access to the repository (private repositories in particular); and `@v1` is a mutable tag, so pin the action to a full commit SHA where you need the scanner itself to be reproducible in your own supply chain.\n\n资料来源：[action.yml:1-20]()\n\n### Method 3: Local Clone (Development)\n\nFor contributing or modifying the scanner:\n\n```bash\ngit clone https://github.com/decoy-run/decoy-scan\ncd decoy-scan\nnode bin/cli.mjs --help\n```\n\nNo build step is required. 
The codebase uses raw ES modules with no bundler or TypeScript compilation.\n\n资料来源：[CONTRIBUTING.md:5-9]()\n\n## Quick Start Workflow\n\n```mermaid\ngraph TD\n    A[Run npx decoy-scan] --> B{Node.js installed?}\n    B -->|No| C[Install Node.js 18+]\n    C --> A\n    B -->|Yes| D[Discover MCP Configs]\n    D --> E[Supported Hosts Found?]\n    E -->|No| F[Print empty discovery message]\n    E -->|Yes| G[Probe MCP Servers]\n    G --> H[Analyze Tool Risk]\n    H --> I[Detect Poisoning Patterns]\n    I --> J[Check Environment Exposure]\n    J --> K[Generate Report]\n    K --> L{Human or CI Mode?}\n    L -->|Human| M[Pretty Print Output]\n    L -->|CI| N[JSON or SARIF Output]\n```\n\n## Supported MCP Hosts\n\ndecoy-scan automatically discovers configurations for the following MCP clients:\n\n| Host | Platform Support |\n|------|-----------------|\n| Claude Desktop | macOS, Windows, Linux |\n| Cursor | macOS, Windows, Linux |\n| Windsurf | macOS, Windows, Linux |\n| VS Code | macOS, Windows, Linux |\n| Claude Code | macOS, Windows, Linux |\n| Zed | macOS, Windows, Linux |\n| Cline | macOS, Windows, Linux |\n\nConfig paths are platform-aware, detecting macOS, Windows, and Linux configuration locations automatically.\n\n资料来源：[AGENTS.md:45-50]()\n\n## Command Line Interface\n\n### Basic Usage\n\n| Command | Description |\n|---------|-------------|\n| `npx decoy-scan` | Full scan with pretty CLI output |\n| `npx decoy-scan --json` | Machine-readable JSON output |\n| `npx decoy-scan --sarif` | SARIF 2.1.0 format for CI/CD |\n\n资料来源：[AGENTS.md:6-8]()\n\n### Output Modes\n\n#### Pretty Output (Default)\n\nHuman-readable format with color-coded severity badges and per-server summaries:\n\n```\n✗ server-name N critical\n! 
server-name poisoned tool\n✓ server-name passed\n```\n\n#### JSON Output\n\nStructured machine-readable format for programmatic consumption:\n\n```json\n{\n  \"timestamp\": \"ISO-8601\",\n  \"hosts\": [\"Claude Desktop\", \"Cursor\"],\n  \"servers\": [{\n    \"name\": \"server-name\",\n    \"tools\": [{\n      \"name\": \"read_file\",\n      \"risk\": \"high\",\n      \"poisoning\": []\n    }],\n    \"risk\": \"high\"\n  }],\n  \"summary\": {\n    \"total\": 2,\n    \"critical\": 1,\n    \"high\": 2\n  }\n}\n```\n\n#### SARIF Output\n\nStandardized format for integration with security tools and GitHub Security tab:\n\n```bash\nnpx decoy-scan --sarif | jq\n```\n\n资料来源：[AGENTS.md:52-85]()\n\n### Common Flags\n\n| Flag | Short | Description |\n|------|-------|-------------|\n| `--json` | — | Machine-readable JSON output |\n| `--sarif` | — | SARIF 2.1.0 output format |\n| `--brief` | — | Minimal summary (implies `--json`) |\n| `--verbose` | `-v` | Show all tools including low-risk |\n| `--quiet` | `-q` | Suppress status output |\n| `--no-probe` | — | Config-only scan, skip server probing |\n| `--no-advisories` | — | Skip network calls to advisory database |\n| `--help` | `-h` | Print help message |\n| `--version` | `-V` | Print version |\n\n资料来源：[AGENTS.md:22-32]()\n\n## Exit Codes\n\nThe CLI returns exit codes for programmatic error handling:\n\n| Code | Meaning |\n|------|---------|\n| `0` | No critical or high-risk issues |\n| `1` | High-risk issues found |\n| `2` | Critical issues, tool poisoning, toxic flows, or policy violation |\n\nThe `exitCode` field is also surfaced in `--json` and `--brief` output for agent consumption.\n\n资料来源：[AGENTS.md:35-45]()\n\n## GitHub Action Configuration\n\n### Action Inputs\n\n| Input | Default | Description |\n|-------|---------|-------------|\n| `policy` | `no-critical,no-poisoning` | Comma-separated policy rules |\n| `sarif` | `true` | Upload SARIF to GitHub Security tab |\n| `report` | `false` | Upload to Decoy Guard dashboard 
|\n| `token` | — | Decoy API token (required for `report`); supply it from an Actions secret, never as a literal in the workflow file |\n| `verbose` | `false` | Show all tools including low-risk |\n\nEnabling `report` sends scan results off the runner to a third-party service. What exactly is uploaded is not documented here, but the scanner's JSON output carries server commands, arguments, tool descriptions and finding text, so check the payload before turning it on for repositories whose MCP configuration is itself sensitive.\n\n### Policy Rules\n\n```\nno-critical          Fail on critical tools (code exec, file write)\nno-high              Fail on high-risk tools (file read, network)\nno-poisoning         Fail on prompt injection in tool descriptions\nno-toxic-flows       Fail on cross-server data leak / destructive chains\nno-secrets           Fail on secrets exposed in MCP config\nrequire-tripwires    Fail if decoy-tripwire not installed\nmax-critical=N       Fail if more than N critical tools found\n```\n\nThe default policy (`no-critical,no-poisoning`) does not include `no-secrets` or `no-toxic-flows`; list them explicitly if exposed credentials or cross-server chains should fail the build.\n\n### Full Example\n\n```yaml\nname: MCP Security\non: [push, pull_request]\n\njobs:\n  scan:\n    runs-on: ubuntu-latest\n    permissions:\n      security-events: write\n    steps:\n      - uses: actions/checkout@v4\n      - uses: decoy-run/decoy-scan@v1\n        with:\n          policy: no-critical,no-poisoning,no-toxic-flows\n          sarif: true\n          verbose: true\n```\n\n资料来源：[action.yml:1-30]()\n\n## Running Tests\n\nBefore submitting changes, run the full test suite to ensure all 48 tests pass:\n\n```bash\nnpm test\n```\n\nTests cover CLI output, JSON/SARIF structure, policy gates, toxic flow detection, skill analysis, and manifest hashing.\n\nFor manual testing with different output modes:\n\n| Command | Purpose |\n|---------|---------|\n| `node bin/cli.mjs --no-probe` | Config-only scan |\n| `node bin/cli.mjs --no-advisories` | Skip network calls |\n| `node bin/cli.mjs --json` | Verify JSON structure |\n| `node bin/cli.mjs --sarif` | Verify SARIF structure |\n| `node bin/cli.mjs --verbose` | Show everything |\n\n资料来源：[CONTRIBUTING.md:68-80]()\n\n## Project Structure\n\n```\ndecoy-scan/\n├── bin/\n│   └── cli.mjs          # CLI entry point\n├── index.mjs            # Core scanner logic\n├── package.json         # Package metadata\n└── *.test.mjs          # Test files\n```\n\nAll scanner logic lives in `index.mjs` including:\n\n| Section | Function 
|\n|---------|----------|\n| `RISK_PATTERNS` + `classifyTool()` | Tool risk classification |\n| `POISONING_PATTERNS` + `detectPoisoning()` | Prompt injection detection |\n| `analyzeServerCommand()` | Server spawn command analysis |\n| `SENSITIVE_ENV_PATTERNS` + `analyzeEnvExposure()` | Environment variable exposure |\n| `analyzeReadiness()` | Production readiness heuristics |\n| `OWASP_MAP` + `mapToOwasp()` | OWASP Agentic Top 10 mapping |\n| `HOST_CONFIGS` + `discoverConfigs()` | MCP client config discovery |\n| `probeServer()` | MCP stdio probing |\n| `scan()` | Full scan orchestrator |\n| `toSarif()` | SARIF output generator |\n\n资料来源：[CONTRIBUTING.md:14-32]()\n\n## Design Principles\n\nThe installation and runtime model follows these principles:\n\n- **Zero dependencies** — Only Node.js built-ins are used. No npm packages added.\n- **No build step** — Raw ES modules executed directly.\n- **Fast execution** — Servers are probed with aggressive timeouts.\n- **Read-only scanning** — Configs are never modified; spawned servers are killed promptly.\n- **Agent-first output** — JSON and SARIF formats are machine-parseable.\n\n资料来源：[CONTRIBUTING.md:82-88]()\n\n## Next Steps\n\nAfter installation, explore these topics:\n\n1. **[Explain Command](AGENTS.md)** — Resolve finding types using `decoy-scan explain <target>`\n2. **Output Formats** — Understand [JSON Schema](AGENTS.md#json-output-schema) and [SARIF Schema](AGENTS.md#sarif-output-schema)\n3. **What It Checks** — Review the [complete security checks list](README.md#-what-it-checks)\n4. 
**Contributing** — Read [CONTRIBUTING.md](CONTRIBUTING.md) for development guidelines\n\n---\n\n<a id='page-3'></a>\n\n## System Architecture\n\n### 相关页面\n\n相关主题：[Core Modules Reference](#page-4), [Security Checks and Detection](#page-5)\n\n<details>\n<summary>相关源码文件</summary>\n\n以下源码文件用于生成本页说明：\n\n- [index.mjs](https://github.com/decoy-run/decoy-scan/blob/main/index.mjs) — Core library with all analysis functions\n- [bin/cli.mjs](https://github.com/decoy-run/decoy-scan/blob/main/bin/cli.mjs) — Command-line interface\n- [package.json](https://github.com/decoy-run/decoy-scan/blob/main/package.json) — Project metadata and dependencies\n- [CONTRIBUTING.md](https://github.com/decoy-run/decoy-scan/blob/main/CONTRIBUTING.md) — Development documentation\n- [AGENTS.md](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md) — Agent reference documentation\n</details>\n\n# System Architecture\n\n## Overview\n\ndecoy-scan is a zero-dependency MCP (Model Context Protocol) supply chain security scanner built with Node.js >= 18. The architecture follows a modular design where a single `index.mjs` file contains all core analysis logic, while `bin/cli.mjs` provides the command-line interface. 
The tool discovers MCP server configurations from supported hosts, probes servers via stdio, and performs multi-layered security analysis.\n\n资料来源：[CONTRIBUTING.md](https://github.com/decoy-run/decoy-scan/blob/main/CONTRIBUTING.md)\n\n## Architecture Principles\n\nThe system is built on four core principles:\n\n| Principle | Description |\n|-----------|-------------|\n| **Zero Dependencies** | Node.js builtins only; no npm packages |\n| **No Build Step** | Raw ES modules; no TypeScript or bundler |\n| **Fast Execution** | Aggressive server timeouts; scan completes in seconds |\n| **Read-Only** | Never modifies configs; only reads and analyzes |\n\n资料来源：[CONTRIBUTING.md](https://github.com/decoy-run/decoy-scan/blob/main/CONTRIBUTING.md)\n\n## High-Level System Flow\n\n```mermaid\ngraph TD\n    A[User invokes decoy-scan] --> B[Discover MCP Configs]\n    B --> C{Hosts Found?}\n    C -->|Yes| D[For each server]\n    C -->|No| E[Log telemetry, exit]\n    D --> F[Probe Server via stdio]\n    F --> G[Analyze Tool List]\n    G --> H{Analysis Results}\n    H --> I[Security Findings]\n    H --> J[Readiness Issues]\n    I --> K[Generate Output]\n    J --> K\n    K --> L{Output Format}\n    L -->|JSON| M[JSON to stdout]\n    L -->|SARIF| N[SARIF to stdout]\n    L -->|Pretty| O[Terminal formatting]\n    K --> P[Send telemetry]\n    P --> Q[Exit with code]\n```\n\n## Core Components\n\n### 1. Configuration Discovery (`discoverConfigs`)\n\nThe discovery module locates MCP server configurations across supported host applications. 
Configuration paths are platform-aware, supporting macOS, Windows, and Linux.\n\n#### Supported Hosts\n\n| Host | Platform Support |\n|------|------------------|\n| Claude Desktop | macOS, Windows, Linux |\n| Cursor | macOS, Windows, Linux |\n| Windsurf | macOS, Windows, Linux |\n| VS Code | macOS, Windows, Linux |\n| Claude Code | macOS, Windows, Linux |\n| Zed | macOS, Windows, Linux |\n| Cline | macOS, Windows, Linux |\n\n资料来源：[AGENTS.md](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md)\n\n#### Host Configuration Structure\n\n```javascript\n\"Claude Desktop\": () => {\n  const p = platform();\n  if (p === \"darwin\") return join(homedir(), \"path\", \"to\", \"config.json\");\n  if (p === \"win32\") return join(process.env.APPDATA || \"\", \"path\", \"config.json\");\n  return join(homedir(), \".config\", \"path\", \"config.json\");\n}\n```\n\n资料来源：[CONTRIBUTING.md](https://github.com/decoy-run/decoy-scan/blob/main/CONTRIBUTING.md)\n\n### 2. Server Probing (`probeServer`)\n\nThe probing component spawns each MCP server via stdio protocol and queries its tool list. Servers are spawned with aggressive timeouts to ensure fast scanning.\n\n#### Probe Behavior\n\n- Spawns server process with configured command and arguments\n- Sends `initialize` and `tools/list` requests via stdio\n- Captures tool definitions including name, description, and input schemas\n- Kills spawned servers promptly after receiving response\n- Records probe errors for failed servers\n\n**Security note.** Probing is not passive: the scanner executes the exact `command` and `args` found in the host configuration, as a child process of the scanner running under the invoking user (presumably with the configured `env` as well, since that is what `analyzeEnvExposure()` inspects — verify in `probeServer()`). A malicious or typosquatted server entry is therefore run before any of its tools are classified, which is the very risk `analyzeServerCommand()` is meant to flag. When scanning a configuration you do not already trust, prefer `--no-probe` (config-only analysis, no process spawn) or run the scan in an isolated sandbox. Treat the timeout-based kill as a latency bound rather than a containment control, and check whether killing the spawned process also terminates grandchildren started by wrappers such as `npx`.\n\n资料来源：[AGENTS.md](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md)\n\n### 3. 
Security Analysis Engine\n\nThe analysis engine performs multi-layered security checks on discovered tools and server configurations.\n\n#### 3.1 Tool Risk Classification (`classifyTool`)\n\nClassifies every tool into risk tiers based on name patterns and description analysis:\n\n| Risk Level | Description | Examples |\n|------------|-------------|----------|\n| Critical | Can execute code, modify data, cause irreversible changes | `execute_command`, `write_file`, `eval_code` |\n| High | File read, network access, credential exposure | `read_file`, `fetch`, `run_sql` |\n| Medium | Environment access, configuration changes | `get_env`, `set_config` |\n| Low | Read-only, informational | `list_files`, `get_time` |\n\n#### Risk Pattern Matching\n\n```javascript\nRISK_PATTERNS = {\n  critical: [\n    /^execute[_-]?(command|shell|code|script)$/i,\n    /^run[_-]?(script|code|js|javascript|python|sql)$/i,\n    /^eval[_-]?(script|code)$/i,\n    /^evaluate[_-]?(script|code)$/i,\n    // ... more patterns\n  ],\n  high: [\n    /^read[_-]?(file|dir|directory)$/i,\n    /^fetch[_-]?(url|http|https)?$/i,\n    // ... 
more patterns\n  ]\n}\n```\n\nThe classifier also uses substring fallback on lowercased names for tools without descriptions.\n\n资料来源：[CONTRIBUTING.md](https://github.com/decoy-run/decoy-scan/blob/main/CONTRIBUTING.md)\n\n#### 3.2 Prompt Injection Detection (`detectPoisoning`)\n\nDetects 37 regex patterns across 20 attack categories in tool descriptions:\n\n| Category | Description |\n|----------|-------------|\n| Instruction Override | Tools that override system instructions |\n| Concealment | Hidden or disguised malicious intent |\n| Data Exfiltration | Credential or data stealing patterns |\n| Credential Harvesting | Requests for sensitive credentials |\n| Coercive Execution | Forced execution patterns |\n| Tool Shadowing | Impersonation of legitimate tools |\n| Evasion Techniques | Patterns to bypass detection |\n\nEach pattern includes:\n- `pattern`: Regex to match\n- `type`: Finding category (used for OWASP mapping)\n- `severity`: critical, high, medium, or low\n- `description`: Human-readable explanation\n\n资料来源：[CONTRIBUTING.md](https://github.com/decoy-run/decoy-scan/blob/main/CONTRIBUTING.md)\n\n#### 3.3 Server Command Analysis (`analyzeServerCommand`)\n\nChecks spawn commands for security issues:\n\n| Check | What it detects |\n|-------|----------------|\n| Pipe-to-shell | Commands using `|` operators |\n| Temp directories | Spawning from `/tmp` or similar |\n| Inline code | Commands with embedded scripts |\n| Typosquatting | Similar names to popular packages |\n| Network tools | Suspicious network utilities |\n\n#### 3.4 Environment Variable Analysis (`analyzeEnvExposure`)\n\nFlags 12 categories of sensitive credentials passed to MCP servers:\n\n| Category | Examples |\n|----------|----------|\n| API Keys | `OPENAI_API_KEY`, `ANTHROPIC_API_KEY` |\n| Tokens | `GITHUB_TOKEN`, `AWS_TOKEN` |\n| Passwords | `DB_PASSWORD`, `SERVICE_PASSWORD` |\n| Database URLs | Connection strings with credentials |\n| Cloud Credentials | `AWS_SECRET`, `GCP_TOKEN` |\n\n#### 
3.5 Production Readiness (`analyzeReadiness`)\n\nChecks for deployment readiness issues:\n\n- Missing tool descriptions\n- Missing input schemas\n- No required field validation\n- Overloaded tool scope\n- Destructive tools without safety hints\n\n#### 3.6 OWASP Mapping (`mapToOwasp`)\n\nMaps every finding to the OWASP Agentic Top 10 categories (ASI01–ASI05):\n\n| OWASP ID | Category |\n|----------|----------|\n| ASI01 | Agentic Access Control |\n| ASI02 | Excessive Agency |\n| ASI03 | Hallucinations |\n| ASI04 | Data Leakage |\n| ASI05 | Overreliance |\n\n> Note: the category labels in this table do not match the labels given for the same IDs in the Core Modules Reference (`owasp.mjs` section), and neither table is quoted verbatim from the source. Treat the IDs as stable and confirm the label for each ID against `OWASP_MAP` before citing them in compliance or audit reports.\n\n资料来源：[README.md](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n\n### 4. Scan Orchestration (`scan`)\n\nThe main orchestrator combines all analysis components:\n\n```javascript\nasync function scan({ skills = false } = {}) {\n  // 1. Discover MCP configs from all hosts\n  // 2. For each server, probe via stdio\n  // 3. Run all analysis functions\n  // 4. Collect findings\n  // 5. Generate output based on format\n  return {\n    servers: [...],\n    toxicFlows: [...],\n    skills: [...],\n    summary: {...}\n  };\n}\n```\n\n资料来源：[AGENTS.md](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md)\n\n### 5. 
Output Generation\n\n#### SARIF Output (`toSarif`)\n\nGenerates SARIF 2.1.0 compliant output for CI/CD integration:\n\n```json\n{\n  \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json\",\n  \"version\": \"2.1.0\",\n  \"runs\": [{\n    \"results\": [...],\n    \"tool\": { \"driver\": { \"name\": \"decoy-scan\", \"version\": \"...\" }}\n  }]\n}\n```\n\n#### JSON Output Schema\n\n```json\n{\n  \"timestamp\": \"ISO-8601\",\n  \"hosts\": [\"Claude Desktop\", \"Cursor\"],\n  \"servers\": [{\n    \"name\": \"server-name\",\n    \"hosts\": [\"Claude Desktop\"],\n    \"command\": \"npx\",\n    \"args\": [\"@modelcontextprotocol/server-filesystem\"],\n    \"tools\": [{\n      \"name\": \"read_file\",\n      \"description\": \"...\",\n      \"risk\": \"high\",\n      \"poisoning\": [{ \"type\": \"...\", \"severity\": \"...\", \"description\": \"...\" }]\n    }],\n    \"risk\": \"high\",\n    \"error\": null,\n    \"findings\": [{ \"type\": \"env-exposure\", \"severity\": \"high\", \"description\": \"...\" }]\n  }],\n  \"summary\": { \"total\": 2, \"critical\": 1, \"high\": 1 }\n}\n```\n\n#### Brief Output Schema\n\n```json\n{\n  \"servers\": 3,\n  \"critical\": 1,\n  \"high\": 2,\n  \"medium\": 4,\n  \"low\": 5,\n  \"poisoned\": 0,\n  \"status\": \"fail\",\n  \"exitCode\": 2\n}\n```\n\n资料来源：[AGENTS.md](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md)\n\n### 6. 
Telemetry System\n\nThe telemetry module (v2 envelope) collects usage data that the project describes as anonymized. The envelope fields shown below are environment metadata; whether scan findings, server names or commands are also included is not documented here, so inspect the payload before running in a sensitive environment:\n\n```javascript\n{\n  schema_version: \"2\",\n  event_id: \"uuid\",\n  run_id: \"uuid\",\n  ts: \"ISO-8601\",\n  env: {\n    node: \"v20.x.x\",\n    platform: \"darwin\",\n    arch: \"x64\",\n    ci: false,\n    host: \"claude-desktop\",\n    locale: \"en-US\"\n  }\n}\n```\n\n#### Telemetry Features\n\n| Feature | Description |\n|---------|-------------|\n| Retry Logic | 1 retry with 200→800ms backoff |\n| Persistent Queue | `~/.decoy/telemetry-queue.jsonl` (FIFO, 1000 event cap) |\n| Opt-out | `DECOY_TELEMETRY=0` or `--no-telemetry` flag |\n| First-run Notice | Cached at `~/.decoy/telemetry-notice-shown` |\n\nTelemetry is on by default and is sent over the network at the end of every run, including `--json`/`--sarif` runs in CI (see the flow below). Failed sends are persisted in `~/.decoy/telemetry-queue.jsonl` and retried on later runs, so a queue file accumulates on air-gapped or egress-restricted hosts; set `DECOY_TELEMETRY=0` in such environments. Note that `--no-telemetry` does not appear in the CLI options table below, so confirm it with `--help` on your installed version. Note also that the \"Read-Only\" architecture principle applies to MCP configs only: the scanner does write state under `~/.decoy/`.\n\n资料来源：[CHANGELOG.md](https://github.com/decoy-run/decoy-scan/blob/main/CHANGELOG.md)\n\n## CLI Architecture\n\n```mermaid\ngraph TD\n    A[CLI Entry: bin/cli.mjs] --> B[Parse Arguments]\n    B --> C{Command?}\n    C -->|explain| D[Explain Handler]\n    C -->|scan| E[Scan Handler]\n    C -->|login| F[Auth Handler]\n    D --> G[Resolve against RISK_PATTERNS]\n    E --> H[Initialize scan options]\n    F --> I[Open browser to auth]\n    H --> J[Call scan from index.mjs]\n    J --> K[Format output]\n    K --> L{Format?}\n    L -->|json| M[JSON.stringify]\n    L -->|sarif| N[toSarif]\n    L -->|pretty| O[ANSI colors]\n    L -->|brief| P[Summary object]\n    M --> Q[Send telemetry]\n    N --> Q\n    O --> Q\n    P --> Q\n    Q --> R[Exit with code]\n```\n\n### CLI Options\n\n| Flag | Description |\n|------|-------------|\n| `--json` | Machine-readable JSON output |\n| `--sarif` | SARIF 2.1.0 for CI/CD |\n| `--brief` | Minimal summary object |\n| `--verbose`, `-v` | Show all tools including low-risk |\n| `--quiet`, `-q` | Suppress status output |\n| `--no-probe` | Config-only scan (skip stdio) |\n| `--no-advisories` | Skip the advisory-database lookup, a network call made by default (telemetry is controlled separately) |\n| `--explain <target>` | Explain severity/category/tool (also documented as the `explain` subcommand; see the CLI flow above) |\n| `--version`, `-V` | Print version |\n| `--help`, `-h` | Print help 
|\n\n资料来源：[AGENTS.md](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md)\n\n### Exit Codes\n\n| Code | Meaning |\n|------|---------|\n| `0` | No critical or high-risk issues |\n| `1` | High-risk issues found |\n| `2` | Critical issues, tool poisoning, toxic flows, or policy violation |\n\n## Module Dependency Graph\n\n```mermaid\ngraph LR\n    A[bin/cli.mjs] --> B[index.mjs]\n    B --> C[RISK_PATTERNS]\n    B --> D[POISONING_PATTERNS]\n    B --> E[HOST_CONFIGS]\n    B --> F[SENSITIVE_ENV_PATTERNS]\n    B --> G[OWASP_MAP]\n    C --> H[classifyTool]\n    D --> I[detectPoisoning]\n    E --> J[discoverConfigs]\n    F --> K[analyzeEnvExposure]\n    G --> L[mapToOwasp]\n    H --> M[scan]\n    I --> M\n    J --> M\n    K --> M\n    L --> M\n    M --> N[toSarif]\n    M --> O[JSON Output]\n    M --> P[analyzeReadiness]\n    M --> Q[analyzeServerCommand]\n```\n\n## Library API\n\nThe module can be imported and used programmatically:\n\n```javascript\nimport {\n  scan,\n  toSarif,\n  classifyTool,\n  detectPoisoning,\n  analyzeToxicFlows,\n  hashToolManifest,\n  detectManifestChanges,\n  discoverSkills,\n  analyzeSkill,\n} from 'decoy-scan';\n\nconst results = await scan({ skills: true });\nconsole.log(results.toxicFlows);    // [{ id: \"TF001\", severity: \"critical\", roles: {...} }]\nconsole.log(results.skills);        // [{ name: \"...\", findings: [...] 
}]\nconsole.log(results.servers[0].manifestHash);  // \"45c4c571f03c78a2\"\n```\n\n资料来源：[AGENTS.md](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md)\n\n## Additional Analysis Features\n\n### Toxic Flow Analysis\n\nDetects cross-server data leak (TF001) and destructive (TF002) attack chains:\n\n```javascript\nresults.toxicFlows = [\n  { id: \"TF001\", severity: \"critical\", roles: {...} },\n  { id: \"TF002\", severity: \"high\", roles: {...} }\n];\n```\n\n### Skill Scanning\n\nAnalyzes Claude Code skills for:\n- Prompt injection in skill definitions\n- Hardcoded secrets\n- Suspicious URLs\n\n### Manifest Hashing\n\nTracks tool additions, removals, and description changes between scans:\n\n```javascript\nresults.servers[0].manifestHash  // \"45c4c571f03c78a2\"\n```\n\n### Supply Chain Advisories\n\nCross-references against Decoy advisory database covering 40+ known vulnerable MCP packages.\n\n资料来源：[README.md](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n\n## GitHub Action Integration\n\n```mermaid\ngraph LR\n    A[GitHub Workflow] --> B[decoy-run/decoy-scan@v1]\n    B --> C[Scan MCP Configs]\n    C --> D{Policy Violation?}\n    D -->|Yes| E[Fail Build]\n    D -->|No| F[Upload SARIF]\n    F --> G[GitHub Security Tab]\n```\n\n### Action Inputs\n\n| Input | Default | Description |\n|-------|---------|-------------|\n| `policy` | `no-critical,no-poisoning` | Comma-separated policy rules |\n| `sarif` | `true` | Upload SARIF to GitHub Security tab |\n| `report` | `false` | Upload to Decoy Guard dashboard |\n| `token` | — | Decoy API token (for `report`) |\n| `verbose` | `false` | Show all tools including low-risk |\n\n### Policy Rules\n\n```\nno-critical          Fail on critical tools (code exec, file write)\nno-high              Fail on high-risk tools (file read, network)\nno-poisoning         Fail on prompt injection in tool descriptions\nno-toxic-flows       Fail on cross-server data leak / destructive chains\nno-secrets           Fail on 
secrets exposed in MCP config\nrequire-tripwires    Fail if decoy-tripwire not installed\nmax-critical=N       Fail if more than N critical tools\n```\n\n资料来源：[README.md](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n\n---\n\n<a id='page-4'></a>\n\n## Core Modules Reference\n\n### 相关页面\n\n相关主题：[System Architecture](#page-3), [Security Checks and Detection](#page-5)\n\n<details>\n<summary>相关源码文件</summary>\n\n以下源码文件用于生成本页说明：\n\n- [lib/analyzers.mjs](https://github.com/decoy-run/decoy-scan/blob/main/lib/analyzers.mjs)\n- [lib/patterns.mjs](https://github.com/decoy-run/decoy-scan/blob/main/lib/patterns.mjs)\n- [lib/tier.mjs](https://github.com/decoy-run/decoy-scan/blob/main/lib/tier.mjs)\n- [lib/owasp.mjs](https://github.com/decoy-run/decoy-scan/blob/main/lib/owasp.mjs)\n- [lib/verify.mjs](https://github.com/decoy-run/decoy-scan/blob/main/lib/verify.mjs)\n</details>\n\n# Core Modules Reference\n\nThis reference documents the core modules that power decoy-scan's MCP security scanning engine. 
The tool uses a modular architecture with each library file handling a specific aspect of security analysis, from pattern matching to OWASP compliance mapping. Note that the Installation and System Architecture pages describe all scanner logic as living in a single `index.mjs`; the `lib/*.mjs` layout documented here is not confirmed by those pages, so verify the file names against the repository tree before citing them.\n\n## Architecture Overview\n\n```mermaid\ngraph TD\n    A[CLI Entry] --> B[scan orchestrator]\n    B --> C[analyzers.mjs]\n    B --> D[patterns.mjs]\n    B --> E[tier.mjs]\n    B --> F[owasp.mjs]\n    B --> G[verify.mjs]\n    C --> H[Tool Risk Classification]\n    C --> I[Poisoning Detection]\n    C --> J[Env Exposure Analysis]\n    C --> K[Readiness Heuristics]\n    H --> L[JSON/SARIF Output]\n    I --> L\n    J --> L\n    K --> L\n```\n\n## Module Responsibilities\n\n| Module | Primary Role | Key Exports |\n|--------|-------------|-------------|\n| `analyzers.mjs` | Security analysis engine | `analyzeServerCommand`, `analyzeEnvExposure`, `analyzeReadiness`, `probeServer` |\n| `patterns.mjs` | Pattern definitions | `RISK_PATTERNS`, `POISONING_PATTERNS`, `SENSITIVE_ENV_PATTERNS` |\n| `tier.mjs` | Risk tier classification | `classifyTool`, severity tiers |\n| `owasp.mjs` | OWASP mapping | `OWASP_MAP`, `mapToOwasp` |\n| `verify.mjs` | Policy verification | Security policy enforcement |\n\n## Risk Tier Classification (`tier.mjs`)\n\nThe `tier.mjs` module implements the `classifyTool()` function that evaluates MCP tools against predefined risk patterns. 
Tools are classified into four severity tiers:\n\n```mermaid\ngraph LR\n    A[Tool Name + Description] --> B[classifyTool]\n    B --> C{pattern match}\n    C -->|execute*| D[Critical]\n    C -->|write*| D\n    C -->|eval*| D\n    C -->|read*| E[High]\n    C -->|fetch*| E\n    C -->|delete*| E\n    C -->|search*| F[Medium]\n    C -->|other| G[Low]\n```\n\n### Severity Tiers\n\n| Tier | Description | Example Tools | Exit Code Impact |\n|------|-------------|---------------|------------------|\n| **Critical** | Code execution, file write, data modification | `execute_command`, `write_file`, `evaluate_script` | Exit code 2 |\n| **High** | File read, network access, data deletion | `read_file`, `fetch_url`, `delete_record` | Exit code 1 |\n| **Medium** | Information retrieval, search operations | `search_files`, `list_directory` | Exit code 1 |\n| **Low** | Safe, read-only operations | `get_time`, `ping` | Exit code 0 |\n\n> Note: the \"Exit Code Impact\" given for Medium conflicts with the Exit Codes table (`0` = no critical or high-risk issues), and the example tools differ from those on the System Architecture page (`list_directory` is Medium here while `list_files` is Low there). Do not derive CI gating from this table; rely on the `exitCode` field in `--json`/`--brief` output and on explicit policy rules.\n\n资料来源：[CONTRIBUTING.md](https://github.com/decoy-run/decoy-scan/blob/main/CONTRIBUTING.md)\n\n### Pattern Anchoring\n\nCritical patterns use anchoring (`^` and `$`) to ensure exact matching. The module includes patterns for:\n\n- `^execute[_-]?(script|code|js|javascript|python|sql)$`\n- `^evaluate[_-]?(script|code)$`\n- `^run[_-]?(script|code|js|javascript|python|sql)$`\n- `^eval[_-]?(script|code)$`\n\nAnchoring avoids false positives on longer names that merely contain these words, but it also means a tool whose name does not take one of these exact forms is not caught by the anchored critical patterns (the substring fallback applies only to tools without descriptions). Because the probed server supplies its own tool names and descriptions, classification is a heuristic that an adversarial server can steer: treat a Low or Medium tier as unverified rather than as safe, and read the regex-based poisoning detection below the same way.\n\n资料来源：[CHANGELOG.md](https://github.com/decoy-run/decoy-scan/blob/main/CHANGELOG.md)\n\n## Pattern Definitions (`patterns.mjs`)\n\nThe `patterns.mjs` module contains the security pattern definitions used across all analyzers.\n\n### Poisoning Patterns\n\nDetects prompt injection attacks hidden in tool descriptions. 
The module defines 37 regex patterns across 20 attack categories:\n\n| Category | Severity | Description |\n|----------|----------|-------------|\n| `prompt-override` | Critical | Direct instruction override attempts |\n| `instruction-hijack` | Critical | Hidden system prompt modifications |\n| `credential-harvest` | Critical | Credentials or tokens in descriptions |\n| `data-exfiltration` | High | Data extraction patterns |\n| `tool-shadowing` | High | Tool name override patterns |\n| `concealment` | Medium | Hidden/obfuscated content |\n| `coercive-execution` | High | Force execution patterns |\n| `evasion-techniques` | Medium | Detection evasion attempts |\n\n资料来源：[CONTRIBUTING.md](https://github.com/decoy-run/decoy-scan/blob/main/CONTRIBUTING.md), [AGENTS.md](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md)\n\n### Pattern Structure\n\nEach poisoning pattern follows this schema:\n\n```javascript\n{\n  pattern: /regex/i,           // Regex with case-insensitive flag\n  type: \"category-name\",      // Finding type for OWASP mapping\n  severity: \"critical\",       // critical, high, medium, low\n  description: \"Human-readable explanation\"\n}\n```\n\n### Sensitive Environment Patterns\n\nThe `SENSITIVE_ENV_PATTERNS` constant identifies 12 categories of sensitive credentials:\n\n| Category | Examples |\n|----------|----------|\n| API Keys | `OPENAI_API_KEY`, `ANTHROPIC_API_KEY`, `GITHUB_TOKEN` |\n| Database | `DATABASE_URL`, `DB_PASSWORD`, `REDIS_URL` |\n| Cloud | `AWS_SECRET_KEY`, `AZURE_KEY`, `GCP_TOKEN` |\n| Auth | `JWT_SECRET`, `SESSION_KEY`, `AUTH_TOKEN` |\n\n## Security Analyzers (`analyzers.mjs`)\n\nThe `analyzers.mjs` module contains the core analysis functions that evaluate MCP servers and their tools.\n\n### Server Command Analysis\n\nThe `analyzeServerCommand()` function examines how MCP servers are spawned:\n\n- Pipe-to-shell patterns (`| sh`, `| bash`)\n- Temp directory spawning (`/tmp/`, `$TMPDIR`)\n- Inline code execution\n- 
Typosquatting detection\n- Network tool usage\n\n### Environment Exposure Analysis\n\nThe `analyzeEnvExposure()` function scans environment variables passed to MCP servers, flagging:\n\n- Exposed API keys and tokens\n- Database connection strings\n- Cloud service credentials\n- Private authentication tokens\n\n### Production Readiness Analysis\n\nThe `analyzeReadiness()` function applies heuristics to evaluate production readiness:\n\n```javascript\n// Readiness check pattern\nif (/* condition */) {\n  findings.push({\n    type: \"readiness-check-name\",\n    severity: \"medium\",\n    description: \"What's wrong and why it matters\"\n  });\n}\n```\n\nChecks include:\n- Missing tool descriptions\n- Missing input schemas\n- Tools without required fields\n- Overloaded tool scope\n- Destructive tools without safety hints\n\n### Server Probing\n\nThe `probeServer()` function implements MCP stdio protocol probing:\n\n1. Spawns the server process\n2. Sends JSON-RPC initialize request\n3. Sends tools/list request\n4. Parses and returns tool manifest\n5. 
Terminates server process\n\n## OWASP Mapping (`owasp.mjs`)\n\nThe `owasp.mjs` module maps all findings to the OWASP Agentic Top 10 for 2026.\n\n### OWASP Categories\n\n| Code | Category | Description |\n|------|----------|-------------|\n| ASI01 | Agentic Access Control | Over-privileged agent permissions |\n| ASI02 | Tool Poisoning | Prompt injection in tools |\n| ASI03 | Data Exfiltration | Cross-server data leaks |\n| ASI04 | Unbounded Tool Execution | Tools without safeguards |\n| ASI05 | Supply Chain | Vulnerable dependencies |\n\n资料来源：[README.md](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n\n### Mapping Function\n\nThe `mapToOwasp()` function converts internal finding types to OWASP categories:\n\n```javascript\n// After adding a pattern, add its type to OWASP_MAP\nASI02: [\"prompt-override\", \"instruction-hijack\", \"credential-harvest\"]\n```\n\n## Policy Verification (`verify.mjs`)\n\nThe `verify.mjs` module enforces security policies defined via CLI flags.\n\n### Policy Rules\n\n| Rule | Action |\n|------|--------|\n| `no-critical` | Fail if critical tools found |\n| `no-high` | Fail if high-risk tools found |\n| `no-poisoning` | Fail if prompt injection detected |\n| `no-toxic-flows` | Fail on cross-server attack chains |\n| `no-secrets` | Fail on exposed secrets |\n| `require-tripwires` | Fail if decoy-tripwire not installed |\n| `max-critical=N` | Limit critical tool count |\n\n### Verification Flow\n\n```mermaid\ngraph TD\n    A[Scan Results] --> B[verify.mjs]\n    B --> C{Policy Check}\n    C -->|no-critical| D{critical count > 0?}\n    C -->|no-poisoning| E{poisoning detected?}\n    C -->|no-toxic-flows| F{toxic flows found?}\n    D -->|Yes| G[Exit Code 2]\n    E -->|Yes| G\n    F -->|Yes| G\n    D -->|No| H[Continue]\n    E -->|No| H\n    F -->|No| H\n    H --> I[Exit Code 0 or 1]\n```\n\n## Integration Flow\n\n```mermaid\nsequenceDiagram\n    participant CLI\n    participant scan\n    participant analyzers\n    participant 
patterns\n    participant owasp\n    participant verify\n    participant output\n\n    CLI->>scan: scan({ options })\n    scan->>analyzers: discoverConfigs()\n    analyzers-->>scan: server configs\n    scan->>analyzers: probeServer(server)\n    analyzers-->>scan: tool manifest\n    scan->>patterns: detectPoisoning(tools)\n    patterns-->>scan: poisoning findings\n    scan->>patterns: classifyTool(tool)\n    patterns-->>scan: risk tier\n    scan->>analyzers: analyzeEnvExposure()\n    analyzers-->>scan: env findings\n    scan->>owasp: mapToOwasp(findings)\n    owasp-->>scan: OWASP mappings\n    scan->>verify: checkPolicy(results)\n    verify-->>CLI: exitCode\n    scan->>output: toSarif(results)\n    output-->>CLI: SARIF report\n```\n\n## Export Summary\n\nThe library can be imported directly:\n\n```javascript\nimport {\n  scan,\n  toSarif,\n  classifyTool,\n  detectPoisoning,\n  analyzeToxicFlows,\n  hashToolManifest,\n  detectManifestChanges,\n  discoverSkills,\n  analyzeSkill,\n} from 'decoy-scan';\n\nconst results = await scan({ skills: true });\n```\n\nKey exports include:\n- `scan()` — Full scan orchestrator\n- `toSarif()` — SARIF 2.1.0 output generator\n- `classifyTool()` — Tool risk classification\n- `detectPoisoning()` — Prompt injection detection\n- `analyzeToxicFlows()` — Cross-server attack chain analysis\n- `hashToolManifest()` — Tool manifest hashing\n- `detectManifestChanges()` — Change tracking between scans\n\n资料来源：[README.md](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n\n---\n\n<a id='page-5'></a>\n\n## Security Checks and Detection\n\n### 相关页面\n\n相关主题：[Supply Chain and Advisory Database](#page-6), [Skill Scanning](#page-7), [Output Formats and Policy Configuration](#page-10)\n\n<details>\n<summary>Relevant Source Files</summary>\n\n以下源码文件用于生成本页说明：\n\n- [index.mjs](https://github.com/decoy-run/decoy-scan/blob/main/index.mjs) - Main scanner implementation containing RISK_PATTERNS, POISONING_PATTERNS, SENSITIVE_ENV_PATTERNS, 
classifyTool(), detectPoisoning(), analyzeEnvExposure(), analyzeReadiness(), mapToOwasp(), and other security detection functions\n- [bin/cli.mjs](https://github.com/decoy-run/decoy-scan/blob/main/bin/cli.mjs) - CLI interface and scan orchestration\n- [AGENTS.md](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md) - Agent reference documentation\n- [README.md](https://github.com/decoy-run/decoy-scan/blob/main/README.md) - Project overview and feature documentation\n- [CONTRIBUTING.md](https://github.com/decoy-run/decoy-scan/blob/main/CONTRIBUTING.md) - Code structure and development guide\n- [CHANGELOG.md](https://github.com/decoy-run/decoy-scan/blob/main/CHANGELOG.md) - Version history\n</details>\n\n# Security Checks and Detection\n\n## Overview\n\ndecoy-scan implements a comprehensive multi-layered security detection system for MCP (Model Context Protocol) servers. The scanner analyzes MCP client configurations, probes running servers, and evaluates tools against various threat categories including prompt injection, credential exposure, dangerous command execution, and supply chain vulnerabilities.\n\n资料来源：[README.md:37-51]()\n\nThe detection engine operates across eight primary security dimensions, providing both static configuration analysis and dynamic runtime probing to identify risks before they can be exploited. Note that the runtime probing step is not passive: `probeServer()` spawns each configured server command in order to request its tool list, so scanning a configuration you do not trust executes that server's code on the scanning host with the scanner's privileges. Run scans of untrusted or third-party configurations in an isolated environment, and review the server commands (see Server Command Analysis below) before probing them anywhere else.\n\n## Architecture Overview\n\n```mermaid\ngraph TD\n    A[MCP Client Configs] --> B[Config Discovery]\n    B --> C[Server Command Analysis]\n    B --> D[Environment Variable Analysis]\n    C --> E[Server Probing]\n    E --> F[Tool Risk Classification]\n    E --> G[Poisoning Detection]\n    E --> H[Readiness Checks]\n    F --> I[Toxic Flow Analysis]\n    G --> I\n    H --> I\n    I --> J[OWASP Mapping]\n    J --> K[SARIF/JSON Output]\n    D --> K\n```\n\n## Detection Layers\n\n### 1. Tool Risk Classification\n\nThe scanner classifies every discovered tool into severity tiers based on name patterns and description analysis. 
Risk levels follow a four-tier system:\n\n| Tier | Risk Level | Description | Exit Code Impact |\n|------|------------|-------------|------------------|\n| Critical | Critical | Can execute code, modify data, or cause irreversible changes | Exit code 2 |\n| High | High | File system access, network operations | Exit code 1 |\n| Medium | Medium | Information disclosure potential | Exit code 0 |\n| Low | Low | Minimal risk, read-only operations | Exit code 0 |\n\n资料来源：[AGENTS.md:85-90]()\n\n#### Classification Mechanism\n\nTool classification uses the `classifyTool()` function which applies regex pattern matching against both tool names and descriptions. The `RISK_PATTERNS` object defines critical patterns including:\n\n- `execute_command`, `run_shell`, `bash`, `exec` — command execution\n- `write_file`, `create_file`, `update_file` — file modification\n- `delete_file`, `remove_file` — destructive operations\n- `evaluate_script`, `execute_script`, `run_javascript`, `run_python`, `run_sql` — code evaluation variants\n- `spawn`, `fork`, `child_process` — process spawning\n\n资料来源：[CONTRIBUTING.md:15-16]()\n\nThe substring fallback mechanism matches against lowercased tool names, ensuring risky verbs like `evaluate`, `spawn`, and `fetch` classify correctly even when no description is provided.\n\n### 2. Prompt Injection Detection\n\nPrompt injection detection identifies malicious content hidden within tool descriptions. 
The system uses 37 regex patterns across 20 attack categories:\n\n| Category | Severity | Description |\n|----------|----------|-------------|\n| instruction-override | Critical | Overrides agent instructions |\n| role-assumption | Critical | Impersonates system roles |\n| concealed-commands | High | Hidden command instructions |\n| privilege-escalation | High | Attempts to gain elevated access |\n| context-manipulation | Medium | Manipulates conversation context |\n| data-exfiltration | High | Extracts sensitive information |\n| credential-harvesting | Critical | Collects authentication credentials |\n| coercion | High | Forces specific behaviors |\n| tool-shadowing | Critical | Masks legitimate tool behavior |\n\n资料来源：[README.md:37-40]()\n\nThe `detectPoisoning()` function scans tool descriptions against `POISONING_PATTERNS`, identifying injection attempts that could compromise agent behavior.\n\n#### Poisoning Pattern Structure\n\nEach pattern in `POISONING_PATTERNS` follows this schema:\n\n```javascript\n{\n  pattern: /regex/i,           // Match criteria\n  type: \"category-name\",       // Finding type for OWASP mapping\n  severity: \"critical\",         // critical, high, medium, low\n  description: \"Human-readable\" // Display message\n}\n```\n\n资料来源：[CONTRIBUTING.md:33-40]()\n\n### 3. Server Command Analysis\n\nThe `analyzeServerCommand()` function examines how MCP servers are spawned, detecting suspicious invocation patterns:\n\n- **Pipe-to-shell patterns** — Commands using `|` to pipe output to shell interpreters\n- **Temp directory spawning** — Servers running from `/tmp` or similar writable locations\n- **Inline code execution** — Commands with embedded code strings\n- **Typosquatting detection** — Package names similar to legitimate tools\n- **Network tool usage** — Presence of `curl`, `wget`, or other network utilities\n\nThis analysis operates on configuration data without requiring server execution.\n\n### 4. 
Environment Variable Exposure Detection\n\nThe `analyzeEnvExposure()` function identifies sensitive environment variables being passed to MCP servers. It checks against `SENSITIVE_ENV_PATTERNS` covering 12 categories:\n\n| Category | Examples |\n|----------|----------|\n| API Keys | `OPENAI_API_KEY`, `ANTHROPIC_API_KEY`, `AWS_ACCESS_KEY_ID` |\n| Tokens | `GITHUB_TOKEN`, `GITLAB_TOKEN`, `SLACK_TOKEN` |\n| Database Credentials | `DB_PASSWORD`, `POSTGRES_PASSWORD`, `MONGO_URI` |\n| Cloud Credentials | `AWS_SECRET_ACCESS_KEY`, `AZURE_CLIENT_SECRET` |\n| Private Keys | `SSH_PRIVATE_KEY`, `GPG_KEY` |\n\n资料来源：[CONTRIBUTING.md:21-22]()\n\n### 5. Production Readiness Checks\n\nThe `analyzeReadiness()` function applies heuristics to evaluate production readiness:\n\n| Check | Severity | Description |\n|-------|----------|-------------|\n| Missing descriptions | Medium | Tools without documentation |\n| Missing schemas | Medium | Tools without input validation schemas |\n| No required fields | Medium | Unvalidated parameter acceptance |\n| Overloaded scope | Medium | Tools performing multiple unrelated operations |\n| Destructive tools without safety hints | Low | Dangerous operations lacking warnings |\n\n资料来源：[CONTRIBUTING.md:23-24]()\n\n### 6. Toxic Flow Analysis\n\nToxic flow detection identifies dangerous cross-server data leakage patterns. Two primary flow types are detected:\n\n| Flow ID | Severity | Description |\n|---------|----------|-------------|\n| TF001 | Critical | Cross-server data leak — data read by one server flows to another |\n| TF002 | Critical | Destructive attack chain — combined operations cause irreversible damage |\n\n资料来源：[README.md:43-44]()\n\nThe `analyzeToxicFlows()` function examines the interaction patterns between multiple MCP servers to identify these attack vectors.\n\n### 7. 
Tool Manifest Hashing\n\nManifest hashing tracks changes in the tool list exposed by MCP servers:\n\n```javascript\nconst results = await scan({ skills: true });\nconsole.log(results.servers[0].manifestHash);  // \"45c4c571f03c78a2\"\n```\n\nThe `hashToolManifest()` and `detectManifestChanges()` functions detect:\n- Tool additions (potential malicious injection)\n- Tool removals (potential functionality loss)\n- Description changes (potential poisoning updates)\n\nA changed hash only shows that the manifest differs from the baseline you recorded; it cannot distinguish a legitimate upstream update from a malicious one, so treat every reported change as a reason to re-read the new tool descriptions (and re-run poisoning detection on them) before accepting the new baseline.\n\n资料来源：[AGENTS.md:101-105]()\n\n### 8. Skill Scanning\n\nFor Claude Code environments, the scanner performs additional analysis on skills:\n\n- Prompt injection detection in skill prompts\n- Hardcoded secret detection\n- Suspicious URL identification\n\nThe `discoverSkills()` and `analyzeSkill()` functions implement this analysis.\n\n## OWASP Agentic Top 10 Mapping\n\nAll findings are mapped to the OWASP Agentic Top 10 for Agentic Applications using the `mapToOwasp()` function with `OWASP_MAP`. The mapping covers ASI01 through ASI05 categories:\n\n| OWASP Code | Category | Mapped From |\n|------------|----------|-------------|\n| ASI01 | Sensitive Action Without Confirmation | Critical tool findings |\n| ASI02 | Tool Poisoning | Poisoning pattern matches |\n| ASI03 | Over-Privileged Tool Scope | Readiness check failures |\n| ASI04 | Sandbox Escape | Command execution patterns |\n| ASI05 | Context Length Exhaustion | Heavy tool descriptions |\n\n> **Consistency note:** the category titles in this table differ from those given in the `owasp.mjs` section of this document (ASI01 *Agentic Access Control*, ASI03 *Data Exfiltration*, ASI04 *Unbounded Tool Execution*, ASI05 *Supply Chain*) and from those on the Skill Scanning page, and none of these tables should be assumed to reproduce the published OWASP Agentic Top 10 wording. Before citing an ASI code in a compliance report, confirm the finding-type-to-category assignment against `OWASP_MAP` in the source and against the current OWASP list rather than against this table.\n\n资料来源：[README.md:50]()\n\n## Scan Orchestration\n\nThe `scan()` function orchestrates all security checks in the following sequence:\n\n```mermaid\ngraph LR\n    A[Discover Hosts] --> B[Find Server Configs]\n    B --> C[Analyze Commands]\n    C --> D[Probe Servers]\n    D --> E[Classify Tools]\n    E --> F[Detect Poisoning]\n    F --> G[Check Readiness]\n    G --> H[Analyze Flows]\n    H --> I[Map to OWASP]\n    I --> J[Generate Output]\n```\n\n## Output Formats\n\n### SARIF Output\n\nThe `toSarif()` function generates SARIF 2.1.0 format output suitable for CI/CD 
integration and GitHub Security tab uploads.\n\n### JSON Output Schema\n\n```json\n{\n  \"timestamp\": \"ISO-8601\",\n  \"hosts\": [\"Claude Desktop\", \"Cursor\"],\n  \"servers\": [{\n    \"name\": \"server-name\",\n    \"hosts\": [\"Claude Desktop\"],\n    \"command\": \"npx\",\n    \"args\": [\"@modelcontextprotocol/server-filesystem\"],\n    \"tools\": [{\n      \"name\": \"read_file\",\n      \"description\": \"...\",\n      \"risk\": \"high\",\n      \"poisoning\": [{ \"type\": \"...\", \"severity\": \"...\", \"description\": \"...\" }]\n    }],\n    \"risk\": \"high\",\n    \"findings\": [{\n      \"type\": \"env-exposure\",\n      \"severity\": \"high\",\n      \"description\": \"...\"\n    }]\n  }],\n  \"summary\": {\n    \"total\": 2, \"critical\": 1, \"high\": 1\n  }\n}\n```\n\n资料来源：[AGENTS.md:53-71]()\n\n## Exit Codes\n\n| Code | Meaning | Condition |\n|------|---------|-----------|\n| 0 | Clean | No critical or high-risk issues |\n| 1 | Warning | High-risk issues found |\n| 2 | Failure | Critical issues, tool poisoning, or toxic flows |\n\nThe `exitCode` field is also surfaced in JSON and `--brief` output for programmatic consumption.\n\n## Policy Enforcement\n\nThe `--policy` flag enables CI/CD policy gates:\n\n| Rule | Behavior |\n|------|----------|\n| `no-critical` | Fail on critical tools |\n| `no-high` | Fail on high-risk tools |\n| `no-poisoning` | Fail on prompt injection |\n| `no-toxic-flows` | Fail on cross-server leaks |\n| `no-secrets` | Fail on exposed secrets |\n| `require-tripwires` | Fail if decoy-tripwire not installed |\n\n资料来源：[README.md:66-77]()\n\n## Explain Functionality\n\nThe `explain` subcommand provides context for findings without running a full scan:\n\n```bash\ndecoy-scan explain critical          # Severity tier explanation\ndecoy-scan explain tool-description  # Finding category details\ndecoy-scan explain prompt-override   # Poisoning type explanation\ndecoy-scan explain evaluate_script   # Tool classification 
reasoning\n```\n\nExplanations resolve against the same patterns used by the scanner, ensuring consistency between detection and documentation.\n\n## CLI Integration\n\nThe GitHub Action integration provides automated security scanning:\n\n```yaml\n- uses: decoy-run/decoy-scan@v1\n  with:\n    policy: no-critical,no-poisoning,no-toxic-flows\n    sarif: true\n```\n\nResults are uploaded to the GitHub Security tab via the SARIF format.\n\n## Summary Table of Detection Capabilities\n\n| Detection Type | Function | Patterns/Checks | Exit Code |\n|----------------|----------|-----------------|-----------|\n| Tool Risk | `classifyTool()` | Name + description matching | 0/1/2 |\n| Poisoning | `detectPoisoning()` | 37 regex patterns | 2 |\n| Command | `analyzeServerCommand()` | 5 pattern categories | 1/2 |\n| Env Exposure | `analyzeEnvExposure()` | 12 credential categories | 1/2 |\n| Readiness | `analyzeReadiness()` | 5 heuristic checks | 0/1 |\n| Toxic Flows | `analyzeToxicFlows()` | TF001, TF002 | 2 |\n| Manifest Hash | `hashToolManifest()` | Change detection | 1 |\n| Skill Scan | `analyzeSkill()` | Injection + secrets | 1/2 |\n\n资料来源：[index.mjs](), [bin/cli.mjs]()\n\n---\n\n<a id='page-6'></a>\n\n## Supply Chain and Advisory Database\n\n### 相关页面\n\n相关主题：[Security Checks and Detection](#page-5), [Skill Scanning](#page-7)\n\n<details>\n<summary>相关源码文件</summary>\n\n以下源码文件用于生成本页说明：\n\n- [index.mjs](https://github.com/decoy-run/decoy-scan/blob/main/index.mjs)\n- [lib/advisories.mjs](https://github.com/decoy-run/decoy-scan/blob/main/lib/advisories.mjs)\n- [lib/constants.mjs](https://github.com/decoy-run/decoy-scan/blob/main/lib/constants.mjs)\n- [bin/cli.mjs](https://github.com/decoy-run/decoy-scan/blob/main/bin/cli.mjs)\n- [AGENTS.md](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md)\n- [CONTRIBUTING.md](https://github.com/decoy-run/decoy-scan/blob/main/CONTRIBUTING.md)\n- [README.md](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n</details>\n\n# 
Supply Chain and Advisory Database\n\n## Overview\n\nThe Supply Chain and Advisory Database module in decoy-scan provides security checks against a curated database of known vulnerable MCP packages. This feature enables automated cross-referencing of configured MCP servers against known supply chain threats, helping organizations identify and mitigate risks from third-party dependencies before attackers can exploit them.\n\nThe advisory system is designed to be non-intrusive and fast. It performs network lookups against the Decoy advisory database to fetch security intelligence about MCP packages, with built-in retry logic and offline fallbacks to ensure scanning reliability.\n\nTwo properties of this design matter when deploying the scanner. First, the lookup sends the names of your configured MCP packages to the advisory endpoint as a query string (`GET /api/advisories?<packages>`), which discloses part of your agent tooling inventory to that service and to any proxy or log that records request URLs; use `--no-advisories` in air-gapped or confidentiality-sensitive environments. Second, when the API is unreachable the scanner falls back to cached or local data, so an advisory check that reports nothing during an outage may simply be stale—confirm that the live lookup succeeded before treating an empty advisory result as a pass. Because `--api-url` / `DECOY_API_URL` accept an arbitrary endpoint, keep that setting under configuration control and HTTPS-only: whoever controls the endpoint controls which advisories you see.\n\n## Architecture\n\n```mermaid\ngraph TD\n    A[scan] --> B[Discover MCP Configs]\n    B --> C[For Each Server]\n    C --> D[Probe Server via Stdio]\n    D --> E[Fetch Tool List]\n    E --> F[Run Security Checks]\n    F --> G{Tool Risk Classification}\n    F --> H{Poisoning Detection}\n    F --> I{Supply Chain Advisories}\n    \n    I --> J[HTTP GET /api/advisories?<packages>]\n    J --> K{API Available?}\n    K -->|Yes| L[Cache Response]\n    K -->|No| M[Retry 1x]\n    M -->|Fail| N[Fallback to Local]\n    \n    L --> O[Apply Findings]\n    N --> O\n```\n\n## Core Components\n\n### Advisory Database Integration\n\nThe supply chain advisory system integrates with an external Decoy advisory database via HTTP API calls. 
When scanning MCP configurations, the system extracts package identifiers from server configurations and queries the advisory database for known vulnerabilities.\n\n```javascript\n// Conceptual flow from index.mjs\nconst advisories = await fetchAdvisories(packageList);\n```\n\n**资料来源:** [index.mjs:scan()](https://github.com/decoy-run/decoy-scan/blob/main/index.mjs)\n\n### Advisory Data Structure\n\nAdvisory records returned from the database contain the following fields:\n\n| Field | Type | Description |\n|-------|------|-------------|\n| `package` | string | NPM package name or MCP server identifier |\n| `severity` | string | critical, high, medium, or low |\n| `title` | string | Brief description of the vulnerability |\n| `description` | string | Detailed advisory information |\n| `cve` | string | CVE identifier (if available) |\n| `recommendation` | string | Suggested remediation steps |\n\n### Network Layer\n\nThe advisory fetcher implements resilient network handling:\n\n```mermaid\nsequenceDiagram\n    participant Scanner\n    participant API as Decoy API\n    participant Cache\n    \n    Scanner->>API: GET /api/advisories?packages=...\n    API-->>Scanner: 200 OK (advisory data)\n    Scanner->>Cache: Store response\n    Note over Scanner: 1 retry with 200-800ms backoff\n    \n    Scanner->>API: GET /api/advisories?packages=...\n    API-->>Scanner: 5xx Error\n    Scanner->>API: Retry after backoff\n    API-->>Scanner: Still failing\n    Scanner->>Scanner: Fallback to cached/local data\n```\n\n**资料来源:** [CHANGELOG.md:0.7.0](https://github.com/decoy-run/decoy-scan/blob/main/CHANGELOG.md)\n\n## Configuration Options\n\n### CLI Flags\n\n| Flag | Default | Description |\n|------|---------|-------------|\n| `--no-advisories` | false | Skip supply chain advisory checks |\n| `--advisory-cache` | ~/.decoy/advisory-cache.json | Local cache file path |\n| `--api-url` | https://api.decoy.run | Override advisory API endpoint |\n\n### Environment Variables\n\n| Variable | 
Description |\n|----------|-------------|\n| `DECOY_API_URL` | Custom API endpoint for advisory lookups |\n| `DECOY_API_TOKEN` | Authentication token for premium advisories |\n\n## Advisory Categories\n\nThe Decoy advisory database covers multiple vulnerability categories relevant to MCP servers:\n\n| Category | Description | Example |\n|----------|-------------|---------|\n| Code Execution | Vulnerabilities allowing arbitrary code execution | Malicious npm package with postinstall script |\n| Data Exfiltration | Packages that leak sensitive information | Telemetry packages with credential harvesting |\n| Dependency Confusion | Typosquatting or substitution attacks | `mcp-server` vs `mc-p-server` |\n| Known Exploits | CVE-assigned vulnerabilities with active exploitation | Remote code execution in popular MCP packages |\n\n**资料来源:** [README.md:What it checks](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n\n## Scan Integration\n\n### Scan Categories\n\nThe supply chain advisory check is one of nine scan categories in decoy-scan:\n\n| Check | Priority |\n|-------|----------|\n| Tool risk classification | 1 |\n| Tool poisoning detection | 2 |\n| **Supply chain advisories** | 3 |\n| Server command analysis | 4 |\n| Environment variable exposure | 5 |\n| Production readiness | 6 |\n| Toxic flow analysis | 7 |\n| Manifest change tracking | 8 |\n| Transport security | 9 |\n\n**资料来源:** [AGENTS.md:Scan Categories](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md)\n\n### Integration with Tool Classification\n\nAdvisory findings are combined with tool risk classification results to produce comprehensive security reports:\n\n```javascript\n// Simplified integration flow\nconst toolRisk = classifyTool(toolName, toolDescription);\nconst advisoryInfo = await lookupAdvisory(serverPackage);\nconst combinedRisk = mergeRiskScores(toolRisk, advisoryInfo);\n```\n\n**资料来源:** 
[index.mjs:classifyTool()](https://github.com/decoy-run/decoy-scan/blob/main/index.mjs)\n\n## Output Integration\n\n### JSON Output\n\nAdvisory findings appear in the JSON output under each server's `findings` array:\n\n```json\n{\n  \"servers\": [{\n    \"name\": \"example-mcp-server\",\n    \"findings\": [{\n      \"type\": \"supply-chain-advisory\",\n      \"severity\": \"high\",\n      \"package\": \"@example/mcp-server\",\n      \"description\": \"Known vulnerability in version < 1.2.0\",\n      \"cve\": \"CVE-2024-1234\",\n      \"recommendation\": \"Upgrade to version 1.2.0 or later\"\n    }]\n  }]\n}\n```\n\n### SARIF Output\n\nAdvisory findings are also exported in SARIF 2.1.0 format for CI/CD integration:\n\n```json\n{\n  \"results\": [{\n    \"ruleId\": \"decoy-advisory-HIGH-001\",\n    \"level\": \"warning\",\n    \"message\": {\n      \"text\": \"Package @example/mcp-server has known vulnerability CVE-2024-1234\"\n    }\n  }]\n}\n```\n\n**资料来源:** [README.md:Structured output for agents](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n\n## Telemetry and Analytics\n\nThe supply chain advisory system includes anonymized telemetry to help improve the advisory database:\n\n| Event | Purpose |\n|-------|---------|\n| `scan.discovery` | Records which hosts and servers were scanned |\n| `scan.complete` | Final scan results including advisory findings |\n| `scan.uploaded` | Indicates when results were uploaded to dashboard |\n\nTelemetry includes environment metadata (Node version, platform, architecture) but no sensitive user data. 
Users can opt out via `DECOY_TELEMETRY=0` or the `--no-telemetry` flag. Note that the `scan.discovery` and `scan.complete` events listed above carry the hosts and servers that were scanned and the scan findings themselves—in effect a description of your agent tooling and its weaknesses—so the statement that no sensitive user data is sent should be read narrowly. In CI pipelines and regulated environments, set `DECOY_TELEMETRY=0` (or pass `--no-telemetry`) explicitly rather than relying on the default, and confirm the opt-out is honoured by the installed version, since this behaviour is documented here from the changelog rather than from the code.\n\n**资料来源:** [CHANGELOG.md:0.7.0](https://github.com/decoy-run/decoy-scan/blob/main/CHANGELOG.md)\n\n## Performance Considerations\n\n### Timeout Configuration\n\nAdvisory API calls use aggressive timeouts to maintain scan performance:\n\n| Setting | Value | Rationale |\n|---------|-------|-----------|\n| Connection timeout | 2000ms | Fast failure on unreachable API |\n| Read timeout | 5000ms | Allow for large response payloads |\n| Retry attempts | 1 | Minimize latency impact |\n\n### Caching Strategy\n\nAdvisory responses are cached locally to reduce API calls:\n\n```mermaid\ngraph LR\n    A[Scan Start] --> B{Cache Hit?}\n    B -->|Yes| C[Use Cached Data]\n    B -->|No| D[Query API]\n    D --> E[Store in Cache]\n    E --> C\n    C --> F[Continue Scan]\n```\n\nCache location is platform-aware:\n\n| Platform | Cache Path |\n|----------|------------|\n| macOS | `~/.decoy/advisory-cache.json` |\n| Linux | `~/.decoy/advisory-cache.json` |\n| Windows | `%APPDATA%/.decoy/advisory-cache.json` |\n\nThe cache is used on a hit and again as the fallback when the API is unavailable, so treat the cache file as trusted input: any user or process that can write to it can suppress advisories for the packages it names. Keep it writable by the scanning user only, and delete it (or pass a fresh `--advisory-cache` path) when you need to force a live lookup.\n\n**资料来源:** [AGENTS.md:Supported Hosts](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md)\n\n## Extensibility\n\n### Adding New Advisory Categories\n\nTo extend the advisory system with new vulnerability categories, modify the pattern definitions in the constants module:\n\n```javascript\n// In lib/constants.mjs\nexport const ADVISORY_CATEGORIES = {\n  // ... 
existing categories\n  NEW_CATEGORY: {\n    pattern: /new-vulnerability-pattern/i,\n    severity: \"medium\",\n    description: \"Description of new vulnerability type\"\n  }\n};\n```\n\n### Custom Advisory Sources\n\nOrganizations can integrate private advisory databases by implementing a custom advisory fetcher:\n\n```javascript\nimport { createAdvisoryFetcher } from './lib/advisories.mjs';\n\nconst customFetcher = createAdvisoryFetcher({\n  apiUrl: 'https://internal.advisories.example.com',\n  apiToken: process.env.INTERNAL_ADVISORY_TOKEN\n});\n```\n\n**资料来源:** [CONTRIBUTING.md:Code Structure](https://github.com/decoy-run/decoy-scan/blob/main/CONTRIBUTING.md)\n\n## Exit Codes and Policy Enforcement\n\nAdvisory findings affect the scan exit code:\n\n| Exit Code | Condition |\n|-----------|-----------|\n| `0` | No critical or high-risk issues, no advisories |\n| `1` | High-risk advisories found |\n| `2` | Critical advisories found |\n\nPolicy gates can be configured via CLI:\n\n```bash\ndecoy-scan --policy no-critical,no-high\n```\n\n**资料来源:** [README.md:Exit codes](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n\n## See Also\n\n- [CLI Reference](AGENTS.md) - Full CLI documentation including advisory flags\n- [Contributing Guide](CONTRIBUTING.md) - How to extend the advisory system\n- [GitHub Action](README.md#-github-action) - CI/CD integration with policy enforcement\n\n---\n\n<a id='page-7'></a>\n\n## Skill Scanning\n\n### 相关页面\n\n相关主题：[Security Checks and Detection](#page-5), [CLI Reference](#page-8)\n\n<details>\n<summary>相关源码文件</summary>\n\n以下源码文件用于生成本页说明：\n\n- [lib/skills.mjs](https://github.com/decoy-run/decoy-scan/blob/main/lib/skills.mjs)\n- [lib/discovery.mjs](https://github.com/decoy-run/decoy-scan/blob/main/lib/discovery.mjs)\n- [index.mjs](https://github.com/decoy-run/decoy-scan/blob/main/index.mjs)\n- [bin/cli.mjs](https://github.com/decoy-run/decoy-scan/blob/main/bin/cli.mjs)\n- 
[AGENTS.md](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md)\n</details>\n\n# Skill Scanning\n\nSkill Scanning is a security analysis feature in decoy-scan that detects vulnerabilities within Claude Code skills. It scans skill definitions for prompt injection payloads, hardcoded secrets, and suspicious URLs that could compromise agent safety.\n\n## Overview\n\nSkill Scanning operates as part of the broader MCP (Model Context Protocol) security assessment suite. While tool scanning analyzes the risk profile of MCP server tools, skill scanning focuses on identifying malicious content embedded within skill definitions that could be exploited during agent execution.\n\n技能扫描与工具扫描的核心区别在于：工具扫描评估 MCP 服务器提供的工具能力风险，而技能扫描检查本地定义的技能文件中可能被恶意利用的内容。\n\n## Architecture\n\nThe skill scanning subsystem consists of three primary components that work together to provide comprehensive skill security analysis:\n\n```mermaid\ngraph TD\n    A[Skill Definitions] --> B[discoverSkills]\n    B --> C{Skill Files Found?}\n    C -->|Yes| D[analyzeSkill]\n    C -->|No| E[Skip Analysis]\n    D --> F[Skill Findings Array]\n    F --> G[Integration into scan Results]\n    \n    H[Poisoning Patterns] --> D\n    I[Secret Patterns] --> D\n    J[URL Patterns] --> D\n```\n\nThe architecture follows a two-phase approach: first discovering skill definitions across the filesystem, then analyzing each discovered skill for multiple categories of security issues.\n\n## Core Functions\n\n### discoverSkills()\n\nThe `discoverSkills()` function searches for Claude Code skill definition files in the project directory. 
It recursively traverses the filesystem to locate `.mdc` files that contain skill definitions.\n\n| Property | Value |\n|----------|-------|\n| Function Name | `discoverSkills` |\n| Module | `lib/skills.mjs` |\n| Return Type | `Promise<Skill[]>` |\n| Side Effects | Read-only filesystem scan |\n\n技能发现采用递归目录遍历策略，从当前工作目录开始搜索 `.mdc` 扩展名的文件。\n\n### analyzeSkill(skill)\n\nThe `analyzeSkill()` function performs deep security analysis on an individual skill definition. It evaluates the skill content against multiple pattern sets to detect various attack vectors.\n\n分析函数对每个技能执行三类安全检查：\n- 提示注入检测 (Prompt Injection Detection)\n- 硬编码密钥检测 (Hardcoded Secret Detection)\n- 可疑 URL 检测 (Suspicious URL Detection)\n\n### Integration with scan()\n\nIn the main scan orchestration, skills are discovered and analyzed when the `skills` option is enabled:\n\n```javascript\nconst results = await scan({ skills: true });\nconsole.log(results.skills);  // [{ name: \"...\", findings: [...] }]\n```\n\n资料来源：[README.md](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n\n## Finding Categories\n\nSkill scanning identifies three primary categories of security issues:\n\n### Prompt Injection Detection\n\nDetects prompt injection payloads hidden within skill descriptions. These attacks embed malicious instructions that could override agent behavior when the skill is executed.\n\n| Severity | Description |\n|----------|--------------|\n| Critical | Active prompt override instructions |\n| High | Concealment techniques hiding true intent |\n| Medium | Subtle manipulation hints |\n\n### Hardcoded Secrets\n\nIdentifies API keys, tokens, passwords, and other credentials accidentally embedded in skill definitions. This finding type aligns with OWASP credential exposure categories.\n\n### Suspicious URLs\n\nDetects references to potentially malicious or untrusted URLs within skill content. 
URLs to external resources could lead agents to compromised servers or phishing pages.\n\n## Output Structure\n\nWhen skill scanning is enabled, the scan results include a `skills` array containing analysis results for each discovered skill:\n\n```json\n{\n  \"skills\": [\n    {\n      \"name\": \"skill-name\",\n      \"path\": \"/path/to/skill.mdc\",\n      \"findings\": [\n        {\n          \"type\": \"prompt-injection\",\n          \"severity\": \"high\",\n          \"description\": \"...\",\n          \"source\": \"skill-content\"\n        }\n      ]\n    }\n  ]\n}\n```\n\nThe `skills` findings are integrated into the overall scan results alongside tool risk classifications, poisoning detections, and toxic flow analysis.\n\n资料来源：[README.md](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n\n## Usage\n\n### CLI Usage\n\nThe Configuration table below lists `skills` as enabled by default, but other sections of this document pass `skills: true` to `scan()` explicitly and describe skill analysis as running only when the `skills` option is enabled. Verify the effective default in `bin/cli.mjs` and `index.mjs` before assuming that a bare `npx decoy-scan` covers skills; a skill with an injected prompt that is never scanned produces no finding and a clean exit code. To see every discovered skill and its findings, run with verbose output:\n\n```bash\nnpx decoy-scan --verbose\n```\n\nThe `--verbose` flag reveals all discovered skills and their findings, including those previously hidden in standard output.\n\n### Programmatic Usage\n\n```javascript\nimport { discoverSkills, analyzeSkill } from 'decoy-scan';\n\n// Discover all skills in the project\nconst skills = await discoverSkills();\n\n// Analyze each skill individually\nfor (const skill of skills) {\n  const analysis = await analyzeSkill(skill);\n  console.log(`${skill.name}: ${analysis.findings.length} issues`);\n}\n```\n\n## Configuration\n\nSkill scanning behavior can be controlled through scan options:\n\n| Option | Type | Default | Description |\n|--------|------|---------|-------------|\n| `skills` | `boolean` | `true` | Enable/disable skill scanning |\n| `verbose` | `boolean` | `false` | Show detailed skill findings |\n\n## OWASP Mapping\n\nSkill findings are mapped to the OWASP Agentic Top 10 categories where applicable:\n\n| Finding Type | OWASP Category |\n|--------------|----------------|\n| Prompt Injection | ASI01 - 
Prompt Injection |\n| Hardcoded Secrets | ASI04 - Sensitive Data Disclosure |\n| Suspicious URLs | ASI02 - Visualization Overflow |\n\nThe `OWASP_MAP` in the main scanner correlates skill finding types with their corresponding OWASP classifications for compliance reporting.\n\n资料来源：[CONTRIBUTING.md](https://github.com/decoy-run/decoy-scan/blob/main/CONTRIBUTING.md)\n\n## Discovery Process\n\nThe skill discovery process in `lib/discovery.mjs` locates Claude Code skill files through a structured search pattern:\n\n1. **Directory Traversal**: Recursively scan project directories\n2. **Pattern Matching**: Identify files matching skill definition patterns\n3. **Path Resolution**: Build absolute paths for discovered skills\n4. **Metadata Extraction**: Parse skill name and metadata from definitions\n\n技能发现是只读操作，不会修改任何文件系统内容。所有发现的文件路径都被规范化为绝对路径以便后续分析。\n\n## Integration Points\n\nSkill scanning integrates with several other decoy-scan subsystems:\n\n- **Tool Manifest Hashing**: Skills may reference tools whose manifests are hashed\n- **SARIF Export**: Skill findings appear in SARIF output under the appropriate rules\n- **Policy Enforcement**: `no-secrets` policy rules can target skill findings\n- **Telemetry**: Scan telemetry includes skill discovery counts\n\n## Testing\n\nThe test suite validates skill scanning behavior through `unit.test.mjs` which covers skill analysis patterns and findings generation. 
All skill-related tests must pass before PR submission.\n\n```bash\nnpm test  # Runs 48 tests including skill scanning coverage\n```\n\n## See Also\n\n- [Tool Risk Classification](index.md#tool-risk-classification) - MCP tool security analysis\n- [Poisoning Detection](index.md#poisoning-detection) - Prompt injection pattern matching\n- [OWASP Mapping](index.md#owasp-mapping) - Compliance categorization\n\n---\n\n<a id='page-8'></a>\n\n## CLI Reference\n\n### 相关页面\n\n相关主题：[Installation and Quick Start](#page-2), [GitHub Action Integration](#page-9), [Output Formats and Policy Configuration](#page-10)\n\n<details>\n<summary>相关源码文件</summary>\n\n以下源码文件用于生成本页说明：\n\n- [bin/cli.mjs](https://github.com/decoy-run/decoy-scan/blob/main/bin/cli.mjs)\n- [action.yml](https://github.com/decoy-run/decoy-scan/blob/main/action.yml)\n- [AGENTS.md](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md)\n- [CONTRIBUTING.md](https://github.com/decoy-run/decoy-scan/blob/main/CONTRIBUTING.md)\n- [README.md](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n</details>\n\n# CLI Reference\n\nThe `decoy-scan` CLI is the primary interface for scanning MCP (Model Context Protocol) client configurations and servers for security vulnerabilities. 
Built as a zero-dependency Node.js application, it provides comprehensive security scanning without requiring installation or configuration.\n\n## Overview\n\nThe CLI serves as an MCP supply chain security scanner that discovers MCP server configurations, probes running servers, and analyzes them for security risks including tool poisoning, sensitive environment variable exposure, and production readiness issues.\n\n**Key capabilities:**\n\n- Scans 7 MCP host configurations (Claude Desktop, Cursor, Windsurf, VS Code, Claude Code, Zed, Cline)\n- Classifies tools by risk level (critical/high/medium/low)\n- Detects 37 prompt injection patterns across 20 attack categories\n- Outputs structured formats for CI/CD integration (JSON, SARIF)\n- Maps findings to OWASP Agentic Top 10\n\n资料来源：[README.md](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n\n## Installation & Requirements\n\n### Prerequisites\n\n- Node.js >= 18\n- No npm packages required (zero dependencies)\n\n### Running the CLI\n\n```bash\nnpx decoy-scan                        # full scan\nnpx decoy-scan --json                 # machine-readable output\nnpx decoy-scan --sarif                # SARIF 2.1.0 for CI/CD\n```\n\nNo installation step required. 
The CLI runs directly via `npx`.\n\n资料来源：[AGENTS.md](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md)\n\n## Command Syntax\n\n```\ndecoy-scan [command] [options]\n```\n\n### Global Options\n\n| Option | Alias | Description |\n|--------|-------|-------------|\n| `--verbose` | `-v` | Show all tools including low-risk |\n| `--quiet` | `-q` | Suppress status output |\n| `--version` | `-V` | Print version |\n| `--help` | `-h` | Print help |\n\n资料来源：[AGENTS.md](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md)\n\n## Scan Command\n\nThe default command that discovers MCP servers, probes them, and analyzes for security issues.\n\n### Scan Options\n\n| Option | Description |\n|--------|-------------|\n| `--json` | Output results as JSON |\n| `--sarif` | Output results as SARIF 2.1.0 |\n| `--brief` | Output minimal summary (implies `--json`) |\n| `--verbose`, `-v` | Show all tools including low-risk |\n| `--quiet`, `-q` | Suppress status output |\n| `--no-probe` | Skip server probing (config-only scan) |\n| `--no-advisories` | Skip supply chain advisory checks |\n| `--skills` | Enable skill scanning |\n| `--report` | Upload results to Decoy Guard dashboard |\n| `--no-telemetry` | Disable telemetry collection |\n| `--verify` | AI-verify findings (requires token) |\n\n资料来源：[README.md](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n\n### Example Usage\n\n```bash\n# Full scan with pretty output\ndecoy-scan\n\n# JSON output for scripting\ndecoy-scan --json\n\n# SARIF output for GitHub Security tab\ndecoy-scan --sarif\n\n# Config-only scan (no server probing)\ndecoy-scan --no-probe\n\n# Skip network calls (faster, local only)\ndecoy-scan --no-advisories\n\n# Verbose mode showing all tools\ndecoy-scan --verbose\n```\n\n资料来源：[CONTRIBUTING.md](https://github.com/decoy-run/decoy-scan/blob/main/CONTRIBUTING.md)\n\n## Explain Subcommand\n\nResolves what a scan finding means without parsing the full scan output. 
Useful when an agent sees a finding and needs structured context to act on it.\n\n```bash\ndecoy-scan explain critical              # severity tier\ndecoy-scan explain tool-description      # finding category\ndecoy-scan explain prompt-override       # poisoning type\ndecoy-scan explain read_file             # tool name (runs real classifier rules)\ndecoy-scan explain list                  # enumerate all explainable targets\ndecoy-scan explain <target> --json       # structured output (preferred for agents)\n```\n\n### Explain Target Types\n\n| Kind | Description | Example |\n|------|-------------|---------|\n| `tier` | Severity levels | `critical`, `high`, `medium`, `low` |\n| `category` | Finding categories | `env-exposure`, `command-analysis` |\n| `poisoning` | Attack types | `prompt-override`, `instruction-override` |\n| `tool` | Tool risk classifications | `execute_command`, `read_file` |\n\n资料来源：[AGENTS.md](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md)\n\n### JSON Output Schema\n\n```json\n{\n  \"tool\": \"decoy-scan\",\n  \"version\": \"0.5.1\",\n  \"target\": \"critical\",\n  \"result\": {\n    \"kind\": \"tier\",\n    \"key\": \"critical\",\n    \"title\": \"Critical\",\n    \"summary\": \"Can execute code, modify data, or cause irreversible changes.\",\n    \"body\": \"...\",\n    \"examples\": [\"execute_command\", \"write_file\", \"...\"],\n    \"advice\": \"...\"\n  }\n}\n```\n\nFor `tool` results, additional fields include `risk`, `reason`, `matched` (the regex that matched), and `note` when classification relied on name alone.\n\n资料来源：[AGENTS.md](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md)\n\n## Exit Codes\n\nThe CLI returns specific exit codes for CI/CD pipeline integration:\n\n| Exit Code | Meaning |\n|-----------|---------|\n| `0` | No critical or high-risk issues found |\n| `1` | High-risk issues found |\n| `2` | Critical issues, tool poisoning, toxic flows, or policy violation |\n\nThe exit code is also surfaced 
as `exitCode` on `--json` and `--brief` output, enabling agents to branch on severity without re-deriving it from summary counts.\n\n资料来源：[AGENTS.md](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md)\n\n## Output Formats\n\n### Pretty Output\n\nDefault terminal output with color-coded severity badges:\n\n```\n✗ server-name N critical\n! server-name poisoned tool (magenta)\n? server-name probe failed\n✓ server-name passed\n```\n\nSeverity labels introduce each tool group; Low severity collapses to a count.\n\n资料来源：[CHANGELOG.md](https://github.com/decoy-run/decoy-scan/blob/main/CHANGELOG.md)\n\n### JSON Output Schema\n\n```json\n{\n  \"timestamp\": \"ISO-8601\",\n  \"hosts\": [\"Claude Desktop\", \"Cursor\"],\n  \"servers\": [{\n    \"name\": \"server-name\",\n    \"hosts\": [\"Claude Desktop\"],\n    \"command\": \"npx\",\n    \"args\": [\"@modelcontextprotocol/server-filesystem\"],\n    \"tools\": [{\n      \"name\": \"read_file\",\n      \"description\": \"...\",\n      \"risk\": \"high\",\n      \"poisoning\": [{ \"type\": \"...\", \"severity\": \"...\", \"description\": \"...\" }]\n    }],\n    \"risk\": \"high\",\n    \"error\": null,\n    \"findings\": [{\n      \"type\": \"env-exposure\",\n      \"severity\": \"high\",\n      \"description\": \"...\",\n      \"source\": \"env-config\"\n    }]\n  }],\n  \"summary\": {\n    \"total\": 2,\n    \"critical\": 1,\n    \"high\": 1,\n    \"medium\": 0,\n    \"low\": 0,\n    \"poisoned\": 0\n  },\n  \"exitCode\": 2\n}\n```\n\n资料来源：[AGENTS.md](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md)\n\n### SARIF Output\n\nSARIF 2.1.0 format for integration with GitHub Security tab:\n\n```bash\ndecoy-scan --sarif\n```\n\nThe SARIF output includes all findings, rules, and tool information compatible with GitHub's code scanning API.\n\n资料来源：[README.md](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n\n### Brief Output\n\nMinimal summary object (implies `--json`):\n\n```json\n{\n  \"servers\": 
3,\n  \"critical\": 1,\n  \"high\": 2,\n  \"medium\": 4,\n  \"low\": 5,\n  \"poisoned\": 0,\n  \"status\": \"fail\",\n  \"exitCode\": 2\n}\n```\n\nFields:\n- `servers` — number of non-decoy, non-error servers scanned\n- `critical`, `high`, `medium`, `low` — tool risk counts\n- `poisoned` — number of tool poisoning findings\n- `status` — `\"pass\"` (clean), `\"warn\"` (high-risk), or `\"fail\"` (critical/poisoned/toxic flows)\n- `exitCode` — matches process exit code\n\n资料来源：[AGENTS.md](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md)\n\n## Environment Variables\n\n| Variable | Description |\n|----------|-------------|\n| `DECOY_TOKEN` | API token for dashboard upload |\n| `DECOY_TELEMETRY=0` | Disable telemetry collection |\n\n资料来源：[CHANGELOG.md](https://github.com/decoy-run/decoy-scan/blob/main/CHANGELOG.md)\n\n## GitHub Action Integration\n\nThe CLI integrates with GitHub Actions via the official action:\n\n```yaml\n# .github/workflows/mcp-security.yml\nname: MCP Security\non: [push, pull_request]\n\njobs:\n  scan:\n    runs-on: ubuntu-latest\n    permissions:\n      security-events: write\n    steps:\n      - uses: actions/checkout@v4\n      - uses: decoy-run/decoy-scan@v1\n        with:\n          policy: no-critical,no-poisoning,no-toxic-flows\n          sarif: true\n          report: true\n          token: ${{ secrets.DECOY_TOKEN }}\n```\n\n### Action Inputs\n\n| Input | Default | Description |\n|-------|---------|-------------|\n| `policy` | `no-critical,no-poisoning` | Comma-separated policy rules |\n| `sarif` | `true` | Upload SARIF to GitHub Security tab |\n| `report` | `false` | Upload to Decoy Guard dashboard |\n| `token` | — | Decoy API token (for `report`) |\n| `verbose` | `false` | Show all tools including low-risk |\n\n### Policy Rules\n\n```\nno-critical          Fail on critical tools (code exec, file write)\nno-high              Fail on high-risk tools (file read, network)\nno-poisoning         Fail on prompt injection in tool 
descriptions\nno-toxic-flows       Fail on cross-server data leak / destructive chains\nno-secrets           Fail on secrets exposed in MCP config\nrequire-tripwires    Fail if decoy-tripwire not installed\nmax-critical=N       Fail if more than N critical tools found\n```\n\n资料来源：[README.md](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n\n## Scan Architecture\n\n```mermaid\ngraph TD\n    A[decoy-scan CLI] --> B[Discover MCP Configs]\n    B --> C{Host Configs}\n    C -->|Claude Desktop| D[~/.claude...json]\n    C -->|Cursor| E[~/.cursor...json]\n    C -->|VS Code| F[.vscode/mcp.json]\n    C -->|Zed| G[~/.config/zed...]\n    C -->|Cline| H[~/.cline...]\n    \n    D --> I[Parse Server Configs]\n    E --> I\n    F --> I\n    G --> I\n    H --> I\n    \n    I --> J[For Each Server]\n    J --> K[Probe Server via stdio]\n    K --> L{Probe Success?}\n    L -->|No| M[Log Error & Continue]\n    L -->|Yes| N[Analyze Tool List]\n    \n    N --> O[Tool Risk Classification]\n    N --> P[Poisoning Detection]\n    N --> Q[Command Analysis]\n    N --> R[Env Exposure Check]\n    \n    O --> S[Aggregate Findings]\n    P --> S\n    Q --> S\n    R --> S\n    \n    S --> T{Output Format}\n    T -->|Pretty| U[Terminal Output]\n    T -->|JSON| V[JSON to stdout]\n    T -->|SARIF| W[SARIF to stdout]\n    \n    M --> X[Final Summary]\n    U --> X\n    V --> X\n    W --> X\n    X --> Y[Exit Code 0/1/2]\n```\n\n## Development\n\nFor local development and testing:\n\n```bash\ngit clone https://github.com/decoy-run/decoy-scan\ncd decoy-scan\nnode bin/cli.mjs --help\n```\n\nNo build step required. 
No dependencies to install.\n\n### Manual Testing Modes\n\n```bash\nnode bin/cli.mjs --no-probe              # Config-only\nnode bin/cli.mjs --no-advisories         # Skip network calls\nnode bin/cli.mjs --json                  # Verify JSON structure\nnode bin/cli.mjs --sarif                 # Verify SARIF structure\nnode bin/cli.mjs --verbose               # Show everything\n```\n\n### Running Tests\n\n```bash\nnpm test\n```\n\nThis runs 48 tests covering CLI output, JSON/SARIF structure, policy gates, toxic flow detection, skill analysis, and manifest hashing.\n\n资料来源：[CONTRIBUTING.md](https://github.com/decoy-run/decoy-scan/blob/main/CONTRIBUTING.md)\n\n## Supported Hosts\n\nThe CLI automatically discovers MCP configurations across multiple platforms:\n\n| Host | macOS Path | Windows Path | Linux Path |\n|------|------------|--------------|------------|\n| Claude Desktop | `~/Library/Application Support/Claude` | `%APPDATA%/Claude` | `~/.config/Claude` |\n| Cursor | `~/.cursor` | `%APPDATA%/Cursor` | `~/.cursor` |\n| Windsurf | `~/.windsurf` | `%APPDATA%/Windsurf` | `~/.windsurf` |\n| VS Code | `.vscode/mcp.json` (workspace) | `.vscode/mcp.json` | `.vscode/mcp.json` |\n| Claude Code | `~/.claude.json` | `%APPDATA%/claude.json` | `~/.claude.json` |\n| Zed | `~/.config/zed` | `%APPDATA%/Zed` | `~/.config/zed` |\n| Cline | `~/.cline` | `%APPDATA%/cline` | `~/.cline` |\n\nConfig paths are platform-aware and detected automatically.\n\n资料来源：[AGENTS.md](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md)\n\n## Scan Categories\n\n| Check | What it finds |\n|-------|---------------|\n| Tool risk classification | Critical/high/medium/low tools by name + description |\n| Prompt injection detection | 37 patterns across 20 attack categories in tool descriptions |\n| Toxic flow analysis | Cross-server data leak (TF001) and destructive (TF002) attack chains |\n| Tool manifest hashing | Tool additions, removals, and description changes between scans |\n| Skill 
scanning | Prompt injection, hardcoded secrets, suspicious URLs in Claude Code skills |\n| Server command analysis | Pipe-to-shell, inline code, typosquatting, temp directory spawning |\n| Environment variable exposure | API keys, tokens, secrets, cloud credentials passed to servers |\n| Supply chain advisories | 40+ known vulnerable MCP packages via Decoy advisory database |\n| Transport security | HTTP without TLS, missing auth, wildcard CORS, public-bound SSE |\n| Input sanitization | Unconstrained parameters, missing maxLength, open schemas |\n| Permission scope | Over-privileged servers, dangerous capability combinations |\n| OWASP mapping | Every finding mapped to ASI01–ASI05 |\n\n资料来源：[README.md](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n\n---\n\n<a id='page-9'></a>\n\n## GitHub Action Integration\n\n### 相关页面\n\n相关主题：[CLI Reference](#page-8), [Output Formats and Policy Configuration](#page-10)\n\n<details>\n<summary>相关源码文件</summary>\n\n以下源码文件用于生成本页说明：\n\n- [action.yml](https://github.com/decoy-run/decoy-scan/blob/main/action.yml)\n- [bin/cli.mjs](https://github.com/decoy-run/decoy-scan/blob/main/bin/cli.mjs)\n- [index.mjs](https://github.com/decoy-run/decoy-scan/blob/main/index.mjs)\n- [lib/sarif.mjs](https://github.com/decoy-run/decoy-scan/blob/main/lib/sarif.mjs)\n- [README.md](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n- [CONTRIBUTING.md](https://github.com/decoy-run/decoy-scan/blob/main/CONTRIBUTING.md)\n</details>\n\n# GitHub Action Integration\n\n## Overview\n\nThe decoy-scan GitHub Action provides automated MCP (Model Context Protocol) security scanning as part of a CI/CD pipeline. 
It integrates directly with GitHub's security infrastructure, enabling teams to enforce security policies on every push and pull request without manual intervention.\n\nThe action discovers MCP server configurations across multiple hosts (Claude Desktop, Cursor, Windsurf, VS Code, Claude Code, Zed, and Cline), executes the security scanner, and uploads results to the GitHub Security tab via SARIF format.\n\n资料来源：[README.md:72-89](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n\n## Architecture\n\n```mermaid\ngraph TD\n    A[GitHub Workflow Trigger] --> B[decoy-run/decoy-scan Action]\n    B --> C[Discover MCP Configs]\n    B --> D[CLI: npx decoy-scan]\n    D --> E[Scan MCP Servers]\n    D --> F[Policy Gate Check]\n    E --> G{Policy Violated?}\n    F --> G\n    G -->|No| H[Exit Code 0]\n    G -->|Yes| I[Exit Code 1/2]\n    E --> J[Generate SARIF Output]\n    J --> K[github/codeql-action/upload-sarif]\n    K --> L[GitHub Security Tab]\n    I --> M[Fail Build]\n```\n\nThe action consists of two primary steps: a scan step that executes the decoy-scan CLI and a SARIF upload step that publishes results to GitHub Security.\n\n资料来源：[action.yml:20-45](https://github.com/decoy-run/decoy-scan/blob/main/action.yml)\n\n## Action Inputs\n\n| Input | Default | Required | Description |\n|-------|---------|----------|-------------|\n| `policy` | `no-critical,no-poisoning` | No | Comma-separated policy rules that determine build failure conditions |\n| `sarif` | `true` | No | Whether to upload SARIF results to GitHub Security tab |\n| `report` | `false` | No | Whether to upload results to Decoy Guard dashboard |\n| `token` | — | Conditional | Decoy API token required when `report` is `true` |\n| `verbose` | `false` | No | Show all tools including low-risk items in output |\n\n资料来源：[README.md:80-86](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n\n## Workflow Example\n\n```yaml\nname: MCP Security\non: [push, pull_request]\n\njobs:\n  scan:\n    runs-on: 
ubuntu-latest\n    permissions:\n      security-events: write\n    steps:\n      - uses: actions/checkout@v4\n      - uses: decoy-run/decoy-scan@v1\n```\n\nThis minimal configuration scans MCP servers on every push and pull request, uploading SARIF results to the GitHub Security tab.\n\n资料来源：[README.md:72-89](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n\n## Policy Rules\n\nThe `policy` input accepts comma-separated rules that define build failure conditions:\n\n| Rule | Behavior |\n|------|----------|\n| `no-critical` | Fail on critical tools (code exec, file write) |\n| `no-high` | Fail on high-risk tools (file read, network) |\n| `no-poisoning` | Fail on prompt injection in tool descriptions |\n| `no-toxic-flows` | Fail on cross-server data leak / destructive chains |\n| `no-secrets` | Fail on secrets exposed in MCP config |\n| `require-tripwires` | Fail if decoy-tripwire not installed |\n| `max-critical=N` | Fail if more than N critical tools |\n| `max-high=N` | Fail if more than N high-risk tools |\n\n资料来源：[README.md:97-106](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n\n## Exit Codes\n\n| Code | Meaning |\n|------|---------|\n| `0` | No critical or high-risk issues |\n| `1` | High-risk issues found |\n| `2` | Critical issues, tool poisoning, toxic flows, or policy violation |\n\nThe exit code determines whether the GitHub Actions job succeeds or fails, enabling automatic policy enforcement.\n\n资料来源：[README.md:43-48](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n\n## SARIF Integration\n\n### How SARIF Works\n\nSARIF (Static Analysis Results Interchange Format) is an industry-standard format for sharing static analysis results. 
The action generates SARIF 2.1.0 output that GitHub's code scanning feature can ingest and display.\n\n```mermaid\ngraph LR\n    A[decoy-scan CLI] -->|--sarif flag| B[SARIF 2.1.0 JSON]\n    B --> C[github/codeql-action/upload-sarif]\n    C --> D[GitHub Security Tab]\n    C -->|continue-on-error: true| E[Non-blocking Upload]\n```\n\nThe action includes SARIF upload as a separate step with `continue-on-error: true`, ensuring that SARIF upload failures do not cause the workflow to fail when the scan itself passes.\n\n资料来源：[action.yml:35-44](https://github.com/decoy-run/decoy-scan/blob/main/action.yml)\n\n### Manual SARIF Upload\n\nFor workflows requiring more control, you can run the scan manually and upload SARIF separately. Note that the scan step exits with code 1 or 2 whenever high-risk or critical findings are present, so without `continue-on-error: true` on that step the upload step below is skipped exactly when there is something to upload:\n\n```yaml\n- run: npx decoy-scan --sarif > results.sarif\n- uses: github/codeql-action/upload-sarif@v3\n  with:\n    sarif_file: results.sarif\n```\n\n资料来源：[README.md:108-112](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n\n## GitHub Step Summary\n\nThe action writes a summary to `$GITHUB_STEP_SUMMARY` providing immediate feedback within the GitHub Actions UI:\n\n```mermaid\ngraph TD\n    A[Scan Complete] --> B{Exit Code}\n    B -->|0 - Clean| C[\"✅ **Clean** — no issues found\"]\n    B -->|Non-zero| D[\"🚨 **Issues found** — SUMMARY\"]\n    B -->|Non-zero| E[\"Run `npx decoy-scan -v` locally for full details.\"]\n```\n\n资料来源：[action.yml:28-34](https://github.com/decoy-run/decoy-scan/blob/main/action.yml)\n\n## Permissions\n\nThe workflow requires the `security-events: write` permission to upload SARIF results to the GitHub Security tab:\n\n```yaml\npermissions:\n  security-events: write\n```\n\n资料来源：[README.md:76-78](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n\n## Advanced Configuration\n\n### Report to Decoy Dashboard\n\nTo upload results to the Decoy Guard dashboard for centralized monitoring:\n\n```yaml\n- uses: decoy-run/decoy-scan@v1\n  with:\n    report: true\n    token: ${{ secrets.DECOY_TOKEN 
}}\n```\n\n### Verbose Output\n\nTo include low-risk tools in the output for full visibility:\n\n```yaml\n- uses: decoy-run/decoy-scan@v1\n  with:\n    verbose: true\n```\n\n### Custom Policy\n\nCombine multiple policy rules for stricter enforcement:\n\n```yaml\n- uses: decoy-run/decoy-scan@v1\n  with:\n    policy: no-critical,no-poisoning,no-toxic-flows,max-critical=0\n```\n\n资料来源：[README.md:80-90](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n\n## Dependencies\n\nThe decoy-scan action itself has **zero dependencies** at runtime. It uses Node.js built-in modules only, following the project's design principle of keeping the tool dependency-free.\n\nThe CLI is invoked via `npx decoy-scan`, which downloads and executes the package on-demand.\n\n资料来源：[CONTRIBUTING.md:9-10](https://github.com/decoy-run/decoy-scan/blob/main/CONTRIBUTING.md)\n\n## Version Pinning\n\nFor production CI/CD pipelines, pin to a major version to receive minor updates automatically:\n\n```yaml\n- uses: decoy-run/decoy-scan@v1\n```\n\nOr pin to a specific version for complete stability:\n\n```yaml\n- uses: decoy-run/decoy-scan@v0.7.0\n```\n\n资料来源：[README.md:24-26](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n\n---\n\n<a id='page-10'></a>\n\n## Output Formats and Policy Configuration\n\n### 相关页面\n\n相关主题：[CLI Reference](#page-8), [GitHub Action Integration](#page-9), [Security Checks and Detection](#page-5)\n\n<details>\n<summary>相关源码文件</summary>\n\n以下源码文件用于生成本页说明：\n\n- [index.mjs](https://github.com/decoy-run/decoy-scan/blob/main/index.mjs)\n- [lib/sarif.mjs](https://github.com/decoy-run/decoy-scan/blob/main/lib/sarif.mjs)\n- [lib/explain.mjs](https://github.com/decoy-run/decoy-scan/blob/main/lib/explain.mjs)\n- [bin/cli.mjs](https://github.com/decoy-run/decoy-scan/blob/main/bin/cli.mjs)\n- [AGENTS.md](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md)\n</details>\n\n# Output Formats and Policy Configuration\n\n## Overview\n\ndecoy-scan provides multiple 
output formats to serve different use cases—from human-readable console output for developers to machine-parseable JSON and SARIF formats for CI/CD pipelines and security automation. The tool also supports a flexible policy configuration system that enables automated enforcement of security rules.\n\nThe output and policy system is designed with an \"agent-first\" philosophy: JSON and SARIF outputs are structurally complete, include exit codes for programmatic branching, and contain all metadata needed for downstream processing without requiring additional parsing or context.\n\n资料来源：[AGENTS.md:1-20]()\n\n## Output Format Architecture\n\n### Format Types\n\ndecoy-scan supports four distinct output formats:\n\n| Format | Flag | Primary Use Case | Exit Code Included |\n|--------|------|------------------|--------------------|\n| Pretty Console | Default | Interactive terminal inspection | No |\n| JSON | `--json` | Scripted processing, APIs | Yes |\n| SARIF 2.1.0 | `--sarif` | GitHub Security tab, CI tools | Yes |\n| Brief | `--brief` | Quick summary for automation | Yes |\n\nAll structured formats (JSON, SARIF, Brief) include an `exitCode` field that mirrors the process exit code, enabling agents to branch on results without re-deriving severity from summary counts.\n\n资料来源：[AGENTS.md:80-95]()\n\n```mermaid\ngraph TD\n    A[decoy-scan invocation] --> B{CLI Args?}\n    B -->|Default| C[Pretty Console Output]\n    B -->|--json| D[JSON Output]\n    B -->|--sarif| E[SARIF 2.1.0 Output]\n    B -->|--brief| F[Brief Summary JSON]\n    B -->|combine| G[Multiple Formats]\n    C --> H[Terminal Display]\n    D --> I[Machine Processing]\n    E --> J[GitHub Security Tab]\n    F --> K[Quick Status Checks]\n```\n\n## JSON Output Format\n\n### Full Scan Schema\n\nThe JSON output provides complete scan results including all findings, server details, and summary statistics.\n\n```json\n{\n  \"timestamp\": \"ISO-8601\",\n  \"hosts\": [\"Claude Desktop\", \"Cursor\"],\n  \"servers\": 
[{\n    \"name\": \"server-name\",\n    \"hosts\": [\"Claude Desktop\"],\n    \"command\": \"npx\",\n    \"args\": [\"@modelcontextprotocol/server-filesystem\"],\n    \"tools\": [{\n      \"name\": \"read_file\",\n      \"description\": \"...\",\n      \"risk\": \"high\",\n      \"poisoning\": [{ \"type\": \"...\", \"severity\": \"...\", \"description\": \"...\" }]\n    }],\n    \"risk\": \"high\",\n    \"error\": null,\n    \"findings\": [{\n      \"type\": \"env-exposure\",\n      \"severity\": \"high\",\n      \"description\": \"...\",\n      \"source\": \"env-config\"\n    }]\n  }],\n  \"summary\": {\n    \"total\": 2,\n    \"critical\": 1,\n    \"high\": 2,\n    \"medium\": 4,\n    \"low\": 5,\n    \"poisoned\": 0\n  },\n  \"exitCode\": 1\n}\n```\n\n资料来源：[AGENTS.md:28-55]()\n\n### Brief Output Schema\n\nThe `--brief` format provides a minimal summary object optimized for quick status checks:\n\n```json\n{\n  \"servers\": 3,\n  \"critical\": 1,\n  \"high\": 2,\n  \"medium\": 4,\n  \"low\": 5,\n  \"poisoned\": 0,\n  \"status\": \"fail\",\n  \"exitCode\": 2\n}\n```\n\n| Field | Type | Description |\n|-------|------|-------------|\n| `servers` | number | Non-decoy, non-error servers scanned |\n| `critical` | number | Critical severity tool count |\n| `high` | number | High severity tool count |\n| `medium` | number | Medium severity tool count |\n| `low` | number | Low severity tool count |\n| `poisoned` | number | Prompt injection findings |\n| `status` | string | \"pass\", \"warn\", or \"fail\" |\n| `exitCode` | number | Process exit code (0/1/2) |\n\n资料来源：[AGENTS.md:60-75]()\n\n## SARIF 2.1.0 Output\n\nSARIF (Static Analysis Results Interchange Format) is generated by the `toSarif()` function in `lib/sarif.mjs`. 
This format is specifically designed for integration with GitHub Security tab and other security scanning platforms.\n\n### Key Features\n\n- **Rule definitions** mapping to OWASP Agentic Top 10 categories (ASI01–ASI05)\n- **Result categorization** by severity level\n- **Tool metadata** including version and run timestamps\n- **Multi-host support** in result locations\n\n### CLI Integration\n\nWhen using the GitHub Action or CLI with SARIF output:\n\n```bash\nnode bin/cli.mjs --sarif --no-advisories > scan-results.sarif\n```\n\nThe SARIF file can then be uploaded using the GitHub CodeQL action:\n\n```yaml\n- uses: github/codeql-action/upload-sarif@v3\n  with:\n    sarif_file: ${{ steps.scan.outputs.sarif-file }}\n    category: decoy-scan\n```\n\n资料来源：[action.yml:40-45]()\n\n### SARIF Structure Overview\n\n```mermaid\ngraph TD\n    A[SARIF 2.1.0 Log] --> B[runs array]\n    B --> C[Tool driver]\n    B --> D[Results array]\n    B --> E[Rules definitions]\n    D --> F[Individual findings]\n    E --> G[ASI01-ASI05 mappings]\n    F --> H[severity, message, locations]\n```\n\n## Policy Configuration System\n\n### Policy Rules\n\nThe policy system uses comma-separated rules to define pass/fail criteria:\n\n| Rule | Effect | Example |\n|------|--------|---------|\n| `no-critical` | Fail on critical tools (code exec, file write) | `policy: no-critical` |\n| `no-high` | Fail on high-risk tools (file read, network) | `policy: no-high` |\n| `no-poisoning` | Fail on prompt injection in tool descriptions | `policy: no-poisoning` |\n| `no-toxic-flows` | Fail on cross-server data leak/destructive chains | `policy: no-toxic-flows` |\n| `no-secrets` | Fail on secrets exposed in MCP config | `policy: no-secrets` |\n| `require-tripwires` | Fail if decoy-tripwire not installed | `policy: require-tripwires` |\n| `max-critical=N` | Fail if critical tools exceed N | `policy: max-critical=0` |\n\nMultiple rules can be combined: `policy: 
no-critical,no-poisoning,no-toxic-flows`\n\n资料来源：[README.md:80-90]()\n\n### Policy Gates\n\nThe `analyzePolicyGates()` function evaluates scan results against configured policy rules. Each finding type maps to one or more policy rules:\n\n| Finding Type | Maps to Policy Rules |\n|--------------|---------------------|\n| Critical risk tools | `no-critical`, `max-critical=N` |\n| High risk tools | `no-high` |\n| Prompt injection | `no-poisoning` |\n| Toxic flows (TF001, TF002) | `no-toxic-flows` |\n| Environment exposure | `no-secrets` |\n| Missing decoy-tripwire | `require-tripwires` |\n\n资料来源：[index.mjs:RISK_PATTERNS,POISONING_PATTERNS]()\n\n## Exit Codes\n\nThe exit code system provides programmatic feedback about scan results:\n\n| Code | Meaning | Triggers |\n|------|---------|----------|\n| `0` | No critical or high-risk issues | Clean scan |\n| `1` | High-risk issues found | High-severity tools present |\n| `2` | Critical issues, tool poisoning, toxic flows, or policy violation | Critical tools, injection detected, or policy failure |\n\nExit codes are included in both `--json` and `--brief` output as the `exitCode` field, enabling conditional logic in scripts. Note that `execSync` throws when the child process exits non-zero, which is exactly the case when the exit code is 1 or 2, so in practice the call must be wrapped in `try`/`catch` and the JSON parsed from the error's `stdout` property for the branch below to be reached:\n\n```javascript\nconst result = JSON.parse(childProcess.execSync('decoy-scan --json'));\nif (result.exitCode === 2) {\n  process.exit(1); // Block deployment\n}\n```\n\n资料来源：[AGENTS.md:75-82]()\n\n## Explain Subcommand\n\nThe `explain` subcommand provides structured explanations for severity tiers, finding categories, poisoning types, and tool names:\n\n```bash\ndecoy-scan explain critical              # severity tier\ndecoy-scan explain tool-description     # finding category\ndecoy-scan explain prompt-override      # poisoning type\ndecoy-scan explain read_file           # tool name (runs real classifier)\ndecoy-scan explain list                 # enumerate all explainable targets\ndecoy-scan explain <target> --json      # structured output\n```\n\n### Explain Output Schema\n\n```json\n{\n  \"tool\": 
\"decoy-scan\",\n  \"version\": \"0.5.1\",\n  \"target\": \"critical\",\n  \"result\": {\n    \"kind\": \"tier\",\n    \"key\": \"critical\",\n    \"title\": \"Critical\",\n    \"summary\": \"Can execute code, modify data, or cause irreversible changes.\",\n    \"body\": \"Detailed explanation...\",\n    \"examples\": [\"execute_command\", \"write_file\", \"...\"],\n    \"advice\": \"Remediation guidance...\"\n  }\n}\n```\n\n| `result.kind` | Description |\n|---------------|-------------|\n| `tier` | Severity level (critical, high, medium, low) |\n| `category` | Finding category (env-exposure, missing-schema, etc.) |\n| `poisoning` | Poisoning type (instruction-override, credential-harvesting, etc.) |\n| `tool` | Tool name classification with risk level and matched pattern |\n\n资料来源：[AGENTS.md:32-55]()\n\n## CLI Options Reference\n\n| Option | Short | Description |\n|--------|-------|-------------|\n| `--json` | | JSON output format |\n| `--sarif` | | SARIF 2.1.0 output format |\n| `--brief` | | Brief summary (implies `--json`) |\n| `--verbose` | `-v` | Show all tools including low-risk |\n| `--quiet` | `-q` | Suppress status output |\n| `--no-probe` | | Config-only scan, skip server probing |\n| `--no-advisories` | | Skip network calls to advisory database |\n| `--no-telemetry` | | Opt out of telemetry |\n| `--policy` | | Comma-separated policy rules |\n| `--report` | | Upload results to Decoy Guard dashboard |\n| `--version` | `-V` | Print version |\n| `--help` | `-h` | Print help |\n\n资料来源：[AGENTS.md:15-30]()\n\n## Integration Patterns\n\n### CI/CD Pipeline\n\n```mermaid\ngraph LR\n    A[Push/PR] --> B[Checkout]\n    B --> C[decoy-scan Action]\n    C --> D{Policy Pass?}\n    D -->|Yes| E[Continue Build]\n    D -->|No| F[Fail Build]\n    C --> G[Upload SARIF]\n    G --> H[GitHub Security Tab]\n```\n\n### Agentic Workflow\n\n```mermaid\ngraph TD\n    A[Agent receives scan result] --> B{exitCode === 0?}\n    B -->|Yes| C[Proceed]\n    B -->|No| D{exitCode === 2?}\n 
   D -->|Yes| E[Block - Critical/Poisoning]\n    D -->|No| F{exitCode === 1?}\n    F -->|Yes| G[Warn - High-risk]\n    F -->|No| H[Unknown state]\n    B -->|Parse| I[Tool analysis]\n    I --> J[Explain each finding]\n    J --> K[Remediation]\n```\n\n## Output Stability Guarantees\n\ndecoy-scan maintains backward compatibility for structured outputs:\n\n1. **JSON Schema Versioning** — The `version` field in explain output enables consumers to handle schema changes\n2. **Exit Code Stability** — Exit code meanings are documented and stable across versions\n3. **SARIF Compliance** — SARIF output adheres to OASIS SARIF 2.1.0 specification\n\nThese guarantees enable reliable automation without constant schema adaptation.\n\n---\n\n---\n\n## Doramagic 踩坑日志\n\n项目：decoy-run/decoy-scan\n\n摘要：发现 7 个潜在踩坑项，其中 0 个为 high/blocking；最高优先级：能力坑 - 能力判断依赖假设。\n\n## 1. 能力坑 · 能力判断依赖假设\n\n- 严重度：medium\n- 证据强度：source_linked\n- 发现：README/documentation is current enough for a first validation pass.\n- 对用户的影响：假设不成立时，用户拿不到承诺的能力。\n- 建议检查：将假设转成下游验证清单。\n- 防护动作：假设必须转成验证项；没有验证结果前不能写成事实。\n- 证据：capability.assumptions | github_repo:1185640470 | https://github.com/decoy-run/decoy-scan | README/documentation is current enough for a first validation pass.\n\n## 2. 维护坑 · 维护活跃度未知\n\n- 严重度：medium\n- 证据强度：source_linked\n- 发现：未记录 last_activity_observed。\n- 对用户的影响：新项目、停更项目和活跃项目会被混在一起，推荐信任度下降。\n- 建议检查：补 GitHub 最近 commit、release、issue/PR 响应信号。\n- 防护动作：维护活跃度未知时，推荐强度不能标为高信任。\n- 证据：evidence.maintainer_signals | github_repo:1185640470 | https://github.com/decoy-run/decoy-scan | last_activity_observed missing\n\n## 3. 安全/权限坑 · 下游验证发现风险项\n\n- 严重度：medium\n- 证据强度：source_linked\n- 发现：no_demo\n- 对用户的影响：下游已经要求复核，不能在页面中弱化。\n- 建议检查：进入安全/权限治理复核队列。\n- 防护动作：下游风险存在时必须保持 review/recommendation 降级。\n- 证据：downstream_validation.risk_items | github_repo:1185640470 | https://github.com/decoy-run/decoy-scan | no_demo; severity=medium\n\n## 4. 
安全/权限坑 · 存在评分风险\n\n- 严重度：medium\n- 证据强度：source_linked\n- 发现：no_demo\n- 对用户的影响：风险会影响是否适合普通用户安装。\n- 建议检查：把风险写入边界卡，并确认是否需要人工复核。\n- 防护动作：评分风险必须进入边界卡，不能只作为内部分数。\n- 证据：risks.scoring_risks | github_repo:1185640470 | https://github.com/decoy-run/decoy-scan | no_demo; severity=medium\n\n## 5. 安全/权限坑 · 来源证据：Decoy Scan - MCP Security for CI/CD\n\n- 严重度：medium\n- 证据强度：source_linked\n- 发现：GitHub 社区证据显示该项目存在一个安全/权限相关的待验证问题：Decoy Scan - MCP Security for CI/CD\n- 对用户的影响：可能影响授权、密钥配置或安全边界。\n- 建议检查：来源显示可能已有修复、规避或版本变化，说明书中必须标注适用版本。\n- 防护动作：不得脱离来源链接放大为确定性结论；需要标注适用版本和复核状态。\n- 证据：community_evidence:github | cevd_1dfbf3581ef44580b28d89d74f78c803 | https://github.com/decoy-run/decoy-scan/releases/tag/v1 | 来源类型 github_release 暴露的待验证使用条件。\n\n## 6. 维护坑 · issue/PR 响应质量未知\n\n- 严重度：low\n- 证据强度：source_linked\n- 发现：issue_or_pr_quality=unknown。\n- 对用户的影响：用户无法判断遇到问题后是否有人维护。\n- 建议检查：抽样最近 issue/PR，判断是否长期无人处理。\n- 防护动作：issue/PR 响应未知时，必须提示维护风险。\n- 证据：evidence.maintainer_signals | github_repo:1185640470 | https://github.com/decoy-run/decoy-scan | issue_or_pr_quality=unknown\n\n## 7. 维护坑 · 发布节奏不明确\n\n- 严重度：low\n- 证据强度：source_linked\n- 发现：release_recency=unknown。\n- 对用户的影响：安装命令和文档可能落后于代码，用户踩坑概率升高。\n- 建议检查：确认最近 release/tag 和 README 安装命令是否一致。\n- 防护动作：发布节奏未知或过期时，安装说明必须标注可能漂移。\n- 证据：evidence.maintainer_signals | github_repo:1185640470 | https://github.com/decoy-run/decoy-scan | release_recency=unknown\n\n<!-- canonical_name: decoy-run/decoy-scan; human_manual_source: deepwiki_human_wiki -->\n",
      "markdown_key": "decoy-scan",
      "pages": "draft",
      "source_refs": [
        {
          "evidence_id": "github_repo:1185640470",
          "kind": "repo",
          "supports_claim_ids": [
            "claim_identity",
            "claim_distribution",
            "claim_capability"
          ],
          "url": "https://github.com/decoy-run/decoy-scan"
        },
        {
          "evidence_id": "art_f5cc6c64e4894efe8a980f3276052a78",
          "kind": "docs",
          "supports_claim_ids": [
            "claim_identity",
            "claim_distribution",
            "claim_capability"
          ],
          "url": "https://github.com/decoy-run/decoy-scan#readme"
        }
      ],
      "summary": "DeepWiki/Human Wiki 完整输出，末尾追加 Discovery Agent 踩坑日志。",
      "title": "decoy-scan 说明书",
      "toc": [
        "https://github.com/decoy-run/decoy-scan 项目说明书",
        "目录",
        "Overview",
        "Purpose and Scope",
        "Architecture Overview",
        "Core Security Checks",
        "Supported MCP Hosts",
        "Output Formats",
        "Doramagic 踩坑日志"
      ]
    }
  },
  "quality_gate": {
    "blocking_gaps": [],
    "category_confidence": "medium",
    "compile_status": "ready_for_review",
    "five_assets_present": true,
    "install_sandbox_verified": true,
    "missing_evidence": [],
    "next_action": "publish to Doramagic.ai project surfaces",
    "prompt_preview_boundary_ok": true,
    "publish_status": "publishable",
    "quick_start_verified": true,
    "repo_clone_verified": true,
    "repo_commit": "95ad9de5ca65ec6b6c0e78699730abd60e682d81",
    "repo_inspection_error": null,
    "repo_inspection_files": [
      "package.json",
      "README.md"
    ],
    "repo_inspection_verified": true,
    "review_reasons": [
      "community_discussion_evidence_below_public_threshold"
    ],
    "tag_count_ok": true,
    "unsupported_claims": []
  },
  "schema_version": "0.1",
  "user_assets": {
    "ai_context_pack": {
      "asset_id": "ai_context_pack",
      "filename": "AI_CONTEXT_PACK.md",
      "markdown": "# decoy-scan - Doramagic AI Context Pack\n\n> 定位：安装前体验与判断资产。它帮助宿主 AI 有一个好的开始，但不代表已经安装、执行或验证目标项目。\n\n## 充分原则\n\n- **充分原则，不是压缩原则**：AI Context Pack 应该充分到让宿主 AI 在开工前理解项目价值、能力边界、使用入口、风险和证据来源；它可以分层组织，但不以最短摘要为目标。\n- **压缩策略**：只压缩噪声和重复内容，不压缩会影响判断和开工质量的上下文。\n\n## 给宿主 AI 的使用方式\n\n你正在读取 Doramagic 为 decoy-scan 编译的 AI Context Pack。请把它当作开工前上下文：帮助用户理解适合谁、能做什么、如何开始、哪些必须安装后验证、风险在哪里。不要声称你已经安装、运行或执行了目标项目。\n\n## Claim 消费规则\n\n- **事实来源**：Repo Evidence + Claim/Evidence Graph；Human Wiki 只提供显著性、术语和叙事结构。\n- **事实最低状态**：`supported`\n- `supported`：可以作为项目事实使用，但回答中必须引用 claim_id 和证据路径。\n- `weak`：只能作为低置信度线索，必须要求用户继续核实。\n- `inferred`：只能用于风险提示或待确认问题，不能包装成项目事实。\n- `unverified`：不得作为事实使用，应明确说证据不足。\n- `contradicted`：必须展示冲突来源，不得替用户强行选择一个版本。\n\n## 它最适合谁\n\n- **正在使用 Claude/Codex/Cursor/Gemini 等宿主 AI 的开发者**：README 或插件配置提到多个宿主 AI。 证据：`README.md` Claim：`clm_0002` supported 0.86\n\n## 它能做什么\n\n- **命令行启动或安装流程**（需要安装后验证）：项目文档中存在可执行命令，真实使用需要在本地或宿主环境中运行这些命令。 证据：`AGENTS.md`, `README.md` Claim：`clm_0001` supported 0.86\n\n## 怎么开始\n\n- `npx decoy-scan` 证据：`README.md` Claim：`clm_0003` supported 0.86, `clm_0004` supported 0.86, `clm_0005` supported 0.86, `clm_0006` supported 0.86 等\n- `npx decoy-scan                     # Full scan with server probing` 证据：`README.md` Claim：`clm_0004` supported 0.86\n- `npx decoy-scan --json              # JSON output (stdout, pipeable to jq)` 证据：`README.md` Claim：`clm_0005` supported 0.86\n- `npx decoy-scan --sarif             # SARIF 2.1.0 for GitHub Security / VS Code` 证据：`README.md` Claim：`clm_0006` supported 0.86\n- `npx decoy-scan --skills            # Also scan Claude Code skills` 证据：`README.md` Claim：`clm_0007` supported 0.86\n- `npx decoy-scan --no-probe          # Config-only (don't spawn servers)` 证据：`README.md` Claim：`clm_0008` supported 0.86\n- `npx decoy-scan --no-advisories     # Skip advisory database check` 证据：`README.md` Claim：`clm_0009` supported 0.86\n- `npx decoy-scan --report            # Upload results to Decoy dashboard` 证据：`README.md` 
Claim：`clm_0010` supported 0.86\n- `npx decoy-scan --policy=RULES      # CI/CD policy gate (exit 2 on violation)` 证据：`README.md` Claim：`clm_0011` supported 0.86\n- `npx decoy-scan --verbose           # Show all tools including low-risk` 证据：`README.md` Claim：`clm_0012` supported 0.86\n\n## 继续前判断卡\n\n- **当前建议**：需要管理员/安全审批\n- **为什么**：继续前可能涉及密钥、账号、外部服务或敏感上下文，建议先经过管理员或安全审批。\n\n### 30 秒判断\n\n- **现在怎么做**：需要管理员/安全审批\n- **最小安全下一步**：先跑 Prompt Preview；若涉及凭证或企业环境，先审批再试装\n- **先别相信**：工具权限边界不能在安装前相信。\n- **继续会触碰**：命令执行、宿主 AI 配置、本地环境或项目文件\n\n### 现在可以相信\n\n- **适合人群线索：正在使用 Claude/Codex/Cursor/Gemini 等宿主 AI 的开发者**（supported）：有 supported claim 或项目证据支撑，但仍不等于真实安装效果。 证据：`README.md` Claim：`clm_0002` supported 0.86\n- **能力存在：命令行启动或安装流程**（supported）：可以相信项目包含这类能力线索；是否适合你的具体任务仍要试用或安装后验证。 证据：`AGENTS.md`, `README.md` Claim：`clm_0001` supported 0.86\n- **存在 Quick Start / 安装命令线索**（supported）：可以相信项目文档出现过启动或安装入口；不要因此直接在主力环境运行。 证据：`README.md` Claim：`clm_0003` supported 0.86, `clm_0004` supported 0.86, `clm_0005` supported 0.86, `clm_0006` supported 0.86\n\n### 现在还不能相信\n\n- **工具权限边界不能在安装前相信。**（unverified）：MCP/tool 类项目通常会触碰文件、网络、浏览器或外部 API，必须真实检查权限和日志。\n- **真实输出质量不能在安装前相信。**（unverified）：Prompt Preview 只能展示引导方式，不能证明真实项目中的结果质量。\n- **宿主 AI 版本兼容性不能在安装前相信。**（unverified）：Claude、Cursor、Codex、Gemini 等宿主加载规则和版本差异必须在真实环境验证。\n- **不会污染现有宿主 AI 行为，不能直接相信。**（inferred）：Skill、plugin、AGENTS/CLAUDE/GEMINI 指令可能改变宿主 AI 的默认行为。 证据：`AGENTS.md`\n- **可安全回滚不能默认相信。**（unverified）：除非项目明确提供卸载和恢复说明，否则必须先在隔离环境验证。\n- **真实安装后是否与用户当前宿主 AI 版本兼容？**（unverified）：兼容性只能通过实际宿主环境验证。\n- **项目输出质量是否满足用户具体任务？**（unverified）：安装前预览只能展示流程和边界，不能替代真实评测。\n- **安装命令是否需要网络、权限或全局写入？**（unverified）：这影响企业环境和个人环境的安装风险。 证据：`README.md`\n\n### 继续会触碰什么\n\n- **命令执行**：包管理器、网络下载、本地插件目录、项目配置或用户主目录。 原因：运行第一条命令就可能产生环境改动；必须先判断是否值得跑。 证据：`AGENTS.md`, `README.md`\n- **宿主 AI 配置**：Claude/Codex/Cursor/Gemini/OpenCode 等宿主的 plugin、Skill 或规则加载配置。 原因：宿主配置会改变 AI 后续工作方式，可能和用户已有规则冲突。 证据：`AGENTS.md`\n- **本地环境或项目文件**：安装结果、插件缓存、项目配置或本地依赖目录。 原因：安装前无法证明写入范围和回滚方式，需要隔离验证。 证据：`AGENTS.md`, 
`README.md`\n- **环境变量 / API Key**：项目入口文档明确出现 API key、token、secret 或账号凭证配置。 原因：如果真实安装需要凭证，应先使用测试凭证并经过权限/合规判断。 证据：`README.md`\n- **宿主 AI 上下文**：AI Context Pack、Prompt Preview、Skill 路由、风险规则和项目事实。 原因：导入上下文会影响宿主 AI 后续判断，必须避免把未验证项包装成事实。\n\n### 最小安全下一步\n\n- **先跑 Prompt Preview**：用安装前交互式试用判断工作方式是否匹配，不需要授权或改环境。（适用：任何项目都适用，尤其是输出质量未知时。）\n- **只在隔离目录或测试账号试装**：避免安装命令污染主力宿主 AI、真实项目或用户主目录。（适用：存在命令执行、插件配置或本地写入线索时。）\n- **先备份宿主 AI 配置**：Skill、plugin、规则文件可能改变 Claude/Cursor/Codex 的默认行为。（适用：存在插件 manifest、Skill 或宿主规则入口时。）\n- **不要使用真实生产凭证**：环境变量/API key 一旦进入宿主或工具链，可能产生账号和合规风险。（适用：出现 API、TOKEN、KEY、SECRET 等环境线索时。）\n- **安装后只验证一个最小任务**：先验证加载、兼容、输出质量和回滚，再决定是否深用。（适用：准备从试用进入真实工作流时。）\n\n### 退出方式\n\n- **保留安装前状态**：记录原始宿主配置和项目状态，后续才能判断是否可恢复。\n- **准备移除宿主 plugin / Skill / 规则入口**：如果试装后行为异常，可以把宿主 AI 恢复到试装前状态。\n- **记录安装命令和写入路径**：没有明确卸载说明时，至少要知道哪些目录或配置需要手动清理。\n- **准备撤销测试 API key 或 token**：测试凭证泄露或误用时，可以快速止损。\n- **如果没有回滚路径，不进入主力环境**：不可回滚是继续前阻断项，不应靠信任或运气继续。\n\n## 哪些只能预览\n\n- 解释项目适合谁和能做什么\n- 基于项目文档演示典型对话流程\n- 帮助用户判断是否值得安装或继续研究\n\n## 哪些必须安装后验证\n\n- 真实安装 Skill、插件或 CLI\n- 执行脚本、修改本地文件或访问外部服务\n- 验证真实输出质量、性能和兼容性\n\n## 边界与风险判断卡\n\n- **把安装前预览误认为真实运行**：用户可能高估项目已经完成的配置、权限和兼容性验证。 处理方式：明确区分 prompt_preview_can_do 与 runtime_required。 Claim：`clm_0026` inferred 0.45\n- **命令执行会修改本地环境**：安装命令可能写入用户主目录、宿主插件目录或项目配置。 处理方式：先在隔离环境或测试账号中运行。 证据：`AGENTS.md`, `README.md` Claim：`clm_0027` supported 0.86\n- **待确认**：真实安装后是否与用户当前宿主 AI 版本兼容？。原因：兼容性只能通过实际宿主环境验证。\n- **待确认**：项目输出质量是否满足用户具体任务？。原因：安装前预览只能展示流程和边界，不能替代真实评测。\n- **待确认**：安装命令是否需要网络、权限或全局写入？。原因：这影响企业环境和个人环境的安装风险。\n\n## 开工前工作上下文\n\n### 加载顺序\n\n- 先读取 how_to_use.host_ai_instruction，建立安装前判断资产的边界。\n- 读取 claim_graph_summary，确认事实来自 Claim/Evidence Graph，而不是 Human Wiki 叙事。\n- 再读取 intended_users、capabilities 和 quick_start_candidates，判断用户是否匹配。\n- 需要执行具体任务时，优先查 role_skill_index，再查 evidence_index。\n- 遇到真实安装、文件修改、网络访问、性能或兼容性问题时，转入 risk_card 和 boundaries.runtime_required。\n\n### 任务路由\n\n- **命令行启动或安装流程**：先说明这是安装后验证能力，再给出安装前检查清单。 边界：必须真实安装或运行后验证。 证据：`AGENTS.md`, `README.md` Claim：`clm_0001` supported 
0.86\n\n### 上下文规模\n\n- 文件总数：33\n- 重要文件覆盖：30/33\n- 证据索引条目：30\n- 角色 / Skill 条目：5\n\n### 证据不足时的处理\n\n- **missing_evidence**：说明证据不足，要求用户提供目标文件、README 段落或安装后验证记录；不要补全事实。\n- **out_of_scope_request**：说明该任务超出当前 AI Context Pack 证据范围，并建议用户先查看 Human Manual 或真实安装后验证。\n- **runtime_request**：给出安装前检查清单和命令来源，但不要替用户执行命令或声称已执行。\n- **source_conflict**：同时展示冲突来源，标记为待核实，不要强行选择一个版本。\n\n## Prompt Recipes\n\n### 适配判断\n\n- 目标：判断这个项目是否适合用户当前任务。\n- 预期输出：适配结论、关键理由、证据引用、安装前可预览内容、必须安装后验证内容、下一步建议。\n\n```text\n请基于 decoy-scan 的 AI Context Pack，先问我 3 个必要问题，然后判断它是否适合我的任务。回答必须包含：适合谁、能做什么、不能做什么、是否值得安装、证据来自哪里。所有项目事实必须引用 evidence_refs、source_paths 或 claim_id。\n```\n\n### 安装前体验\n\n- 目标：让用户在安装前感受核心工作流，同时避免把预览包装成真实能力或营销承诺。\n- 预期输出：一段带边界标签的体验剧本、安装后验证清单和谨慎建议；不含真实运行承诺或强营销表述。\n\n```text\n请把 decoy-scan 当作安装前体验资产，而不是已安装工具或真实运行环境。\n\n请严格输出四段：\n1. 先问我 3 个必要问题。\n2. 给出一段“体验剧本”：用 [安装前可预览]、[必须安装后验证]、[证据不足] 三种标签展示它可能如何引导工作流。\n3. 给出安装后验证清单：列出哪些能力只有真实安装、真实宿主加载、真实项目运行后才能确认。\n4. 给出谨慎建议：只能说“值得继续研究/试装”“先补充信息后再判断”或“不建议继续”，不得替项目背书。\n\n硬性边界：\n- 不要声称已经安装、运行、执行测试、修改文件或产生真实结果。\n- 不要写“自动适配”“确保通过”“完美适配”“强烈建议安装”等承诺性表达。\n- 如果描述安装后的工作方式，必须使用“如果安装成功且宿主正确加载 Skill，它可能会……”这种条件句。\n- 体验剧本只能写成“示例台词/假设流程”：使用“可能会询问/可能会建议/可能会展示”，不要写“已写入、已生成、已通过、正在运行、正在生成”。\n- Prompt Preview 不负责给安装命令；如用户准备试装，只能提示先阅读 Quick Start 和 Risk Card，并在隔离环境验证。\n- 所有项目事实必须来自 supported claim、evidence_refs 或 source_paths；inferred/unverified 只能作风险或待确认项。\n\n```\n\n### 角色 / Skill 选择\n\n- 目标：从项目里的角色或 Skill 中挑选最匹配的资产。\n- 预期输出：候选角色或 Skill 列表，每项包含适用场景、证据路径、风险边界和是否需要安装后验证。\n\n```text\n请读取 role_skill_index，根据我的目标任务推荐 3-5 个最相关的角色或 Skill。每个推荐都要说明适用场景、可能输出、风险边界和 evidence_refs。\n```\n\n### 风险预检\n\n- 目标：安装或引入前识别环境、权限、规则冲突和质量风险。\n- 预期输出：环境、权限、依赖、许可、宿主冲突、质量风险和未知项的检查清单。\n\n```text\n请基于 risk_card、boundaries 和 quick_start_candidates，给我一份安装前风险预检清单。不要替我执行命令，只说明我应该检查什么、为什么检查、失败会有什么影响。\n```\n\n### 宿主 AI 开工指令\n\n- 目标：把项目上下文转成一次对话开始前的宿主 AI 指令。\n- 预期输出：一段边界明确、证据引用明确、适合复制给宿主 AI 的开工前指令。\n\n```text\n请基于 decoy-scan 的 AI Context Pack，生成一段我可以粘贴给宿主 AI 的开工前指令。这段指令必须遵守 
not_runtime=true，不能声称项目已经安装、运行或产生真实结果。\n```\n\n\n## 角色 / Skill 索引\n\n- 共索引 5 个角色 / Skill / 项目文档条目。\n\n- **decoy-scan — Agent Reference**（project_doc）：MCP supply chain security scanner. Zero dependencies. Node.js >= 18. 激活提示：当用户需要理解项目结构、安装方式或边界时参考。 证据：`AGENTS.md`\n- **🚀 Get Started**（project_doc）：Find security risks in your MCP servers before attackers do. Zero dependencies, zero config, zero account required. 激活提示：当用户需要理解项目结构、安装方式或边界时参考。 证据：`README.md`\n- **Contributing to decoy-scan**（project_doc）：Thanks for your interest in improving MCP security. 激活提示：当用户需要理解项目结构、安装方式或边界时参考。 证据：`CONTRIBUTING.md`\n- **Changelog**（project_doc）：All notable changes to this project will be documented in this file. 激活提示：当用户需要理解项目结构、安装方式或边界时参考。 证据：`CHANGELOG.md`\n- **Security Policy**（project_doc）：Version Supported ------- --------- 0.4.x Yes < 0.4 No 激活提示：当用户需要理解项目结构、安装方式或边界时参考。 证据：`SECURITY.md`\n\n## 证据索引\n\n- 共索引 30 条证据。\n\n- **decoy-scan — Agent Reference**（documentation）：MCP supply chain security scanner. Zero dependencies. Node.js >= 18. 证据：`AGENTS.md`\n- **🚀 Get Started**（documentation）：Find security risks in your MCP servers before attackers do. Zero dependencies, zero config, zero account required. 证据：`README.md`\n- **Package**（package_manifest）：{ \"name\": \"decoy-scan\", \"version\": \"0.8.1\", \"description\": \"Security scanner for MCP server configurations. 
Finds risky tools, vulnerable packages, and suspicious servers across Claude Desktop, Cursor, VS Code, and more.\", \"type\": \"module\", \"main\": \"index.mjs\", \"exports\": { \".\": \"./index.mjs\" }, \"bin\": { \"decoy-scan\": \"bin/cli.mjs\" }, \"files\": [\"index.mjs\", \"lib/\", \"bin/\"], \"keywords\": [\"mcp\", \"security\", \"scanner\", \"supply-chain\", \"ai-agent\", \"vulnerability\", \"prompt-injection\", \"tool-risk\"], \"repository\": { \"type\": \"git\", \"url\": \"https://github.com/decoy-run/decoy-scan\" }, \"homepage\": \"https://decoy.run\", \"bugs\": { \"url\": \"https://github.com/decoy-run/decoy-scan/issues\" }, \"scripts\": { \"tes… 证据：`package.json`\n- **Contributing to decoy-scan**（documentation）：Thanks for your interest in improving MCP security. 证据：`CONTRIBUTING.md`\n- **License**（source_file）：Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: 证据：`LICENSE`\n- **Changelog**（documentation）：All notable changes to this project will be documented in this file. 证据：`CHANGELOG.md`\n- **Security Policy**（documentation）：Version Supported ------- --------- 0.4.x Yes < 0.4 No 证据：`SECURITY.md`\n- **.gitignore**（source_file）：node_modules/ .DS_Store .next/ .env *.log 证据：`.gitignore`\n- **Build flags**（source_file）：name: Decoy Scan description: Scan MCP server configurations for security risks — tool poisoning, toxic flows, secrets exposure, and more. 
author: decoy-run 证据：`action.yml`\n- **!/usr/bin/env node**（source_file）：// decoy-scan CLI — MCP supply chain security scanner 证据：`bin/cli.mjs`\n- **Index**（source_file）：// decoy-scan — MCP supply chain scanner // Public API — re-exports from lib/ modules. 证据：`index.mjs`\n- **Advisories**（source_file）：// Advisory check — fetches vulnerability advisories from the Decoy API. 证据：`lib/advisories.mjs`\n- **Analyzers**（source_file）：// Analysis functions — pure, composable, no side effects. // Each takes a tool/entry/array, returns structured findings. 证据：`lib/analyzers.mjs`\n- **Constants**（source_file）：// Extracted constants — no more magic numbers at 3am 证据：`lib/constants.mjs`\n- **Discovery**（source_file）：// Host config discovery — finds MCP server configurations across IDEs and tools. 证据：`lib/discovery.mjs`\n- **Explain**（source_file）：// Explanations for decoy-scan's classifications. // Sourced from the same rules the scanner uses, so explanations stay in sync. 证据：`lib/explain.mjs`\n- **Install Id**（source_file）：// Install ID — stable, anonymous identifier for this machine. Written to // ~/.decoy/install_id on first run. The only stable identifier the CLI sends // to /api/telemetry; on signup the dashboard links it to an account so // pre-signup history is preserved. 证据：`lib/install_id.mjs`\n- **Owasp**（source_file）：// OWASP Agentic Top 10 mapping — finding type → OWASP ID 证据：`lib/owasp.mjs`\n- **Patterns**（source_file）：// Pattern definitions — the data layer. // Pure arrays of regex + metadata. No logic, no side effects. 证据：`lib/patterns.mjs`\n- **Probe**（source_file）：// Server probing — spawns MCP servers and extracts tools via JSON-RPC 2.0. 证据：`lib/probe.mjs`\n- **Sarif**（source_file）：// SARIF 2.1.0 output — exports scan results for GitHub Security tab and other SARIF consumers. 证据：`lib/sarif.mjs`\n- **Scan**（source_file）：// Scan orchestration — wires discovery, probing, analysis, and reporting together. 
证据：`lib/scan.mjs`\n- **Skills**（source_file）：// Skill scanning — discovers and analyzes Claude Code skills for injection and secrets. 证据：`lib/skills.mjs`\n- **Telemetry**（source_file）：// Anonymous telemetry client (v2 envelope) for decoy-* CLIs. // // Default: ON. Every event carries: // { schema_version: 2, tool, version, installId, accountId?, event, // event_id, run_id, ts, env: { node, platform, arch, ci, host, locale }, // payload } // // Three durability guarantees: // 1. Retry — 1 retry with 200→800ms backoff on timeout / 5xx. // 2. Persistent queue — on final failure events append to // ~/.decoy/telemetry-queue.jsonl (capped 1000, FIFO). The next // CLI run drains the queue first as a batched POST. // 3. Dedup — every event carries a UUID event_id, so retries + // queue-drain replays are server-side idempotent. // // Opt-out: DECOY_TELEMETRY=0 env var or --no-telemet… 证据：`lib/telemetry.mjs`\n- **Tier**（source_file）：// Plan/tier resolution for the CLI. Looks up a token's plan via /api/billing // and caches the answer at ~/.decoy/tier for 24 hours so each explain call // doesn't take an extra network round-trip. // // Returns one of: \"free\" \"team\" \"business\" \"unknown\". // \"unknown\" means: no token, fetch failed, or response was malformed — // callers should treat unknown as free for gating purposes. 证据：`lib/tier.mjs`\n- **Verify**（source_file）：// Client for the /api/verify endpoint — DeepSec-style AI verification of // scan findings. Requires a free Decoy account (claim install_id at // app.decoy.run/d/). Free: 5/account/month. Team: 30/seat/day. // Business: 60/seat/day. // // Returns: // { ok: true, verified: [...], stats: {...}, quota: {...} | null } // { ok: false, status, code, message, claimUrl?, upgradeUrl?, quota?, cap? } // // Never throws — caller switches on ok and renders. 
证据：`lib/verify.mjs`\n- **Cli.Test**（source_file）：// decoy-scan CLI tests // Run: node --test test/cli.test.mjs 证据：`test/cli.test.mjs`\n- **Probe.Test**（source_file）：// Probe, advisory, SARIF, and poisoning false-positive tests // Run: node --test test/probe.test.mjs 证据：`test/probe.test.mjs`\n- **Telemetry.Test**（source_file）：// Tests for install id + telemetry helpers. // Run: node --test test/telemetry.test.mjs 证据：`test/telemetry.test.mjs`\n- **Unit.Test**（source_file）：// Unit tests for individual modules // Run: node --test test/unit.test.mjs 证据：`test/unit.test.mjs`\n\n## 宿主 AI 必须遵守的规则\n\n- **把本资产当作开工前上下文，而不是运行环境。**：AI Context Pack 只包含证据化项目理解，不包含目标项目的可执行状态。 证据：`AGENTS.md`, `README.md`, `package.json`\n- **回答用户时区分可预览内容与必须安装后才能验证的内容。**：安装前体验的消费者价值来自降低误装和误判，而不是伪装成真实运行。 证据：`AGENTS.md`, `README.md`, `package.json`\n\n## 用户开工前应该回答的问题\n\n- 你准备在哪个宿主 AI 或本地环境中使用它？\n- 你只是想先体验工作流，还是准备真实安装？\n- 你最在意的是安装成本、输出质量、还是和现有规则的冲突？\n\n## 验收标准\n\n- 所有能力声明都能回指到 evidence_refs 中的文件路径。\n- AI_CONTEXT_PACK.md 没有把预览包装成真实运行。\n- 用户能在 3 分钟内看懂适合谁、能做什么、如何开始和风险边界。\n\n---\n\n## Doramagic Context Augmentation\n\n下面内容用于强化 Repomix/AI Context Pack 主体。Human Manual 只提供阅读骨架；踩坑日志会被转成宿主 AI 必须遵守的工作约束。\n\n## Human Manual 骨架\n\n使用规则：这里只是项目阅读路线和显著性信号，不是事实权威。具体事实仍必须回到 repo evidence / Claim Graph。\n\n宿主 AI 硬性规则：\n- 不得把页标题、章节顺序、摘要或 importance 当作项目事实证据。\n- 解释 Human Manual 骨架时，必须明确说它只是阅读路线/显著性信号。\n- 能力、安装、兼容性、运行状态和风险判断必须引用 repo evidence、source path 或 Claim Graph。\n\n- **Overview**：importance `high`\n  - source_paths: README.md, index.mjs\n- **Installation and Quick Start**：importance `high`\n  - source_paths: package.json, bin/cli.mjs\n- **System Architecture**：importance `high`\n  - source_paths: lib/discovery.mjs, lib/scan.mjs, lib/probe.mjs, lib/telemetry.mjs\n- **Core Modules Reference**：importance `medium`\n  - source_paths: lib/analyzers.mjs, lib/patterns.mjs, lib/tier.mjs, lib/owasp.mjs, lib/verify.mjs\n- **Security Checks and Detection**：importance `high`\n  - source_paths: lib/patterns.mjs, lib/explain.mjs, 
lib/tier.mjs\n- **Supply Chain and Advisory Database**：importance `medium`\n  - source_paths: lib/advisories.mjs, lib/constants.mjs\n- **Skill Scanning**：importance `medium`\n  - source_paths: lib/skills.mjs, lib/discovery.mjs\n- **CLI Reference**：importance `high`\n  - source_paths: bin/cli.mjs, action.yml\n\n## Repo Inspection Evidence / 源码检查证据\n\n- repo_clone_verified: true\n- repo_inspection_verified: true\n- repo_commit: `95ad9de5ca65ec6b6c0e78699730abd60e682d81`\n- inspected_files: `package.json`, `README.md`\n\n宿主 AI 硬性规则：\n- 没有 repo_clone_verified=true 时，不得声称已经读过源码。\n- 没有 repo_inspection_verified=true 时，不得把 README/docs/package 文件判断写成事实。\n- 没有 quick_start_verified=true 时，不得声称 Quick Start 已跑通。\n\n## Doramagic Pitfall Constraints / 踩坑约束\n\n这些规则来自 Doramagic 发现、验证或编译过程中的项目专属坑点。宿主 AI 必须把它们当作工作约束，而不是普通说明文字。\n\n### Constraint 1: 能力判断依赖假设\n\n- Trigger: README/documentation is current enough for a first validation pass.\n- Host AI rule: 将假设转成下游验证清单。\n- Why it matters: 假设不成立时，用户拿不到承诺的能力。\n- Evidence: capability.assumptions | github_repo:1185640470 | https://github.com/decoy-run/decoy-scan | README/documentation is current enough for a first validation pass.\n- Hard boundary: 不要把这个坑点包装成已解决、已验证或可忽略，除非后续验证证据明确证明它已经关闭。\n\n### Constraint 2: 维护活跃度未知\n\n- Trigger: 未记录 last_activity_observed。\n- Host AI rule: 补 GitHub 最近 commit、release、issue/PR 响应信号。\n- Why it matters: 新项目、停更项目和活跃项目会被混在一起，推荐信任度下降。\n- Evidence: evidence.maintainer_signals | github_repo:1185640470 | https://github.com/decoy-run/decoy-scan | last_activity_observed missing\n- Hard boundary: 不要把这个坑点包装成已解决、已验证或可忽略，除非后续验证证据明确证明它已经关闭。\n\n### Constraint 3: 下游验证发现风险项\n\n- Trigger: no_demo\n- Host AI rule: 进入安全/权限治理复核队列。\n- Why it matters: 下游已经要求复核，不能在页面中弱化。\n- Evidence: downstream_validation.risk_items | github_repo:1185640470 | https://github.com/decoy-run/decoy-scan | no_demo; severity=medium\n- Hard boundary: 不要把这个坑点包装成已解决、已验证或可忽略，除非后续验证证据明确证明它已经关闭。\n\n### Constraint 4: 存在评分风险\n\n- Trigger: no_demo\n- Host AI rule: 
把风险写入边界卡，并确认是否需要人工复核。\n- Why it matters: 风险会影响是否适合普通用户安装。\n- Evidence: risks.scoring_risks | github_repo:1185640470 | https://github.com/decoy-run/decoy-scan | no_demo; severity=medium\n- Hard boundary: 不要把这个坑点包装成已解决、已验证或可忽略，除非后续验证证据明确证明它已经关闭。\n\n### Constraint 5: 来源证据：Decoy Scan - MCP Security for CI/CD\n\n- Trigger: GitHub 社区证据显示该项目存在一个安全/权限相关的待验证问题：Decoy Scan - MCP Security for CI/CD\n- Host AI rule: 来源显示可能已有修复、规避或版本变化，说明书中必须标注适用版本。\n- Why it matters: 可能影响授权、密钥配置或安全边界。\n- Evidence: community_evidence:github | cevd_1dfbf3581ef44580b28d89d74f78c803 | https://github.com/decoy-run/decoy-scan/releases/tag/v1 | 来源类型 github_release 暴露的待验证使用条件。\n- Hard boundary: 不要把这个坑点包装成已解决、已验证或可忽略，除非后续验证证据明确证明它已经关闭。\n\n### Constraint 6: issue/PR 响应质量未知\n\n- Trigger: issue_or_pr_quality=unknown。\n- Host AI rule: 抽样最近 issue/PR，判断是否长期无人处理。\n- Why it matters: 用户无法判断遇到问题后是否有人维护。\n- Evidence: evidence.maintainer_signals | github_repo:1185640470 | https://github.com/decoy-run/decoy-scan | issue_or_pr_quality=unknown\n- Hard boundary: 不要把这个坑点包装成已解决、已验证或可忽略，除非后续验证证据明确证明它已经关闭。\n\n### Constraint 7: 发布节奏不明确\n\n- Trigger: release_recency=unknown。\n- Host AI rule: 确认最近 release/tag 和 README 安装命令是否一致。\n- Why it matters: 安装命令和文档可能落后于代码，用户踩坑概率升高。\n- Evidence: evidence.maintainer_signals | github_repo:1185640470 | https://github.com/decoy-run/decoy-scan | release_recency=unknown\n- Hard boundary: 不要把这个坑点包装成已解决、已验证或可忽略，除非后续验证证据明确证明它已经关闭。\n",
      "summary": "给宿主 AI 的上下文和工作边界。",
      "title": "AI Context Pack / 带给我的 AI"
    },
    "boundary_risk_card": {
      "asset_id": "boundary_risk_card",
      "filename": "BOUNDARY_RISK_CARD.md",
      "markdown": "# Boundary & Risk Card / 安装前决策卡\n\n项目：decoy-run/decoy-scan\n\n## Doramagic 试用结论\n\n当前结论：可以进入发布前推荐检查；首次使用仍应从最小权限、临时目录和可回滚配置开始。\n\n## 用户现在可以做\n\n- 可以先阅读 Human Manual，理解项目目的和主要工作流。\n- 可以复制 Prompt Preview 做安装前体验；这只验证交互感，不代表真实运行。\n- 可以把官方 Quick Start 命令放到隔离环境中验证，不要直接进主力环境。\n\n## 现在不要做\n\n- 不要把 Prompt Preview 当成项目实际运行结果。\n- 不要把 metadata-only validation 当成沙箱安装验证。\n- 不要把未验证能力写成“已支持、已跑通、可放心安装”。\n- 不要在首次试用时交出生产数据、私人文件、真实密钥或主力配置目录。\n\n## 安装前检查\n\n- 宿主 AI 是否匹配：mcp_host\n- 官方安装入口状态：已发现官方入口\n- 是否在临时目录、临时宿主或容器中验证：必须是\n- 是否能回滚配置改动：必须能\n- 是否需要 API Key、网络访问、读写文件或修改宿主配置：未确认前按高风险处理\n- 是否记录了安装命令、实际输出和失败日志：必须记录\n\n## 当前阻塞项\n\n- review_required: community_discussion_evidence_below_public_threshold\n\n## 项目专属踩坑\n\n- 能力判断依赖假设（medium）：假设不成立时，用户拿不到承诺的能力。 建议检查：将假设转成下游验证清单。\n- 维护活跃度未知（medium）：新项目、停更项目和活跃项目会被混在一起，推荐信任度下降。 建议检查：补 GitHub 最近 commit、release、issue/PR 响应信号。\n- 下游验证发现风险项（medium）：下游已经要求复核，不能在页面中弱化。 建议检查：进入安全/权限治理复核队列。\n- 存在评分风险（medium）：风险会影响是否适合普通用户安装。 建议检查：把风险写入边界卡，并确认是否需要人工复核。\n- 来源证据：Decoy Scan - MCP Security for CI/CD（medium）：可能影响授权、密钥配置或安全边界。 建议检查：来源显示可能已有修复、规避或版本变化，说明书中必须标注适用版本。\n\n## 风险与权限提示\n\n- no_demo: medium\n\n## 证据缺口\n\n- 暂未发现结构化证据缺口。\n",
      "summary": "安装、权限、验证和推荐前风险。",
      "title": "Boundary & Risk Card / 边界与风险卡"
    },
    "human_manual": {
      "asset_id": "human_manual",
      "filename": "HUMAN_MANUAL.md",
      "markdown": "# https://github.com/decoy-run/decoy-scan 项目说明书\n\n生成时间：2026-05-15 09:18:56 UTC\n\n## 目录\n\n- [Overview](#page-1)\n- [Installation and Quick Start](#page-2)\n- [System Architecture](#page-3)\n- [Core Modules Reference](#page-4)\n- [Security Checks and Detection](#page-5)\n- [Supply Chain and Advisory Database](#page-6)\n- [Skill Scanning](#page-7)\n- [CLI Reference](#page-8)\n- [GitHub Action Integration](#page-9)\n- [Output Formats and Policy Configuration](#page-10)\n\n<a id='page-1'></a>\n\n## Overview\n\n### 相关页面\n\n相关主题：[Installation and Quick Start](#page-2), [Security Checks and Detection](#page-5)\n\n<details>\n<summary>相关源码文件</summary>\n\n以下源码文件用于生成本页说明：\n\n- [README.md](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n- [AGENTS.md](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md)\n- [CONTRIBUTING.md](https://github.com/decoy-run/decoy-scan/blob/main/CONTRIBUTING.md)\n- [CHANGELOG.md](https://github.com/decoy-run/decoy-scan/blob/main/CHANGELOG.md)\n- [action.yml](https://github.com/decoy-run/decoy-scan/blob/main/action.yml)\n</details>\n\n# Overview\n\n**decoy-scan** is a command-line security scanner for the MCP (Model Context Protocol) ecosystem. It identifies security risks in MCP server configurations, detects prompt injection attacks, analyzes dangerous tool permissions, and maps findings to the OWASP Agentic Top 10 security framework. The tool operates with zero dependencies, requiring only Node.js 18+, and needs no installation, account, or configuration to run.\n\n资料来源：[README.md:1]()\n\n## Purpose and Scope\n\nThe primary purpose of decoy-scan is to proactively discover security vulnerabilities in MCP server configurations before attackers can exploit them. 
The tool addresses a critical gap in the MCP supply chain by providing automated security scanning that was previously unavailable to developers and security teams.\n\n**Key objectives:**\n\n- Scan local MCP client configurations (Claude Desktop, Cursor, Windsurf, VS Code, Claude Code, Zed, Cline)\n- Classify tool risk levels based on name patterns and description analysis\n- Detect prompt injection attacks hidden within tool descriptions\n- Identify environment variable exposure and credential leakage\n- Analyze toxic data flows across server boundaries\n- Provide machine-readable output (JSON, SARIF) for CI/CD integration\n\n资料来源：[README.md:1-5]()\n\n## Architecture Overview\n\ndecoy-scan follows a modular architecture where a single ES module (`index.mjs`) contains all core functionality without external dependencies.\n\n```mermaid\ngraph TD\n    A[User runs decoy-scan] --> B[Discover MCP Configs]\n    B --> C[Parse Server Configurations]\n    C --> D[Probe Servers via stdio]\n    D --> E{Analysis Engine}\n    \n    E --> F[Tool Risk Classification]\n    E --> G[Poisoning Detection]\n    E --> H[Command Analysis]\n    E --> I[Env Exposure Check]\n    E --> J[Readiness Analysis]\n    E --> K[Advisory Cross-Reference]\n    \n    F --> L[Aggregate Results]\n    G --> L\n    H --> L\n    I --> L\n    J --> L\n    K --> L\n    \n    L --> M[Output Formatter]\n    M --> N[Pretty Print / JSON / SARIF]\n```\n\nThe scan orchestrator (`scan()`) coordinates all analysis modules and produces structured output. 
Each module operates independently, allowing the tool to continue analysis even if individual checks fail.\n\n资料来源：[CONTRIBUTING.md:14-29]()\n\n## Core Security Checks\n\ndecoy-scan performs multiple simultaneous security checks across different attack vectors:\n\n| Check Category | What it Detects |\n|----------------|-----------------|\n| Tool Risk Classification | Critical/high/medium/low tools by name and description |\n| Prompt Injection Detection | 37 patterns across 20 attack categories in tool descriptions |\n| Toxic Flow Analysis | Cross-server data leak (TF001) and destructive (TF002) attack chains |\n| Tool Manifest Hashing | Tool additions, removals, and description changes between scans |\n| Skill Scanning | Prompt injection, hardcoded secrets, suspicious URLs in Claude Code skills |\n| Server Command Analysis | Pipe-to-shell, inline code, typosquatting, temp directory spawning |\n| Environment Variable Exposure | API keys, tokens, secrets, cloud credentials passed to servers |\n| Supply Chain Advisories | 40+ known vulnerable MCP packages via Decoy advisory database |\n| Transport Security | HTTP without TLS, missing auth, wildcard CORS, public-bound SSE |\n| Input Sanitization | Unconstrained parameters, missing maxLength, open schemas |\n| Permission Scope | Over-privileged servers, dangerous capability combinations |\n| OWASP Mapping | Every finding mapped to ASI01–ASI05 |\n\n资料来源：[README.md:58-70]()\n\n### Tool Risk Tiers\n\nTools are classified into four risk tiers based on their potential impact:\n\n| Tier | Description | Examples |\n|------|-------------|----------|\n| Critical | Can execute code, modify data, or cause irreversible changes | `execute_command`, `write_file`, `delete_database` |\n| High | Can read files, make network requests, or access sensitive data | `read_file`, `fetch_url`, `get_credentials` |\n| Medium | Moderate scope with limited blast radius | `list_directory`, `search_logs` |\n| Low | Minimal 
risk, read-only or sandboxed operations | `ping`, `get_status` |\n\n资料来源：[AGENTS.md:30-40]()\n\n### Poisoning Pattern Categories\n\nThe scanner detects 37 distinct prompt injection patterns organized into 20 attack categories:\n\n```mermaid\ngraph LR\n    A[Tool Description] --> B[Poisoning Detection Engine]\n    \n    B --> C[Instruction Override]\n    B --> D[Concealment]\n    B --> E[Data Exfiltration]\n    B --> F[Credential Harvesting]\n    B --> G[Coercive Execution]\n    B --> H[Tool Shadowing]\n    B --> I[Evasion Techniques]\n    \n    C --> J[Findings with Severity]\n    D --> J\n    E --> J\n    F --> J\n    G --> J\n    H --> J\n    I --> J\n```\n\n资料来源：[CONTRIBUTING.md:30-45]()\n\n## Supported MCP Hosts\n\ndecoy-scan automatically discovers and scans MCP configurations across multiple clients. Config paths are platform-aware for macOS, Windows, and Linux.\n\n| Host | Platform Support | Config Location |\n|------|------------------|-----------------|\n| Claude Desktop | macOS, Windows, Linux | Platform-specific config directory |\n| Cursor | macOS, Windows, Linux | Platform-specific config directory |\n| Windsurf | macOS, Windows, Linux | Platform-specific config directory |\n| VS Code | macOS, Windows, Linux | Platform-specific config directory |\n| Claude Code | macOS, Windows, Linux | Platform-specific config directory |\n| Zed | macOS, Windows, Linux | Platform-specific config directory |\n| Cline | macOS, Windows, Linux | Platform-specific config directory |\n\nThe tool also supports project-level `.mcp.json` configuration files when run from a project root.\n\n资料来源：[AGENTS.md:85-93]()\n\n## Output Formats\n\ndecoy-scan provides multiple output formats to support different use cases:\n\n### Pretty Print (Default)\n\nHuman-readable output with colored severity badges and visual hierarchy:\n\n```\n▸ Discovering MCP servers…\n▸ Running 12 checks…\n\n✗ server-name 2 critical\n  Critical tools: execute_command, write_file\n  \n✓ another-server 
passed\n\n3 issues found · 2 critical, 1 high · 12 checks passed · 2.3s\n```\n\n### JSON Output\n\nMachine-readable format with full structural data:\n\n```json\n{\n  \"timestamp\": \"ISO-8601\",\n  \"hosts\": [\"Claude Desktop\", \"Cursor\"],\n  \"servers\": [{\n    \"name\": \"server-name\",\n    \"hosts\": [\"Claude Desktop\"],\n    \"command\": \"npx\",\n    \"args\": [\"@modelcontextprotocol/server-filesystem\"],\n    \"tools\": [{\n      \"name\": \"read_file\",\n      \"description\": \"...\",\n      \"risk\": \"high\",\n      \"poisoning\": [{ \"type\": \"...\", \"severity\": \"...\", \"description\": \"...\" }]\n    }],\n    \"risk\": \"high\",\n    \"error\": null,\n    \"findings\": [{\n      \"type\": \"env-exposure\",\n      \"severity\": \"high\",\n      \"description\": \"...\",\n      \"source\": \"env-config\"\n    }]\n  }],\n  \"summary\": {\n    \"total\": 2,\n    \"critical\": 1,\n    \"high\": 1,\n    \"medium\": 0,\n    \"low\": 0,\n    \"poisoned\": 0\n  }\n}\n```\n\n### SARIF Output\n\nStandard format for CI/CD integration with GitHub Security tab:\n\n```json\n{\n  \"$schema\": \"https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.json\",\n  \"version\": \"2.1.0\",\n  \"runs\": [{\n    \"tool\": { \"driver\": { \"name\": \"decoy-scan\", \"version\": \"0.7.0\" } },\n    \"results\": [...]\n  }]\n}\n```\n\n### Brief Output\n\nMinimal summary for agent consumption:\n\n```json\n{\n  \"servers\": 3,\n  \"critical\": 1,\n  \"high\": 2,\n  \"medium\": 4,\n  \"low\": 5,\n  \"poisoned\": 0,\n  \"status\": \"fail\",\n  \"exitCode\": 2\n}\n```\n\n资料来源：[AGENTS.md:65-84]()\n\n## Exit Codes\n\nThe tool uses standardized exit codes for programmatic integration:\n\n| Exit Code | Meaning | Triggers |\n|-----------|---------|----------|\n| 0 | No critical or high-risk issues | Clean scan |\n| 1 | High-risk issues found | High-risk tools or findings |\n| 2 | Critical issues, tool poisoning, toxic flows, or policy violation | Critical tools, prompt 
injection detected, or policy failure |\n\nThe exit code is also surfaced as `exitCode` on `--json` and `--brief` output for agent branching without re-deriving severity from summary counts.\n\n资料来源：[AGENTS.md:75-80]()\n\n## Command-Line Interface\n\n### Basic Usage\n\n```bash\nnpx decoy-scan                        # Full scan\nnpx decoy-scan --json                 # Machine-readable output\nnpx decoy-scan --sarif                # SARIF 2.1.0 for CI/CD\nnpx decoy-scan --verbose              # Show all tools including low-risk\nnpx decoy-scan --brief                # Minimal summary\n```\n\n### Explain Subcommand\n\nFor resolving what a scan finding means without parsing full scan output:\n\n```bash\ndecoy-scan explain critical              # Severity tier\ndecoy-scan explain tool-description      # Finding category\ndecoy-scan explain prompt-override       # Poisoning type\ndecoy-scan explain read_file             # Tool name\ndecoy-scan explain list                  # Enumerate all explainable targets\ndecoy-scan explain <target> --json       # Structured output\n```\n\n### Global Flags\n\n| Flag | Short | Description |\n|------|-------|-------------|\n| `--verbose` | `-v` | Show all tools including low-risk |\n| `--quiet` | `-q` | Suppress status output |\n| `--version` | `-V` | Print version |\n| `--help` | `-h` | Print help |\n\n资料来源：[AGENTS.md:10-28]()\n\n## GitHub Action Integration\n\nThe official GitHub Action enables automated scanning on push and pull request events:\n\n```yaml\nname: MCP Security\non: [push, pull_request]\n\njobs:\n  scan:\n    runs-on: ubuntu-latest\n    permissions:\n      security-events: write\n    steps:\n      - uses: actions/checkout@v4\n      - uses: decoy-run/decoy-scan@v1\n```\n\n### Action Inputs\n\n| Input | Default | Description |\n|-------|---------|-------------|\n| `policy` | `no-critical,no-poisoning` | Comma-separated policy rules |\n| `sarif` | `true` | Upload SARIF to GitHub Security tab |\n| `report` | `false` | 
Upload to Decoy Guard dashboard |\n| `token` | — | Decoy API token (for `report`) |\n| `verbose` | `false` | Show all tools including low-risk |\n\n### Policy Rules\n\n```\nno-critical          Fail on critical tools (code exec, file write)\nno-high              Fail on high-risk tools (file read, network)\nno-poisoning         Fail on prompt injection in tool descriptions\nno-toxic-flows       Fail on cross-server data leak / destructive chains\nno-secrets           Fail on secrets exposed in MCP config\nrequire-tripwires    Fail if decoy-tripwire not installed\nmax-critical=N       Fail if more than N critical tools found\n```\n\n资料来源：[README.md:88-108]()\n\n## Library API\n\ndecoy-scan can be imported as a module for programmatic use:\n\n```javascript\nimport {\n  scan,\n  toSarif,\n  classifyTool,\n  detectPoisoning,\n  analyzeToxicFlows,\n  hashToolManifest,\n  detectManifestChanges,\n  discoverSkills,\n  analyzeSkill,\n} from 'decoy-scan';\n\nconst results = await scan({ skills: true });\nconsole.log(results.toxicFlows);    // [{ id: \"TF001\", severity: \"critical\", roles: {...} }]\nconsole.log(results.skills);        // [{ name: \"...\", findings: [...] }]\nconsole.log(results.servers[0].manifestHash);  // \"45c4c571f03c78a2\"\n```\n\n资料来源：[README.md:55-63]()\n\n## Design Principles\n\nThe project adheres to strict architectural constraints that differentiate it from similar tools:\n\n| Principle | Implementation |\n|-----------|----------------|\n| **Zero dependencies** | Node.js builtins only. No npm packages. |\n| **No build step** | Raw ES modules. No TypeScript, no bundler. |\n| **Fast execution** | Scan completes in seconds. Servers timeout aggressively. |\n| **Safe operation** | Read-only scanning. Never modifies configs. Kills spawned servers promptly. |\n| **Agent-first** | JSON and SARIF output are machine-parseable. AGENTS.md is comprehensive. 
|\n\nThese principles ensure the tool remains reliable, auditable, and easy to deploy across different environments.\n\n资料来源：[CONTRIBUTING.md:90-98]()\n\n## Version History\n\n| Version | Release Date | Key Additions |\n|---------|--------------|---------------|\n| 0.7.0 | 2026-05-10 | v2 telemetry envelope, retry + persistent queue, first-run dashboard link |\n| 0.6.2 | 2026-05-10 | Fixed telemetry for empty config scenarios |\n| 0.5.8 | 2026-05-06 | GitHub star ask |\n| 0.5.7 | 2026-04-28 | Fixed dashboard links for token setup |\n| 0.5.6 | 2026-04-28 | Exit code in JSON output, --brief implies --json |\n| 0.5.5 | 2026-04-25 | Pretty CLI output overhaul, fixed code-execution tool classification |\n| 0.5.4 | 2026-04-25 | Fixed explain --json second payload bug |\n| 0.5.0 | 2026-04-21 | Added explain subcommand |\n| 0.2.0 | 2026-03-20 | SSE transport security, input sanitization, dynamic tripwire detection |\n| 0.1.0 | 2026-03-15 | Initial release |\n\n资料来源：[CHANGELOG.md:1-30]()\n\n## Comparison with Similar Tools\n\n| Feature | decoy-scan | Snyk agent-scan |\n|---------|------------|-----------------|\n| Language | JavaScript | Python |\n| Dependencies | **0** | 15 (aiohttp, pydantic, mcp, etc.) 
|\n| Install | `npx decoy-scan` | `uvx snyk-agent-scan` |\n| MCP Hosts | 7 (Claude Desktop, Cursor, Windsurf, VS Code, Claude Code, Zed, Cline) | Varies |\n| OWASP Mapping | ASI01–ASI05 | Limited |\n\n资料来源：[README.md:64-67]()\n\n---\n\n<a id='page-2'></a>\n\n## Installation and Quick Start\n\n### 相关页面\n\n相关主题：[Overview](#page-1), [CLI Reference](#page-8)\n\n<details>\n<summary>Relevant Source Files</summary>\n\n以下源码文件用于生成本页说明：\n\n- [README.md](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n- [CONTRIBUTING.md](https://github.com/decoy-run/decoy-scan/blob/main/CONTRIBUTING.md)\n- [AGENTS.md](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md)\n- [action.yml](https://github.com/decoy-run/decoy-scan/blob/main/action.yml)\n- [package.json](https://github.com/decoy-run/decoy-scan/blob/main/package.json)\n</details>\n\n# Installation and Quick Start\n\n## Overview\n\ndecoy-scan is a zero-dependency MCP (Model Context Protocol) supply chain security scanner. It requires no installation, no configuration, and no account to begin scanning. Users can run it directly via `npx` or clone the repository for development purposes.\n\nThe tool scans local MCP client configurations across seven supported hosts, analyzes server commands for security risks, detects prompt injection in tool descriptions, and provides structured output for CI/CD integration.\n\n资料来源：[README.md:1-5]()\n\n## System Requirements\n\n| Requirement | Specification |\n|-------------|---------------|\n| Runtime | Node.js 18+ |\n| Package Manager | Not required |\n| Build Tools | Not required |\n| OS Support | macOS, Windows, Linux |\n\nThe tool uses only Node.js built-in modules. 
No external npm packages are installed or required.\n\n资料来源：[CONTRIBUTING.md:10]()\n\n## Installation Methods\n\n### Method 1: Direct Execution (Recommended)\n\nThe fastest way to run decoy-scan is through `npx`, which downloads and executes the package without affecting local dependencies:\n\n```bash\nnpx decoy-scan\n```\n\nThis single command discovers all MCP configurations on the machine, probes configured servers, and produces a security report.\n\n资料来源：[README.md:14]()\n\n### Method 2: GitHub Action (CI/CD)\n\nFor automated security scanning in repositories, use the official GitHub Action:\n\n```yaml\nname: MCP Security\non: [push, pull_request]\n\njobs:\n  scan:\n    runs-on: ubuntu-latest\n    permissions:\n      security-events: write\n    steps:\n      - uses: actions/checkout@v4\n      - uses: decoy-run/decoy-scan@v1\n```\n\nThe action supports configurable policy enforcement and SARIF output uploads to the GitHub Security tab.\n\n资料来源：[action.yml:1-20]()\n\n### Method 3: Local Clone (Development)\n\nFor contributing or modifying the scanner:\n\n```bash\ngit clone https://github.com/decoy-run/decoy-scan\ncd decoy-scan\nnode bin/cli.mjs --help\n```\n\nNo build step is required. 
The codebase uses raw ES modules with no bundler or TypeScript compilation.\n\n资料来源：[CONTRIBUTING.md:5-9]()\n\n## Quick Start Workflow\n\n```mermaid\ngraph TD\n    A[Run npx decoy-scan] --> B{Node.js installed?}\n    B -->|No| C[Install Node.js 18+]\n    C --> A\n    B -->|Yes| D[Discover MCP Configs]\n    D --> E[Supported Hosts Found?]\n    E -->|No| F[Print empty discovery message]\n    E -->|Yes| G[Probe MCP Servers]\n    G --> H[Analyze Tool Risk]\n    H --> I[Detect Poisoning Patterns]\n    I --> J[Check Environment Exposure]\n    J --> K[Generate Report]\n    K --> L{Human or CI Mode?}\n    L -->|Human| M[Pretty Print Output]\n    L -->|CI| N[JSON or SARIF Output]\n```\n\n## Supported MCP Hosts\n\ndecoy-scan automatically discovers configurations for the following MCP clients:\n\n| Host | Platform Support |\n|------|-----------------|\n| Claude Desktop | macOS, Windows, Linux |\n| Cursor | macOS, Windows, Linux |\n| Windsurf | macOS, Windows, Linux |\n| VS Code | macOS, Windows, Linux |\n| Claude Code | macOS, Windows, Linux |\n| Zed | macOS, Windows, Linux |\n| Cline | macOS, Windows, Linux |\n\nConfig paths are platform-aware, detecting macOS, Windows, and Linux configuration locations automatically.\n\n资料来源：[AGENTS.md:45-50]()\n\n## Command Line Interface\n\n### Basic Usage\n\n| Command | Description |\n|---------|-------------|\n| `npx decoy-scan` | Full scan with pretty CLI output |\n| `npx decoy-scan --json` | Machine-readable JSON output |\n| `npx decoy-scan --sarif` | SARIF 2.1.0 format for CI/CD |\n\n资料来源：[AGENTS.md:6-8]()\n\n### Output Modes\n\n#### Pretty Output (Default)\n\nHuman-readable format with color-coded severity badges and per-server summaries:\n\n```\n✗ server-name N critical\n! 
server-name poisoned tool\n✓ server-name passed\n```\n\n#### JSON Output\n\nStructured machine-readable format for programmatic consumption:\n\n```json\n{\n  \"timestamp\": \"ISO-8601\",\n  \"hosts\": [\"Claude Desktop\", \"Cursor\"],\n  \"servers\": [{\n    \"name\": \"server-name\",\n    \"tools\": [{\n      \"name\": \"read_file\",\n      \"risk\": \"high\",\n      \"poisoning\": []\n    }],\n    \"risk\": \"high\"\n  }],\n  \"summary\": {\n    \"total\": 2,\n    \"critical\": 1,\n    \"high\": 2\n  }\n}\n```\n\n#### SARIF Output\n\nStandardized format for integration with security tools and GitHub Security tab:\n\n```bash\nnpx decoy-scan --sarif | jq\n```\n\n资料来源：[AGENTS.md:52-85]()\n\n### Common Flags\n\n| Flag | Short | Description |\n|------|-------|-------------|\n| `--json` | — | Machine-readable JSON output |\n| `--sarif` | — | SARIF 2.1.0 output format |\n| `--brief` | — | Minimal summary (implies `--json`) |\n| `--verbose` | `-v` | Show all tools including low-risk |\n| `--quiet` | `-q` | Suppress status output |\n| `--no-probe` | — | Config-only scan, skip server probing |\n| `--no-advisories` | — | Skip network calls to advisory database |\n| `--help` | `-h` | Print help message |\n| `--version` | `-V` | Print version |\n\n资料来源：[AGENTS.md:22-32]()\n\n## Exit Codes\n\nThe CLI returns exit codes for programmatic error handling:\n\n| Code | Meaning |\n|------|---------|\n| `0` | No critical or high-risk issues |\n| `1` | High-risk issues found |\n| `2` | Critical issues, tool poisoning, toxic flows, or policy violation |\n\nThe `exitCode` field is also surfaced in `--json` and `--brief` output for agent consumption.\n\n资料来源：[AGENTS.md:35-45]()\n\n## GitHub Action Configuration\n\n### Action Inputs\n\n| Input | Default | Description |\n|-------|---------|-------------|\n| `policy` | `no-critical,no-poisoning` | Comma-separated policy rules |\n| `sarif` | `true` | Upload SARIF to GitHub Security tab |\n| `report` | `false` | Upload to Decoy Guard dashboard 
|\n| `token` | — | Decoy API token (required for `report`) |\n| `verbose` | `false` | Show all tools including low-risk |\n\n### Policy Rules\n\n```\nno-critical          Fail on critical tools (code exec, file write)\nno-high              Fail on high-risk tools (file read, network)\nno-poisoning         Fail on prompt injection in tool descriptions\nno-toxic-flows       Fail on cross-server data leak / destructive chains\nno-secrets           Fail on secrets exposed in MCP config\nrequire-tripwires    Fail if decoy-tripwire not installed\nmax-critical=N       Fail if more than N critical tools found\n```\n\n### Full Example\n\n```yaml\nname: MCP Security\non: [push, pull_request]\n\njobs:\n  scan:\n    runs-on: ubuntu-latest\n    permissions:\n      security-events: write\n    steps:\n      - uses: actions/checkout@v4\n      - uses: decoy-run/decoy-scan@v1\n        with:\n          policy: no-critical,no-poisoning,no-toxic-flows\n          sarif: true\n          verbose: true\n```\n\n资料来源：[action.yml:1-30]()\n\n## Running Tests\n\nBefore submitting changes, run the full test suite to ensure all 48 tests pass:\n\n```bash\nnpm test\n```\n\nTests cover CLI output, JSON/SARIF structure, policy gates, toxic flow detection, skill analysis, and manifest hashing.\n\nFor manual testing with different output modes:\n\n| Command | Purpose |\n|---------|---------|\n| `node bin/cli.mjs --no-probe` | Config-only scan |\n| `node bin/cli.mjs --no-advisories` | Skip network calls |\n| `node bin/cli.mjs --json` | Verify JSON structure |\n| `node bin/cli.mjs --sarif` | Verify SARIF structure |\n| `node bin/cli.mjs --verbose` | Show everything |\n\n资料来源：[CONTRIBUTING.md:68-80]()\n\n## Project Structure\n\n```\ndecoy-scan/\n├── bin/\n│   └── cli.mjs          # CLI entry point\n├── index.mjs            # Core scanner logic\n├── package.json         # Package metadata\n└── *.test.mjs          # Test files\n```\n\nAll scanner logic lives in `index.mjs` including:\n\n| Section | Function 
|\n|---------|----------|\n| `RISK_PATTERNS` + `classifyTool()` | Tool risk classification |\n| `POISONING_PATTERNS` + `detectPoisoning()` | Prompt injection detection |\n| `analyzeServerCommand()` | Server spawn command analysis |\n| `SENSITIVE_ENV_PATTERNS` + `analyzeEnvExposure()` | Environment variable exposure |\n| `analyzeReadiness()` | Production readiness heuristics |\n| `OWASP_MAP` + `mapToOwasp()` | OWASP Agentic Top 10 mapping |\n| `HOST_CONFIGS` + `discoverConfigs()` | MCP client config discovery |\n| `probeServer()` | MCP stdio probing |\n| `scan()` | Full scan orchestrator |\n| `toSarif()` | SARIF output generator |\n\n资料来源：[CONTRIBUTING.md:14-32]()\n\n## Design Principles\n\nThe installation and runtime model follows these principles:\n\n- **Zero dependencies** — Only Node.js built-ins are used. No npm packages added.\n- **No build step** — Raw ES modules executed directly.\n- **Fast execution** — Servers are probed with aggressive timeouts.\n- **Read-only scanning** — Configs are never modified; spawned servers are killed promptly.\n- **Agent-first output** — JSON and SARIF formats are machine-parseable.\n\n资料来源：[CONTRIBUTING.md:82-88]()\n\n## Next Steps\n\nAfter installation, explore these topics:\n\n1. **[Explain Command](AGENTS.md)** — Resolve finding types using `decoy-scan explain <target>`\n2. **Output Formats** — Understand [JSON Schema](AGENTS.md#json-output-schema) and [SARIF Schema](AGENTS.md#sarif-output-schema)\n3. **What It Checks** — Review the [complete security checks list](README.md#-what-it-checks)\n4. 
**Contributing** — Read [CONTRIBUTING.md](CONTRIBUTING.md) for development guidelines\n\n---\n\n<a id='page-3'></a>\n\n## System Architecture\n\n### 相关页面\n\n相关主题：[Core Modules Reference](#page-4), [Security Checks and Detection](#page-5)\n\n<details>\n<summary>相关源码文件</summary>\n\n以下源码文件用于生成本页说明：\n\n- [index.mjs](https://github.com/decoy-run/decoy-scan/blob/main/index.mjs) — Core library with all analysis functions\n- [bin/cli.mjs](https://github.com/decoy-run/decoy-scan/blob/main/bin/cli.mjs) — Command-line interface\n- [package.json](https://github.com/decoy-run/decoy-scan/blob/main/package.json) — Project metadata and dependencies\n- [CONTRIBUTING.md](https://github.com/decoy-run/decoy-scan/blob/main/CONTRIBUTING.md) — Development documentation\n- [AGENTS.md](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md) — Agent reference documentation\n</details>\n\n# System Architecture\n\n## Overview\n\ndecoy-scan is a zero-dependency MCP (Model Context Protocol) supply chain security scanner built with Node.js >= 18. The architecture follows a modular design where a single `index.mjs` file contains all core analysis logic, while `bin/cli.mjs` provides the command-line interface. 
The tool discovers MCP server configurations from supported hosts, probes servers via stdio, and performs multi-layered security analysis.\n\n资料来源：[CONTRIBUTING.md](https://github.com/decoy-run/decoy-scan/blob/main/CONTRIBUTING.md)\n\n## Architecture Principles\n\nThe system is built on four core principles:\n\n| Principle | Description |\n|-----------|-------------|\n| **Zero Dependencies** | Node.js builtins only; no npm packages |\n| **No Build Step** | Raw ES modules; no TypeScript or bundler |\n| **Fast Execution** | Aggressive server timeouts; scan completes in seconds |\n| **Read-Only** | Never modifies configs; only reads and analyzes |\n\n资料来源：[CONTRIBUTING.md](https://github.com/decoy-run/decoy-scan/blob/main/CONTRIBUTING.md)\n\n## High-Level System Flow\n\n```mermaid\ngraph TD\n    A[User invokes decoy-scan] --> B[Discover MCP Configs]\n    B --> C{Hosts Found?}\n    C -->|Yes| D[For each server]\n    C -->|No| E[Log telemetry, exit]\n    D --> F[Probe Server via stdio]\n    F --> G[Analyze Tool List]\n    G --> H{Analysis Results}\n    H --> I[Security Findings]\n    H --> J[Readiness Issues]\n    I --> K[Generate Output]\n    J --> K\n    K --> L{Output Format}\n    L -->|JSON| M[JSON to stdout]\n    L -->|SARIF| N[SARIF to stdout]\n    L -->|Pretty| O[Terminal formatting]\n    K --> P[Send telemetry]\n    P --> Q[Exit with code]\n```\n\n## Core Components\n\n### 1. Configuration Discovery (`discoverConfigs`)\n\nThe discovery module locates MCP server configurations across supported host applications. 
Configuration paths are platform-aware, supporting macOS, Windows, and Linux.\n\n#### Supported Hosts\n\n| Host | Platform Support |\n|------|------------------|\n| Claude Desktop | macOS, Windows, Linux |\n| Cursor | macOS, Windows, Linux |\n| Windsurf | macOS, Windows, Linux |\n| VS Code | macOS, Windows, Linux |\n| Claude Code | macOS, Windows, Linux |\n| Zed | macOS, Windows, Linux |\n| Cline | macOS, Windows, Linux |\n\n资料来源：[AGENTS.md](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md)\n\n#### Host Configuration Structure\n\n```javascript\n\"Claude Desktop\": () => {\n  const p = platform();\n  if (p === \"darwin\") return join(homedir(), \"path\", \"to\", \"config.json\");\n  if (p === \"win32\") return join(process.env.APPDATA || \"\", \"path\", \"config.json\");\n  return join(homedir(), \".config\", \"path\", \"config.json\");\n}\n```\n\n资料来源：[CONTRIBUTING.md](https://github.com/decoy-run/decoy-scan/blob/main/CONTRIBUTING.md)\n\n### 2. Server Probing (`probeServer`)\n\nThe probing component spawns each MCP server via stdio protocol and queries its tool list. Servers are spawned with aggressive timeouts to ensure fast scanning.\n\n#### Probe Behavior\n\n- Spawns server process with configured command and arguments\n- Sends `initialize` and `tools/list` requests via stdio\n- Captures tool definitions including name, description, and input schemas\n- Kills spawned servers promptly after receiving response\n- Records probe errors for failed servers\n\n资料来源：[AGENTS.md](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md)\n\n### 3. 
Security Analysis Engine\n\nThe analysis engine performs multi-layered security checks on discovered tools and server configurations.\n\n#### 3.1 Tool Risk Classification (`classifyTool`)\n\nClassifies every tool into risk tiers based on name patterns and description analysis:\n\n| Risk Level | Description | Examples |\n|------------|-------------|----------|\n| Critical | Can execute code, modify data, cause irreversible changes | `execute_command`, `write_file`, `eval_code` |\n| High | File read, network access, credential exposure | `read_file`, `fetch`, `run_sql` |\n| Medium | Environment access, configuration changes | `get_env`, `set_config` |\n| Low | Read-only, informational | `list_files`, `get_time` |\n\n#### Risk Pattern Matching\n\n```javascript\nRISK_PATTERNS = {\n  critical: [\n    /^execute[_-]?(command|shell|code|script)$/i,\n    /^run[_-]?(script|code|js|javascript|python|sql)$/i,\n    /^eval[_-]?(script|code)$/i,\n    /^evaluate[_-]?(script|code)$/i,\n    // ... more patterns\n  ],\n  high: [\n    /^read[_-]?(file|dir|directory)$/i,\n    /^fetch[_-]?(url|http|https)?$/i,\n    // ... 
more patterns\n  ]\n}\n```\n\nThe classifier also uses substring fallback on lowercased names for tools without descriptions.\n\n资料来源：[CONTRIBUTING.md](https://github.com/decoy-run/decoy-scan/blob/main/CONTRIBUTING.md)\n\n#### 3.2 Prompt Injection Detection (`detectPoisoning`)\n\nDetects 37 regex patterns across 20 attack categories in tool descriptions:\n\n| Category | Description |\n|----------|-------------|\n| Instruction Override | Tools that override system instructions |\n| Concealment | Hidden or disguised malicious intent |\n| Data Exfiltration | Credential or data stealing patterns |\n| Credential Harvesting | Requests for sensitive credentials |\n| Coercive Execution | Forced execution patterns |\n| Tool Shadowing | Impersonation of legitimate tools |\n| Evasion Techniques | Patterns to bypass detection |\n\nEach pattern includes:\n- `pattern`: Regex to match\n- `type`: Finding category (used for OWASP mapping)\n- `severity`: critical, high, medium, or low\n- `description`: Human-readable explanation\n\n资料来源：[CONTRIBUTING.md](https://github.com/decoy-run/decoy-scan/blob/main/CONTRIBUTING.md)\n\n#### 3.3 Server Command Analysis (`analyzeServerCommand`)\n\nChecks spawn commands for security issues:\n\n| Check | What it detects |\n|-------|----------------|\n| Pipe-to-shell | Commands using `|` operators |\n| Temp directories | Spawning from `/tmp` or similar |\n| Inline code | Commands with embedded scripts |\n| Typosquatting | Similar names to popular packages |\n| Network tools | Suspicious network utilities |\n\n#### 3.4 Environment Variable Analysis (`analyzeEnvExposure`)\n\nFlags 12 categories of sensitive credentials passed to MCP servers:\n\n| Category | Examples |\n|----------|----------|\n| API Keys | `OPENAI_API_KEY`, `ANTHROPIC_API_KEY` |\n| Tokens | `GITHUB_TOKEN`, `AWS_TOKEN` |\n| Passwords | `DB_PASSWORD`, `SERVICE_PASSWORD` |\n| Database URLs | Connection strings with credentials |\n| Cloud Credentials | `AWS_SECRET`, `GCP_TOKEN` |\n\n#### 
3.5 Production Readiness (`analyzeReadiness`)\n\nChecks for deployment readiness issues:\n\n- Missing tool descriptions\n- Missing input schemas\n- No required field validation\n- Overloaded tool scope\n- Destructive tools without safety hints\n\n#### 3.6 OWASP Mapping (`mapToOwasp`)\n\nMaps every finding to the OWASP Agentic Top 10 categories (ASI01–ASI05):\n\n| OWASP ID | Category |\n|----------|----------|\n| ASI01 | Agentic Access Control |\n| ASI02 | Excessive Agency |\n| ASI03 | hallucinations |\n| ASI04 | Data Leakage |\n| ASI05 | Overreliance |\n\n资料来源：[README.md](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n\n### 4. Scan Orchestration (`scan`)\n\nThe main orchestrator combines all analysis components:\n\n```javascript\nasync function scan({ skills = false } = {}) {\n  // 1. Discover MCP configs from all hosts\n  // 2. For each server, probe via stdio\n  // 3. Run all analysis functions\n  // 4. Collect findings\n  // 5. Generate output based on format\n  return {\n    servers: [...],\n    toxicFlows: [...],\n    skills: [...],\n    summary: {...}\n  };\n}\n```\n\n资料来源：[AGENTS.md](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md)\n\n### 5. 
Output Generation\n\n#### SARIF Output (`toSarif`)\n\nGenerates SARIF 2.1.0 compliant output for CI/CD integration:\n\n```json\n{\n  \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json\",\n  \"version\": \"2.1.0\",\n  \"runs\": [{\n    \"results\": [...],\n    \"tool\": { \"driver\": { \"name\": \"decoy-scan\", \"version\": \"...\" }}\n  }]\n}\n```\n\n#### JSON Output Schema\n\n```json\n{\n  \"timestamp\": \"ISO-8601\",\n  \"hosts\": [\"Claude Desktop\", \"Cursor\"],\n  \"servers\": [{\n    \"name\": \"server-name\",\n    \"hosts\": [\"Claude Desktop\"],\n    \"command\": \"npx\",\n    \"args\": [\"@modelcontextprotocol/server-filesystem\"],\n    \"tools\": [{\n      \"name\": \"read_file\",\n      \"description\": \"...\",\n      \"risk\": \"high\",\n      \"poisoning\": [{ \"type\": \"...\", \"severity\": \"...\", \"description\": \"...\" }]\n    }],\n    \"risk\": \"high\",\n    \"error\": null,\n    \"findings\": [{ \"type\": \"env-exposure\", \"severity\": \"high\", \"description\": \"...\" }]\n  }],\n  \"summary\": { \"total\": 2, \"critical\": 1, \"high\": 1 }\n}\n```\n\n#### Brief Output Schema\n\n```json\n{\n  \"servers\": 3,\n  \"critical\": 1,\n  \"high\": 2,\n  \"medium\": 4,\n  \"low\": 5,\n  \"poisoned\": 0,\n  \"status\": \"fail\",\n  \"exitCode\": 2\n}\n```\n\n资料来源：[AGENTS.md](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md)\n\n### 6. 
Telemetry System\n\nThe telemetry module (v2 envelope) collects anonymized usage data:\n\n```javascript\n{\n  schema_version: \"2\",\n  event_id: \"uuid\",\n  run_id: \"uuid\",\n  ts: \"ISO-8601\",\n  env: {\n    node: \"v20.x.x\",\n    platform: \"darwin\",\n    arch: \"x64\",\n    ci: false,\n    host: \"claude-desktop\",\n    locale: \"en-US\"\n  }\n}\n```\n\n#### Telemetry Features\n\n| Feature | Description |\n|---------|-------------|\n| Retry Logic | 1 retry with 200→800ms backoff |\n| Persistent Queue | `~/.decoy/telemetry-queue.jsonl` (FIFO, 1000 event cap) |\n| Opt-out | `DECOY_TELEMETRY=0` or `--no-telemetry` flag |\n| First-run Notice | Cached at `~/.decoy/telemetry-notice-shown` |\n\n资料来源：[CHANGELOG.md](https://github.com/decoy-run/decoy-scan/blob/main/CHANGELOG.md)\n\n## CLI Architecture\n\n```mermaid\ngraph TD\n    A[CLI Entry: bin/cli.mjs] --> B[Parse Arguments]\n    B --> C{Command?}\n    C -->|explain| D[Explain Handler]\n    C -->|scan| E[Scan Handler]\n    C -->|login| F[Auth Handler]\n    D --> G[Resolve against RISK_PATTERNS]\n    E --> H[Initialize scan options]\n    F --> I[Open browser to auth]\n    H --> J[Call scan from index.mjs]\n    J --> K[Format output]\n    K --> L{Format?}\n    L -->|json| M[JSON.stringify]\n    L -->|sarif| N[toSarif]\n    L -->|pretty| O[ANSI colors]\n    L -->|brief| P[Summary object]\n    M --> Q[Send telemetry]\n    N --> Q\n    O --> Q\n    P --> Q\n    Q --> R[Exit with code]\n```\n\n### CLI Options\n\n| Flag | Description |\n|------|-------------|\n| `--json` | Machine-readable JSON output |\n| `--sarif` | SARIF 2.1.0 for CI/CD |\n| `--brief` | Minimal summary object |\n| `--verbose`, `-v` | Show all tools including low-risk |\n| `--quiet`, `-q` | Suppress status output |\n| `--no-probe` | Config-only scan (skip stdio) |\n| `--no-advisories` | Skip network calls |\n| `--explain <target>` | Explain severity/category/tool |\n| `--version`, `-V` | Print version |\n| `--help`, `-h` | Print help 
|\n\n资料来源：[AGENTS.md](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md)\n\n### Exit Codes\n\n| Code | Meaning |\n|------|---------|\n| `0` | No critical or high-risk issues |\n| `1` | High-risk issues found |\n| `2` | Critical issues, tool poisoning, toxic flows, or policy violation |\n\n## Module Dependency Graph\n\n```mermaid\ngraph LR\n    A[bin/cli.mjs] --> B[index.mjs]\n    B --> C[RISK_PATTERNS]\n    B --> D[POISONING_PATTERNS]\n    B --> E[HOST_CONFIGS]\n    B --> F[SENSITIVE_ENV_PATTERNS]\n    B --> G[OWASP_MAP]\n    C --> H[classifyTool]\n    D --> I[detectPoisoning]\n    E --> J[discoverConfigs]\n    F --> K[analyzeEnvExposure]\n    G --> L[mapToOwasp]\n    H --> M[scan]\n    I --> M\n    J --> M\n    K --> M\n    L --> M\n    M --> N[toSarif]\n    M --> O[JSON Output]\n    M --> P[analyzeReadiness]\n    M --> Q[analyzeServerCommand]\n```\n\n## Library API\n\nThe module can be imported and used programmatically:\n\n```javascript\nimport {\n  scan,\n  toSarif,\n  classifyTool,\n  detectPoisoning,\n  analyzeToxicFlows,\n  hashToolManifest,\n  detectManifestChanges,\n  discoverSkills,\n  analyzeSkill,\n} from 'decoy-scan';\n\nconst results = await scan({ skills: true });\nconsole.log(results.toxicFlows);    // [{ id: \"TF001\", severity: \"critical\", roles: {...} }]\nconsole.log(results.skills);        // [{ name: \"...\", findings: [...] 
}]\nconsole.log(results.servers[0].manifestHash);  // \"45c4c571f03c78a2\"\n```\n\n资料来源：[AGENTS.md](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md)\n\n## Additional Analysis Features\n\n### Toxic Flow Analysis\n\nDetects cross-server data leak (TF001) and destructive (TF002) attack chains:\n\n```javascript\nresults.toxicFlows = [\n  { id: \"TF001\", severity: \"critical\", roles: {...} },\n  { id: \"TF002\", severity: \"high\", roles: {...} }\n];\n```\n\n### Skill Scanning\n\nAnalyzes Claude Code skills for:\n- Prompt injection in skill definitions\n- Hardcoded secrets\n- Suspicious URLs\n\n### Manifest Hashing\n\nTracks tool additions, removals, and description changes between scans:\n\n```javascript\nresults.servers[0].manifestHash  // \"45c4c571f03c78a2\"\n```\n\n### Supply Chain Advisories\n\nCross-references against Decoy advisory database covering 40+ known vulnerable MCP packages.\n\n资料来源：[README.md](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n\n## GitHub Action Integration\n\n```mermaid\ngraph LR\n    A[GitHub Workflow] --> B[decoy-run/decoy-scan@v1]\n    B --> C[Scan MCP Configs]\n    C --> D{Policy Violation?}\n    D -->|Yes| E[Fail Build]\n    D -->|No| F[Upload SARIF]\n    F --> G[GitHub Security Tab]\n```\n\n### Action Inputs\n\n| Input | Default | Description |\n|-------|---------|-------------|\n| `policy` | `no-critical,no-poisoning` | Comma-separated policy rules |\n| `sarif` | `true` | Upload SARIF to GitHub Security tab |\n| `report` | `false` | Upload to Decoy Guard dashboard |\n| `token` | — | Decoy API token (for `report`) |\n| `verbose` | `false` | Show all tools including low-risk |\n\n### Policy Rules\n\n```\nno-critical          Fail on critical tools (code exec, file write)\nno-high              Fail on high-risk tools (file read, network)\nno-poisoning         Fail on prompt injection in tool descriptions\nno-toxic-flows       Fail on cross-server data leak / destructive chains\nno-secrets           Fail on 
secrets exposed in MCP config\nrequire-tripwires    Fail if decoy-tripwire not installed\nmax-critical=N       Fail if more than N critical tools\n```\n\n资料来源：[README.md](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n\n---\n\n<a id='page-4'></a>\n\n## Core Modules Reference\n\n### 相关页面\n\n相关主题：[System Architecture](#page-3), [Security Checks and Detection](#page-5)\n\n<details>\n<summary>相关源码文件</summary>\n\n以下源码文件用于生成本页说明：\n\n- [lib/analyzers.mjs](https://github.com/decoy-run/decoy-scan/blob/main/lib/analyzers.mjs)\n- [lib/patterns.mjs](https://github.com/decoy-run/decoy-scan/blob/main/lib/patterns.mjs)\n- [lib/tier.mjs](https://github.com/decoy-run/decoy-scan/blob/main/lib/tier.mjs)\n- [lib/owasp.mjs](https://github.com/decoy-run/decoy-scan/blob/main/lib/owasp.mjs)\n- [lib/verify.mjs](https://github.com/decoy-run/decoy-scan/blob/main/lib/verify.mjs)\n</details>\n\n# Core Modules Reference\n\nThis reference documents the core modules that power decoy-scan's MCP security scanning engine. 
The tool uses a modular architecture with each library file handling a specific aspect of security analysis, from pattern matching to OWASP compliance mapping.\n\n## Architecture Overview\n\n```mermaid\ngraph TD\n    A[CLI Entry] --> B[scan orchestrator]\n    B --> C[analyzers.mjs]\n    B --> D[patterns.mjs]\n    B --> E[tier.mjs]\n    B --> F[owasp.mjs]\n    B --> G[verify.mjs]\n    C --> H[Tool Risk Classification]\n    C --> I[Poisoning Detection]\n    C --> J[Env Exposure Analysis]\n    C --> K[Readiness Heuristics]\n    H --> L[JSON/SARIF Output]\n    I --> L\n    J --> L\n    K --> L\n```\n\n## Module Responsibilities\n\n| Module | Primary Role | Key Exports |\n|--------|-------------|-------------|\n| `analyzers.mjs` | Security analysis engine | `analyzeServerCommand`, `analyzeEnvExposure`, `analyzeReadiness`, `probeServer` |\n| `patterns.mjs` | Pattern definitions | `RISK_PATTERNS`, `POISONING_PATTERNS`, `SENSITIVE_ENV_PATTERNS` |\n| `tier.mjs` | Risk tier classification | `classifyTool`, severity tiers |\n| `owasp.mjs` | OWASP mapping | `OWASP_MAP`, `mapToOwasp` |\n| `verify.mjs` | Policy verification | Security policy enforcement |\n\n## Risk Tier Classification (`tier.mjs`)\n\nThe `tier.mjs` module implements the `classifyTool()` function that evaluates MCP tools against predefined risk patterns. 
Tools are classified into four severity tiers:\n\n```mermaid\ngraph LR\n    A[Tool Name + Description] --> B[classifyTool]\n    B --> C{pattern match}\n    C -->|execute*| D[Critical]\n    C -->|write*| D\n    C -->|eval*| D\n    C -->|read*| E[High]\n    C -->|fetch*| E\n    C -->|delete*| E\n    C -->|search*| F[Medium]\n    C -->|other| G[Low]\n```\n\n### Severity Tiers\n\n| Tier | Description | Example Tools | Exit Code Impact |\n|------|-------------|---------------|------------------|\n| **Critical** | Code execution, file write, data modification | `execute_command`, `write_file`, `evaluate_script` | Exit code 2 |\n| **High** | File read, network access, data deletion | `read_file`, `fetch_url`, `delete_record` | Exit code 1 |\n| **Medium** | Information retrieval, search operations | `search_files`, `list_directory` | Exit code 1 |\n| **Low** | Safe, read-only operations | `get_time`, `ping` | Exit code 0 |\n\n资料来源：[CONTRIBUTING.md](https://github.com/decoy-run/decoy-scan/blob/main/CONTRIBUTING.md)\n\n### Pattern Anchoring\n\nCritical patterns use anchoring (`^` and `$`) to ensure exact matching. The module includes patterns for:\n\n- `^execute[_-]?(script|code|js|javascript|python|sql)$`\n- `^evaluate[_-]?(script|code)$`\n- `^run[_-]?(script|code|js|javascript|python|sql)$`\n- `^eval[_-]?(script|code)$`\n\n资料来源：[CHANGELOG.md](https://github.com/decoy-run/decoy-scan/blob/main/CHANGELOG.md)\n\n## Pattern Definitions (`patterns.mjs`)\n\nThe `patterns.mjs` module contains the security pattern definitions used across all analyzers.\n\n### Poisoning Patterns\n\nDetects prompt injection attacks hidden in tool descriptions. 
The module defines 37 regex patterns across 20 attack categories; the table below lists only a subset, and the category identifiers shown across the project's documents do not all agree, so take the authoritative names from the `type` field of `POISONING_PATTERNS` itself:
Typosquatting detection\n- Network tool usage\n\n### Environment Exposure Analysis\n\nThe `analyzeEnvExposure()` function scans environment variables passed to MCP servers, flagging:\n\n- Exposed API keys and tokens\n- Database connection strings\n- Cloud service credentials\n- Private authentication tokens\n\n### Production Readiness Analysis\n\nThe `analyzeReadiness()` function applies heuristics to evaluate production readiness:\n\n```javascript\n// Readiness check pattern\nif (/* condition */) {\n  findings.push({\n    type: \"readiness-check-name\",\n    severity: \"medium\",\n    description: \"What's wrong and why it matters\"\n  });\n}\n```\n\nChecks include:\n- Missing tool descriptions\n- Missing input schemas\n- Tools without required fields\n- Overloaded tool scope\n- Destructive tools without safety hints\n\n### Server Probing\n\nThe `probeServer()` function implements MCP stdio protocol probing:\n\n1. Spawns the server process\n2. Sends JSON-RPC initialize request\n3. Sends tools/list request\n4. Parses and returns tool manifest\n5. 
Terminates server process\n\n## OWASP Mapping (`owasp.mjs`)\n\nThe `owasp.mjs` module maps all findings to the OWASP Agentic Top 10 for 2026.\n\n### OWASP Categories\n\n| Code | Category | Description |\n|------|----------|-------------|\n| ASI01 | Agentic Access Control | Over-privileged agent permissions |\n| ASI02 | Tool Poisoning | Prompt injection in tools |\n| ASI03 | Data Exfiltration | Cross-server data leaks |\n| ASI04 | Unbounded Tool Execution | Tools without safeguards |\n| ASI05 | Supply Chain | Vulnerable dependencies |\n\n资料来源：[README.md](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n\n### Mapping Function\n\nThe `mapToOwasp()` function converts internal finding types to OWASP categories:\n\n```javascript\n// After adding a pattern, add its type to OWASP_MAP\nASI02: [\"prompt-override\", \"instruction-hijack\", \"credential-harvest\"]\n```\n\n## Policy Verification (`verify.mjs`)\n\nThe `verify.mjs` module enforces security policies defined via CLI flags.\n\n### Policy Rules\n\n| Rule | Action |\n|------|--------|\n| `no-critical` | Fail if critical tools found |\n| `no-high` | Fail if high-risk tools found |\n| `no-poisoning` | Fail if prompt injection detected |\n| `no-toxic-flows` | Fail on cross-server attack chains |\n| `no-secrets` | Fail on exposed secrets |\n| `require-tripwires` | Fail if decoy-tripwire not installed |\n| `max-critical=N` | Limit critical tool count |\n\n### Verification Flow\n\n```mermaid\ngraph TD\n    A[Scan Results] --> B[verify.mjs]\n    B --> C{Policy Check}\n    C -->|no-critical| D{critical count > 0?}\n    C -->|no-poisoning| E{poisoning detected?}\n    C -->|no-toxic-flows| F{toxic flows found?}\n    D -->|Yes| G[Exit Code 2]\n    E -->|Yes| G\n    F -->|Yes| G\n    D -->|No| H[Continue]\n    E -->|No| H\n    F -->|No| H\n    H --> I[Exit Code 0 or 1]\n```\n\n## Integration Flow\n\n```mermaid\nsequenceDiagram\n    participant CLI\n    participant scan\n    participant analyzers\n    participant 
patterns\n    participant owasp\n    participant verify\n    participant output\n\n    CLI->>scan: scan({ options })\n    scan->>analyzers: discoverConfigs()\n    analyzers-->>scan: server configs\n    scan->>analyzers: probeServer(server)\n    analyzers-->>scan: tool manifest\n    scan->>patterns: detectPoisoning(tools)\n    patterns-->>scan: poisoning findings\n    scan->>patterns: classifyTool(tool)\n    patterns-->>scan: risk tier\n    scan->>analyzers: analyzeEnvExposure()\n    analyzers-->>scan: env findings\n    scan->>owasp: mapToOwasp(findings)\n    owasp-->>scan: OWASP mappings\n    scan->>verify: checkPolicy(results)\n    verify-->>CLI: exitCode\n    scan->>output: toSarif(results)\n    output-->>CLI: SARIF report\n```\n\n## Export Summary\n\nThe library can be imported directly:\n\n```javascript\nimport {\n  scan,\n  toSarif,\n  classifyTool,\n  detectPoisoning,\n  analyzeToxicFlows,\n  hashToolManifest,\n  detectManifestChanges,\n  discoverSkills,\n  analyzeSkill,\n} from 'decoy-scan';\n\nconst results = await scan({ skills: true });\n```\n\nKey exports include:\n- `scan()` — Full scan orchestrator\n- `toSarif()` — SARIF 2.1.0 output generator\n- `classifyTool()` — Tool risk classification\n- `detectPoisoning()` — Prompt injection detection\n- `analyzeToxicFlows()` — Cross-server attack chain analysis\n- `hashToolManifest()` — Tool manifest hashing\n- `detectManifestChanges()` — Change tracking between scans\n\n资料来源：[README.md](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n\n---\n\n<a id='page-5'></a>\n\n## Security Checks and Detection\n\n### 相关页面\n\n相关主题：[Supply Chain and Advisory Database](#page-6), [Skill Scanning](#page-7), [Output Formats and Policy Configuration](#page-10)\n\n<details>\n<summary>Relevant Source Files</summary>\n\n以下源码文件用于生成本页说明：\n\n- [index.mjs](https://github.com/decoy-run/decoy-scan/blob/main/index.mjs) - Main scanner implementation containing RISK_PATTERNS, POISONING_PATTERNS, SENSITIVE_ENV_PATTERNS, 
classifyTool(), detectPoisoning(), analyzeEnvExposure(), analyzeReadiness(), mapToOwasp(), and other security detection functions\n- [bin/cli.mjs](https://github.com/decoy-run/decoy-scan/blob/main/bin/cli.mjs) - CLI interface and scan orchestration\n- [AGENTS.md](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md) - Agent reference documentation\n- [README.md](https://github.com/decoy-run/decoy-scan/blob/main/README.md) - Project overview and feature documentation\n- [CONTRIBUTING.md](https://github.com/decoy-run/decoy-scan/blob/main/CONTRIBUTING.md) - Code structure and development guide\n- [CHANGELOG.md](https://github.com/decoy-run/decoy-scan/blob/main/CHANGELOG.md) - Version history\n</details>\n\n# Security Checks and Detection\n\n## Overview\n\ndecoy-scan implements a comprehensive multi-layered security detection system for MCP (Model Context Protocol) servers. The scanner analyzes MCP client configurations, probes running servers, and evaluates tools against various threat categories including prompt injection, credential exposure, dangerous command execution, and supply chain vulnerabilities.\n\n资料来源：[README.md:37-51]()\n\nThe detection engine operates across eight primary security dimensions, providing both static configuration analysis and dynamic runtime probing to identify risks before they can be exploited.\n\n## Architecture Overview\n\n```mermaid\ngraph TD\n    A[MCP Client Configs] --> B[Config Discovery]\n    B --> C[Server Command Analysis]\n    B --> D[Environment Variable Analysis]\n    C --> E[Server Probing]\n    E --> F[Tool Risk Classification]\n    E --> G[Poisoning Detection]\n    E --> H[Readiness Checks]\n    F --> I[Toxic Flow Analysis]\n    G --> I\n    H --> I\n    I --> J[OWASP Mapping]\n    J --> K[SARIF/JSON Output]\n    D --> K\n```\n\n## Detection Layers\n\n### 1. Tool Risk Classification\n\nThe scanner classifies every discovered tool into severity tiers based on name patterns and description analysis. 
Risk levels follow a four-tier system:\n\n| Tier | Risk Level | Description | Exit Code Impact |\n|------|------------|-------------|------------------|\n| Critical | Critical | Can execute code, modify data, or cause irreversible changes | Exit code 2 |\n| High | High | File system access, network operations | Exit code 1 |\n| Medium | Medium | Information disclosure potential | Exit code 0 |\n| Low | Low | Minimal risk, read-only operations | Exit code 0 |\n\n资料来源：[AGENTS.md:85-90]()\n\n#### Classification Mechanism\n\nTool classification uses the `classifyTool()` function which applies regex pattern matching against both tool names and descriptions. The `RISK_PATTERNS` object defines critical patterns including:\n\n- `execute_command`, `run_shell`, `bash`, `exec` — command execution\n- `write_file`, `create_file`, `update_file` — file modification\n- `delete_file`, `remove_file` — destructive operations\n- `evaluate_script`, `execute_script`, `run_javascript`, `run_python`, `run_sql` — code evaluation variants\n- `spawn`, `fork`, `child_process` — process spawning\n\n资料来源：[CONTRIBUTING.md:15-16]()\n\nThe substring fallback mechanism matches against lowercased tool names, ensuring risky verbs like `evaluate`, `spawn`, and `fetch` classify correctly even when no description is provided.\n\n### 2. Prompt Injection Detection\n\nPrompt injection detection identifies malicious content hidden within tool descriptions. 
The system uses 37 regex patterns across 20 attack categories:\n\n| Category | Severity | Description |\n|----------|----------|-------------|\n| instruction-override | Critical | Overrides agent instructions |\n| role-assumption | Critical | Impersonates system roles |\n| concealed-commands | High | Hidden command instructions |\n| privilege-escalation | High | Attempts to gain elevated access |\n| context-manipulation | Medium | Manipulates conversation context |\n| data-exfiltration | High | Extracts sensitive information |\n| credential-harvesting | Critical | Collects authentication credentials |\n| coercion | High | Forces specific behaviors |\n| tool-shadowing | Critical | Masks legitimate tool behavior |\n\n资料来源：[README.md:37-40]()\n\nThe `detectPoisoning()` function scans tool descriptions against `POISONING_PATTERNS`, identifying injection attempts that could compromise agent behavior.\n\n#### Poisoning Pattern Structure\n\nEach pattern in `POISONING_PATTERNS` follows this schema:\n\n```javascript\n{\n  pattern: /regex/i,           // Match criteria\n  type: \"category-name\",       // Finding type for OWASP mapping\n  severity: \"critical\",         // critical, high, medium, low\n  description: \"Human-readable\" // Display message\n}\n```\n\n资料来源：[CONTRIBUTING.md:33-40]()\n\n### 3. Server Command Analysis\n\nThe `analyzeServerCommand()` function examines how MCP servers are spawned, detecting suspicious invocation patterns:\n\n- **Pipe-to-shell patterns** — Commands using `|` to pipe output to shell interpreters\n- **Temp directory spawning** — Servers running from `/tmp` or similar writable locations\n- **Inline code execution** — Commands with embedded code strings\n- **Typosquatting detection** — Package names similar to legitimate tools\n- **Network tool usage** — Presence of `curl`, `wget`, or other network utilities\n\nThis analysis operates on configuration data without requiring server execution.\n\n### 4. 
Environment Variable Exposure Detection\n\nThe `analyzeEnvExposure()` function identifies sensitive environment variables being passed to MCP servers. It checks against `SENSITIVE_ENV_PATTERNS` covering 12 categories:\n\n| Category | Examples |\n|----------|----------|\n| API Keys | `OPENAI_API_KEY`, `ANTHROPIC_API_KEY`, `AWS_ACCESS_KEY_ID` |\n| Tokens | `GITHUB_TOKEN`, `GITLAB_TOKEN`, `SLACK_TOKEN` |\n| Database Credentials | `DB_PASSWORD`, `POSTGRES_PASSWORD`, `MONGO_URI` |\n| Cloud Credentials | `AWS_SECRET_ACCESS_KEY`, `AZURE_CLIENT_SECRET` |\n| Private Keys | `SSH_PRIVATE_KEY`, `GPG_KEY` |\n\n资料来源：[CONTRIBUTING.md:21-22]()\n\n### 5. Production Readiness Checks\n\nThe `analyzeReadiness()` function applies heuristics to evaluate production readiness:\n\n| Check | Severity | Description |\n|-------|----------|-------------|\n| Missing descriptions | Medium | Tools without documentation |\n| Missing schemas | Medium | Tools without input validation schemas |\n| No required fields | Medium | Unvalidated parameter acceptance |\n| Overloaded scope | Medium | Tools performing multiple unrelated operations |\n| Destructive tools without safety hints | Low | Dangerous operations lacking warnings |\n\n资料来源：[CONTRIBUTING.md:23-24]()\n\n### 6. Toxic Flow Analysis\n\nToxic flow detection identifies dangerous cross-server data leakage patterns. Two primary flow types are detected:\n\n| Flow ID | Severity | Description |\n|---------|----------|-------------|\n| TF001 | Critical | Cross-server data leak — data read by one server flows to another |\n| TF002 | Critical | Destructive attack chain — combined operations cause irreversible damage |\n\n资料来源：[README.md:43-44]()\n\nThe `analyzeToxicFlows()` function examines the interaction patterns between multiple MCP servers to identify these attack vectors.\n\n### 7. 
Tool Manifest Hashing\n\nManifest hashing tracks changes in the tool list exposed by MCP servers:\n\n```javascript\nconst results = await scan({ skills: true });\nconsole.log(results.servers[0].manifestHash);  // \"45c4c571f03c78a2\"\n```\n\nThe `hashToolManifest()` and `detectManifestChanges()` functions detect:\n- Tool additions (potential malicious injection)\n- Tool removals (potential functionality loss)\n- Description changes (potential poisoning updates)\n\n资料来源：[AGENTS.md:101-105]()\n\n### 8. Skill Scanning\n\nFor Claude Code environments, the scanner performs additional analysis on skills:\n\n- Prompt injection detection in skill prompts\n- Hardcoded secret detection\n- Suspicious URL identification\n\nThe `discoverSkills()` and `analyzeSkill()` functions implement this analysis.\n\n## OWASP Agentic Top 10 Mapping\n\nAll findings are mapped to the OWASP Agentic Top 10 for Agentic Applications using the `mapToOwasp()` function with `OWASP_MAP`. The mapping covers ASI01 through ASI05 categories:\n\n| OWASP Code | Category | Mapped From |\n|------------|----------|-------------|\n| ASI01 | Sensitive Action Without Confirmation | Critical tool findings |\n| ASI02 | Tool Poisoning | Poisoning pattern matches |\n| ASI03 | Over-Privileged Tool Scope | Readiness check failures |\n| ASI04 | Sandbox Escape | Command execution patterns |\n| ASI05 | Context Length Exhaustion | Heavy tool descriptions |\n\n资料来源：[README.md:50]()\n\n## Scan Orchestration\n\nThe `scan()` function orchestrates all security checks in the following sequence:\n\n```mermaid\ngraph LR\n    A[Discover Hosts] --> B[Find Server Configs]\n    B --> C[Analyze Commands]\n    C --> D[Probe Servers]\n    D --> E[Classify Tools]\n    E --> F[Detect Poisoning]\n    F --> G[Check Readiness]\n    G --> H[Analyze Flows]\n    H --> I[Map to OWASP]\n    I --> J[Generate Output]\n```\n\n## Output Formats\n\n### SARIF Output\n\nThe `toSarif()` function generates SARIF 2.1.0 format output suitable for CI/CD 
integration and GitHub Security tab uploads.\n\n### JSON Output Schema\n\n```json\n{\n  \"timestamp\": \"ISO-8601\",\n  \"hosts\": [\"Claude Desktop\", \"Cursor\"],\n  \"servers\": [{\n    \"name\": \"server-name\",\n    \"hosts\": [\"Claude Desktop\"],\n    \"command\": \"npx\",\n    \"args\": [\"@modelcontextprotocol/server-filesystem\"],\n    \"tools\": [{\n      \"name\": \"read_file\",\n      \"description\": \"...\",\n      \"risk\": \"high\",\n      \"poisoning\": [{ \"type\": \"...\", \"severity\": \"...\", \"description\": \"...\" }]\n    }],\n    \"risk\": \"high\",\n    \"findings\": [{\n      \"type\": \"env-exposure\",\n      \"severity\": \"high\",\n      \"description\": \"...\"\n    }]\n  }],\n  \"summary\": {\n    \"total\": 2, \"critical\": 1, \"high\": 1\n  }\n}\n```\n\n资料来源：[AGENTS.md:53-71]()\n\n## Exit Codes\n\n| Code | Meaning | Condition |\n|------|---------|-----------|\n| 0 | Clean | No critical or high-risk issues |\n| 1 | Warning | High-risk issues found |\n| 2 | Failure | Critical issues, tool poisoning, or toxic flows |\n\nThe `exitCode` field is also surfaced in JSON and `--brief` output for programmatic consumption.\n\n## Policy Enforcement\n\nThe `--policy` flag enables CI/CD policy gates:\n\n| Rule | Behavior |\n|------|----------|\n| `no-critical` | Fail on critical tools |\n| `no-high` | Fail on high-risk tools |\n| `no-poisoning` | Fail on prompt injection |\n| `no-toxic-flows` | Fail on cross-server leaks |\n| `no-secrets` | Fail on exposed secrets |\n| `require-tripwires` | Fail if decoy-tripwire not installed |\n\n资料来源：[README.md:66-77]()\n\n## Explain Functionality\n\nThe `explain` subcommand provides context for findings without running a full scan:\n\n```bash\ndecoy-scan explain critical          # Severity tier explanation\ndecoy-scan explain tool-description  # Finding category details\ndecoy-scan explain prompt-override   # Poisoning type explanation\ndecoy-scan explain evaluate_script   # Tool classification 
reasoning\n```\n\nExplanations resolve against the same patterns used by the scanner, ensuring consistency between detection and documentation.\n\n## CLI Integration\n\nThe GitHub Action integration provides automated security scanning:\n\n```yaml\n- uses: decoy-run/decoy-scan@v1\n  with:\n    policy: no-critical,no-poisoning,no-toxic-flows\n    sarif: true\n```\n\nResults are uploaded to the GitHub Security tab via the SARIF format.\n\n## Summary Table of Detection Capabilities\n\n| Detection Type | Function | Patterns/Checks | Exit Code |\n|----------------|----------|-----------------|-----------|\n| Tool Risk | `classifyTool()` | Name + description matching | 0/1/2 |\n| Poisoning | `detectPoisoning()` | 37 regex patterns | 2 |\n| Command | `analyzeServerCommand()` | 5 pattern categories | 1/2 |\n| Env Exposure | `analyzeEnvExposure()` | 12 credential categories | 1/2 |\n| Readiness | `analyzeReadiness()` | 5 heuristic checks | 0/1 |\n| Toxic Flows | `analyzeToxicFlows()` | TF001, TF002 | 2 |\n| Manifest Hash | `hashToolManifest()` | Change detection | 1 |\n| Skill Scan | `analyzeSkill()` | Injection + secrets | 1/2 |\n\n资料来源：[index.mjs](), [bin/cli.mjs]()\n\n---\n\n<a id='page-6'></a>\n\n## Supply Chain and Advisory Database\n\n### 相关页面\n\n相关主题：[Security Checks and Detection](#page-5), [Skill Scanning](#page-7)\n\n<details>\n<summary>相关源码文件</summary>\n\n以下源码文件用于生成本页说明：\n\n- [index.mjs](https://github.com/decoy-run/decoy-scan/blob/main/index.mjs)\n- [lib/advisories.mjs](https://github.com/decoy-run/decoy-scan/blob/main/lib/advisories.mjs)\n- [lib/constants.mjs](https://github.com/decoy-run/decoy-scan/blob/main/lib/constants.mjs)\n- [bin/cli.mjs](https://github.com/decoy-run/decoy-scan/blob/main/bin/cli.mjs)\n- [AGENTS.md](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md)\n- [CONTRIBUTING.md](https://github.com/decoy-run/decoy-scan/blob/main/CONTRIBUTING.md)\n- [README.md](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n</details>\n\n# 
Supply Chain and Advisory Database\n\n## Overview\n\nThe Supply Chain and Advisory Database module in decoy-scan provides security checks against a curated database of known vulnerable MCP packages. This feature enables automated cross-referencing of configured MCP servers against known supply chain threats, helping organizations identify and mitigate risks from third-party dependencies before attackers can exploit them.\n\nThe advisory system is designed to be non-intrusive and fast. It performs network lookups against the Decoy advisory database to fetch security intelligence about MCP packages, with built-in retry logic and offline fallbacks to ensure scanning reliability.\n\n## Architecture\n\n```mermaid\ngraph TD\n    A[scan] --> B[Discover MCP Configs]\n    B --> C[For Each Server]\n    C --> D[Probe Server via Stdio]\n    D --> E[Fetch Tool List]\n    E --> F[Run Security Checks]\n    F --> G{Tool Risk Classification}\n    F --> H{Poisoning Detection}\n    F --> I{Supply Chain Advisories}\n    \n    I --> J[HTTP GET /api/advisories?<packages>]\n    J --> K{API Available?}\n    K -->|Yes| L[Cache Response]\n    K -->|No| M[Retry 1x]\n    M -->|Fail| N[Fallback to Local]\n    \n    L --> O[Apply Findings]\n    N --> O\n```\n\n## Core Components\n\n### Advisory Database Integration\n\nThe supply chain advisory system integrates with an external Decoy advisory database via HTTP API calls. 
When scanning MCP configurations, the system extracts package identifiers from server configurations and queries the advisory database for known vulnerabilities.\n\n```javascript\n// Conceptual flow from index.mjs\nconst advisories = await fetchAdvisories(packageList);\n```\n\n**资料来源:** [index.mjs:scan()](https://github.com/decoy-run/decoy-scan/blob/main/index.mjs)\n\n### Advisory Data Structure\n\nAdvisory records returned from the database contain the following fields:\n\n| Field | Type | Description |\n|-------|------|-------------|\n| `package` | string | NPM package name or MCP server identifier |\n| `severity` | string | critical, high, medium, or low |\n| `title` | string | Brief description of the vulnerability |\n| `description` | string | Detailed advisory information |\n| `cve` | string | CVE identifier (if available) |\n| `recommendation` | string | Suggested remediation steps |\n\n### Network Layer\n\nThe advisory fetcher implements resilient network handling:\n\n```mermaid\nsequenceDiagram\n    participant Scanner\n    participant API as Decoy API\n    participant Cache\n    \n    Scanner->>API: GET /api/advisories?packages=...\n    API-->>Scanner: 200 OK (advisory data)\n    Scanner->>Cache: Store response\n    Note over Scanner: 1 retry with 200-800ms backoff\n    \n    Scanner->>API: GET /api/advisories?packages=...\n    API-->>Scanner: 5xx Error\n    Scanner->>API: Retry after backoff\n    API-->>Scanner: Still failing\n    Scanner->>Scanner: Fallback to cached/local data\n```\n\n**资料来源:** [CHANGELOG.md:0.7.0](https://github.com/decoy-run/decoy-scan/blob/main/CHANGELOG.md)\n\n## Configuration Options\n\n### CLI Flags\n\n| Flag | Default | Description |\n|------|---------|-------------|\n| `--no-advisories` | false | Skip supply chain advisory checks |\n| `--advisory-cache` | ~/.decoy/advisory-cache.json | Local cache file path |\n| `--api-url` | https://api.decoy.run | Override advisory API endpoint |\n\n### Environment Variables\n\n| Variable | 
Description |\n|----------|-------------|\n| `DECOY_API_URL` | Custom API endpoint for advisory lookups |\n| `DECOY_API_TOKEN` | Authentication token for premium advisories |\n\n## Advisory Categories\n\nThe Decoy advisory database covers multiple vulnerability categories relevant to MCP servers:\n\n| Category | Description | Example |\n|----------|-------------|---------|\n| Code Execution | Vulnerabilities allowing arbitrary code execution | Malicious npm package with postinstall script |\n| Data Exfiltration | Packages that leak sensitive information | Telemetry packages with credential harvesting |\n| Dependency Confusion | Typosquatting or substitution attacks | `mcp-server` vs `mc-p-server` |\n| Known Exploits | CVE-assigned vulnerabilities with active exploitation | Remote code execution in popular MCP packages |\n\n**资料来源:** [README.md:What it checks](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n\n## Scan Integration\n\n### Scan Categories\n\nThe supply chain advisory check is one of nine scan categories in decoy-scan:\n\n| Check | Priority |\n|-------|----------|\n| Tool risk classification | 1 |\n| Tool poisoning detection | 2 |\n| **Supply chain advisories** | 3 |\n| Server command analysis | 4 |\n| Environment variable exposure | 5 |\n| Production readiness | 6 |\n| Toxic flow analysis | 7 |\n| Manifest change tracking | 8 |\n| Transport security | 9 |\n\n**资料来源:** [AGENTS.md:Scan Categories](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md)\n\n### Integration with Tool Classification\n\nAdvisory findings are combined with tool risk classification results to produce comprehensive security reports:\n\n```javascript\n// Simplified integration flow\nconst toolRisk = classifyTool(toolName, toolDescription);\nconst advisoryInfo = await lookupAdvisory(serverPackage);\nconst combinedRisk = mergeRiskScores(toolRisk, advisoryInfo);\n```\n\n**资料来源:** 
[index.mjs:classifyTool()](https://github.com/decoy-run/decoy-scan/blob/main/index.mjs)\n\n## Output Integration\n\n### JSON Output\n\nAdvisory findings appear in the JSON output under each server's `findings` array:\n\n```json\n{\n  \"servers\": [{\n    \"name\": \"example-mcp-server\",\n    \"findings\": [{\n      \"type\": \"supply-chain-advisory\",\n      \"severity\": \"high\",\n      \"package\": \"@example/mcp-server\",\n      \"description\": \"Known vulnerability in version < 1.2.0\",\n      \"cve\": \"CVE-2024-1234\",\n      \"recommendation\": \"Upgrade to version 1.2.0 or later\"\n    }]\n  }]\n}\n```\n\n### SARIF Output\n\nAdvisory findings are also exported in SARIF 2.1.0 format for CI/CD integration:\n\n```json\n{\n  \"results\": [{\n    \"ruleId\": \"decoy-advisory-HIGH-001\",\n    \"level\": \"warning\",\n    \"message\": {\n      \"text\": \"Package @example/mcp-server has known vulnerability CVE-2024-1234\"\n    }\n  }]\n}\n```\n\n**资料来源:** [README.md:Structured output for agents](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n\n## Telemetry and Analytics\n\nThe supply chain advisory system includes anonymized telemetry to help improve the advisory database:\n\n| Event | Purpose |\n|-------|---------|\n| `scan.discovery` | Records which hosts and servers were scanned |\n| `scan.complete` | Final scan results including advisory findings |\n| `scan.uploaded` | Indicates when results were uploaded to dashboard |\n\nTelemetry includes environment metadata (Node version, platform, architecture) but no sensitive user data. 
Users can opt out via `DECOY_TELEMETRY=0` or the `--no-telemetry` flag. Telemetry is opt-out rather than opt-in, and the `scan.discovery` event records which hosts and servers were scanned, so set `DECOY_TELEMETRY=0` in CI and wherever MCP server names are themselves considered sensitive.\n\n**资料来源:** [CHANGELOG.md:0.7.0](https://github.com/decoy-run/decoy-scan/blob/main/CHANGELOG.md)\n\n## Performance Considerations\n\n### Timeout Configuration\n\nAdvisory API calls use aggressive timeouts to maintain scan performance:\n\n| Setting | Value | Rationale |\n|---------|-------|-----------|\n| Connection timeout | 2000ms | Fast failure on unreachable API |\n| Read timeout | 5000ms | Allow for large response payloads |\n| Retry attempts | 1 | Minimize latency impact |\n\nThis page does not state whether a timed-out or failed advisory lookup is surfaced in the scan output. In a policy gate, treat a scan that could not reach the advisory API as incomplete rather than clean.\n\n### Caching Strategy\n\nAdvisory responses are cached locally to reduce API calls:\n\n```mermaid\ngraph LR\n    A[Scan Start] --> B{Cache Hit?}\n    B -->|Yes| C[Use Cached Data]\n    B -->|No| D[Query API]\n    D --> E[Store in Cache]\n    E --> C\n    C --> F[Continue Scan]\n```\n\nCache location is platform-aware:\n\n| Platform | Cache Path |\n|----------|------------|\n| macOS | `~/.decoy/advisory-cache.json` |\n| Linux | `~/.decoy/advisory-cache.json` |\n| Windows | `%APPDATA%/.decoy/advisory-cache.json` |\n\nThe cache is a plain JSON file in the user's profile; nothing on this page indicates it is signed or integrity-checked, so a writable `~/.decoy` directory is inside the scanner's trust boundary and cached entries can shape advisory results.\n\n**资料来源:** [AGENTS.md:Supported Hosts](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md)\n\n## Extensibility\n\n### Adding New Advisory Categories\n\nTo extend the advisory system with new vulnerability categories, modify the pattern definitions in the constants module:\n\n```javascript\n// In lib/constants.mjs\nexport const ADVISORY_CATEGORIES = {\n  // ... 
existing categories\n  NEW_CATEGORY: {\n    pattern: /new-vulnerability-pattern/i,\n    severity: \"medium\",\n    description: \"Description of new vulnerability type\"\n  }\n};\n```\n\n### Custom Advisory Sources\n\nOrganizations can integrate private advisory databases by implementing a custom advisory fetcher:\n\n```javascript\nimport { createAdvisoryFetcher } from './lib/advisories.mjs';\n\nconst customFetcher = createAdvisoryFetcher({\n  apiUrl: 'https://internal.advisories.example.com',\n  apiToken: process.env.INTERNAL_ADVISORY_TOKEN\n});\n```\n\n**资料来源:** [CONTRIBUTING.md:Code Structure](https://github.com/decoy-run/decoy-scan/blob/main/CONTRIBUTING.md)\n\n## Exit Codes and Policy Enforcement\n\nAdvisory findings affect the scan exit code:\n\n| Exit Code | Condition |\n|-----------|-----------|\n| `0` | No critical or high-risk issues, no advisories |\n| `1` | High-risk advisories found |\n| `2` | Critical advisories found |\n\nPolicy gates can be configured via CLI:\n\n```bash\ndecoy-scan --policy no-critical,no-high\n```\n\n**资料来源:** [README.md:Exit codes](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n\n## See Also\n\n- [CLI Reference](AGENTS.md) - Full CLI documentation including advisory flags\n- [Contributing Guide](CONTRIBUTING.md) - How to extend the advisory system\n- [GitHub Action](README.md#-github-action) - CI/CD integration with policy enforcement\n\n---\n\n<a id='page-7'></a>\n\n## Skill Scanning\n\n### 相关页面\n\n相关主题：[Security Checks and Detection](#page-5), [CLI Reference](#page-8)\n\n<details>\n<summary>相关源码文件</summary>\n\n以下源码文件用于生成本页说明：\n\n- [lib/skills.mjs](https://github.com/decoy-run/decoy-scan/blob/main/lib/skills.mjs)\n- [lib/discovery.mjs](https://github.com/decoy-run/decoy-scan/blob/main/lib/discovery.mjs)\n- [index.mjs](https://github.com/decoy-run/decoy-scan/blob/main/index.mjs)\n- [bin/cli.mjs](https://github.com/decoy-run/decoy-scan/blob/main/bin/cli.mjs)\n- 
[AGENTS.md](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md)\n</details>\n\n# Skill Scanning\n\nSkill Scanning is a security analysis feature in decoy-scan that detects vulnerabilities within Claude Code skills. It scans skill definitions for prompt injection payloads, hardcoded secrets, and suspicious URLs that could compromise agent safety.\n\n## Overview\n\nSkill Scanning operates as part of the broader MCP (Model Context Protocol) security assessment suite. While tool scanning analyzes the risk profile of MCP server tools, skill scanning focuses on identifying malicious content embedded within skill definitions that could be exploited during agent execution.\n\n技能扫描与工具扫描的核心区别在于：工具扫描评估 MCP 服务器提供的工具能力风险，而技能扫描检查本地定义的技能文件中可能被恶意利用的内容。\n\n## Architecture\n\nThe skill scanning subsystem consists of three primary components that work together to provide comprehensive skill security analysis:\n\n```mermaid\ngraph TD\n    A[Skill Definitions] --> B[discoverSkills]\n    B --> C{Skill Files Found?}\n    C -->|Yes| D[analyzeSkill]\n    C -->|No| E[Skip Analysis]\n    D --> F[Skill Findings Array]\n    F --> G[Integration into scan Results]\n    \n    H[Poisoning Patterns] --> D\n    I[Secret Patterns] --> D\n    J[URL Patterns] --> D\n```\n\nThe architecture follows a two-phase approach: first discovering skill definitions across the filesystem, then analyzing each discovered skill for multiple categories of security issues.\n\n## Core Functions\n\n### discoverSkills()\n\nThe `discoverSkills()` function searches for Claude Code skill definition files in the project directory. 
It recursively traverses the filesystem to locate `.mdc` files that contain skill definitions.\n\n| Property | Value |\n|----------|-------|\n| Function Name | `discoverSkills` |\n| Module | `lib/skills.mjs` |\n| Return Type | `Promise<Skill[]>` |\n| Side Effects | Read-only filesystem scan |\n\n技能发现采用递归目录遍历策略，从当前工作目录开始搜索 `.mdc` 扩展名的文件。\n\n### analyzeSkill(skill)\n\nThe `analyzeSkill()` function performs deep security analysis on an individual skill definition. It evaluates the skill content against multiple pattern sets to detect various attack vectors.\n\n分析函数对每个技能执行三类安全检查：\n- 提示注入检测 (Prompt Injection Detection)\n- 硬编码密钥检测 (Hardcoded Secret Detection)\n- 可疑 URL 检测 (Suspicious URL Detection)\n\n### Integration with scan()\n\nIn the main scan orchestration, skills are discovered and analyzed when the `skills` option is enabled:\n\n```javascript\nconst results = await scan({ skills: true });\nconsole.log(results.skills);  // [{ name: \"...\", findings: [...] }]\n```\n\n资料来源：[README.md](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n\n## Finding Categories\n\nSkill scanning identifies three primary categories of security issues:\n\n### Prompt Injection Detection\n\nDetects prompt injection payloads hidden within skill descriptions. These attacks embed malicious instructions that could override agent behavior when the skill is executed.\n\n| Severity | Description |\n|----------|--------------|\n| Critical | Active prompt override instructions |\n| High | Concealment techniques hiding true intent |\n| Medium | Subtle manipulation hints |\n\n### Hardcoded Secrets\n\nIdentifies API keys, tokens, passwords, and other credentials accidentally embedded in skill definitions. This finding type aligns with OWASP credential exposure categories.\n\n### Suspicious URLs\n\nDetects references to potentially malicious or untrusted URLs within skill content. 
URLs to external resources could lead agents to compromised servers or phishing pages.\n\n## Output Structure\n\nWhen skill scanning is enabled, the scan results include a `skills` array containing analysis results for each discovered skill:\n\n```json\n{\n  \"skills\": [\n    {\n      \"name\": \"skill-name\",\n      \"path\": \"/path/to/skill.mdc\",\n      \"findings\": [\n        {\n          \"type\": \"prompt-injection\",\n          \"severity\": \"high\",\n          \"description\": \"...\",\n          \"source\": \"skill-content\"\n        }\n      ]\n    }\n  ]\n}\n```\n\nThe `skills` findings are integrated into the overall scan results alongside tool risk classifications, poisoning detections, and toxic flow analysis.\n\n资料来源：[README.md](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n\n## Usage\n\n### CLI Usage\n\nSkill scanning runs whenever skill analysis is on. The CLI reference lists a `--skills` flag to enable it, while the options table below gives the programmatic default as `true`; confirm the effective default for your version (`decoy-scan --help`) rather than assuming skills were scanned:\n\n```bash\nnpx decoy-scan --verbose\n```\n\nThe `--verbose` flag reveals all discovered skills and their findings, including those previously hidden in standard output.\n\n### Programmatic Usage\n\n```javascript\nimport { discoverSkills, analyzeSkill } from 'decoy-scan';\n\n// Discover all skills in the project\nconst skills = await discoverSkills();\n\n// Analyze each skill individually\nfor (const skill of skills) {\n  const analysis = await analyzeSkill(skill);\n  console.log(`${skill.name}: ${analysis.findings.length} issues`);\n}\n```\n\n## Configuration\n\nSkill scanning behavior can be controlled through scan options:\n\n| Option | Type | Default | Description |\n|--------|------|---------|-------------|\n| `skills` | `boolean` | `true` | Enable/disable skill scanning |\n| `verbose` | `boolean` | `false` | Show detailed skill findings |\n\n## OWASP Mapping\n\nSkill findings are mapped to the OWASP Agentic Top 10 categories where applicable:\n\n| Finding Type | OWASP Category |\n|--------------|----------------|\n| Prompt Injection | ASI01 - 
Prompt Injection |\n| Hardcoded Secrets | ASI04 - Sensitive Data Disclosure |\n| Suspicious URLs | ASI02 (the title 'Visualization Overflow' given in the source page does not correspond to any published OWASP Agentic Top 10 category and is likely a transcription error) |\n\nThe `OWASP_MAP` in the main scanner correlates skill finding types with their corresponding OWASP classifications for compliance reporting. Treat `OWASP_MAP` as the authoritative source for both the ASI identifier and its title, and cross-check the titles quoted above against the current OWASP list before reusing them in reports.\n\n资料来源：[CONTRIBUTING.md](https://github.com/decoy-run/decoy-scan/blob/main/CONTRIBUTING.md)\n\n## Discovery Process\n\nThe skill discovery process in `lib/discovery.mjs` locates Claude Code skill files through a structured search pattern:\n\n1. **Directory Traversal**: Recursively scan project directories\n2. **Pattern Matching**: Identify files matching skill definition patterns\n3. **Path Resolution**: Build absolute paths for discovered skills\n4. **Metadata Extraction**: Parse skill name and metadata from definitions\n\n技能发现是只读操作，不会修改任何文件系统内容。所有发现的文件路径都被规范化为绝对路径以便后续分析。\n\n## Integration Points\n\nSkill scanning integrates with several other decoy-scan subsystems:\n\n- **Tool Manifest Hashing**: Skills may reference tools whose manifests are hashed\n- **SARIF Export**: Skill findings appear in SARIF output under the appropriate rules\n- **Policy Enforcement**: `no-secrets` policy rules can target skill findings\n- **Telemetry**: Scan telemetry includes skill discovery counts\n\n## Testing\n\nThe test suite validates skill scanning behavior through `unit.test.mjs` which covers skill analysis patterns and findings generation. 
All skill-related tests must pass before PR submission.\n\n```bash\nnpm test  # Runs 48 tests including skill scanning coverage\n```\n\n## See Also\n\n- [Tool Risk Classification](index.md#tool-risk-classification) - MCP tool security analysis\n- [Poisoning Detection](index.md#poisoning-detection) - Prompt injection pattern matching\n- [OWASP Mapping](index.md#owasp-mapping) - Compliance categorization\n\n---\n\n<a id='page-8'></a>\n\n## CLI Reference\n\n### 相关页面\n\n相关主题：[Installation and Quick Start](#page-2), [GitHub Action Integration](#page-9), [Output Formats and Policy Configuration](#page-10)\n\n<details>\n<summary>相关源码文件</summary>\n\n以下源码文件用于生成本页说明：\n\n- [bin/cli.mjs](https://github.com/decoy-run/decoy-scan/blob/main/bin/cli.mjs)\n- [action.yml](https://github.com/decoy-run/decoy-scan/blob/main/action.yml)\n- [AGENTS.md](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md)\n- [CONTRIBUTING.md](https://github.com/decoy-run/decoy-scan/blob/main/CONTRIBUTING.md)\n- [README.md](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n</details>\n\n# CLI Reference\n\nThe `decoy-scan` CLI is the primary interface for scanning MCP (Model Context Protocol) client configurations and servers for security vulnerabilities. 
Built as a zero-dependency Node.js application, it provides comprehensive security scanning without requiring installation or configuration.\n\n## Overview\n\nThe CLI serves as an MCP supply chain security scanner that discovers MCP server configurations, probes running servers, and analyzes them for security risks including tool poisoning, sensitive environment variable exposure, and production readiness issues.\n\n**Key capabilities:**\n\n- Scans 7 MCP host configurations (Claude Desktop, Cursor, Windsurf, VS Code, Claude Code, Zed, Cline)\n- Classifies tools by risk level (critical/high/medium/low)\n- Detects 37 prompt injection patterns across 20 attack categories\n- Outputs structured formats for CI/CD integration (JSON, SARIF)\n- Maps findings to OWASP Agentic Top 10\n\n资料来源：[README.md](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n\n## Installation & Requirements\n\n### Prerequisites\n\n- Node.js >= 18\n- No npm packages required (zero dependencies)\n\n### Running the CLI\n\n```bash\nnpx decoy-scan                        # full scan\nnpx decoy-scan --json                 # machine-readable output\nnpx decoy-scan --sarif                # SARIF 2.1.0 for CI/CD\n```\n\nNo installation step required. 
The CLI runs directly via `npx`. Note that `npx` downloads and executes the latest published package each time it is invoked; in CI, or anywhere with a supply-chain policy, pin an exact version (`npx decoy-scan@<version>`) and review the package in an isolated environment before first use.\n\n资料来源：[AGENTS.md](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md)\n\n## Command Syntax\n\n```\ndecoy-scan [command] [options]\n```\n\n### Global Options\n\n| Option | Alias | Description |\n|--------|-------|-------------|\n| `--verbose` | `-v` | Show all tools including low-risk |\n| `--quiet` | `-q` | Suppress status output |\n| `--version` | `-V` | Print version |\n| `--help` | `-h` | Print help |\n\n资料来源：[AGENTS.md](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md)\n\n## Scan Command\n\nThe default command that discovers MCP servers, probes them, and analyzes for security issues. Probing connects to each configured server to enumerate its tools, which for stdio servers means launching the command declared in the config (see the Scan Architecture diagram below). A default scan therefore executes whatever those configs declare; use `--no-probe` on configs you do not trust.\n\n### Scan Options\n\n| Option | Description |\n|--------|-------------|\n| `--json` | Output results as JSON |\n| `--sarif` | Output results as SARIF 2.1.0 |\n| `--brief` | Output minimal summary (implies `--json`) |\n| `--verbose`, `-v` | Show all tools including low-risk |\n| `--quiet`, `-q` | Suppress status output |\n| `--no-probe` | Skip server probing (config-only scan; no configured server command is executed) |\n| `--no-advisories` | Skip supply chain advisory checks (advisory API lookups only; telemetry and `--report` are controlled separately) |\n| `--skills` | Enable skill scanning |\n| `--report` | Upload results to Decoy Guard dashboard |\n| `--no-telemetry` | Disable telemetry collection |\n| `--verify` | AI-verify findings (requires token; presumably sends findings to the Decoy service, so check data-handling policy before using it on sensitive configs) |\n\n资料来源：[README.md](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n\n### Example Usage\n\n```bash\n# Full scan with pretty output\ndecoy-scan\n\n# JSON output for scripting\ndecoy-scan --json\n\n# SARIF output for GitHub Security tab\ndecoy-scan --sarif\n\n# Config-only scan (no server probing)\ndecoy-scan --no-probe\n\n# Skip advisory lookups (faster); combine with --no-telemetry for a fully offline run\ndecoy-scan --no-advisories\n\n# Verbose mode showing all tools\ndecoy-scan --verbose\n```\n\n资料来源：[CONTRIBUTING.md](https://github.com/decoy-run/decoy-scan/blob/main/CONTRIBUTING.md)\n\n## Explain Subcommand\n\nResolves what a scan finding means without parsing the full scan output. 
Useful when an agent sees a finding and needs structured context to act on it.\n\n```bash\ndecoy-scan explain critical              # severity tier\ndecoy-scan explain tool-description      # finding category\ndecoy-scan explain prompt-override       # poisoning type\ndecoy-scan explain read_file             # tool name (runs real classifier rules)\ndecoy-scan explain list                  # enumerate all explainable targets\ndecoy-scan explain <target> --json       # structured output (preferred for agents)\n```\n\n### Explain Target Types\n\n| Kind | Description | Example |\n|------|-------------|---------|\n| `tier` | Severity levels | `critical`, `high`, `medium`, `low` |\n| `category` | Finding categories | `env-exposure`, `command-analysis` |\n| `poisoning` | Attack types | `prompt-override`, `instruction-override` |\n| `tool` | Tool risk classifications | `execute_command`, `read_file` |\n\n资料来源：[AGENTS.md](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md)\n\n### JSON Output Schema\n\n```json\n{\n  \"tool\": \"decoy-scan\",\n  \"version\": \"0.5.1\",\n  \"target\": \"critical\",\n  \"result\": {\n    \"kind\": \"tier\",\n    \"key\": \"critical\",\n    \"title\": \"Critical\",\n    \"summary\": \"Can execute code, modify data, or cause irreversible changes.\",\n    \"body\": \"...\",\n    \"examples\": [\"execute_command\", \"write_file\", \"...\"],\n    \"advice\": \"...\"\n  }\n}\n```\n\nFor `tool` results, additional fields include `risk`, `reason`, `matched` (the regex that matched), and `note` when classification relied on name alone.\n\n资料来源：[AGENTS.md](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md)\n\n## Exit Codes\n\nThe CLI returns specific exit codes for CI/CD pipeline integration:\n\n| Exit Code | Meaning |\n|-----------|---------|\n| `0` | No critical or high-risk issues found |\n| `1` | High-risk issues found |\n| `2` | Critical issues, tool poisoning, toxic flows, or policy violation |\n\nThe exit code is also surfaced 
as `exitCode` on `--json` and `--brief` output, enabling agents to branch on severity without re-deriving it from summary counts.\n\n资料来源：[AGENTS.md](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md)\n\n## Output Formats\n\n### Pretty Output\n\nDefault terminal output with color-coded severity badges:\n\n```\n✗ server-name N critical\n! server-name poisoned tool (magenta)\n? server-name probe failed\n✓ server-name passed\n```\n\nSeverity labels introduce each tool group; Low severity collapses to a count.\n\n资料来源：[CHANGELOG.md](https://github.com/decoy-run/decoy-scan/blob/main/CHANGELOG.md)\n\n### JSON Output Schema\n\n```json\n{\n  \"timestamp\": \"ISO-8601\",\n  \"hosts\": [\"Claude Desktop\", \"Cursor\"],\n  \"servers\": [{\n    \"name\": \"server-name\",\n    \"hosts\": [\"Claude Desktop\"],\n    \"command\": \"npx\",\n    \"args\": [\"@modelcontextprotocol/server-filesystem\"],\n    \"tools\": [{\n      \"name\": \"read_file\",\n      \"description\": \"...\",\n      \"risk\": \"high\",\n      \"poisoning\": [{ \"type\": \"...\", \"severity\": \"...\", \"description\": \"...\" }]\n    }],\n    \"risk\": \"high\",\n    \"error\": null,\n    \"findings\": [{\n      \"type\": \"env-exposure\",\n      \"severity\": \"high\",\n      \"description\": \"...\",\n      \"source\": \"env-config\"\n    }]\n  }],\n  \"summary\": {\n    \"total\": 2,\n    \"critical\": 1,\n    \"high\": 1,\n    \"medium\": 0,\n    \"low\": 0,\n    \"poisoned\": 0\n  },\n  \"exitCode\": 2\n}\n```\n\n资料来源：[AGENTS.md](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md)\n\n### SARIF Output\n\nSARIF 2.1.0 format for integration with GitHub Security tab:\n\n```bash\ndecoy-scan --sarif\n```\n\nThe SARIF output includes all findings, rules, and tool information compatible with GitHub's code scanning API.\n\n资料来源：[README.md](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n\n### Brief Output\n\nMinimal summary object (implies `--json`):\n\n```json\n{\n  \"servers\": 
3,\n  \"critical\": 1,\n  \"high\": 2,\n  \"medium\": 4,\n  \"low\": 5,\n  \"poisoned\": 0,\n  \"status\": \"fail\",\n  \"exitCode\": 2\n}\n```\n\nFields:\n- `servers` — number of non-decoy, non-error servers scanned\n- `critical`, `high`, `medium`, `low` — tool risk counts\n- `poisoned` — number of tool poisoning findings\n- `status` — `\"pass\"` (clean), `\"warn\"` (high-risk), or `\"fail\"` (critical/poisoned/toxic flows)\n- `exitCode` — matches process exit code\n\n资料来源：[AGENTS.md](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md)\n\n## Environment Variables\n\n| Variable | Description |\n|----------|-------------|\n| `DECOY_TOKEN` | API token for dashboard upload |\n| `DECOY_TELEMETRY=0` | Disable telemetry collection |\n\n资料来源：[CHANGELOG.md](https://github.com/decoy-run/decoy-scan/blob/main/CHANGELOG.md)\n\n## GitHub Action Integration\n\nThe CLI integrates with GitHub Actions via the official action:\n\n```yaml\n# .github/workflows/mcp-security.yml\nname: MCP Security\non: [push, pull_request]\n\njobs:\n  scan:\n    runs-on: ubuntu-latest\n    permissions:\n      security-events: write\n    steps:\n      - uses: actions/checkout@v4\n      - uses: decoy-run/decoy-scan@v1\n        with:\n          policy: no-critical,no-poisoning,no-toxic-flows\n          sarif: true\n          report: true\n          token: ${{ secrets.DECOY_TOKEN }}\n```\n\n### Action Inputs\n\n| Input | Default | Description |\n|-------|---------|-------------|\n| `policy` | `no-critical,no-poisoning` | Comma-separated policy rules |\n| `sarif` | `true` | Upload SARIF to GitHub Security tab |\n| `report` | `false` | Upload to Decoy Guard dashboard |\n| `token` | — | Decoy API token (for `report`) |\n| `verbose` | `false` | Show all tools including low-risk |\n\n### Policy Rules\n\n```\nno-critical          Fail on critical tools (code exec, file write)\nno-high              Fail on high-risk tools (file read, network)\nno-poisoning         Fail on prompt injection in tool 
descriptions\nno-toxic-flows       Fail on cross-server data leak / destructive chains\nno-secrets           Fail on secrets exposed in MCP config\nrequire-tripwires    Fail if decoy-tripwire not installed\nmax-critical=N       Fail if more than N critical tools found\n```\n\n资料来源：[README.md](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n\n## Scan Architecture\n\n```mermaid\ngraph TD\n    A[decoy-scan CLI] --> B[Discover MCP Configs]\n    B --> C{Host Configs}\n    C -->|Claude Desktop| D[~/.claude...json]\n    C -->|Cursor| E[~/.cursor...json]\n    C -->|VS Code| F[.vscode/mcp.json]\n    C -->|Zed| G[~/.config/zed...]\n    C -->|Cline| H[~/.cline...]\n    \n    D --> I[Parse Server Configs]\n    E --> I\n    F --> I\n    G --> I\n    H --> I\n    \n    I --> J[For Each Server]\n    J --> K[Probe Server via stdio]\n    K --> L{Probe Success?}\n    L -->|No| M[Log Error & Continue]\n    L -->|Yes| N[Analyze Tool List]\n    \n    N --> O[Tool Risk Classification]\n    N --> P[Poisoning Detection]\n    N --> Q[Command Analysis]\n    N --> R[Env Exposure Check]\n    \n    O --> S[Aggregate Findings]\n    P --> S\n    Q --> S\n    R --> S\n    \n    S --> T{Output Format}\n    T -->|Pretty| U[Terminal Output]\n    T -->|JSON| V[JSON to stdout]\n    T -->|SARIF| W[SARIF to stdout]\n    \n    M --> X[Final Summary]\n    U --> X\n    V --> X\n    W --> X\n    X --> Y[Exit Code 0/1/2]\n```\n\n## Development\n\nFor local development and testing:\n\n```bash\ngit clone https://github.com/decoy-run/decoy-scan\ncd decoy-scan\nnode bin/cli.mjs --help\n```\n\nNo build step required. 
No dependencies to install.\n\n### Manual Testing Modes\n\n```bash\nnode bin/cli.mjs --no-probe              # Config-only\nnode bin/cli.mjs --no-advisories         # Skip network calls\nnode bin/cli.mjs --json                  # Verify JSON structure\nnode bin/cli.mjs --sarif                 # Verify SARIF structure\nnode bin/cli.mjs --verbose               # Show everything\n```\n\n### Running Tests\n\n```bash\nnpm test\n```\n\nThis runs 48 tests covering CLI output, JSON/SARIF structure, policy gates, toxic flow detection, skill analysis, and manifest hashing.\n\n资料来源：[CONTRIBUTING.md](https://github.com/decoy-run/decoy-scan/blob/main/CONTRIBUTING.md)\n\n## Supported Hosts\n\nThe CLI automatically discovers MCP configurations across multiple platforms:\n\n| Host | macOS Path | Windows Path | Linux Path |\n|------|------------|--------------|------------|\n| Claude Desktop | `~/Library/Application Support/Claude` | `%APPDATA%/Claude` | `~/.config/Claude` |\n| Cursor | `~/.cursor` | `%APPDATA%/Cursor` | `~/.cursor` |\n| Windsurf | `~/.windsurf` | `%APPDATA%/Windsurf` | `~/.windsurf` |\n| VS Code | `.vscode/mcp.json` (workspace) | `.vscode/mcp.json` | `.vscode/mcp.json` |\n| Claude Code | `~/.claude.json` | `%APPDATA%/claude.json` | `~/.claude.json` |\n| Zed | `~/.config/zed` | `%APPDATA%/Zed` | `~/.config/zed` |\n| Cline | `~/.cline` | `%APPDATA%/cline` | `~/.cline` |\n\nConfig paths are platform-aware and detected automatically.\n\n资料来源：[AGENTS.md](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md)\n\n## Scan Categories\n\n| Check | What it finds |\n|-------|---------------|\n| Tool risk classification | Critical/high/medium/low tools by name + description |\n| Prompt injection detection | 37 patterns across 20 attack categories in tool descriptions |\n| Toxic flow analysis | Cross-server data leak (TF001) and destructive (TF002) attack chains |\n| Tool manifest hashing | Tool additions, removals, and description changes between scans |\n| Skill 
scanning | Prompt injection, hardcoded secrets, suspicious URLs in Claude Code skills |\n| Server command analysis | Pipe-to-shell, inline code, typosquatting, temp directory spawning |\n| Environment variable exposure | API keys, tokens, secrets, cloud credentials passed to servers |\n| Supply chain advisories | 40+ known vulnerable MCP packages via Decoy advisory database |\n| Transport security | HTTP without TLS, missing auth, wildcard CORS, public-bound SSE |\n| Input sanitization | Unconstrained parameters, missing maxLength, open schemas |\n| Permission scope | Over-privileged servers, dangerous capability combinations |\n| OWASP mapping | Every finding mapped to ASI01–ASI05 |\n\n资料来源：[README.md](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n\n---\n\n<a id='page-9'></a>\n\n## GitHub Action Integration\n\n### 相关页面\n\n相关主题：[CLI Reference](#page-8), [Output Formats and Policy Configuration](#page-10)\n\n<details>\n<summary>相关源码文件</summary>\n\n以下源码文件用于生成本页说明：\n\n- [action.yml](https://github.com/decoy-run/decoy-scan/blob/main/action.yml)\n- [bin/cli.mjs](https://github.com/decoy-run/decoy-scan/blob/main/bin/cli.mjs)\n- [index.mjs](https://github.com/decoy-run/decoy-scan/blob/main/index.mjs)\n- [lib/sarif.mjs](https://github.com/decoy-run/decoy-scan/blob/main/lib/sarif.mjs)\n- [README.md](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n- [CONTRIBUTING.md](https://github.com/decoy-run/decoy-scan/blob/main/CONTRIBUTING.md)\n</details>\n\n# GitHub Action Integration\n\n## Overview\n\nThe decoy-scan GitHub Action provides automated MCP (Model Context Protocol) security scanning as part of a CI/CD pipeline. 
It integrates directly with GitHub's security infrastructure, enabling teams to enforce security policies on every push and pull request without manual intervention.\n\nThe action discovers MCP server configurations across multiple hosts (Claude Desktop, Cursor, Windsurf, VS Code, Claude Code, Zed, and Cline), executes the security scanner, and uploads results to the GitHub Security tab via SARIF format.\n\n资料来源：[README.md:72-89](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n\n## Architecture\n\n```mermaid\ngraph TD\n    A[GitHub Workflow Trigger] --> B[decoy-run/decoy-scan Action]\n    B --> C[Discover MCP Configs]\n    B --> D[CLI: npx decoy-scan]\n    D --> E[Scan MCP Servers]\n    D --> F[Policy Gate Check]\n    E --> G{Policy Violated?}\n    F --> G\n    G -->|No| H[Exit Code 0]\n    G -->|Yes| I[Exit Code 1/2]\n    E --> J[Generate SARIF Output]\n    J --> K[github/codeql-action/upload-sarif]\n    K --> L[GitHub Security Tab]\n    I --> M[Fail Build]\n```\n\nThe action consists of two primary steps: a scan step that executes the decoy-scan CLI and a SARIF upload step that publishes results to GitHub Security.\n\n资料来源：[action.yml:20-45](https://github.com/decoy-run/decoy-scan/blob/main/action.yml)\n\n## Action Inputs\n\n| Input | Default | Required | Description |\n|-------|---------|----------|-------------|\n| `policy` | `no-critical,no-poisoning` | No | Comma-separated policy rules that determine build failure conditions |\n| `sarif` | `true` | No | Whether to upload SARIF results to GitHub Security tab |\n| `report` | `false` | No | Whether to upload results to Decoy Guard dashboard |\n| `token` | — | Conditional | Decoy API token required when `report` is `true` |\n| `verbose` | `false` | No | Show all tools including low-risk items in output |\n\n资料来源：[README.md:80-86](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n\n## Workflow Example\n\n```yaml\nname: MCP Security\non: [push, pull_request]\n\njobs:\n  scan:\n    runs-on: 
ubuntu-latest\n    permissions:\n      security-events: write\n    steps:\n      - uses: actions/checkout@v4\n      - uses: decoy-run/decoy-scan@v1\n```\n\nThis minimal configuration scans MCP servers on every push and pull request, uploading SARIF results to the GitHub Security tab.\n\n资料来源：[README.md:72-89](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n\n## Policy Rules\n\nThe `policy` input accepts comma-separated rules that define build failure conditions:\n\n| Rule | Behavior |\n|------|----------|\n| `no-critical` | Fail on critical tools (code exec, file write) |\n| `no-high` | Fail on high-risk tools (file read, network) |\n| `no-poisoning` | Fail on prompt injection in tool descriptions |\n| `no-toxic-flows` | Fail on cross-server data leak / destructive chains |\n| `no-secrets` | Fail on secrets exposed in MCP config |\n| `require-tripwires` | Fail if decoy-tripwire not installed |\n| `max-critical=N` | Fail if more than N critical tools |\n| `max-high=N` | Fail if more than N high-risk tools |\n\n资料来源：[README.md:97-106](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n\n## Exit Codes\n\n| Code | Meaning |\n|------|---------|\n| `0` | No critical or high-risk issues |\n| `1` | High-risk issues found |\n| `2` | Critical issues, tool poisoning, toxic flows, or policy violation |\n\nThe exit code determines whether the GitHub Actions job succeeds or fails, enabling automatic policy enforcement.\n\n资料来源：[README.md:43-48](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n\n## SARIF Integration\n\n### How SARIF Works\n\nSARIF (Static Analysis Results Interchange Format) is an industry-standard format for sharing static analysis results. 
The action generates SARIF 2.1.0 output that GitHub's code scanning feature can ingest and display.\n\n```mermaid\ngraph LR\n    A[decoy-scan CLI] -->|--sarif flag| B[SARIF 2.1.0 JSON]\n    B --> C[github/codeql-action/upload-sarif]\n    C --> D[GitHub Security Tab]\n    C -->|continue-on-error: true| E[Non-blocking Upload]\n```\n\nThe action includes SARIF upload as a separate step with `continue-on-error: true`, ensuring that SARIF upload failures do not cause the workflow to fail when the scan itself passes.\n\n资料来源：[action.yml:35-44](https://github.com/decoy-run/decoy-scan/blob/main/action.yml)\n\n### Manual SARIF Upload\n\nFor workflows requiring more control, you can run the scan manually and upload SARIF separately:\n\n```yaml\n- run: npx decoy-scan --sarif > results.sarif\n- uses: github/codeql-action/upload-sarif@v3\n  with:\n    sarif_file: results.sarif\n```\n\n资料来源：[README.md:108-112](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n\n## GitHub Step Summary\n\nThe action writes a summary to `$GITHUB_STEP_SUMMARY` providing immediate feedback within the GitHub Actions UI:\n\n```mermaid\ngraph TD\n    A[Scan Complete] --> B{Exit Code}\n    B -->|0 - Clean| C[\"✅ **Clean** — no issues found\"]\n    B -->|Non-zero| D[\"🚨 **Issues found** — SUMMARY\"]\n    B -->|Non-zero| E[\"Run `npx decoy-scan -v` locally for full details.\"]\n```\n\n资料来源：[action.yml:28-34](https://github.com/decoy-run/decoy-scan/blob/main/action.yml)\n\n## Permissions\n\nThe workflow requires the `security-events: write` permission to upload SARIF results to the GitHub Security tab:\n\n```yaml\npermissions:\n  security-events: write\n```\n\n资料来源：[README.md:76-78](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n\n## Advanced Configuration\n\n### Report to Decoy Dashboard\n\nTo upload results to the Decoy Guard dashboard for centralized monitoring:\n\n```yaml\n- uses: decoy-run/decoy-scan@v1\n  with:\n    report: true\n    token: ${{ secrets.DECOY_TOKEN 
}}\n```\n\n### Verbose Output\n\nTo include low-risk tools in the output for full visibility:\n\n```yaml\n- uses: decoy-run/decoy-scan@v1\n  with:\n    verbose: true\n```\n\n### Custom Policy\n\nCombine multiple policy rules for stricter enforcement:\n\n```yaml\n- uses: decoy-run/decoy-scan@v1\n  with:\n    policy: no-critical,no-poisoning,no-toxic-flows,max-critical=0\n```\n\n资料来源：[README.md:80-90](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n\n## Dependencies\n\nThe decoy-scan CLI itself has **zero npm dependencies** at runtime. It uses Node.js built-in modules only, following the project's design principle of keeping the tool dependency-free. The action's SARIF step additionally invokes `github/codeql-action/upload-sarif` (see SARIF Integration above), so that action is part of the workflow's supply chain as well.\n\nThe CLI is invoked via `npx decoy-scan`, which downloads and executes the package on-demand.\n\n资料来源：[CONTRIBUTING.md:9-10](https://github.com/decoy-run/decoy-scan/blob/main/CONTRIBUTING.md)\n\n## Version Pinning\n\nFor production CI/CD pipelines, pin to a major version to receive minor updates automatically:\n\n```yaml\n- uses: decoy-run/decoy-scan@v1\n```\n\nOr pin to a specific version for complete stability:\n\n```yaml\n- uses: decoy-run/decoy-scan@v0.7.0\n```\n\nBoth forms are git tags, which the publisher can move. For a third-party action the stronger control is to pin to a full commit SHA and bump it deliberately. Note also that pinning the action does not by itself pin the npm package that `npx decoy-scan` resolves at run time; check `action.yml` for how (or whether) the package version is fixed.\n\n资料来源：[README.md:24-26](https://github.com/decoy-run/decoy-scan/blob/main/README.md)\n\n---\n\n<a id='page-10'></a>\n\n## Output Formats and Policy Configuration\n\n### 相关页面\n\n相关主题：[CLI Reference](#page-8), [GitHub Action Integration](#page-9), [Security Checks and Detection](#page-5)\n\n<details>\n<summary>相关源码文件</summary>\n\n以下源码文件用于生成本页说明：\n\n- [index.mjs](https://github.com/decoy-run/decoy-scan/blob/main/index.mjs)\n- [lib/sarif.mjs](https://github.com/decoy-run/decoy-scan/blob/main/lib/sarif.mjs)\n- [lib/explain.mjs](https://github.com/decoy-run/decoy-scan/blob/main/lib/explain.mjs)\n- [bin/cli.mjs](https://github.com/decoy-run/decoy-scan/blob/main/bin/cli.mjs)\n- [AGENTS.md](https://github.com/decoy-run/decoy-scan/blob/main/AGENTS.md)\n</details>\n\n# Output Formats and Policy Configuration\n\n## Overview\n\ndecoy-scan provides multiple 
output formats to serve different use cases—from human-readable console output for developers to machine-parseable JSON and SARIF formats for CI/CD pipelines and security automation. The tool also supports a flexible policy configuration system that enables automated enforcement of security rules.\n\nThe output and policy system is designed with an \"agent-first\" philosophy: JSON and SARIF outputs are structurally complete, include exit codes for programmatic branching, and contain all metadata needed for downstream processing without requiring additional parsing or context.\n\n资料来源：[AGENTS.md:1-20]()\n\n## Output Format Architecture\n\n### Format Types\n\ndecoy-scan supports four distinct output formats:\n\n| Format | Flag | Primary Use Case | Exit Code Included |\n|--------|------|------------------|--------------------|\n| Pretty Console | Default | Interactive terminal inspection | No |\n| JSON | `--json` | Scripted processing, APIs | Yes |\n| SARIF 2.1.0 | `--sarif` | GitHub Security tab, CI tools | Yes |\n| Brief | `--brief` | Quick summary for automation | Yes |\n\nAll structured formats (JSON, SARIF, Brief) include an `exitCode` field that mirrors the process exit code, enabling agents to branch on results without re-deriving severity from summary counts.\n\n资料来源：[AGENTS.md:80-95]()\n\n```mermaid\ngraph TD\n    A[decoy-scan invocation] --> B{CLI Args?}\n    B -->|Default| C[Pretty Console Output]\n    B -->|--json| D[JSON Output]\n    B -->|--sarif| E[SARIF 2.1.0 Output]\n    B -->|--brief| F[Brief Summary JSON]\n    B -->|combine| G[Multiple Formats]\n    C --> H[Terminal Display]\n    D --> I[Machine Processing]\n    E --> J[GitHub Security Tab]\n    F --> K[Quick Status Checks]\n```\n\n## JSON Output Format\n\n### Full Scan Schema\n\nThe JSON output provides complete scan results including all findings, server details, and summary statistics.\n\n```json\n{\n  \"timestamp\": \"ISO-8601\",\n  \"hosts\": [\"Claude Desktop\", \"Cursor\"],\n  \"servers\": 
[{\n    \"name\": \"server-name\",\n    \"hosts\": [\"Claude Desktop\"],\n    \"command\": \"npx\",\n    \"args\": [\"@modelcontextprotocol/server-filesystem\"],\n    \"tools\": [{\n      \"name\": \"read_file\",\n      \"description\": \"...\",\n      \"risk\": \"high\",\n      \"poisoning\": [{ \"type\": \"...\", \"severity\": \"...\", \"description\": \"...\" }]\n    }],\n    \"risk\": \"high\",\n    \"error\": null,\n    \"findings\": [{\n      \"type\": \"env-exposure\",\n      \"severity\": \"high\",\n      \"description\": \"...\",\n      \"source\": \"env-config\"\n    }]\n  }],\n  \"summary\": {\n    \"total\": 2,\n    \"critical\": 1,\n    \"high\": 2,\n    \"medium\": 4,\n    \"low\": 5,\n    \"poisoned\": 0\n  },\n  \"exitCode\": 1\n}\n```\n\n资料来源：[AGENTS.md:28-55]()\n\n### Brief Output Schema\n\nThe `--brief` format provides a minimal summary object optimized for quick status checks:\n\n```json\n{\n  \"servers\": 3,\n  \"critical\": 1,\n  \"high\": 2,\n  \"medium\": 4,\n  \"low\": 5,\n  \"poisoned\": 0,\n  \"status\": \"fail\",\n  \"exitCode\": 2\n}\n```\n\n| Field | Type | Description |\n|-------|------|-------------|\n| `servers` | number | Non-decoy, non-error servers scanned |\n| `critical` | number | Critical severity tool count |\n| `high` | number | High severity tool count |\n| `medium` | number | Medium severity tool count |\n| `low` | number | Low severity tool count |\n| `poisoned` | number | Prompt injection findings |\n| `status` | string | \"pass\", \"warn\", or \"fail\" |\n| `exitCode` | number | Process exit code (0/1/2) |\n\n资料来源：[AGENTS.md:60-75]()\n\n## SARIF 2.1.0 Output\n\nSARIF (Static Analysis Results Interchange Format) is generated by the `toSarif()` function in `lib/sarif.mjs`. 
This format is specifically designed for integration with GitHub Security tab and other security scanning platforms.\n\n### Key Features\n\n- **Rule definitions** mapping to OWASP Agentic Top 10 categories (ASI01–ASI05)\n- **Result categorization** by severity level\n- **Tool metadata** including version and run timestamps\n- **Multi-host support** in result locations\n\n### CLI Integration\n\nWhen using the GitHub Action or CLI with SARIF output:\n\n```bash\nnode bin/cli.mjs --sarif --no-advisories > scan-results.sarif\n```\n\nThe SARIF file can then be uploaded using the GitHub CodeQL action:\n\n```yaml\n- uses: github/codeql-action/upload-sarif@v3\n  with:\n    sarif_file: ${{ steps.scan.outputs.sarif-file }}\n    category: decoy-scan\n```\n\n资料来源：[action.yml:40-45]()\n\n### SARIF Structure Overview\n\n```mermaid\ngraph TD\n    A[SARIF 2.1.0 Log] --> B[runs array]\n    B --> C[Tool driver]\n    B --> D[Results array]\n    B --> E[Rules definitions]\n    D --> F[Individual findings]\n    E --> G[ASI01-ASI05 mappings]\n    F --> H[severity, message, locations]\n```\n\n## Policy Configuration System\n\n### Policy Rules\n\nThe policy system uses comma-separated rules to define pass/fail criteria:\n\n| Rule | Effect | Example |\n|------|--------|---------|\n| `no-critical` | Fail on critical tools (code exec, file write) | `policy: no-critical` |\n| `no-high` | Fail on high-risk tools (file read, network) | `policy: no-high` |\n| `no-poisoning` | Fail on prompt injection in tool descriptions | `policy: no-poisoning` |\n| `no-toxic-flows` | Fail on cross-server data leak/destructive chains | `policy: no-toxic-flows` |\n| `no-secrets` | Fail on secrets exposed in MCP config | `policy: no-secrets` |\n| `require-tripwires` | Fail if decoy-tripwire not installed | `policy: require-tripwires` |\n| `max-critical=N` | Fail if critical tools exceed N | `policy: max-critical=0` |\n\nMultiple rules can be combined: `policy: 
no-critical,no-poisoning,no-toxic-flows`\n\n资料来源：[README.md:80-90]()\n\n### Policy Gates\n\nThe `analyzePolicyGates()` function evaluates scan results against configured policy rules. Each finding type maps to one or more policy rules:\n\n| Finding Type | Maps to Policy Rules |\n|--------------|---------------------|\n| Critical risk tools | `no-critical`, `max-critical=N` |\n| High risk tools | `no-high` |\n| Prompt injection | `no-poisoning` |\n| Toxic flows (TF001, TF002) | `no-toxic-flows` |\n| Environment exposure | `no-secrets` |\n| Missing decoy-tripwire | `require-tripwires` |\n\n资料来源：[index.mjs:RISK_PATTERNS,POISONING_PATTERNS]()\n\n## Exit Codes\n\nThe exit code system provides programmatic feedback about scan results:\n\n| Code | Meaning | Triggers |\n|------|---------|----------|\n| `0` | No critical or high-risk issues | Clean scan |\n| `1` | High-risk issues found | High-severity tools present |\n| `2` | Critical issues, tool poisoning, toxic flows, or policy violation | Critical tools, injection detected, or policy failure |\n\nExit codes are included in both `--json` and `--brief` output as the `exitCode` field, enabling conditional logic in scripts. Note that `child_process.execSync()` throws whenever the child exits non-zero, which is exactly the case (exit code 1 or 2) you want to inspect here, so read `stdout` from `spawnSync()` instead:\n\n```javascript\n// execSync() would throw on the non-zero exit that carries the findings;\n// spawnSync() returns stdout regardless of exit status.\nconst scan = childProcess.spawnSync('decoy-scan', ['--json'], { encoding: 'utf8' });\nif (scan.error) throw scan.error; // scanner could not be started at all\nconst result = JSON.parse(scan.stdout);\nif (result.exitCode === 2) {\n  process.exit(1); // Block deployment\n}\n```\n\n资料来源：[AGENTS.md:75-82]()\n\n## Explain Subcommand\n\nThe `explain` subcommand provides structured explanations for severity tiers, finding categories, poisoning types, and tool names:\n\n```bash\ndecoy-scan explain critical              # severity tier\ndecoy-scan explain tool-description     # finding category\ndecoy-scan explain prompt-override      # poisoning type\ndecoy-scan explain read_file           # tool name (runs real classifier)\ndecoy-scan explain list                 # enumerate all explainable targets\ndecoy-scan explain <target> --json      # structured output\n```\n\n### Explain Output Schema\n\n```json\n{\n  \"tool\": 
\"decoy-scan\",\n  \"version\": \"0.5.1\",\n  \"target\": \"critical\",\n  \"result\": {\n    \"kind\": \"tier\",\n    \"key\": \"critical\",\n    \"title\": \"Critical\",\n    \"summary\": \"Can execute code, modify data, or cause irreversible changes.\",\n    \"body\": \"Detailed explanation...\",\n    \"examples\": [\"execute_command\", \"write_file\", \"...\"],\n    \"advice\": \"Remediation guidance...\"\n  }\n}\n```\n\n| `result.kind` | Description |\n|---------------|-------------|\n| `tier` | Severity level (critical, high, medium, low) |\n| `category` | Finding category (env-exposure, missing-schema, etc.) |\n| `poisoning` | Poisoning type (instruction-override, credential-harvesting, etc.) |\n| `tool` | Tool name classification with risk level and matched pattern |\n\n资料来源：[AGENTS.md:32-55]()\n\n## CLI Options Reference\n\n| Option | Short | Description |\n|--------|-------|-------------|\n| `--json` | | JSON output format |\n| `--sarif` | | SARIF 2.1.0 output format |\n| `--brief` | | Brief summary (implies `--json`) |\n| `--verbose` | `-v` | Show all tools including low-risk |\n| `--quiet` | `-q` | Suppress status output |\n| `--no-probe` | | Config-only scan, skip server probing |\n| `--no-advisories` | | Skip network calls to advisory database |\n| `--no-telemetry` | | Opt out of telemetry |\n| `--policy` | | Comma-separated policy rules |\n| `--report` | | Upload results to Decoy Guard dashboard |\n| `--version` | `-V` | Print version |\n| `--help` | `-h` | Print help |\n\n资料来源：[AGENTS.md:15-30]()\n\n## Integration Patterns\n\n### CI/CD Pipeline\n\n```mermaid\ngraph LR\n    A[Push/PR] --> B[Checkout]\n    B --> C[decoy-scan Action]\n    C --> D{Policy Pass?}\n    D -->|Yes| E[Continue Build]\n    D -->|No| F[Fail Build]\n    C --> G[Upload SARIF]\n    G --> H[GitHub Security Tab]\n```\n\n### Agentic Workflow\n\n```mermaid\ngraph TD\n    A[Agent receives scan result] --> B{exitCode === 0?}\n    B -->|Yes| C[Proceed]\n    B -->|No| D{exitCode === 2?}\n 
   D -->|Yes| E[Block - Critical/Poisoning]\n    D -->|No| F{exitCode === 1?}\n    F -->|Yes| G[Warn - High-risk]\n    F -->|No| H[Unknown state]\n    B -->|Parse| I[Tool analysis]\n    I --> J[Explain each finding]\n    J --> K[Remediation]\n```\n\n## Output Stability Guarantees\n\ndecoy-scan maintains backward compatibility for structured outputs:\n\n1. **JSON Schema Versioning** — The `version` field in explain output enables consumers to handle schema changes\n2. **Exit Code Stability** — Exit code meanings are documented and stable across versions\n3. **SARIF Compliance** — SARIF output adheres to OASIS SARIF 2.1.0 specification\n\nThese guarantees enable reliable automation without constant schema adaptation.\n\n---\n\n---\n\n## Doramagic 踩坑日志\n\n项目：decoy-run/decoy-scan\n\n摘要：发现 7 个潜在踩坑项，其中 0 个为 high/blocking；最高优先级：能力坑 - 能力判断依赖假设。\n\n## 1. 能力坑 · 能力判断依赖假设\n\n- 严重度：medium\n- 证据强度：source_linked\n- 发现：README/documentation is current enough for a first validation pass.\n- 对用户的影响：假设不成立时，用户拿不到承诺的能力。\n- 建议检查：将假设转成下游验证清单。\n- 防护动作：假设必须转成验证项；没有验证结果前不能写成事实。\n- 证据：capability.assumptions | github_repo:1185640470 | https://github.com/decoy-run/decoy-scan | README/documentation is current enough for a first validation pass.\n\n## 2. 维护坑 · 维护活跃度未知\n\n- 严重度：medium\n- 证据强度：source_linked\n- 发现：未记录 last_activity_observed。\n- 对用户的影响：新项目、停更项目和活跃项目会被混在一起，推荐信任度下降。\n- 建议检查：补 GitHub 最近 commit、release、issue/PR 响应信号。\n- 防护动作：维护活跃度未知时，推荐强度不能标为高信任。\n- 证据：evidence.maintainer_signals | github_repo:1185640470 | https://github.com/decoy-run/decoy-scan | last_activity_observed missing\n\n## 3. 安全/权限坑 · 下游验证发现风险项\n\n- 严重度：medium\n- 证据强度：source_linked\n- 发现：no_demo\n- 对用户的影响：下游已经要求复核，不能在页面中弱化。\n- 建议检查：进入安全/权限治理复核队列。\n- 防护动作：下游风险存在时必须保持 review/recommendation 降级。\n- 证据：downstream_validation.risk_items | github_repo:1185640470 | https://github.com/decoy-run/decoy-scan | no_demo; severity=medium\n\n## 4. 
安全/权限坑 · 存在评分风险\n\n- 严重度：medium\n- 证据强度：source_linked\n- 发现：no_demo\n- 对用户的影响：风险会影响是否适合普通用户安装。\n- 建议检查：把风险写入边界卡，并确认是否需要人工复核。\n- 防护动作：评分风险必须进入边界卡，不能只作为内部分数。\n- 证据：risks.scoring_risks | github_repo:1185640470 | https://github.com/decoy-run/decoy-scan | no_demo; severity=medium\n\n## 5. 安全/权限坑 · 来源证据：Decoy Scan - MCP Security for CI/CD\n\n- 严重度：medium\n- 证据强度：source_linked\n- 发现：GitHub 社区证据显示该项目存在一个安全/权限相关的待验证问题：Decoy Scan - MCP Security for CI/CD\n- 对用户的影响：可能影响授权、密钥配置或安全边界。\n- 建议检查：来源显示可能已有修复、规避或版本变化，说明书中必须标注适用版本。\n- 防护动作：不得脱离来源链接放大为确定性结论；需要标注适用版本和复核状态。\n- 证据：community_evidence:github | cevd_1dfbf3581ef44580b28d89d74f78c803 | https://github.com/decoy-run/decoy-scan/releases/tag/v1 | 来源类型 github_release 暴露的待验证使用条件。\n\n## 6. 维护坑 · issue/PR 响应质量未知\n\n- 严重度：low\n- 证据强度：source_linked\n- 发现：issue_or_pr_quality=unknown。\n- 对用户的影响：用户无法判断遇到问题后是否有人维护。\n- 建议检查：抽样最近 issue/PR，判断是否长期无人处理。\n- 防护动作：issue/PR 响应未知时，必须提示维护风险。\n- 证据：evidence.maintainer_signals | github_repo:1185640470 | https://github.com/decoy-run/decoy-scan | issue_or_pr_quality=unknown\n\n## 7. 维护坑 · 发布节奏不明确\n\n- 严重度：low\n- 证据强度：source_linked\n- 发现：release_recency=unknown。\n- 对用户的影响：安装命令和文档可能落后于代码，用户踩坑概率升高。\n- 建议检查：确认最近 release/tag 和 README 安装命令是否一致。\n- 防护动作：发布节奏未知或过期时，安装说明必须标注可能漂移。\n- 证据：evidence.maintainer_signals | github_repo:1185640470 | https://github.com/decoy-run/decoy-scan | release_recency=unknown\n\n<!-- canonical_name: decoy-run/decoy-scan; human_manual_source: deepwiki_human_wiki -->\n",
      "summary": "DeepWiki/Human Wiki 完整输出，末尾追加 Discovery Agent 踩坑日志。",
      "title": "Human Manual / 人类版说明书"
    },
    "pitfall_log": {
      "asset_id": "pitfall_log",
      "filename": "PITFALL_LOG.md",
      "markdown": "# Pitfall Log / 踩坑日志\n\n项目：decoy-run/decoy-scan\n\n摘要：发现 7 个潜在踩坑项，其中 0 个为 high/blocking；最高优先级：能力坑 - 能力判断依赖假设。\n\n## 1. 能力坑 · 能力判断依赖假设\n\n- 严重度：medium\n- 证据强度：source_linked\n- 发现：README/documentation is current enough for a first validation pass.\n- 对用户的影响：假设不成立时，用户拿不到承诺的能力。\n- 建议检查：将假设转成下游验证清单。\n- 防护动作：假设必须转成验证项；没有验证结果前不能写成事实。\n- 证据：capability.assumptions | github_repo:1185640470 | https://github.com/decoy-run/decoy-scan | README/documentation is current enough for a first validation pass.\n\n## 2. 维护坑 · 维护活跃度未知\n\n- 严重度：medium\n- 证据强度：source_linked\n- 发现：未记录 last_activity_observed。\n- 对用户的影响：新项目、停更项目和活跃项目会被混在一起，推荐信任度下降。\n- 建议检查：补 GitHub 最近 commit、release、issue/PR 响应信号。\n- 防护动作：维护活跃度未知时，推荐强度不能标为高信任。\n- 证据：evidence.maintainer_signals | github_repo:1185640470 | https://github.com/decoy-run/decoy-scan | last_activity_observed missing\n\n## 3. 安全/权限坑 · 下游验证发现风险项\n\n- 严重度：medium\n- 证据强度：source_linked\n- 发现：no_demo\n- 对用户的影响：下游已经要求复核，不能在页面中弱化。\n- 建议检查：进入安全/权限治理复核队列。\n- 防护动作：下游风险存在时必须保持 review/recommendation 降级。\n- 证据：downstream_validation.risk_items | github_repo:1185640470 | https://github.com/decoy-run/decoy-scan | no_demo; severity=medium\n\n## 4. 安全/权限坑 · 存在评分风险\n\n- 严重度：medium\n- 证据强度：source_linked\n- 发现：no_demo\n- 对用户的影响：风险会影响是否适合普通用户安装。\n- 建议检查：把风险写入边界卡，并确认是否需要人工复核。\n- 防护动作：评分风险必须进入边界卡，不能只作为内部分数。\n- 证据：risks.scoring_risks | github_repo:1185640470 | https://github.com/decoy-run/decoy-scan | no_demo; severity=medium\n\n## 5. 安全/权限坑 · 来源证据：Decoy Scan - MCP Security for CI/CD\n\n- 严重度：medium\n- 证据强度：source_linked\n- 发现：GitHub 社区证据显示该项目存在一个安全/权限相关的待验证问题：Decoy Scan - MCP Security for CI/CD\n- 对用户的影响：可能影响授权、密钥配置或安全边界。\n- 建议检查：来源显示可能已有修复、规避或版本变化，说明书中必须标注适用版本。\n- 防护动作：不得脱离来源链接放大为确定性结论；需要标注适用版本和复核状态。\n- 证据：community_evidence:github | cevd_1dfbf3581ef44580b28d89d74f78c803 | https://github.com/decoy-run/decoy-scan/releases/tag/v1 | 来源类型 github_release 暴露的待验证使用条件。\n\n## 6. 
维护坑 · issue/PR 响应质量未知\n\n- 严重度：low\n- 证据强度：source_linked\n- 发现：issue_or_pr_quality=unknown。\n- 对用户的影响：用户无法判断遇到问题后是否有人维护。\n- 建议检查：抽样最近 issue/PR，判断是否长期无人处理。\n- 防护动作：issue/PR 响应未知时，必须提示维护风险。\n- 证据：evidence.maintainer_signals | github_repo:1185640470 | https://github.com/decoy-run/decoy-scan | issue_or_pr_quality=unknown\n\n## 7. 维护坑 · 发布节奏不明确\n\n- 严重度：low\n- 证据强度：source_linked\n- 发现：release_recency=unknown。\n- 对用户的影响：安装命令和文档可能落后于代码，用户踩坑概率升高。\n- 建议检查：确认最近 release/tag 和 README 安装命令是否一致。\n- 防护动作：发布节奏未知或过期时，安装说明必须标注可能漂移。\n- 证据：evidence.maintainer_signals | github_repo:1185640470 | https://github.com/decoy-run/decoy-scan | release_recency=unknown\n",
      "summary": "用户实践前最可能遇到的身份、安装、配置、运行和安全坑。",
      "title": "Pitfall Log / 踩坑日志"
    },
    "prompt_preview": {
      "asset_id": "prompt_preview",
      "filename": "PROMPT_PREVIEW.md",
      "markdown": "# decoy-scan - Prompt Preview\n\n> Copy the prompt below into your AI host before installing anything.\n> Its purpose is to let you safely feel the project's workflow, not to claim the project has already run.\n\n## Copy this prompt\n\n```text\nYou are using an independent Doramagic capability pack for decoy-run/decoy-scan.\n\nProject:\n- Name: decoy-scan\n- Repository: https://github.com/decoy-run/decoy-scan\n- Summary: Security scanner for MCP server configurations. Like npm audit, but for your AI agent tool servers. Finds risky tools, input validation gaps, transport vulnerabilities, and over-permissioned capability chains. Open source, zero dependencies.\n- Host target: mcp_host\n\nGoal:\nHelp me evaluate this project for the following task without installing it yet: Security scanner for MCP server configurations. Like npm audit, but for your AI agent tool servers. Finds risky tools, input validation gaps, transport vulnerabilities, and over-permissioned capability chains. Open source, zero dependencies.\n\nBefore taking action:\n1. Restate my task, success standard, and boundary.\n2. Identify whether the next step requires tools, browser access, network access, filesystem access, credentials, package installation, or host configuration.\n3. Use only the Doramagic Project Pack, the upstream repository, and the source-linked evidence listed below.\n4. If a real command, install step, API call, file write, or host integration is required, mark it as \"requires post-install verification\" and ask for approval first.\n5. If evidence is missing, say \"evidence is missing\" instead of filling the gap.\n\nPreviewable capabilities:\n- Capability 1: Security scanner for MCP server configurations. Like npm audit, but for your AI agent tool servers. Finds risky tools, input validation gaps, transport vulnerabilities, and over-permissioned capability chains. 
Open source, zero dependencies.\n\nCapabilities that require post-install verification:\n- Capability 1: Use the source-backed project context to guide one small, checkable workflow step.\n\nCore service flow:\n1. page-1: Overview. Produce one small intermediate artifact and wait for confirmation.\n2. page-2: Installation and Quick Start. Produce one small intermediate artifact and wait for confirmation.\n3. page-3: System Architecture. Produce one small intermediate artifact and wait for confirmation.\n4. page-5: Security Checks and Detection. Produce one small intermediate artifact and wait for confirmation.\n5. page-8: CLI Reference. Produce one small intermediate artifact and wait for confirmation.\n\nSource-backed evidence to keep in mind:\n- https://github.com/decoy-run/decoy-scan\n- https://github.com/decoy-run/decoy-scan#readme\n- README.md\n- index.mjs\n- package.json\n- bin/cli.mjs\n- lib/discovery.mjs\n- lib/scan.mjs\n- lib/probe.mjs\n- lib/telemetry.mjs\n\nFirst response rules:\n1. Start Step 1 only.\n2. Explain the one service action you will perform first.\n3. Ask exactly three questions about my target workflow, success standard, and sandbox boundary.\n4. Stop and wait for my answers.\n\nStep 1 follow-up protocol:\n- After I answer the first three questions, stay in Step 1.\n- Produce six parts only: clarified task, success standard, boundary conditions, two or three options, tradeoffs for each option, and one recommendation.\n- End by asking whether I confirm the recommendation.\n- Do not move to Step 2 until I explicitly confirm.\n\nConversation rules:\n- Advance one step at a time and wait for confirmation after each small artifact.\n- Write outputs as recommendations or planned checks, not as completed execution.\n- Do not claim tests passed, files changed, commands ran, APIs were called, or the project was installed.\n- If the user asks for execution, first provide the sandbox setup, expected output, rollback, and approval checkpoint.\n```\n",
      "summary": "不安装项目也能感受能力节奏的安全试用 Prompt。",
      "title": "Prompt Preview / 安装前试用 Prompt"
    },
    "quick_start": {
      "asset_id": "quick_start",
      "filename": "QUICK_START.md",
      "markdown": "# Quick Start / 官方入口\n\n项目：decoy-run/decoy-scan\n\n## 官方安装入口\n\n### Node.js / npx · 官方安装入口\n\n```bash\nnpx decoy-scan\n```\n\n来源：https://github.com/decoy-run/decoy-scan#readme\n\n## 安全提示 / Security notes\n\n- `npx decoy-scan` downloads and executes whatever version of the package is currently published on npm. Pin an explicit version (`npx decoy-scan@<version>`) and confirm the npm package name matches the repository above before running it outside an isolated environment.\n- By default the scan probes the configured MCP servers and makes network calls (advisory lookups, telemetry). Use `--no-probe --no-advisories --no-telemetry` for a config-only, offline run.\n- Scan output includes each server's command and arguments plus env-exposure findings about secrets in your MCP host configs. Treat it as sensitive and review it before uploading anywhere with `--report`.\n\n## 来源\n\n- repo: https://github.com/decoy-run/decoy-scan\n- docs: https://github.com/decoy-run/decoy-scan#readme\n",
      "summary": "从项目官方 README 或安装文档提取的开工入口。",
      "title": "Quick Start / 官方入口"
    }
  },
  "validation_id": "dval_433a8a227aee446a86b78cc771e0d20b"
}
