feat: release v1.0.0 with security check

Author: yeasy

.gitignore

@@ -32,3 +32,4 @@ ask.yaml
 homebrew-tap/
 dist/
 .agent/
+.ask/

CHANGELOG.md

@@ -5,6 +5,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.0.0] - 2026-01-25
+
+### Added
+- **Security Checks**: New `ask check` command to scan skills for secrets, dangerous commands, and suspicious files.
+- **Security Reports**: Generate detailed security reports in Markdown or HTML with `ask check --report <file>`.
+- **Entropy Analysis**: Smart secret detection using Shannon entropy to reduce false positives.
+
 ## [1.0.0-rc2] - 2026-01-24
 
 ### Added

README.md

@@ -99,6 +99,10 @@ ask install mcp-builder@v1.0.0
 
 # Install for specific agent
 ask install mcp-builder --agent claude
+
+# Security Check
+ask check .
+ask check anthropics/mcp-builder --report report.html
 ```
 
 ## 📋 Commands
@@ -112,6 +116,7 @@ ask install mcp-builder --agent claude
 | `ask skill uninstall <name>` | Remove a skill |
 | `ask skill update` | Update skills to latest version |
 | `ask skill outdated` | Check for newer versions |
+| `ask skill check <path>` | Security scan (Secrets, Dangerous Commands) |
 
 ### Repository Management
 | Command | Description |

README_zh.md

@@ -99,6 +99,10 @@ ask install mcp-builder@v1.0.0
 
 # 为指定 Agent 安装
 ask install mcp-builder --agent claude
+
+# 安全检查
+ask check .
+ask check anthropics/mcp-builder --report report.html
 ```
 
 ## 📋 命令参考
@@ -112,6 +116,7 @@ ask install mcp-builder --agent claude
 | `ask uninstall <name>` | 卸载 Skill |
 | `ask update` | 更新 Skill 到最新版本 |
 | `ask outdated` | 检查可用更新 |
+| `ask check <path>` | 安全扫描 (密钥泄漏, 危险命令等) |
 
 ### 仓库管理
 | 命令 | 说明 |

cmd/check.go

@@ -0,0 +1,134 @@
+package cmd
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/fatih/color"
+	"github.com/spf13/cobra"
+	"github.com/yeasy/ask/internal/skill"
+)
+
+// checkCmd represents the check command
+var checkCmd = &cobra.Command{
+	Use:   "check [skill-path]",
+	Short: "Check a skill for security issues",
+	Long: `Analyze a skill directory for potential security risks, 
+including hardcoded secrets, dangerous commands, and network activity.
+
+If skill-path is not provided, the current directory is checked.`,
+	Args: cobra.MaximumNArgs(1),
+	Run:  runCheck,
+}
+
+var reportFile string
+
+func init() {
+	checkCmd.Flags().StringVar(&reportFile, "report", "", "Save report to file (supports .md, .html)")
+}
+
+func runCheck(cmd *cobra.Command, args []string) {
+	skillPath := "."
+	if len(args) > 0 {
+		skillPath = args[0]
+	}
+
+	absPath, err := filepath.Abs(skillPath)
+	if err != nil {
+		fmt.Printf("Error resolving path: %v\n", err)
+		os.Exit(1)
+	}
+
+	if !skill.FindSkillMD(absPath) {
+		fmt.Printf("Error: No SKILL.md found in %s. Is this a valid skill directory?\n", absPath)
+		os.Exit(1)
+	}
+
+	fmt.Printf("Checking skill at %s...\n", absPath)
+	result, err := skill.CheckSafety(absPath)
+	if err != nil {
+		fmt.Printf("Error checking skill: %v\n", err)
+		os.Exit(1)
+	}
+
+	if reportFile != "" {
+		handleReport(result, reportFile)
+	} else {
+		printReport(result)
+	}
+}
+
+func handleReport(result *skill.CheckResult, filename string) {
+	ext := filepath.Ext(filename)
+	format := "md"
+	if ext == ".html" || ext == ".htm" {
+		format = "html"
+	}
+
+	content, err := skill.GenerateReport(result, format)
+	if err != nil {
+		fmt.Printf("Error generating report: %v\n", err)
+		os.Exit(1)
+	}
+
+	if err := os.WriteFile(filename, []byte(content), 0644); err != nil {
+		fmt.Printf("Error writing report to %s: %v\n", filename, err)
+		os.Exit(1)
+	}
+
+	fmt.Printf("\n%s Security report saved to %s\n", color.GreenString("✓"), filename)
+
+	// Print a brief summary even when saving to file
+	criticals := 0
+	for _, f := range result.Findings {
+		if f.Severity == skill.SeverityCritical {
+			criticals++
+		}
+	}
+	if criticals > 0 {
+		fmt.Printf("%s Found %d critical issues. Please review the report.\n", color.RedString("!"), criticals)
+		os.Exit(1)
+	}
+}
+
+func printReport(result *skill.CheckResult) {
+	fmt.Printf("\nSecurity Report for: %s\n", color.CyanString(result.SkillName))
+	fmt.Println("----------------------------------------")
+
+	if len(result.Findings) == 0 {
+		color.Green("✓ No issues found. Skill appears safe.\n")
+		return
+	}
+
+	criticals := 0
+	warnings := 0
+	infos := 0
+
+	for _, finding := range result.Findings {
+		switch finding.Severity {
+		case skill.SeverityCritical:
+			criticals++
+			printFinding(color.RedString("[CRITICAL]"), finding)
+		case skill.SeverityWarning:
+			warnings++
+			printFinding(color.YellowString("[WARNING] "), finding)
+		case skill.SeverityInfo:
+			infos++
+			printFinding(color.BlueString("[INFO]    "), finding)
+		}
+	}
+
+	fmt.Println("----------------------------------------")
+	fmt.Printf("Summary: %d Critical, %d Warning, %d Info\n", criticals, warnings, infos)
+
+	if criticals > 0 {
+		os.Exit(1) // Exit with error if critical issues found
+	}
+}
+
+func printFinding(prefix string, finding skill.Finding) {
+	fmt.Printf("%s %s\n", prefix, finding.Description)
+	fmt.Printf("  File: %s:%d\n", finding.File, finding.Line)
+	fmt.Printf("  Match: %s\n\n", finding.Match)
+}

cmd/root.go

@@ -24,6 +24,7 @@ Skill Commands (ask skill <command>):
   info        Show detailed skill information
   update      Update skills to latest versions
   outdated    Check for available updates
+  check       Check a skill for security issues
   create      Create a new skill template
 
 Repository Commands (ask repo <command>):
@@ -46,7 +47,7 @@ Codex, etc.) with a familiar CLI experience, just like Homebrew or npm.`,
 	// Uncomment the following line if your bare application
 	// has an action associated with it:
 	// Run: func(cmd *cobra.Command, args []string) { },
-	Version: "1.0.0-rc2",
+	Version: "1.0.0",
 }
 
 // Top-level aliases (Docker-style)
@@ -84,6 +85,13 @@ var uninstallRootCmd = &cobra.Command{
 	Run:     uninstallCmd.Run,
 }
 
+var checkRootCmd = &cobra.Command{
+	Use:   "check [skill-path]",
+	Short: "Check a skill for security issues (alias for 'skill check')",
+	Long:  "Analyze a skill directory for potential security risks.\nThis is a shortcut for 'ask skill check'.",
+	Run:   runCheck,
+}
+
 // Execute adds all child commands to the root command and sets flags appropriately.
 // This is called by main.main(). It only needs to happen once to the rootCmd.
 func Execute() {
@@ -118,13 +126,15 @@ func init() {
 	registerListFlags(listRootCmd)
 
 	rootCmd.AddCommand(uninstallRootCmd)
+	rootCmd.AddCommand(checkRootCmd)
 	// No specific flags to register for uninstall root shim as it uses uninstallCmd.Run directly?
 	// Actually uninstallCmd.Run uses flags so we should share flags definition or re-register.
 	// Since uninstallCmd is in another file, we can't easily reuse 'registerUninstallFlags' unless we export it.
 	// But uninstallCmd is exported. Let's see how registerListFlags works.
 	// It's likely defined in list.go.
 	// We should probably just copy flags setup here.
 	uninstallRootCmd.Flags().AddFlagSet(uninstallCmd.Flags())
+	checkRootCmd.Flags().StringVar(&reportFile, "report", "", "Save report to file (supports .md, .html)")
 }
 
 // initConfig reads in config file and ENV variables if set.

cmd/skill.go

@@ -20,4 +20,5 @@ Examples:
 
 func init() {
 	rootCmd.AddCommand(skillCmd)
+	skillCmd.AddCommand(checkCmd)
 }

docs/commands.md

@@ -244,6 +244,28 @@ Generate shell completion scripts.
 ask completion [bash|zsh|fish|powershell]
 ```
 
+
+---
+
+### ask skill check
+
+Check a skill for security issues.
+
+```bash
+ask skill check <skill-path>      # Check local skill
+ask skill check .                 # Check current directory
+ask skill check --report out.html # Generate HTML report
+```
+
+**Flags:**
+- `--report`: Save detailed findings to a file (`.md` or `.html`).
+
+**What it does:**
+- Scans for hardcoded secrets (API keys, tokens)
+- specific dangerous commands (`rm -rf`, `sudo`, reverse shells)
+- Flags suspicious file extensions (`.exe`, `.dll`, etc.)
+- Calculates entropy to reduce false positives
+
 ---
 
 ## Global Flags

go.mod

@@ -3,6 +3,7 @@ module github.com/yeasy/ask
 go 1.24.2
 
 require (
+	github.com/fatih/color v1.18.0
 	github.com/schollz/progressbar/v3 v3.19.0
 	github.com/spf13/cobra v1.10.2
 	github.com/spf13/viper v1.21.0
@@ -13,6 +14,8 @@ require (
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db // indirect
 	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect

go.sum

@@ -3,6 +3,8 @@ github.com/chengxilo/virtualterm v1.0.4/go.mod h1:DyxxBZz/x1iqJjFxTFcr6/x+jSpqN0
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
+github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
 github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
@@ -17,6 +19,11 @@ github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
+github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
+github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc=
 github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db h1:62I3jR2EmQ4l5rM/4FEfDWcRD+abF5XlKShorW5LRoQ=
@@ -53,6 +60,8 @@ github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8
 github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
+golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
 golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.28.0 h1:/Ts8HFuMR2E6IP/jlo7QVLZHggjKQbhu/7H0LJFr3Gg=