Releases: pezhik/skilltotal

v0.18.0

20 Jun 21:22

Added

  • Package-name typosquatting detection (ST-TYPOSQUAT). Flags an npm/PyPI package whose name
    is within one or two character edits of a well-known popular package, the classic
    supply-chain name-confusion attack (e.g. lodash vs. loddash). Deterministic, stdlib-only,
    no LLM; a synthesized finding keyed off component identity, with evidence anchored to the
    manifest's name declaration (skilltotal/typosquatting.py). Conservative (exact matches,
    scoped names, and short names are never flagged), which keeps false positives at zero on
    benign corpora. Maps to OWASP AST02 (Supply Chain Compromise). Ruleset 19.
  • GitHub Action: optional pull-request comment. A new comment-on-pr input posts (and updates
    in place) a single sticky summary comment with the risk level, score, findings, and
    capabilities on pull requests. Off by default; requires the pull-requests: write
    permission. SARIF upload to Code Scanning is unchanged.
  • README: "Add a status badge" section pointing to the per-report badge snippet.

v0.17.0

19 Jun 20:40

Added

  • OWASP Agentic Skills Top 10 mapping. Every finding now carries machine-readable owasp
    category ids (e.g. ["AST04"]) in the JSON report, and SARIF output emits the taxonomy as a
    native taxonomies entry plus per-rule relationships. Deterministic projection over the rule
    registry (skilltotal/owasp.py); no execution, no LLM. Findings with no defensible static
    mapping (raw capabilities, classic code-level vulns) carry an empty list rather than a
    forced category; see docs/owasp-agentic-skills-mapping.md. Report schema 1.4 (adds
    finding.owasp); ruleset 18.
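
How a rule-registry projection of this kind can feed both outputs, as an added example (not skilltotal/owasp.py). The registry contents, the two hypothetical rule ids, the finding and result shapes, and the `skilltotal-example` driver name are constructed; only ST-TYPOSQUAT and AST02 (Supply Chain Compromise) come from this page. The SARIF structure used (`runs[].taxonomies[]` holding taxa, and `relationships` on each rule pointing at a taxon by id and tool component name) is standard SARIF 2.1.0:

```python
"""Project OWASP Agentic Skills Top 10 ids over a rule registry into (a) a per-finding
`owasp` list for the JSON report and (b) a SARIF taxonomy with per-rule relationships.

Added example, not skilltotal/owasp.py. The registry, rule ids other than ST-TYPOSQUAT,
and the finding/result shapes are constructed; only AST02's name is taken from the page.
"""
import json

TAXONOMY_NAME = "OWASP Agentic Skills Top 10"

# Constructed rule registry: rule id -> category ids. An empty list is deliberate for
# findings with no defensible static mapping (raw capabilities, classic code-level vulns).
RULE_OWASP = {
    "ST-TYPOSQUAT": ["AST02"],
    "ST-EXAMPLE-DEP-CONFUSION": ["AST02"],   # hypothetical rule id
    "ST-EXAMPLE-CAP-NETWORK": [],            # hypothetical raw-capability rule: unmapped
}
# Categories known to this example; extend with the rest of the taxonomy.
OWASP_TAXA = {"AST02": "Supply Chain Compromise"}


def annotate(findings: list[dict]) -> list[dict]:
    """Add finding.owasp from the registry. Unknown rules get [] rather than a guess."""
    return [{**f, "owasp": list(RULE_OWASP.get(f["rule"], []))} for f in findings]


def select_by_category(findings: list[dict], category: str) -> list[dict]:
    """Consumer-side gate: e.g. fail a release job on any AST02 finding."""
    return [f for f in findings if category in f.get("owasp", [])]


def to_sarif(findings: list[dict]) -> dict:
    """Emit a SARIF 2.1.0 run: rules link to taxa via relationships, taxa live in taxonomies."""
    rules = []
    for rule_id in sorted({f["rule"] for f in findings}):
        rule = {"id": rule_id}
        rels = [{"target": {"id": c, "toolComponent": {"name": TAXONOMY_NAME}},
                 "kinds": ["superset"]} for c in RULE_OWASP.get(rule_id, [])]
        if rels:                      # unmapped rules simply carry no relationships
            rule["relationships"] = rels
        rules.append(rule)
    results = [{
        "ruleId": f["rule"], "level": f.get("level", "warning"),
        "message": {"text": f["message"]},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": f["file"]},
            "region": {"startLine": f["line"]}}}],
    } for f in findings]
    taxonomy = {"name": TAXONOMY_NAME, "taxa": [
        {"id": cid, "name": cname, "shortDescription": {"text": cname}}
        for cid, cname in OWASP_TAXA.items()]}
    return {"$schema": "https://json.schemastore.org/sarif-2.1.0.json", "version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": "skilltotal-example", "rules": rules}},
                      "taxonomies": [taxonomy], "results": results}]}


# Constructed findings as a scanner might emit them before OWASP annotation.
SAMPLE_FINDINGS = [
    {"rule": "ST-TYPOSQUAT", "level": "error", "file": "package.json", "line": 3,
     "message": "name 'loddash' is 1 edit from popular package 'lodash'"},
    {"rule": "ST-EXAMPLE-CAP-NETWORK", "file": "src/index.js", "line": 12,
     "message": "outbound network capability (fetch)"},
]

if __name__ == "__main__":
    annotated = annotate(SAMPLE_FINDINGS)
    print(json.dumps({"findings": annotated}, indent=2))
    print(json.dumps(to_sarif(annotated), indent=2))
```

Keeping the projection as a pure function over the registry is what makes it deterministic and auditable: the same rule id always yields the same category list, and a rule the registry does not know yields an empty list rather than a guessed category, which is the behaviour the release note describes for raw capabilities and code-level vulnerabilities.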

v0.16.6

17 Jun 23:13

Fixed

  • .skilltotal.toml with a UTF-8 BOM is now parsed instead of being silently ignored. The
    config loader reads with utf-8-sig, so a leading BOM (commonly added by Windows editors and
    PowerShell) no longer voids the config — which previously could silently disable a configured CI
    gate (fail-open). No engine/detection or report-schema change (ruleset 17).

v0.16.5

17 Jun 22:14

Security / supply-chain hardening (CI only — engine unchanged, ruleset 17)

  • All GitHub Actions pinned to full commit SHA (with a version comment) across CI, CodeQL, Release, and the composite action.yml — removes the mutable-tag supply-chain risk.
  • Least-privilege permissions: declared at the top of every workflow.
  • OpenSSF Scorecard workflow + README badge (weekly supply-chain posture check, published to Code Scanning and the OpenSSF registry).
  • Dependabot for the github-actions ecosystem, so pinned SHAs are auto-updated.

No engine/detection or report-schema change — ruleset 17, report schema 1.3. Install: pip install skilltotal==0.16.5.
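
A check for two of the hardening items above (full-SHA pins on every `uses:` and a workflow-level `permissions:` block), written here as an added example that is not part of skilltotal's CI. It is deliberately line-oriented so it needs no YAML library. Both workflow texts are constructed, and the 40-hex value in them is a placeholder rather than a real commit; the step that uses the action is modelled on the usage snippet in the v0.16.3 notes, with the `pull-requests: write` permission the v0.18.0 PR-comment input requires:

```python
"""Audit workflow files for two hardening items: every `uses:` pinned to a full commit SHA
(or an image digest), and a top-level `permissions:` block.

Added example, not part of skilltotal's CI. Line-oriented on purpose so it needs no YAML
library; the two workflow texts are constructed and the 40-hex value is a placeholder.
"""
import re

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*(.+?)\s*$")
SHA_PIN_RE = re.compile(r"^[A-Za-z0-9_.\-/]+@[0-9a-f]{40}$")
DIGEST_PIN_RE = re.compile(r"^docker://[^@\s]+@sha256:[0-9a-f]{64}$")


def is_pinned(ref: str) -> bool:
    """Local actions (./path) carry no ref and are fine; everything else needs a SHA/digest.
    A tag such as @v4 or a branch such as @main is mutable and therefore unpinned."""
    if ref.startswith("./"):
        return True
    return bool(SHA_PIN_RE.match(ref) or DIGEST_PIN_RE.match(ref))


def audit_workflow(text: str) -> dict:
    """Return the unpinned `uses:` refs and whether workflow-level permissions are declared."""
    unpinned, top_level_permissions = [], False
    for line in text.splitlines():
        if line.startswith("permissions:"):        # column 0 = workflow level, not job level
            top_level_permissions = True
        m = USES_RE.match(line)
        if m:
            ref = m.group(1).split("#", 1)[0].strip().strip("'\"")   # drop '# v5' comment
            if not is_pinned(ref):
                unpinned.append(ref)
    return {"unpinned": unpinned, "top_level_permissions": top_level_permissions}


# Constructed: the common mutable-tag pattern, with one step already pinned (placeholder SHA).
BEFORE = """\
name: scan
on: [push, pull_request]
permissions:
  contents: read
jobs:
  skilltotal:
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # SARIF upload to Code Scanning
      pull-requests: write     # only needed if comment-on-pr is enabled
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v5 (placeholder)
      - uses: ./.github/actions/local-step
      - uses: "pezhik/skilltotal@v0.16.3"
        with:
          source: .
          fail-on: high
"""

# Constructed: every ref pinned, but no workflow-level permissions block, so the job
# token falls back to the repository's default permissions.
NO_TOP_PERMS = "\n".join([
    "name: release",
    "on: push",
    "jobs:",
    "  build:",
    "    runs-on: ubuntu-latest",
    "    steps:",
    "      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder)",
    "      - uses: docker://ghcr.io/example/image@sha256:" + "a" * 64,
    "",
])

if __name__ == "__main__":
    for label, text in (("BEFORE", BEFORE), ("NO_TOP_PERMS", NO_TOP_PERMS)):
        print(label, audit_workflow(text))
```

Replacing each flagged tag with the commit it currently resolves to (keeping the version as a trailing comment, as the release note describes) closes the mutable-tag gap; the Dependabot `github-actions` ecosystem entry from the same release is what keeps those SHAs moving afterwards, since a pin that is never updated just trades one risk for stale dependencies.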

v0.16.3

17 Jun 15:46

SkillTotal statically scans AI components — MCP servers, agent skills/plugins, npm/PyPI
packages, and repositories — for supply-chain risk, dangerous capabilities, prompt-injection
surfaces, and data-exfiltration paths. Deterministic (regex + AST, no LLM), offline, and
evidence-anchored (every finding points at an exact file:line). Uploads SARIF to GitHub Code
Scanning and fails the build on high/critical findings.

Usage

- uses: pezhik/skilltotal@v0.16.3
  with:
    source: .          # a path, a git URL, or an npm:/pypi:<name> spec
    fail-on: high      # fail on a high/critical finding (or 'none')

Highlights (since 0.15)

  • E-mail/SMTP exfiltration channel — catches mail backdoors (e.g. constant-BCC).
  • .pth auto-exec, shell decode-and-exec / curl | bash, defense-evasion idioms, and install-time dropper correlation.
  • MCP: over-broad scope detection + mapping to the OWASP MCP Security Cheat Sheet.
  • Data-flow: lethal-trifecta and malicious-indicator convergence findings.

Changelog: https://github.com/pezhik/skilltotal/blob/main/CHANGELOG.md