Skip to content

v0.2.0 — tar-engine scan CLI, multi-format discovery, quality lint rules

Choose a tag to compare

@qingxuantang qingxuantang released this 16 Jun 01:41

New tar-engine scan CLI for CI usage. Drop into GitHub Actions / pre-commit hooks to audit AI skill safety before you ship.

What's new

CLI (new tar-engine console script)

  • scan <path> and list <path> subcommands
  • 5-format discovery: SKILL.md, .claude/commands/*.md, skill.yaml, manifest.json, opencode.json
  • Side-file scan: bundles .sh / .py / .js / .ts / .yaml / .json helpers in the skill directory into the audit payload (200 KB cap). Catches the "SKILL.md clean but install.sh malicious" pattern.
  • Flags: --min-score N, --json, --concurrency, --lang en|zh, -v
  • Exit codes: 0 clean, 1 below threshold, 2 usage error

Engine

  • 2 new informational quality lint rules:
    • QL-001 shell-no-error-handling
    • QL-002 unpinned-install
  • New quality category in score breakdown
  • RULE_SET_VERSION bumped to 1.1.0

Install

claude mcp add tar-engine -- uvx --from "git+https://github.com/qingxuantang/tar-engine@v0.2.0" tar-engine-mcp

Backwards compatibility

  • tar-engine-mcp MCP server entry unchanged
  • New tar-engine binary is additive

Deferred

  • QL-003 broken_anchor_link — naive regex false-positives on every valid anchor link, needs check_document cross-reference hook. Tracked as a follow-up.