v0.2.0 — tar-engine scan CLI, multi-format discovery, quality lint rules
New tar-engine scan CLI for CI usage. Drop into GitHub Actions / pre-commit hooks to audit AI skill safety before you ship.
What's new
CLI (new tar-engine console script)
scan <path>andlist <path>subcommands- 5-format discovery:
SKILL.md,.claude/commands/*.md,skill.yaml,manifest.json,opencode.json - Side-file scan: bundles
.sh / .py / .js / .ts / .yaml / .jsonhelpers in the skill directory into the audit payload (200 KB cap). Catches the "SKILL.md clean but install.sh malicious" pattern. - Flags:
--min-score N,--json,--concurrency,--lang en|zh,-v - Exit codes:
0clean,1below threshold,2usage error
Engine
- 2 new informational quality lint rules:
QL-001shell-no-error-handlingQL-002unpinned-install
- New
qualitycategory in score breakdown - RULE_SET_VERSION bumped to 1.1.0
Install
claude mcp add tar-engine -- uvx --from "git+https://github.com/qingxuantang/tar-engine@v0.2.0" tar-engine-mcp
Backwards compatibility
tar-engine-mcpMCP server entry unchanged- New
tar-enginebinary is additive
Deferred
QL-003 broken_anchor_link— naive regex false-positives on every valid anchor link, needscheck_documentcross-reference hook. Tracked as a follow-up.