MCPcopy Index your code
hub / github.com/alice-dot-io/caterpillar

github.com/alice-dot-io/caterpillar @main

Chat with this repo
repository ↗ · DeepWiki ↗ · + Follow
111 symbols 310 edges 33 files 9 documented · 8%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

Caterpillar

Security scanner for AI agent skills. Scans for malicious patterns before you install.

Install

curl -fsSL caterpillar.alice.io/d/i.sh | sh

Or via npm:

npm install -g @alice-io/caterpillar

Windows (PowerShell):

irm caterpillar.alice.io/d/i.ps1 | iex

Requires Node.js >= 18.

Usage

# Authenticate (opens browser)
caterpillar login

# Scan a skill file before installing
caterpillar ask ./path/to/SKILL.md

# Scan all installed skills
caterpillar scan

# Scan a directory
caterpillar scan ./my-skills/

Scan Modes

Caterpillar supports three scan modes:

# Alice API — most thorough, requires login
caterpillar ask ./skill/ --mode alice

# OpenAI — use your own OpenAI API key
caterpillar ask ./skill/ --mode openai

# Offline — fast pattern matching, no API needed
caterpillar ask ./skill/ --mode offline
  • Alice — sends skills to the Caterpillar server API for full analysis.
  • OpenAI — uses your own OpenAI API key for LLM analysis. All code is in this repo.
  • Offline — built-in pattern matching, no network calls. All code is in this repo.

By default, the mode is auto-detected based on available credentials.

Output Formats

# JSON output
caterpillar scan --json

# CSV output
caterpillar scan -o csv

# Verbose output with detailed findings
caterpillar ask ./skill/ --verbose

Each skill gets a grade (AF) and a score (0–100). Grade F exits with code 1 for CI/CD integration.

Configuration

# View current config
caterpillar config get

# Set a config value
caterpillar config set <key> <value>

What it detects

  • Credential theft (SSH keys, AWS credentials, API tokens)
  • Data exfiltration (curl/wget to external servers)
  • Persistence mechanisms (crontab, startup scripts)
  • Crypto wallet theft
  • Network attacks
  • Code obfuscation (base64, hex encoding)
  • Overly broad permissions
  • Supply chain attacks (postinstall hooks, remote script execution)

Library API

Use Caterpillar programmatically:

import { runPatternScan, ALL_RULES, scanSingleSkill, collectSkill } from '@alice-io/caterpillar';

// Collect a skill from a path
const skill = await collectSkill('./my-skill/');

// Run offline pattern scan
const results = runPatternScan(skill.content);

// Full scan with mode selection
const response = await scanSingleSkill(skill, { mode: 'offline' });

Development

# Install dependencies
npm install

# Run in dev mode (no build step)
npm run dev -- scan ./example_skills/

# Build the CLI binary
npm run build

# Run the built CLI
node dist/cli.js scan ./example_skills/

# Run tests
npm test

Links

Website · The Skills Report · Built by Alice

License

MIT

Extension points exported contracts — how you extend this code

SkillTarget (Interface)
(no doc)
core/src/commands/scan.ts
ScanRequest (Interface)
(no doc)
core/src/lib/api-client.ts
SecurityFinding (Interface)
(no doc)
core/src/lib/api-client.ts
ArtifactRecord (Interface)
(no doc)
core/src/lib/api-client.ts
ScanResponse (Interface)
(no doc)
core/src/lib/api-client.ts

Core symbols most depended-on inside this repo

getMimeType
called by 72
core/src/lib/mime.ts
runPatternScan
called by 21
core/src/lib/pattern-scanner.ts
isFancyTerminal
called by 17
core/src/lib/ui.ts
printInfo
called by 17
core/src/lib/display.ts
stop
called by 16
core/src/lib/ui.ts
printError
called by 13
core/src/lib/display.ts
loadConfig
called by 8
core/src/lib/config.ts
csvEscape
called by 8
core/src/lib/display.ts

Shape

Function 87
Interface 18
Method 4
Class 2

Languages

TypeScript100%

Modules by API surface

core/src/lib/ui.ts23 symbols
core/src/lib/scan-skill.ts16 symbols
core/src/lib/display.ts16 symbols
core/src/lib/config.ts9 symbols
core/src/lib/collector.ts9 symbols
core/src/lib/api-client.ts9 symbols
core/src/commands/scan.ts6 symbols
core/src/lib/archives.ts5 symbols
core/src/lib/virustotal.ts3 symbols
core/src/lib/pattern-scanner.ts3 symbols
core/src/lib/llm-judge.ts2 symbols
core/src/commands/login.ts2 symbols

For agents

$ claude mcp add caterpillar \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact