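#!/usr/bin/env bash
#
# audit.sh — a runnable version of the Module 22 vetting checklist.
#
# Static red-flag scan over a third-party MCP server or skill BEFORE you install it. It does not
# execute anything in the target; it only reads. A clean run is NOT a guarantee (see "Where it
# breaks") — it is a cheap first pass that catches the obvious and the lazy.
#
# Usage: bash audit.sh <target-dir>
#   <target-dir>  directory holding the MCP server or skill to vet (required)
#
# Exit status: 2 when <target-dir> is missing or is not a directory.
#
set -euo pipefail

# ${1:-} keeps `set -u` from aborting with an unbound-variable error when no
# argument is given, so the usage message below is what the user sees.
TARGET="${1:-}"

# Report the two failure modes separately: a missing argument and a path that
# is not a directory need different fixes from the user. Both exit with 2.
if [[ -z "$TARGET" ]]; then
  printf 'usage: bash audit.sh <target-dir>\n' >&2
  exit 2
fi
if [[ ! -d "$TARGET" ]]; then
  # '%s' keeps the caller-supplied path out of the printf format string.
  printf 'audit.sh: not a directory: %s\n' "$TARGET" >&2
  printf 'usage: bash audit.sh <target-dir>\n' >&2
  exit 2
fi

# NOTE(review): the scan commands are outside this view. If they hand $TARGET
# to grep/find, confirm they pass `--` (or a ./-prefixed path) so a directory
# whose name starts with '-' is not parsed as an option.

# Finding counter, starting at zero; presumably incremented by the checks
# that follow — confirm against the rest of the script.
hits=0

# Print a blank line followed by a "=== <title> ===" banner on stdout.
# Arguments: $1 - section title
section() { printf '\n=== %s ===\n' "$1"; }

# scan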