https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2FAkshatmish%2FSkillSpector%2Fpull%2Fnew%2Ffeat%2Fmcp-rug-pull-analyzerfeat: implement MCP rug pull analyzer and unit tests

[Akshatmish]

Description

This pull request implements the planned but empty stub analyzer for MCP Rug Pulls (mcp_rug_pull.py) as outlined in docs/DEVELOPMENT.md.

A "Rug Pull" vulnerability occurs when an updated version of a previously trusted skill/tool silently alters its manifest to request unauthorized capabilities or hijack user intent.

Changes Made

1. MCP Rug Pull Analyzer (src/skillspector/nodes/analyzers/mcp_rug_pull.py):
   • Rule RP1 (Permission Expansion): Checks if any new permissions are requested in the current manifest that were not present in the previous manifest. Severity: HIGH, Confidence: 0.90.
   • Rule RP2 (Trigger Phrase Modification): Detects additions or removals of trigger phrases that could hijack user agent instructions. Severity: MEDIUM, Confidence: 0.85.
   • Rule RP3 (Parameter Schema Changes): Checks if parameters are added, removed, or if types, default values, or descriptions have been altered. Severity: MEDIUM, Confidence: 0.80.
2. Unit Tests (tests/nodes/analyzers/test_mcp_rug_pull.py):
   • Added comprehensive coverage testing edge cases, permission checks, trigger changes, parameter default value overrides, type mutations, and handling of missing previous manifests.

Verification Results

• Ran the unit test suite successfully inside the virtual environment:
  pytest -m "not integration and not provider" tests/ -> All tests passed successfully.
• Ran Ruff formatting and lint checking:
  ruff check src/ tests/ -> All checks passed.