wxmini-security-audit

Skill by ara.so — Security Skills collection.
Automated security auditing framework for WeChat mini-programs using Claude Code Agent Teams. Orchestrates 7 specialized agents to perform comprehensive static analysis covering sensitive information leakage, API endpoint extraction, cryptographic analysis, and vulnerability detection across seven security dimensions.

What It Does

  • Multi-Agent Orchestration: Coordinates 7 specialized agents (decompiler, secret scanner, endpoint miner, crypto analyzer, vulnerability analyzer, custom analyzer, reporter)
  • Dual-Layer Architecture: Python regex scripts ensure 100% rule coverage, LLM agents provide intelligent analysis with context awareness
  • Parallel Phase 2 Execution: Runs 4 analysis agents simultaneously to minimize audit time
  • User Intent Parsing: Automatically triggers deep custom analysis when specific endpoints/parameters are mentioned
  • Pure Static Analysis: Zero network requests, no attack code generation, fully local processing
  • Comprehensive Reporting: Generates both summary reports and detailed documentation with structured data exports

Architecture

The framework operates in sequential phases:
  1. Phase 0: User intent parsing (extracts target path, creates output directory, parses requirements)
  2. Phase 1: Decompilation (unveilr.exe processes wxapkg files, generates file inventory)
  3. Phase 1.5: Script pre-scanning (Python regex extracts raw endpoints and secrets)
  4. Phase 2: Parallel analysis (4 agents run simultaneously: SecretScanner, EndpointMiner, CryptoAnalyzer, VulnAnalyzer)
  5. Phase 2.5: Custom analysis (triggered only when user specifies particular endpoints/parameters)
  6. Phase 3: Report generation (aggregates findings into structured reports)

Installation

Prerequisites

  • Claude Code CLI environment with Agent Teams/Skill support
  • Python 3.x (standard library only, no external dependencies)
  • Windows platform (current version requires unveilr.exe)
  • unveilr.exe binary (WeChat mini-program decompiler)

Setup

Clone the repository into your Claude Code Skills directory:
```bash
git clone https://github.com/sssmmmwww/wxmini-security-audit.git
cd wxmini-security-audit
```
Obtain unveilr.exe from the unveilr project and place it in the tools/ directory:
```
wxmini-security-audit/
├── SKILL.md
├── agents/
│   ├── agent-01-decompiler.md
│   ├── agent-02-secret-scanner.md
│   ├── agent-03-endpoint-miner.md
│   ├── agent-04-crypto-analyzer.md
│   ├── agent-05-vuln-analyzer.md
│   ├── agent-06-reporter.md
│   └── agent-07-custom-analyzer.md
└── tools/
    ├── unveilr.exe          # Place here
    └── scripts/
        ├── endpoint_extractor.py
        └── secret_scanner.py
```

Usage

Basic Audit

Trigger the audit by providing a mini-program directory path:
Audit this WeChat mini program D:\wechat\miniapp\wxapkg_files
Analyze this mini program for security issues C:\miniprogram\target

Focused Analysis

Specify particular concerns to trigger Phase 2.5 custom analysis:
Audit this mini program D:\wxapp, focus on the /api/user/login endpoint
Scan D:\wxapp for vulnerabilities, particularly payment security and privilege escalation

With External Tool Integration

Provide context from intercepting proxies:
Analyze this mini program D:\wxapp, Burp Suite captured the /api/pay endpoint with a tamperable amount parameter

Output Structure

After completion, find results in wxaudit-output/:
```
wxaudit-output/
├── security_report.md          # Primary findings, risk assessment, remediation
├── api_endpoints_full.md       # Complete endpoint inventory
├── secrets_full.md             # All sensitive findings including false positives
├── findings.json               # Structured summary data
├── domains.txt                 # Extracted domain list
├── endpoints_fuzz.txt          # Fuzzing-ready endpoint list
├── file_inventory.json         # Decompiled file asset manifest
├── raw_endpoints.json          # Regex extraction raw results
├── raw_secrets.json            # Secret scanner raw results
├── secrets_report.json         # Intelligent secret analysis
├── api_endpoints.json          # Intelligent API analysis
├── crypto_analysis.json        # Cryptographic assessment
├── vuln_analysis.json          # Vulnerability findings
└── custom_analysis.json        # Custom requirement analysis (conditional)
```

Python Script Layer

Endpoint Extraction Script

Located at tools/scripts/endpoint_extractor.py, this script provides 100% rule coverage for API endpoint detection:
```python
import re
import json
import os

def extract_endpoints(source_dir):
    """
    Extract API endpoints from decompiled mini-program files.
    Returns: List of dicts with {pattern, value, file, line, context}
    """
    endpoints = []
    patterns = [
        r'https?://[^\s\'"]+',                    # Full URLs
        r'wx\.request\s*\(\s*\{[^}]+url\s*:\s*[\'"]([^\'"]+)',  # Inline wx.request calls
        r'url\s*:\s*[\'"]([^\'"]+)[\'"]',         # Generic URL assignments
        r'/api/[a-zA-Z0-9/_-]+',                  # API path fragments
        r'baseURL\s*:\s*[\'"]([^\'"]+)[\'"]',     # Base URL configs
    ]

    for root, _dirs, files in os.walk(source_dir):
        for file in files:
            if not file.endswith(('.js', '.json')):
                continue

            filepath = os.path.join(root, file)
            try:
                with open(filepath, 'r', encoding='utf-8', errors='ignore') as f:
                    for line_num, line in enumerate(f, 1):
                        for pattern in patterns:
                            for match in re.finditer(pattern, line):
                                endpoints.append({
                                    'pattern': pattern,
                                    'value': match.group(0),   # whole match, not the capture group
                                    'file': filepath,
                                    'line': line_num,
                                    'context': line.strip()
                                })
            except OSError:
                # Unreadable file (permissions, broken symlink): skip it
                continue

    return endpoints

if __name__ == '__main__':
    import sys
    if len(sys.argv) != 3:
        sys.exit('usage: endpoint_extractor.py <source_dir> <output_file>')
    source_dir = sys.argv[1]
    output_file = sys.argv[2]

    results = extract_endpoints(source_dir)
    with open(output_file, 'w', encoding='utf-8') as f:
        json.dump(results, f, indent=2, ensure_ascii=False)
```

Secret Scanner Script

Located at tools/scripts/secret_scanner.py:
```python
import re
import json
import os

SECRET_PATTERNS = {
    'api_key': r'(?i)(api[_-]?key|apikey|key)\s*[:=]\s*[\'"]([a-zA-Z0-9_\-]{16,})[\'"]',
    'access_token': r'(?i)(access[_-]?token|accesstoken)\s*[:=]\s*[\'"]([a-zA-Z0-9_\-\.]{20,})[\'"]',
    'secret': r'(?i)(secret|app[_-]?secret)\s*[:=]\s*[\'"]([a-zA-Z0-9_\-]{16,})[\'"]',
    'password': r'(?i)(password|passwd|pwd)\s*[:=]\s*[\'"](.{6,})[\'"]',
    'private_key': r'-----BEGIN\s+(?:RSA\s+)?PRIVATE\s+KEY-----',
    # RFC 1918 ranges; the 10/8 alternative needs its own second octet so that
    # all three branches end up matching four dotted octets
    'ip_internal': r'\b(?:10\.\d{1,3}|172\.(?:1[6-9]|2[0-9]|3[01])|192\.168)\.\d{1,3}\.\d{1,3}\b',
    'phone': r'(?<![0-9])(1[3-9]\d{9})(?![0-9])',
    'id_card': r'[1-6]\d{5}(?:19|20)\d{2}(?:0[1-9]|1[0-2])(?:0[1-9]|[12]\d|3[01])\d{3}[\dXx]',
    # TLD class is [A-Za-z]; a literal '|' inside the class would match a pipe character
    'email': r'\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b',
    'debug_flag': r'(?i)(debug|test|dev)[_-]?(mode|flag|env)\s*[:=]\s*(true|1|yes)',
}

def classify_severity(secret_type):
    """Assign severity based on secret type."""
    critical = ['private_key', 'secret', 'api_key']
    high = ['access_token', 'password']
    medium = ['ip_internal', 'debug_flag']

    if secret_type in critical:
        return 'CRITICAL'
    elif secret_type in high:
        return 'HIGH'
    elif secret_type in medium:
        return 'MEDIUM'
    return 'LOW'   # phone, id_card, email: PII, triaged by Agent 02

def scan_secrets(source_dir):
    """
    Scan for sensitive information in source files.
    Returns: List of findings with {type, value, file, line, context, severity}
    """
    findings = []

    for root, _dirs, files in os.walk(source_dir):
        for file in files:
            if not file.endswith(('.js', '.json', '.xml')):
                continue

            filepath = os.path.join(root, file)
            try:
                with open(filepath, 'r', encoding='utf-8', errors='ignore') as f:
                    for line_num, line in enumerate(f, 1):
                        for secret_type, pattern in SECRET_PATTERNS.items():
                            for match in re.finditer(pattern, line):
                                findings.append({
                                    'type': secret_type,
                                    'value': match.group(0),
                                    'file': filepath,
                                    'line': line_num,
                                    'context': line.strip(),
                                    'severity': classify_severity(secret_type)
                                })
            except OSError:
                # Unreadable file: skip it, the inventory still lists it
                continue

    return findings

if __name__ == '__main__':
    import sys
    if len(sys.argv) != 3:
        sys.exit('usage: secret_scanner.py <source_dir> <output_file>')
    source_dir = sys.argv[1]
    output_file = sys.argv[2]

    results = scan_secrets(source_dir)
    with open(output_file, 'w', encoding='utf-8') as f:
        json.dump(results, f, indent=2, ensure_ascii=False)
```

Agent Configuration

Agent 02: SecretScanner

Receives raw_secrets.json from the script layer and performs intelligent filtering:
```markdown
# Role
You are a security analyst specializing in sensitive information leakage detection.

# Input
- file_inventory.json (file asset manifest)
- raw_secrets.json (script extraction results)

# Task
1. Load raw_secrets.json
2. Filter false positives:
   - Placeholder values (e.g., "YOUR_API_KEY", "example.com")
   - Comments and documentation
   - Test/demo code markers
3. Classify real findings by severity
4. Generate contextual risk assessment

# Output Format
secrets_report.json:
{
  "valid_findings": [
    {
      "type": "api_key",
      "value": "[REDACTED]",
      "file": "pages/user/login.js",
      "line": 42,
      "severity": "CRITICAL",
      "reasoning": "Hardcoded API key in production login flow",
      "recommendation": "Move to secure backend configuration"
    }
  ],
  "false_positives": [...],
  "summary": { "total_raw": 156, "valid": 23, "critical": 3, "high": 8, "medium": 12 }
}
```
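The three false-positive rules in the Task list above (placeholders, comments/documentation, test/demo markers) can be checked deterministically before the LLM agent sees the data, which makes the filter unit-testable. The following is an added example and not code from the wxmini-security-audit project or its agent prompts: the sample records are constructed in the shape secret_scanner.py emits, and the regexes, the rejection reasons and the names classify_finding and filter_secrets are my own assumptions about how such a pre-filter could be written.

```python
"""Deterministic false-positive pre-filter for raw_secrets.json records (added example)."""
import re

# Constructed sample records, in the shape tools/scripts/secret_scanner.py writes.
SAMPLE_RAW_SECRETS = [
    {"type": "api_key", "value": 'apiKey: "YOUR_API_KEY_HERE_1234"',
     "file": "utils/config.js", "line": 3,
     "context": 'apiKey: "YOUR_API_KEY_HERE_1234",', "severity": "CRITICAL"},
    {"type": "api_key", "value": 'api_key = "k9F2hX7qLm3ZpQ8vR1tWy5Bn"',
     "file": "pages/user/login.js", "line": 42,
     "context": 'const api_key = "k9F2hX7qLm3ZpQ8vR1tWy5Bn";', "severity": "CRITICAL"},
    {"type": "password", "value": 'password: "hunter2pw"',
     "file": "utils/request.js", "line": 10,
     "context": '// password: "hunter2pw"  (old code, kept for reference)', "severity": "HIGH"},
    {"type": "secret", "value": 'appSecret: "testtesttesttest1234"',
     "file": "test/mock_api.js", "line": 7,
     "context": 'appSecret: "testtesttesttest1234",', "severity": "CRITICAL"},
    {"type": "email", "value": "admin@example.com", "file": "app.js", "line": 1,
     "context": 'contact: "admin@example.com"', "severity": "LOW"},
]

# Rule 1: placeholder values (hypothetical rule set; extend per project)
PLACEHOLDER_RE = re.compile(
    r"(?i)(your[_-]?|xxx+|changeme|example\.com|<[^>]+>|\bdummy\b|\bsample\b|\bplaceholder\b)")
# Rule 2: the matched line is a comment (JS, shell/YAML, or markup comment openers)
COMMENT_RE = re.compile(r"^\s*(//|/\*|\*|#|<!--)")
# Rule 3a: the file lives in a test/demo/mock directory
TEST_PATH_RE = re.compile(r"(?i)(^|/)(test|tests|mock|mocks|demo|example|examples|fixtures)(/|$)")
# Rule 3b: the value itself carries a test/demo marker
TEST_MARKER_RE = re.compile(r"(?i)\b(test|demo|mock|fake|sample)")


def classify_finding(finding):
    """Return (is_valid, reason); reason names the rule that rejected the finding."""
    if COMMENT_RE.match(finding["context"]):
        return False, "comment"
    if PLACEHOLDER_RE.search(finding["value"]):
        return False, "placeholder"
    # normalise Windows separators so the directory check works on either platform
    if TEST_PATH_RE.search(finding["file"].replace("\\", "/")):
        return False, "test_path"
    if finding["type"] != "email" and TEST_MARKER_RE.search(finding["value"]):
        return False, "test_marker"
    return True, "kept"


def filter_secrets(raw):
    """Split raw findings into valid/false-positive lists plus a severity summary."""
    valid, false_positives = [], []
    for finding in raw:
        ok, reason = classify_finding(finding)
        record = dict(finding, reasoning=reason)
        (valid if ok else false_positives).append(record)
    summary = {"total_raw": len(raw), "valid": len(valid)}
    for sev in ("CRITICAL", "HIGH", "MEDIUM", "LOW"):
        summary[sev.lower()] = sum(1 for v in valid if v["severity"] == sev)
    return {"valid_findings": valid, "false_positives": false_positives, "summary": summary}


if __name__ == "__main__":
    import json
    print(json.dumps(filter_secrets(SAMPLE_RAW_SECRETS), indent=2))
```

Of the five constructed records only the login.js key survives; the other four are rejected with a reason that can be carried into the "reasoning" field of secrets_report.json, so a reviewer can see why each raw hit was dropped.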

Agent 03: EndpointMiner

Correlates endpoint fragments with BaseURL configurations:
```markdown
# Role
API endpoint extraction and intelligent correlation specialist.

# Input
- file_inventory.json
- raw_endpoints.json (script results)

# Task
1. Group endpoints by BaseURL
2. Reconstruct complete API URLs from fragments
3. Identify request methods from wx.request contexts
4. Map endpoints to source files
5. Flag suspicious patterns (internal IPs, non-HTTPS, hardcoded credentials in URLs)

# Output Format
api_endpoints.json:
{
  "domains": ["https://api.example.com", "https://backend.example.com"],
  "endpoints": [
    {
      "method": "POST",
      "url": "https://api.example.com/api/user/login",
      "base": "https://api.example.com",
      "path": "/api/user/login",
      "source_file": "utils/request.js",
      "line": 15,
      "params": ["username", "password"],
      "security_notes": ["Uses HTTPS", "No credential exposure"]
    }
  ]
}
```
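Tasks 1 to 5 above (group by base, rebuild full URLs from /api/ fragments, read the method out of the wx.request context, map to source file, flag internal IPs, plain HTTP and credentials in URLs) are mechanical enough to show in code. This is an added example, not code from the wxmini-security-audit project: the sample records are constructed to resemble raw_endpoints.json (with the pattern field omitted), and the helper names correlate, infer_method, extract_params and security_notes, as well as the flagging rules, are my own assumptions.

```python
"""Endpoint correlation over raw_endpoints.json-style records (added example)."""
import re
from urllib.parse import urlsplit

# Constructed sample: one baseURL config, two /api/ fragments, two full URLs.
SAMPLE_RAW_ENDPOINTS = [
    {"value": 'baseURL: "https://api.example.com"', "file": "utils/request.js", "line": 3,
     "context": 'baseURL: "https://api.example.com",'},
    {"value": "/api/user/login", "file": "utils/request.js", "line": 15,
     "context": "wx.request({ url: baseURL + '/api/user/login', method: 'POST', data: { username, password } })"},
    {"value": "/api/order/list", "file": "pages/order/index.js", "line": 22,
     "context": "wx.request({ url: baseURL + '/api/order/list' })"},
    {"value": "http://192.168.1.20:8080/api/debug/dump", "file": "utils/dev.js", "line": 9,
     "context": "url: 'http://192.168.1.20:8080/api/debug/dump', method: 'GET'"},
    {"value": "https://admin:Passw0rd@backend.example.com/api/admin/users",
     "file": "pages/admin/index.js", "line": 5, "context": "..."},
]

BASEURL_RE = re.compile(r"""baseURL\s*:\s*['"]([^'"]+)['"]""")
METHOD_RE = re.compile(r"""method\s*:\s*['"]([A-Za-z]+)['"]""")
DATA_RE = re.compile(r"data\s*:\s*\{([^}]*)\}")
PRIVATE_IP_RE = re.compile(r"^(10\.|127\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")


def infer_method(context):
    """wx.request defaults to GET when no method option is present."""
    m = METHOD_RE.search(context)
    return m.group(1).upper() if m else "GET"


def extract_params(context):
    """Pull top-level identifiers out of an inline `data: { ... }` object literal."""
    m = DATA_RE.search(context)
    if not m:
        return []
    names = []
    for part in m.group(1).split(","):
        name = part.split(":")[0].strip()
        if re.fullmatch(r"[A-Za-z_$][\w$]*", name):
            names.append(name)
    return names


def security_notes(url):
    """Flags for task 5: transport, embedded credentials, RFC 1918 / loopback hosts."""
    parts = urlsplit(url)
    notes = ["Uses HTTPS" if parts.scheme == "https" else "Non-HTTPS transport"]
    if parts.username or parts.password:
        notes.append("Credentials embedded in URL")
    if PRIVATE_IP_RE.match(parts.hostname or ""):
        notes.append("Internal IP address")
    return notes


def base_of(parts):
    # scheme + host (+ port), deliberately without any userinfo
    port = f":{parts.port}" if parts.port else ""
    return f"{parts.scheme}://{parts.hostname or ''}{port}"


def correlate(raw):
    """Rebuild full URLs, group by base, and attach method/params/source/notes."""
    bases = [BASEURL_RE.search(r["value"]).group(1).rstrip("/")
             for r in raw if BASEURL_RE.search(r["value"])]
    default_base = bases[0] if bases else None
    endpoints = []
    for r in raw:
        value = r["value"]
        if BASEURL_RE.search(value):
            continue
        if value.startswith("/"):
            if default_base is None:
                continue  # fragment with no known base: leave for manual review
            url = default_base + value
        else:
            url = value
        parts = urlsplit(url)
        endpoints.append({
            "method": infer_method(r["context"]),
            "url": url,
            "base": base_of(parts),
            "path": parts.path,
            "source_file": r["file"],
            "line": r["line"],
            "params": extract_params(r["context"]),
            "security_notes": security_notes(url),
        })
    return {"domains": sorted({e["base"] for e in endpoints}), "endpoints": endpoints}
```

With several baseURL configs in one app the first one is used here; a real correlation pass would pick the base defined in the same module as the fragment, which is exactly the contextual step the page leaves to the agent.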

Agent 05: VulnAnalyzer

Performs vulnerability analysis across seven dimensions:
```markdown
# Vulnerability Analysis Dimensions
1. Authentication & Authorization
   - Token storage in localStorage
   - Session management flaws
   - Missing authentication checks
2. Data Security
   - Sensitive data in logs
   - Unencrypted storage
   - PII exposure
3. Injection Vulnerabilities
   - SQL injection vectors
   - XSS potential
   - Command injection
4. Privilege Escalation
   - Role-based access control bypasses
   - User ID manipulation risks
5. Payment Security
   - Amount tampering potential
   - Order verification gaps
6. Information Leakage
   - Error messages exposing internals
   - Debug mode in production
   - Version disclosure
7. Configuration Security
   - Insecure default settings
   - Missing security headers
   - Weak encryption algorithms

# Output Format
vuln_analysis.json with findings categorized by dimension and severity.
```
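Several of the sub-items above have a syntactic signature in decompiled mini-program JS and can be pre-flagged before the LLM pass, in the same spirit as the Phase 1.5 scripts. The following is an added example and not part of the wxmini-security-audit project or its agent prompts: it covers four of the seven dimensions (token in local storage, sensitive data logged, debug mode on, weak algorithm) with hypothetical rules of my own, run over constructed sample lines, and emits findings grouped by dimension in the shape vuln_analysis.json is described as using.

```python
"""Rule-based pre-filter for a subset of the VulnAnalyzer dimensions (added example)."""
import re

# (dimension, check id, pattern, severity) -- hypothetical rules, not the project's
RULES = [
    ("Authentication & Authorization", "token_in_local_storage",
     re.compile(r"wx\.setStorage(?:Sync)?\s*\(\s*['\"](?:access[_-]?)?token['\"]"), "HIGH"),
    ("Data Security", "sensitive_data_logged",
     re.compile(r"console\.(?:log|info|debug)\s*\(.*(?:password|token|secret|idCard)", re.I), "MEDIUM"),
    ("Information Leakage", "debug_mode_enabled",
     re.compile(r"(?:debug|DEBUG)\s*[:=]\s*true"), "MEDIUM"),
    ("Configuration Security", "weak_crypto_algorithm",
     re.compile(r"\b(?:MD5|SHA1|DES|RC4)\b"), "MEDIUM"),
]

# Constructed sample lines as they might appear in decompiled pages/*.js and utils/*.js.
SAMPLE_LINES = [
    ("pages/user/login.js", 12, "wx.setStorageSync('token', res.data.token);"),
    ("pages/user/login.js", 13, "console.log('login ok, password=', this.data.password);"),
    ("app.js", 4, "debug: true,"),
    ("utils/sign.js", 2, "const sig = CryptoJS.MD5(payload + secret).toString();"),
    ("utils/sign.js", 9, "const sig2 = CryptoJS.HmacSHA256(payload, key).toString();"),
    ("pages/order/index.js", 30, "wx.setStorageSync('cart', this.data.cart);"),
]


def analyze_lines(lines):
    """Return {dimension: [finding, ...]} for every rule that matches a line.

    `lines` is an iterable of (path, line_number, text) tuples, i.e. what a walk
    over the decompiled tree would yield; the sample above stands in for that.
    """
    findings = {}
    for path, lineno, text in lines:
        for dimension, check, rx, severity in RULES:
            if rx.search(text):
                findings.setdefault(dimension, []).append({
                    "check": check,
                    "severity": severity,
                    "file": path,
                    "line": lineno,
                    "evidence": text.strip(),
                })
    return findings


def severity_counts(findings):
    """Roll findings up into the per-severity counts a CI gate would read."""
    counts = {"HIGH": 0, "MEDIUM": 0, "LOW": 0}
    for items in findings.values():
        for item in items:
            counts[item["severity"]] = counts.get(item["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    import json
    print(json.dumps(analyze_lines(SAMPLE_LINES), indent=2))
```

The HmacSHA256 line and the 'cart' storage line are deliberately included as negatives: a rule set that flags every CryptoJS call or every wx.setStorageSync would push the noise back up to the level the dual-layer design is trying to avoid.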

Common Patterns

Pattern 1: Basic Directory Audit

User: Audit this WeChat mini program D:\projects\wxapp
Agent: [Executes full 6-phase pipeline]
Output: wxaudit-output/ with 14 files

Pattern 2: Targeted Endpoint Analysis

User: Analyze D:\wxapp, focus on /api/payment/submit
Agent: [Triggers Phase 2.5 CustomAnalyzer]
Output: Includes custom_analysis.json with deep dive on payment endpoint

Pattern 3: Integration with Burp Suite

User: Audit D:\wxapp, Burp found /api/user/profile returns other users' data when changing uid parameter
Agent: [Correlates with extracted endpoints, flags in vuln_analysis.json under "Privilege Escalation"]

Troubleshooting

Issue: "unveilr.exe not found"

Solution: Download unveilr.exe and place it in the tools/ directory:
```bash
# Verify placement
ls tools/unveilr.exe
# Should show: tools/unveilr.exe
```

Issue: "No endpoints found in raw_endpoints.json"

Cause: Source directory contains only compiled wxapkg files, not decompiled JS.
Solution: Ensure Phase 1 (agent-01-decompiler) completes successfully. Check file_inventory.json for .js files:
```bash
cat wxaudit-output/file_inventory.json | grep ".js"
```

Issue: "High false positive rate in secrets_full.md"

Expected: The dual-layer architecture intentionally preserves all script findings. Agent-02 filters these in secrets_report.json.
Check: Review secrets_report.json for filtered valid findings:
```bash
cat wxaudit-output/secrets_report.json | jq '.summary'
```

Issue: "Custom analysis not triggered"

Cause: User prompt did not specify particular endpoints/parameters.
Solution: Explicitly mention target areas:
Analyze D:\wxapp, investigate the /api/order/create endpoint and its amount parameter

Issue: "Script execution errors in Phase 1.5"

Debug: Check Python script output directly:
```bash
python tools/scripts/endpoint_extractor.py D:\decompiled_output wxaudit-output/raw_endpoints.json
python tools/scripts/secret_scanner.py D:\decompiled_output wxaudit-output/raw_secrets.json
```

Security Constraints

This framework adheres to strict ethical boundaries:
  1. No Network Activity: All analysis is local; no validation of extracted secrets/tokens
  2. No Attack Code: Does not generate PoC exploits or automated attack scripts
  3. Minimal Permissions: Read-only access to source directory, write-only to output directory
  4. Data Privacy: No telemetry, no external uploads, all processing remains local

Environment Variables

No environment variables required. All configuration is embedded in agent prompt files under agents/.
To customize agent behavior, edit the respective .md files:
```bash
# Example: Adjust SecretScanner sensitivity
vim agents/agent-02-secret-scanner.md
# Modify the false positive filtering rules section
```

Advanced Usage

Custom Vulnerability Rules

Extend agent-05-vuln-analyzer.md with project-specific patterns:
```markdown
# Custom Rules (add to agent-05-vuln-analyzer.md)

1. Business Logic Flaws
   - Check for discount code stacking vulnerabilities
   - Verify coupon expiration enforcement
   - Validate inventory deduction timing
```

Integration with CI/CD

Run as part of a security pipeline:
```yaml
# Example GitLab CI job
security_audit:
  script:
    - claude-code execute-skill wxmini-security-audit "Audit ./decompiled_app"
    - cat wxaudit-output/findings.json | jq '.summary.critical' | grep -q '^0$' || exit 1
```

Bulk Analysis

Process multiple mini-programs:
```bash
for dir in ./mini-programs/*/; do
  claude-code execute-skill wxmini-security-audit "Audit $dir"
  mv wxaudit-output "results/$(basename $dir)-audit"
done
```