【Critical】
- rm -rf / - Delete root directory
- rm -rf ~ - Delete user directory
- dd if=/dev/zero - Disk erasure
- :(){ :|:& };: - Fork bomb
- curl ... \| bash - Execute remote script
- wget ... \| sh - Execute remote script
- sudo rm -rf - Privileged deletion
- chmod 777 / - Grant all permissions
- mkfs - Format disk

【High】
- rm -rf (no confirmation)
- sudo (unnecessary)
- curl/wget download executable files
- nc -e /bin/sh - Reverse shell
- base64 -d \| sh - Decode and execute

【Medium】
- eval - Dynamic execution
- exec - Dynamic execution
- subprocess with shell=True
- os.system - System call

【Checks】
- Whether data is sent to external servers
- Whether user environment information is collected
- Whether code or credentials are uploaded
- Whether there are hard-coded URLs
- Whether HTTPS is used

【Risk Patterns】
curl -X POST http://...  # Send data
requests.post(..., json={...})  # Send JSON
fetch('http://...', {...})  # Send request

【Sensitive Locations】
- /etc/ - System configuration
- /usr/ - System programs
- ~/.ssh/ - SSH keys
- ~/.bashrc - Shell configuration
- /tmp/ - Temporary directory (may be exploited)
- User home directory/ - User files

【Checks】
- Whether writing to sensitive locations
- Whether overwriting existing files
- Whether creating hidden files
- Whether modifying system configuration

【Risk Patterns】
- API_KEY = "sk-..."  # Hard-coded API key
- password = "..."  # Hard-coded password
- token = "..."  # Hard-coded token
- AWS_SECRET_ACCESS_KEY  # AWS credentials
- GITHUB_TOKEN  # GitHub token

【Env Vars】
- Whether sensitive environment variables are read
- Whether environment variables are leaked to logs
- Whether sent to external servers

【Risk Patterns】
- while true: ...  # Infinite loop
- for i in range(999999999): ...  # Large loop
- recursion without limit  # Infinite recursion
- Create large number of files/processes
- Allocate large amount of memory

【Risk Patterns】
- sudo - Privileged execution
- setuid/setgid - Set permission bits
- chown root - Modify owner
- Exploit vulnerabilities for privilege escalation

【Checks】
- Whether dependencies come from trusted sources
- Whether dependencies have known vulnerabilities
- Whether there are too many dependencies (supply chain attack)
- Whether there are uncommon dependencies

【Risk Levels】

Critical:
- May cause system damage
- May cause data loss
- May cause credential leakage
Handling: Block installation unless explicitly confirmed by user

High:
- May perform dangerous operations
- May leak sensitive information
Handling: User confirmation required, repair recommended

Medium:
- Potential risk
- Requires specific conditions to trigger
Handling: Prompt user, optional repair

Low:
- Minor risk
- Best practice issue
Handling: Suggest improvement, does not affect installation

## Static Analysis Report

**Skill**: {skill_name}
**Review Time**: {timestamp}

### Dangerous Commands
| Location | Command | Risk | Description |
|--------------|-------------|----------|-----------------|
| SKILL.md:L45 | rm -rf | High | Deletion without confirmation |

### Network
| Location | URL | Method | Risk |
|--------------|-----|----------|----------|
| script.py:L20 | http://... | POST | Medium |

### File Operations
| Location | Path | Operation | Risk |
|--------------|----------|-------------|----------|
| setup.sh:L10 | ~/.bashrc | Append | High |

### Credentials
| Location | Type | Risk |
|--------------|----------|----------|
| config.py:L5 | API_KEY | Critical |

## Risk Assessment

**Overall Risk**: {Critical/High/Medium/Low}

### Risk Summary
| Risk Level | Count | Action |
|--------------|-----------|------------|
| Critical | {n} | Must fix |
| High | {n} | Should fix |
| Medium | {n} | Optional |
| Low | {n} | Suggest |

## Security Decision

**Skill**: {skill_name}
**Overall Risk**: {level}

### Risks Found
{risk_list}

### Recommended Actions
1. {action1}
2. {action2}

### Please Choose:

[A] Auto-fix
    - Remove or replace dangerous code
    - Disable dangerous features
    - Add security confirmation

[B] Manual Review
    - View specific risk locations
    - Decide item by item whether to keep

[C] Disable Dangerous Parts
    - Keep skill but disable risky features
    - Manually enable when needed

[D] Cancel Installation
    - Do not install this skill
    - Look for alternatives

[E] Continue at Own Risk
    - Ignore all warnings
    - User assumes full responsibility

Choice: [A/B/C/D/E]

## Decision Execution

**User Choice**: {choice}

### Execution Result

#### Auto-fix
| Original | Fixed | Status |
|---------------|------------|------------|
| rm -rf {dir} | rm -rf {dir} && confirm() | ✅ |

#### Disabled
| Feature | Status |
|------------|------------|
| network_upload | Disabled |

#### Installation Confirm
- [ ] User confirmed risks
- [ ] Audit logged
- [ ] Rollback ready

## Security Audit Report

**Skill**: {skill_name}
**Reviewer**: an-jian
**Time**: {timestamp}
**Version**: {version}

### Summary
- Checks: {total}
- Risks Found: {count}
- Fixed: {count}
- Remaining Risks: {count}

### Risk Details
{detailed_risks}

### Fix Records
{fix_records}

### User Confirmation
- Risks disclosed: ✅
- User confirmed: ✅
- Confirmation Time: {timestamp}

### Recommendations
{recommendations}

User: /安检 ./skills/new-skill

→ Phase 1: Static analysis
→ Phase 2: Risk assessment
→ Phase 3: User decision
→ Phase 4: Execute decision
→ Output audit report

User: /security list

→ Scan installed skills
→ List all risks
→ Provide fix suggestions

User: /安检 fix <skill-name>

→ Analyze security issues
→ Generate fix plan
→ Execute fixes
→ Verify fixes

Install Skill:
    ↓
Call /security
    ↓
Risk Review
    ↓
┌─────────────────────────────────────┐
│ Risk Level                 │
├─────────────────────────────────────┤
│ Critical → Block (exception with user confirmation)  │
│ High → User confirmation required              │
│ Medium → Prompt, optional fix          │
│ Low → Pass                       │
└─────────────────────────────────────┘
    ↓
Pass → Continue installation
    ↓
Fail → Cancel installation