an-jian
安检 (Security Check / Security Review)
A security review skill for skills. It inspects a skill before installation and reports anything that could damage the host, destroy data or leak credentials. It is a heuristic pre-installation check that surfaces risks for a human decision, not a guarantee that a skill is safe.
Quick Commands
| Command | Function |
|---|---|
| /安检 <skill-path> | Review skill security |
| | Deep scan |
| /security list | List risks in installed skills |
| /安检 fix <skill-name> | Fix security issues |
Security Checks
1. Dangerous Commands
【Critical】
- rm -rf / - delete the root directory (current coreutils refuses `/` itself without --no-preserve-root, but `rm -rf /*` and `rm -rf ~` are not protected)
- rm -rf ~ - delete the user's home directory
- dd if=/dev/zero - overwrite a disk or partition
- :(){ :|:& };: - fork bomb
- curl ... | bash - execute a remote script without inspecting it
- wget ... | sh - execute a remote script without inspecting it
- sudo rm -rf - privileged deletion
- chmod 777 / - make the whole filesystem world-writable
- mkfs - format a disk
【High】
- rm -rf without a confirmation step
- sudo where no privilege is needed
- curl/wget downloading executable files
- nc -e /bin/sh - bind or reverse shell
- base64 -d | sh - decode-and-execute (obfuscated payload)
【Medium】
- eval - dynamic execution
- exec - dynamic execution
- subprocess with shell=True
- os.system - command run through the system shell

These are string patterns. Spelling variants (`rm -fr`, `rm -r -f`), commands assembled at runtime and encoded payloads (`$(echo cm0gLXJm | base64 -d)` decodes to `rm -rf` without matching the `base64 -d | sh` pattern) will not be caught, so a clean pattern scan is a first pass, not a clearance.
2. Network Requests
【Checks】
- Does the skill send data to external servers?
- Does it collect information about the user's environment (hostname, environment variables, installed tools)?
- Does it upload code or credentials?
- Are there hard-coded URLs, and do the hosts match what the skill's description justifies?
- Is HTTPS used, and is certificate verification left enabled (no `curl -k`, no `verify=False`)?
【Risk Patterns】
```
curl -X POST http://...          # sends data
requests.post(..., json={...})   # sends JSON
fetch('http://...', {...})       # sends a request
```
3. File Writes
【Sensitive Locations】
- /etc/ - system configuration
- /usr/ - system programs
- ~/.ssh/ - SSH keys and authorized_keys
- ~/.bashrc - shell configuration (runs at every login, a common persistence point)
- /tmp/ - temporary directory (world-writable; predictable file names can be hijacked by other users)
- user home directory - user files
【Checks】
- Does it write to a sensitive location?
- Does it overwrite existing files?
- Does it create hidden files (dotfiles)?
- Does it modify system configuration?
4. Credentials
【Risk Patterns】
- API_KEY = "sk-..." # hard-coded API key
- password = "..." # hard-coded password
- token = "..." # hard-coded token
- AWS_SECRET_ACCESS_KEY # AWS credentials
- GITHUB_TOKEN # GitHub token
【Env Vars】
- Does it read sensitive environment variables?
- Does it leak environment variables into logs or error output?
- Does it send them to an external server?
5. Resource Exhaustion
【Risk Patterns】
- while true: ... # loop with no exit condition
- for i in range(999999999): ... # very large loop
- recursion without a depth limit
- creating large numbers of files or processes
- allocating large amounts of memory
6. Privilege Escalation
【Risk Patterns】
- sudo - run with elevated privileges
- setuid/setgid - set the setuid/setgid permission bits on a binary
- chown root - change a file's owner to root
- exploiting a vulnerability to gain privileges
7. External Dependencies
【Checks】
- Do dependencies come from trusted sources (official registries, pinned versions, verified checksums)?
- Do dependencies have known vulnerabilities?
- Are there more dependencies than the skill needs? Each one widens the supply-chain attack surface.
- Are there uncommon dependencies, or names that resemble popular packages (typosquatting)?
Risk Assessment
【Risk Levels】
Critical:
- may damage the system
- may cause data loss
- may leak credentials
Handling: block installation unless the user explicitly confirms
High:
- may perform dangerous operations
- may leak sensitive information
Handling: user confirmation required; fix recommended
Medium:
- potential risk
- needs specific conditions to trigger
Handling: warn the user; fix optional
Low:
- minor risk
- best-practice issue
Handling: suggest an improvement; does not affect installation

The overall risk of a skill is the highest level among its findings, not a sum or an average: a single Critical finding makes the skill Critical however clean the rest of it is.
Review Workflow
Phase 1: Static Analysis

```markdown
Static Analysis Report

Skill: {skill_name}
Review Time: {timestamp}

Dangerous Commands

| Location | Command | Risk | Description |
|---|---|---|---|
| SKILL.md:L45 | rm -rf | High | deletion without confirmation |

Network

| Location | URL | Method | Risk |
|---|---|---|---|
| script.py:L20 | http://... | POST | Medium |

File Operations

| Location | Path | Operation | Risk |
|---|---|---|---|
| setup.sh:L10 | ~/.bashrc | Append | High |

Credentials

| Location | Type | Risk |
|---|---|---|
| config.py:L5 | API_KEY | Critical |
```
Phase 2: Risk Assessment
```markdown
Risk Assessment

Overall Risk: {Critical/High/Medium/Low}

Risk Summary

| Risk Level | Count | Action |
|---|---|---|
| Critical | {n} | Must fix |
| High | {n} | Should fix |
| Medium | {n} | Optional |
| Low | {n} | Suggest |
```
Phase 3: User Decision
```markdown
Security Decision

Skill: {skill_name}
Overall Risk: {level}

Risks Found

{risk_list}

Recommended Actions

- {action1}
- {action2}

Please Choose:

[A] Auto-fix
- remove or replace dangerous code
- disable dangerous features
- add a confirmation step before destructive actions
[B] Manual Review
- view each risk at its location
- decide item by item whether to keep it
[C] Disable Dangerous Parts
- keep the skill but disable the risky features
- enable them manually when needed
[D] Cancel Installation
- do not install this skill
- look for an alternative
[E] Continue at Own Risk
- ignore all warnings
- the user assumes full responsibility

Choice: [A/B/C/D/E]
```
Phase 4: Execute Decision
```markdown
Decision Execution

User Choice: {choice}

Execution Result

Auto-fix

| Original | Fixed | Status |
|---|---|---|
| rm -rf {dir} | confirm && rm -rf {dir} | ✅ |

Disabled

| Feature | Status |
|---|---|
| network_upload | Disabled |

Installation Confirm

- user confirmed the risks
- audit log written
- rollback plan created
```

The confirmation must run before the destructive command: `confirm && rm -rf {dir}` only deletes when the user agrees, whereas `rm -rf {dir} && confirm` deletes first and asks afterwards.
Audit Report
```markdown
Security Audit Report

Skill: {skill_name}
Reviewer: an-jian
Time: {timestamp}
Version: {version}

Summary

- Checks: {total}
- Risks Found: {count}
- Fixed: {count}
- Remaining Risks: {count}

Risk Details

{detailed_risks}

Fix Records

{fix_records}

User Confirmation

- Risks disclosed: ✅
- User confirmed: ✅
- Confirmation Time: {timestamp}

Recommendations

{recommendations}
```
Examples
Example 1: Review a New Skill

User: /安检 ./skills/new-skill
→ Phase 1: Static analysis
→ Phase 2: Risk assessment
→ Phase 3: User decision
→ Phase 4: Execute decision
→ Output audit report

Example 2: List Installed Risks

User: /security list
→ Scan installed skills
→ List all risks
→ Provide fix suggestions

Example 3: Fix Security Issues

User: /安检 fix <skill-name>
→ Analyze security issues
→ Generate fix plan
→ Execute fixes
→ Verify fixes
Rules
- rules/dangerous-patterns.md - Dangerous Patterns
- rules/risk-assessment.md - Risk Assessment
- rules/fix-strategies.md - Fix Strategies
- rules/audit-format.md - Audit Format
Configuration

| Param | Default | Description |
|---|---|---|
| auto_block_critical | true | Block installation automatically on Critical findings |
| require_confirm_high | true | Require user confirmation for High findings |
| audit_log_enabled | true | Write an audit log for every review |
| max_risk_level | high | Highest risk level that may be installed |
Integration

Install Integration

```
Install Skill:
  ↓
Call /安检 (/security)
  ↓
Risk Review
  ↓
┌────────────────────────────────────────────────────┐
│ Risk Level                                         │
├────────────────────────────────────────────────────┤
│ Critical → Block (user may override by confirming) │
│ High     → User confirmation required              │
│ Medium   → Prompt; optional fix                    │
│ Low      → Pass                                    │
└────────────────────────────────────────────────────┘
  ↓
Pass → Continue installation
  ↓
Fail → Cancel installation
```