Back to Details

skill-auditor

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Skill Auditor

Skill Auditor

Analyze agent skill directories for security risks and provide an install/reject verdict.
分析Agent技能目录的安全风险,并给出安装/拒绝的结论。

Workflow

工作流程

Auditing a skill follows these phases:
  1. Resolve input - Parse the user's input to locate the skill
  2. Research - Scan and understand what the skill does
  3. Report - Produce a detailed findings report
  4. Verdict - Deliver a clear install/reject recommendation
审核Skill遵循以下阶段:
  1. 解析输入 - 解析用户输入以定位目标Skill
  2. 调研分析 - 扫描并理解该Skill的功能
  3. 生成报告 - 生成详细的检测结果报告
  4. 给出结论 - 提供明确的安装/拒绝建议

Phase 0: Resolve Input

阶段0:解析输入

The user may provide the skill target in several formats. Parse the input and resolve it to a local directory before proceeding.
用户可能以多种格式提供目标Skill信息。先解析输入并将其转换为本地目录,再继续后续操作。

Format 1: Local path

格式1:本地路径

audit skills/my-skill/
audit /path/to/skill-dir
Use the path directly.
audit skills/my-skill/
audit /path/to/skill-dir
直接使用提供的路径。

Format 2: GitHub URL

格式2:GitHub URL

audit https://github.com/org/repo
Clone the repo to 
/tmp/<repo-name>
, audit the root as the skill directory. Clean up after.
audit https://github.com/org/repo
将仓库克隆到
/tmp/<repo-name>
,以仓库根目录作为Skill目录进行审核。审核完成后清理临时文件。

Format 3: Install command (npx skills add)

格式3:安装命令(npx skills add)

npx skills add https://github.com/org/repo --skill skill-name
npx skills add https://github.com/org/repo
Extract the GitHub URL and optional 
--skill
name:
  1. Parse the URL from the command (the 
    https://github.com/...
    part)
  2. Clone the repo to 
    /tmp/<repo-name>
  3. If 
    --skill <name>
    is present, the audit target is the subdirectory 
    skills/<name>/
    within the cloned repo. If that path doesn't exist, try 
    <name>/
    at the repo root.
  4. If no 
    --skill
    flag, audit the repo root as a single skill (look for 
    SKILL.md
    at root)
  5. Clean up the cloned repo after the audit
Parsing rule: Extract the GitHub URL with this pattern:
https://github.com/<owner>/<repo>
And the skill name (if any) from 
--skill <name>
anywhere in the command.
npx skills add https://github.com/org/repo --skill skill-name
npx skills add https://github.com/org/repo
提取GitHub URL及可选的
--skill
名称:
  1. 从命令中解析出GitHub URL(即
    https://github.com/...
    部分)
  2. 将仓库克隆到
    /tmp/<repo-name>
  3. 如果存在
    --skill <name>
    参数,则审核克隆仓库中的
    skills/<name>/
    子目录;若该路径不存在,则尝试仓库根目录下的
    <name>/
    目录
  4. 如果没有
    --skill
    参数,则将仓库根目录视为单个Skill进行审核(需在根目录下找到
    SKILL.md
    文件)
  5. 审核完成后清理克隆的仓库
解析规则:使用以下模式提取GitHub URL:
https://github.com/<owner>/<repo>
并从命令中任意位置提取
--skill <name>
中的Skill名称(如果有)。

Format 4: GitHub URL with skill name

格式4:带Skill名称的GitHub URL

audit https://github.com/org/repo --skill skill-name
audit https://github.com/org/repo skill-name
Same as Format 3 — clone, then audit 
skills/<name>/
or 
<name>/
.
audit https://github.com/org/repo --skill skill-name
audit https://github.com/org/repo skill-name
与格式3处理方式相同——先克隆仓库,再审核
skills/<name>/
<name>/
目录。

Resolution summary

解析规则汇总

InputClone?Audit target
Local pathNoThe path as-is
GitHub URL onlyYes → 
/tmp/<repo>
Repo root
GitHub URL + 
--skill X
Yes → 
/tmp/<repo>
skills/X/
or 
X/
in repo
npx skills add URL
Yes → 
/tmp/<repo>
Repo root
npx skills add URL --skill X
Yes → 
/tmp/<repo>
skills/X/
or 
X/
in repo
After resolving, verify the target directory contains a 
SKILL.md
. If not, report an error.
输入类型是否需要克隆审核目标
本地路径直接使用提供的路径
仅GitHub URL是 → 
/tmp/<repo>
仓库根目录
GitHub URL + 
--skill X
是 → 
/tmp/<repo>
仓库中的
skills/X/
X/
目录
npx skills add URL
是 → 
/tmp/<repo>
仓库根目录
npx skills add URL --skill X
是 → 
/tmp/<repo>
仓库中的
skills/X/
X/
目录
解析完成后,需验证目标目录中是否存在
SKILL.md
文件,若不存在则报错。

Phase 1: Research

阶段1:调研分析

1.1 Run the automated scanner

1.1 运行自动化扫描工具

bash
python3 {SKILL_DIR}/scripts/scan_skill.py <target-skill-path>
The scanner outputs JSON with:
  • File inventory (names, sizes, permissions, executability)
  • Pattern matches for dangerous imports, shell commands, obfuscation, credential access, filesystem access, and prompt injection
  • Summary counts
bash
python3 {SKILL_DIR}/scripts/scan_skill.py <target-skill-path>
扫描工具输出JSON格式的结果,包含:
  • 文件清单(文件名、大小、权限、可执行性)
  • 危险导入、Shell命令、混淆代码、凭证访问、文件系统访问及提示注入等模式的匹配结果
  • 统计摘要

1.2 Read SKILL.md frontmatter and body

1.2 读取SKILL.md的前置信息与正文

Read the target skill's 
SKILL.md
to understand:
  • Stated purpose: What the skill claims to do
  • Trigger conditions: When it activates
  • Instruction patterns: What it tells the agent to do
读取目标Skill的
SKILL.md
文件,以了解:
  • 声明用途:该Skill声称的功能
  • 触发条件:Skill激活的场景
  • 指令模式:Skill会指示Agent执行哪些操作

1.3 Read all script files

1.3 读取所有脚本文件

Read every 
.py
, 
.sh
, 
.js
, 
.ts
, 
.rb
file in the skill. For each:
  • Understand what the script does end-to-end
  • Note any network calls, file operations, or system commands
  • Check if input flows into dangerous operations (injection risk)
  • Look for obfuscated or encoded payloads
读取Skill中所有
.py
.sh
.js
.ts
.rb
文件。针对每个文件:
  • 全程理解脚本的功能
  • 记录所有网络调用、文件操作或系统命令
  • 检查输入是否会流入危险操作(注入风险)
  • 查找混淆或编码的负载

1.4 Read reference and instruction files

1.4 读取参考文档与指令文件

Read all 
.md
files in 
references/
and any other text files. Check for:
  • Prompt injection patterns hidden in documentation
  • Instructions that override safety or hide actions
  • Encoded content that doesn't match the stated purpose
读取
references/
目录下的所有
.md
文件及其他文本文件,检查:
  • 隐藏在文档中的提示注入模式
  • 覆盖安全设置或隐藏操作的指令
  • 与声明用途不符的编码内容

1.5 Contextual analysis

1.5 上下文分析

For each finding from the scanner, determine:
  • Is this pattern justified by the skill's stated purpose?
  • Is the scope appropriate (working directory vs system-wide)?
  • Are targets hardcoded/known or dynamic/user-controlled?
  • Is code readable or deliberately obfuscated?
Consult references/security-checklist.md for the full risk taxonomy and contextual analysis guidelines.
针对扫描工具发现的每个问题,判断:
  • 该模式是否与Skill的声明用途相符?
  • 范围是否合适(工作目录级 vs 系统级)?
  • 目标是硬编码/已知的还是动态/用户可控的?
  • 代码是可读的还是故意混淆的?
可参考references/security-checklist.md中的完整风险分类与上下文分析指南。

Phase 2: Report

阶段2:生成报告

Generate 
SKILL_AUDIT.md
in the current working directory using this structure:
markdown
undefined
在当前工作目录下生成
SKILL_AUDIT.md
文件,结构如下:
markdown
undefined

Skill Audit Report: [skill-name]

Skill Audit Report: [skill-name]

Date: YYYY-MM-DD Skill Path: path/to/skill Auditor: skill-auditor v1.0
Date: YYYY-MM-DD Skill Path: path/to/skill Auditor: skill-auditor v1.0

Skill Overview

Skill Overview

PropertyValue
Name[from frontmatter]
Description[from frontmatter]
Total FilesN
Script FilesN
Executable FilesN
Binary FilesN
PropertyValue
Name[from frontmatter]
Description[from frontmatter]
Total FilesN
Script FilesN
Executable FilesN
Binary FilesN

Risk Summary

Risk Summary

CategoryFindingsSeverity
Code ExecutionNCritical/High/Medium/Low/None
Network/ExfiltrationN...
Filesystem AccessN...
Privilege EscalationN...
ObfuscationN...
Prompt InjectionN...
Supply ChainN...
Credential ExposureN...
PersistenceN...
Overall Risk Level: [SAFE / LOW / MEDIUM / HIGH / CRITICAL]
CategoryFindingsSeverity
Code ExecutionNCritical/High/Medium/Low/None
Network/ExfiltrationN...
Filesystem AccessN...
Privilege EscalationN...
ObfuscationN...
Prompt InjectionN...
Supply ChainN...
Credential ExposureN...
PersistenceN...
Overall Risk Level: [SAFE / LOW / MEDIUM / HIGH / CRITICAL]

Detailed Findings

Detailed Findings

[Category Name] ([Severity])

[Category Name] ([Severity])

File: 
path/to/file:line
Pattern: [what was detected] Context: [the actual code/text] Analysis: [Is this justified? What is the real risk?]
[Repeat for each finding]
File: 
path/to/file:line
Pattern: [what was detected] Context: [the actual code/text] Analysis: [Is this justified? What is the real risk?]
[Repeat for each finding]

Files Inventory

Files Inventory

[Table of all files with size, permissions, and notes]
[Table of all files with size, permissions, and notes]

Verdict

Verdict

[SAFE TO INSTALL / INSTALL WITH CAUTION / DO NOT INSTALL]

[SAFE TO INSTALL / INSTALL WITH CAUTION / DO NOT INSTALL]

Reasoning: [2-3 sentence summary of why]
Key concerns (if any):
  1. [Specific concern with file:line reference]
  2. [Specific concern with file:line reference]
Mitigations (if applicable):
  1. [What the user can do to reduce risk]
  2. [Specific files to review or modify]
undefined
Reasoning: [2-3 sentence summary of why]
Key concerns (if any):
  1. [Specific concern with file:line reference]
  2. [Specific concern with file:line reference]
Mitigations (if applicable):
  1. [What the user can do to reduce risk]
  2. [Specific files to review or modify]
undefined

Phase 3: Verdict

阶段3:给出结论

Apply the verdict decision matrix:
Risk LevelCriteriaVerdict
SAFENo findings or only informationalSAFE TO INSTALL
LOWMinor patterns with clear legitimate contextSAFE TO INSTALL (note findings)
MEDIUMNetwork calls, file access, or installs with plausible purposeINSTALL WITH CAUTION
HIGHObfuscation, credential access, injection, or escalation without justificationDO NOT INSTALL
CRITICALExfiltration, reverse shells, encoded payloads, or active prompt injectionDO NOT INSTALL
When delivering the verdict, present it clearly with:
  1. Verdict badge: Use the exact phrase for easy scanning
  2. One-line summary: What the skill does and whether that's safe
  3. Top 3 concerns: If any, with specific file:line references
  4. Recommendation: What to do next (install, review specific files, or reject)
使用以下结论决策矩阵:
风险等级判定标准结论
SAFE无问题或仅存在信息性提示SAFE TO INSTALL
LOW存在次要模式,但有明确的合理上下文SAFE TO INSTALL(备注发现的问题)
MEDIUM存在网络调用、文件访问或安装操作,且有合理用途INSTALL WITH CAUTION
HIGH存在混淆代码、凭证访问、注入或权限提升操作,且无合理依据DO NOT INSTALL
CRITICAL存在数据泄露、反向Shell、编码负载或主动提示注入DO NOT INSTALL
给出结论时,需清晰呈现以下内容:
  1. 结论标识:使用精确的表述以便快速识别
  2. 一句话总结:Skill的功能及安全性
  3. Top 3风险点:若有,需包含具体的文件:行号引用
  4. 建议:下一步操作(安装、检查特定文件或拒绝安装)

Phase 4: Offer Installation (Safe/Low verdicts only)

阶段4:提供安装选项(仅适用于安全/低风险结论)

If the verdict is SAFE TO INSTALL or INSTALL WITH CAUTION, ask the user if they want to install the skill now.
如果结论为SAFE TO INSTALLINSTALL WITH CAUTION,询问用户是否立即安装该Skill。

Reconstruct the install command

重建安装命令

Build the 
npx skills add
command from the information gathered in Phase 0:
  • If the input was already an install command (
    npx skills add ...
    ): reuse it as-is
  • If the input was a GitHub URL (
    https://github.com/owner/repo
    ):
    • Without 
      --skill
      : 
      npx skills add https://github.com/owner/repo
    • With 
      --skill X
      : 
      npx skills add https://github.com/owner/repo --skill X
  • If the input was a local path: installation via 
    npx skills add
    is not applicable — skip this phase
根据阶段0收集的信息构建
npx skills add
命令:
  • 如果输入本身就是安装命令
    npx skills add ...
    ):直接复用该命令
  • 如果输入是GitHub URL
    https://github.com/owner/repo
    ): 
    • --skill
      参数:
      npx skills add https://github.com/owner/repo
    • --skill X
      参数:
      npx skills add https://github.com/owner/repo --skill X
  • 如果输入是本地路径:无法通过
    npx skills add
    命令安装,跳过此阶段

Ask and install

询问并执行安装

Present the install command to the user and ask if they want to proceed:
The skill passed the audit. Would you like to install it now?
npx skills add https://github.com/owner/repo --skill skill-name
If the user confirms, run the command. If the verdict was INSTALL WITH CAUTION, remind them of the key concerns before asking.
Do NOT offer installation for DO NOT INSTALL verdicts.
向用户展示安装命令并询问是否继续:
该Skill通过审核。是否立即安装?
npx skills add https://github.com/owner/repo --skill skill-name
如果用户确认,则执行该命令。如果结论为INSTALL WITH CAUTION,在询问前需提醒用户关键风险点。
对于DO NOT INSTALL的结论,不得提供安装选项。

Important Notes

重要注意事项

  • Always read ALL files in the skill - never skip based on file extension alone
  • Binary files (.png, .pptx, etc.) cannot be scanned for content but note their presence
  • A finding is NOT automatically a vulnerability - apply contextual judgment
  • Skills that only contain 
    .md
    files with no scripts are generally lower risk
  • The scanner catches patterns, not intent - human-readable analysis is the core value
  • 务必读取Skill中的所有文件——绝不能仅根据文件扩展名跳过某些文件
  • 二进制文件(.png、.pptx等)无法扫描内容,但需记录其存在
  • 检测到的模式并不自动等同于漏洞——需结合上下文判断
  • 仅包含
    .md
    文件且无脚本的Skill通常风险较低
  • 扫描工具仅能检测模式,无法判断意图——人工可读分析是核心价值