skill-validator

Skill Validator

When to use this skill

Use this skill when you need to validate an agent skill folder, checking its structure, content, and adherence to best practices. This includes verifying frontmatter, readability, workflow definitions, validation steps, cross-references, and isolation from other skills.

Validation steps

  1. Read the skill folder structure: Ensure the folder contains a SKILL.md file. Check for optional subdirectories like scripts/, references/, assets/, but note that the skill must work in isolation without relying on other skills.
  2. Validate frontmatter:
    • The SKILL.md file must start with YAML frontmatter containing at least name (short identifier) and description (clear indication of when to use the skill).
    • The description must be clear enough for agents to determine relevance without ambiguity.
    • The description should include either "When to use" or "Use this skill when" to clearly indicate applicability. If this phrasing is missing, it can lead to confusion about when the skill should be applied. To fix this, ensure the description contains a clear statement of the conditions or scenarios in which the skill is relevant, using one of the recommended phrases for clarity.
  3. Check cross-references: Parse the markdown content for links and references. Ensure internal links (e.g., to headings) point to existing sections. For file references, verify they exist within the skill's directory.
  4. Assess readability and conciseness:
    • Instructions should use clear, concise language.
    • Avoid overly verbose explanations; aim for direct, actionable content.
    • Check for grammar, spelling, and logical flow.
  5. Verify clear workflow definitions:
    • The skill should provide step-by-step instructions for performing the task.
    • Workflows must be unambiguous, with clear prerequisites, steps, and expected outcomes.
  6. Check for validation steps:
    • The skill must include steps at the end to validate that it was correctly executed (e.g., verify output, check for side effects).
    • This ensures the skill can confirm success or failure.
  7. Detect hallucinations:
    • Ensure instructions do not assume or reference non-existent tools, libraries, or capabilities.
    • All referenced tools or methods must be realistic and available in standard environments.
  8. Confirm isolation:
    • The skill should not reference or depend on other skills.
    • All necessary assets, scripts, and references must be bundled within the skill's directory.
  9. Detect duplicate content:
    • Scan all files (SKILL.md and supporting files) for overlapping or duplicate sections/instructions.
    • Check for repeated explanations, examples, or workflows across multiple files.
    • Identify content that could be consolidated or cross-referenced more efficiently.
    • Flag redundant subsections within the same file (e.g., repeated step descriptions).
    • Duplicates waste token budget and confuse users; consolidate where possible.
  10. Estimate token cost (skill weight):
    • Calculate approximate token count for the entire skill (SKILL.md + references + assets)
    • Consider all text content, code examples, and documentation
    • Categorize the skill's "weight" based on token consumption:
      • Lightweight (< 2,000 tokens): Simple, focused skills
      • Small (2,000-4,000 tokens): Moderate skills with examples
      • Medium (4,000-8,000 tokens): Comprehensive skills with multiple sections
      • Large (8,000-15,000 tokens): Extensive skills with many examples
      • Heavy (15,000-25,000 tokens): Very comprehensive skills
      • Overweight (> 25,000 tokens): Potentially too large; consider splitting
    • Include weight in validation report for context awareness
  11. Security audit ⭐ NEW:
    • Run the security validation module to check for common security vulnerabilities
    • Check for untrusted data sources (git, subprocess, files, APIs, user input)
    • Verify all untrusted data is properly sanitized before use
    • Identify high-privilege operations and verify they have user confirmation
    • Detect injection vulnerabilities (prompt, shell, SQL, code)
    • Verify error handling is comprehensive and doesn't leak sensitive data
    • Confirm secrets/credentials are not hardcoded and .env is documented
    • The security module will flag potential issues for remediation
    • Tools: Use scripts/security_audit.py to automatically scan the skill
  12. Summarize and validate execution:
    • After completing all checks, provide a concise summary of the validation results, confirming the skill's status (valid or invalid), listing any issues, and suggesting fixes.
    • Categorize issues by severity (Critical 🚨, Warning ⚠️, Info ℹ️) and group them accordingly.
    • Include the skill's weight classification and token estimate.
    • If issues are found, include examples and suggestions for fixes. If no issues, confirm validity with a positive note.
    • This step ensures the validation process itself was correctly executed and provides closure.
  13. Check for user information presentation examples:
    • If the skill involves displaying or outputting information to the user (e.g., validation results, reports, or checklists), IT IS MANDATORY for it to include concrete examples of output formats.
    • Specify sample outputs, such as validation summaries with categorized issues (Critical 🚨, Warning ⚠️, Info ℹ️), checklists, or formatted messages.
    • This sets clear expectations and improves user experience by demonstrating the exact presentation style.
  14. Validate security audit report (automated via scripts/security_audit.py):
    • The security audit script generates a detailed report with security findings
    • Review any flagged issues and ensure they are addressed
    • Critical issues (🚨) must be resolved before the skill is approved
    • Warnings (⚠️) should be reviewed and justified if not addressed
    • Info items (ℹ️) are recommendations for future improvements
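
Steps 2, 3 and 8 above (frontmatter, cross-references, isolation) sketched as an added example; it is not code from the skill-validator project. The severity assigned to each finding, the GitHub-style anchor slugs and the flat `key: value` frontmatter parsing are assumptions, and the sample skill is constructed.

```python
import re
import tempfile
from pathlib import Path

FRONTMATTER_RE = re.compile(r"\A---\n(.*?)\n---\n", re.DOTALL)
HEADING_RE = re.compile(r"^#{1,6}[ \t]+(.+?)[ \t]*$", re.MULTILINE)
LINK_RE = re.compile(r"\[[^\]]*\]\(([^)\s]+)\)")
PHRASES = ("when to use", "use this skill when")


def parse_frontmatter(text):
    """Return (fields, body); handles flat 'key: value' pairs only (assumption)."""
    m = FRONTMATTER_RE.match(text)
    if not m:
        return None, text
    pairs = (line.partition(":") for line in m.group(1).splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}, text[m.end():]


def slugify(heading):
    """GitHub-style heading anchor (assumed convention for internal links)."""
    return re.sub(r"\s+", "-", re.sub(r"[^\w\s-]", "", heading.lower()).strip())


def check_skill(skill_dir):
    """Return (severity, message) findings for one skill folder."""
    root = Path(skill_dir).resolve()
    skill_md = root / "SKILL.md"
    if not skill_md.is_file():
        return [("critical", "SKILL.md is missing")]
    findings = []
    fields, body = parse_frontmatter(skill_md.read_text(encoding="utf-8"))
    for key in ("name", "description"):
        if not (fields or {}).get(key):
            findings.append(("critical", f"frontmatter is missing '{key}'"))
    description = (fields or {}).get("description", "").lower()
    if description and not any(p in description for p in PHRASES):
        findings.append(("warning", "description has no 'Use this skill when' phrase"))
    anchors = {slugify(h) for h in HEADING_RE.findall(body)}
    for target in LINK_RE.findall(body):
        if re.match(r"[a-z][a-z0-9+.-]*:", target, re.I):
            continue  # external URL, out of scope for this check
        path_part, _, fragment = target.partition("#")
        if not path_part:
            if fragment not in anchors:
                findings.append(("warning", f"broken anchor: #{fragment}"))
            continue
        # Resolve before comparing so "../" segments cannot slip past the check.
        resolved = (root / path_part).resolve()
        if resolved != root and root not in resolved.parents:
            findings.append(("critical", f"reference leaves the skill directory: {target}"))
        elif not resolved.exists():
            findings.append(("warning", f"missing file: {target}"))
    return findings


def run_demo():
    """Build a constructed sample skill in a temp dir and validate it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "demo-skill"
        (root / "references").mkdir(parents=True)
        (root / "references" / "workflow.md").write_text("# Workflow\n", encoding="utf-8")
        (root / "SKILL.md").write_text(
            "---\nname: demo-skill\ndescription: Formats reports.\n---\n"
            "# Demo\n\n## Validation steps\n\n"
            "See [steps](#validation-steps), [flow](references/workflow.md),\n"
            "[gone](references/missing.md), [other](../other-skill/SKILL.md)\n"
            "and [nope](#no-such-heading).\n",
            encoding="utf-8",
        )
        return check_skill(root)
```

The sample yields four findings: the vague description, the missing file, the reference that escapes the skill folder, and the broken anchor.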

Examples

When issues are found:

🚨 Critical Issues:
  • Missing required frontmatter (e.g., no name field): Fix by adding the missing field to the YAML frontmatter.
⚠️ Warnings:
  • Unclear description: Improve by making it more specific about when to use the skill.
  • Duplicate instructions detected in SKILL.md and references/workflow.md: Consolidate by moving to one location and cross-referencing.
ℹ️ Info:
  • Minor readability suggestions: Consider shortening verbose sections for conciseness.
  • Skill weight: Medium (6,500 tokens) - Consider breaking into smaller, focused skills if it grows beyond 8,000 tokens.

When no issues are found:

No issues found. The skill is valid and ready for use.
  • Skill weight: Lightweight (1,200 tokens) - Efficient for loading and execution.

Duplicate Content Detection

Detection Strategy

  1. Identify sections: Extract all major sections (headers) from SKILL.md and all supporting files
  2. Extract content blocks: For each section, identify paragraphs, lists, code blocks, and examples
  3. Semantic comparison: Compare content blocks across files for:
    • Exact duplicates (word-for-word matches)
    • Near-duplicates (same concept, slightly different wording, > 80% similarity)
    • Partial duplicates (repeated phrases or examples within a file)
  4. Context analysis: Determine if duplication serves a purpose or is redundant
  5. Report findings: List all duplicates with file locations and consolidation suggestions
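
The detection strategy above as an added example, not the project's own code. Word-sequence similarity from Python's `difflib` stands in for the semantic comparison the strategy describes, which is an assumption, and the two sample files are constructed.

```python
import re
from difflib import SequenceMatcher
from itertools import combinations

NEAR_DUPLICATE = 0.80  # the "> 80% similarity" cut-off from the strategy above


def content_blocks(name, text):
    """Yield (file, heading, words) for each paragraph or list under a heading."""
    heading = "(top)"
    for chunk in re.split(r"\n[ \t]*\n", text):
        chunk = chunk.strip()
        if chunk.startswith("#"):
            first, _, chunk = chunk.partition("\n")
            heading = first.lstrip("#").strip()
        # Normalise case and punctuation so wording, not markup, is compared.
        words = re.sub(r"[^\w\s]", "", chunk.lower()).split()
        if words:
            yield name, heading, words


def find_duplicates(files, min_words=6):
    """Compare every pair of blocks; short blocks are skipped to avoid noise."""
    blocks = [b for name, text in files.items()
              for b in content_blocks(name, text) if len(b[2]) >= min_words]
    findings = []
    for (f1, h1, w1), (f2, h2, w2) in combinations(blocks, 2):
        ratio = SequenceMatcher(None, w1, w2, autojunk=False).ratio()
        if w1 == w2:
            kind = "exact"
        elif ratio > NEAR_DUPLICATE:
            kind = "near"
        else:
            continue
        findings.append({"kind": kind, "similarity": round(ratio, 2),
                         "a": f"{f1} > {h1}", "b": f"{f2} > {h2}"})
    return findings


# Constructed sample files, modelled on the tool-description case in the report.
SAMPLE = {
    "SKILL.md": (
        "## Tools\n\n"
        "Tool permissions are boolean or ask/allow/deny and apply to every agent run.\n\n"
        "## Setup\n\n"
        "Install the package and restart the agent before running the workflow again.\n"
    ),
    "references/opencode-agents.md": (
        "## Tools config\n\n"
        "Tool permissions are boolean or ask/allow/deny and apply to each agent run.\n\n"
        "## Setup\n\n"
        "Install the package and restart the agent before running the workflow again.\n"
    ),
}

if __name__ == "__main__":
    for finding in find_duplicates(SAMPLE):
        print(finding)
```

Because every pair of blocks is compared, the same function also reports repeats within a single file.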

Common Duplication Patterns to Flag

| Pattern | Example | Action |
|---|---|---|
| Repeated workflow steps | Step description appears in both SKILL.md and references/workflow.md | Consolidate; cross-reference |
| Duplicate examples | Same code example shown in multiple sections | Keep in one place; reference from others |
| Overlapping explanations | Same concept explained twice with different wording | Merge explanations; remove redundancy |
| Repeated guidelines | Same best practices listed in two sections | Single source of truth; reference |
| Tool descriptions | Same tool explained in multiple files | Define once; reference elsewhere |

Token Cost Estimation

Token Calculation Method

  1. Estimate word count: Count all words across all skill files
  2. Apply conversion ratio: Use ~1.3 tokens per word for English text (average for LLM tokenization)
  3. Add overhead: Account for:
    • YAML frontmatter (50 tokens base)
    • Markdown formatting overhead (+10% of content tokens)
    • Code blocks (count as 1.0 tokens per word due to tokenization patterns)
  4. Total calculation:
    Total Tokens = (SKILL.md words × 1.3) + (Reference files words × 1.3) + 
                   (Code blocks words × 1.0) + (Formatting overhead 10%) + 50

Weight Classification

| Weight | Token Range | Description | Agent Impact |
|---|---|---|---|
| 🟢 Lightweight | < 2,000 | Simple, focused skill | Minimal context usage; fast loading |
| 🟢 Small | 2,000-4,000 | Moderate skill with examples | Low context overhead; responsive |
| 🟡 Medium | 4,000-8,000 | Comprehensive skill | Balanced context usage; standard |
| 🟠 Large | 8,000-15,000 | Extensive skill with many examples | Significant context usage |
| 🔴 Heavy | 15,000-25,000 | Very comprehensive skill | High context consumption |
| 🔴 Overweight | > 25,000 | Too large; consider splitting | Problematic for context limits |
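
The Token Calculation Method and the weight table combined in one added example, which is not the project's own code. It assumes the 10% formatting overhead applies to prose plus code tokens, that frontmatter is covered by the flat 50-token charge rather than counted as words, and that a shared band boundary goes to the heavier band; the sample files are constructed.

```python
import re

TICKS = "`" * 3  # Markdown code-fence marker, built here to keep this block fence-safe
FRONTMATTER_RE = re.compile(r"\A---\n.*?\n---\n", re.DOTALL)
FENCE_RE = re.compile(rf"^{TICKS}.*?^{TICKS}[ \t]*$", re.MULTILINE | re.DOTALL)

# Upper bounds from the classification table.
BANDS = [(2_000, "Lightweight"), (4_000, "Small"), (8_000, "Medium"), (15_000, "Large")]


def classify(tokens):
    """Map a token estimate to the table's weight label."""
    for upper, label in BANDS:
        if tokens < upper:
            return label
    return "Heavy" if tokens <= 25_000 else "Overweight"


def split_words(markdown):
    """Return (prose_words, code_words); frontmatter is excluded from both."""
    body = FRONTMATTER_RE.sub("", markdown, count=1)
    code = 0
    for fence in FENCE_RE.findall(body):
        # Drop the opening and closing fence lines, count what is between them.
        code += len(" ".join(fence.splitlines()[1:-1]).split())
    prose = len(FENCE_RE.sub("", body).split())
    return prose, code


def estimate(files):
    """Apply: (prose x 1.3 + code x 1.0) + 10% formatting overhead + 50."""
    prose = code = 0
    for text in files.values():
        p, c = split_words(text)
        prose, code = prose + p, code + c
    content = prose * 1.3 + code * 1.0
    tokens = round(content * 1.10 + 50)
    return {"prose_words": prose, "code_words": code,
            "tokens": tokens, "weight": classify(tokens)}


# Constructed sample: 1,000 prose words and a 100-word code block in SKILL.md,
# plus a 4,000-word reference file.
SAMPLE = {
    "SKILL.md": "---\nname: demo\ndescription: Use this skill when testing.\n---\n"
                + "word " * 1000 + f"\n{TICKS}bash\n" + "cmd " * 100 + f"\n{TICKS}\n",
    "references/guide.md": "ref " * 4000,
}

if __name__ == "__main__":
    print(estimate(SAMPLE))
```

An unclosed code fence is not matched by `FENCE_RE`, so its words are counted as prose at 1.3 tokens per word.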

Weight Assessment Examples

Example 1: Lightweight Skill (1,200 tokens)
  • Simple workflow: 3-4 steps
  • Minimal supporting files
  • Few examples (1-2)
  • Limited configuration options
Example 2: Medium Skill (6,500 tokens)
  • Comprehensive workflow: 6-8 steps
  • 2-3 reference files
  • Multiple examples (4-6)
  • Detailed configuration guide
  • Best practices section
Example 3: Heavy Skill (18,000 tokens)
  • Complex multi-phase workflow: 10+ steps
  • 4-5 reference files with extensive content
  • Many examples (8+) with detailed output
  • Comprehensive configuration guide
  • Multiple use cases and edge cases
  • Troubleshooting section
  • Recommendation: Consider splitting into focused sub-skills

Output Format Example

Skill Validation Report

═══════════════════════════════════════════════════════════
SKILL VALIDATION REPORT
═══════════════════════════════════════════════════════════

Skill: custom-agent-creator
Validation Date: 2024-02-21

───────────────────────────────────────────────────────────
GENERAL INFORMATION
───────────────────────────────────────────────────────────

Status: ✅ VALID
Skill Weight: 🟡 Medium (6,800 tokens)
Files Analyzed: 4
  - SKILL.md (3,200 tokens)
  - references/copilot-agents.md (1,500 tokens)
  - references/opencode-agents.md (1,400 tokens)
  - assets/ (2 templates, 700 tokens)

───────────────────────────────────────────────────────────
VALIDATION RESULTS
───────────────────────────────────────────────────────────

✅ Frontmatter: Valid
✅ Cross-References: All valid (3 internal, 2 file refs)
✅ Readability: Clear and concise
✅ Workflow: Well-defined (6 steps)
✅ Validation Steps: Comprehensive (5 categories)
✅ No Hallucinations: All tools/libraries verified
✅ Isolation: Self-contained (no skill dependencies)
✅ User Examples: 4 concrete examples with output
⚠️ Duplicate Content: 1 minor (see below)

───────────────────────────────────────────────────────────
DUPLICATE CONTENT DETECTED
───────────────────────────────────────────────────────────

⚠️ WARNING: Overlapping tool descriptions found

Location 1: SKILL.md, line 47 (OpenCode tools section)
Location 2: references/opencode-agents.md, line 282 (tools config section)

Issue: "Tool permissions are boolean or ask/allow/deny" 
       described in both locations with 85% similarity

Recommendation: Keep in SKILL.md (main reference), add cross-link 
              in references file for clarity

───────────────────────────────────────────────────────────
WEIGHT ANALYSIS
───────────────────────────────────────────────────────────

Total Content: 6,800 tokens
Content Distribution:
  - Instructions: 35% (2,380 tokens)
  - Examples: 40% (2,720 tokens)
  - References: 20% (1,360 tokens)
  - Formatting: 5% (340 tokens)

Classification: 🟡 MEDIUM
Impact: Balanced context usage; suitable for most use cases
Recommendation: Current size is optimal. No splitting needed.

If future expansion needed, consider:
- Moving Copilot agent examples to separate skill
- Creating OpenCode-specific variant
- Extracting template examples to assets folder

───────────────────────────────────────────────────────────
ISSUES SUMMARY
───────────────────────────────────────────────────────────

🚨 Critical Issues: 0
⚠️ Warnings: 1 (duplicate content - minor)
ℹ️ Info: 0

───────────────────────────────────────────────────────────
CONCLUSION
───────────────────────────────────────────────────────────

Status: ✅ APPROVED FOR PRODUCTION

The skill is well-structured, comprehensive, and ready for use.
Recommend addressing the minor duplicate content warning in the
next maintenance cycle for optimization.

═══════════════════════════════════════════════════════════

Security Audit Module

The skill-validator now includes a built-in security audit module (scripts/security_audit.py) that checks for common security vulnerabilities. This module implements six comprehensive validation rules:

Security Rules

Rule 1: Untrusted Data Detection
  • Identifies external data sources (git, subprocess, files, APIs, user input)
  • Flags sources that need sanitization
  • Severity: HIGH (CRITICAL for git data and subprocess)
Rule 2: Sanitization Requirement Verification
  • Verifies untrusted data is sanitized before use
  • Checks for sanitization functions in the skill code
  • Severity: CRITICAL if untrusted data found without sanitization
Rule 3: High-Privilege Operation Detection
  • Identifies dangerous operations: file deletion, git push, shell execution
  • Requires human confirmation for these operations
  • Severity: CRITICAL for force operations
Rule 4: Injection Risk Analysis
  • Detects potential injection vulnerabilities: prompt, shell, SQL, code
  • Flags suspicious keywords that indicate attack attempts
  • Severity: CRITICAL
Rule 5: Error Handling Completeness
  • Verifies try/catch blocks for external operations
  • Checks for timeout protection
  • Ensures no sensitive data in error messages
  • Severity: HIGH
Rule 6: Secrets Protection
  • Detects hardcoded credentials
  • Verifies .env and environment variables are documented
  • Flags missing secrets protection
  • Severity: CRITICAL for hardcoded secrets
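
How Rules 2, 3 and 6 can be checked line by line, as an added example; this is not the contents of scripts/security_audit.py, and every pattern, the same-line confirmation test and the "high" severity for a plain git push are assumptions. Both sample skills are constructed: one weak, one corrected.

```python
import re

SANITIZE_RE = re.compile(r"\b(sanitiz|sanitis|escap|validat)\w*", re.I)
CONFIRM_RE = re.compile(r"\b(confirm|approv)\w*", re.I)
UNTRUSTED = [  # Rule 1 sources that feed the Rule 2 check
    (re.compile(r"\bgit\s+(log|diff|show)\b"), "git data"),
    (re.compile(r"\bsubprocess\.\w+|\bos\.system\b"), "subprocess output"),
]
HIGH_PRIV = [  # Rule 3 operations: (pattern, label, severity)
    (re.compile(r"\bgit\s+push\b.*?(--force\b|\s-f\b)"), "force push", "critical"),
    (re.compile(r"\bgit\s+push\b(?!.*(--force\b|\s-f\b))"), "git push", "high"),
    (re.compile(r"\brm\s+-(?:\w*r\w*f|\w*f\w*r)\b"), "forced recursive delete", "critical"),
]
# Rule 6: a credential-like name assigned a literal value. Values starting with
# "$" or "<" (environment references, placeholders) do not match.
SECRET_RE = re.compile(
    r"\b(api[_-]?key|token|password|secret)\b\s*[:=]\s*[\"']?([A-Za-z0-9_-]{12,})", re.I)


def audit(skill_text):
    """Return findings as (line_no, rule, severity, message), in line order."""
    sanitised = bool(SANITIZE_RE.search(skill_text))
    findings = []
    for no, line in enumerate(skill_text.splitlines(), start=1):
        for pattern, label in UNTRUSTED:
            if pattern.search(line) and not sanitised:
                findings.append((no, 2, "critical", f"{label} used with no sanitisation step"))
        for pattern, label, severity in HIGH_PRIV:
            if pattern.search(line) and not CONFIRM_RE.search(line):
                findings.append((no, 3, severity, f"{label} without user confirmation"))
        m = SECRET_RE.search(line)
        if m:  # report the variable name only, never the matched value
            findings.append((no, 6, "critical", f"hardcoded value assigned to {m.group(1)}"))
    return findings


def status(findings):
    return "FAILED" if any(f[2] == "critical" for f in findings) else "PASSED"


WEAK_SKILL = "\n".join([  # constructed sample
    "## Workflow",
    "1. Collect commit messages with `git log --oneline -20`.",
    "2. Summarise them for the user.",
    "3. Ask the user to confirm, then run `git push origin main`.",
    "4. Clean up with `rm -rf build/` and `git push --force origin main`.",
    "",
    "## Configuration",
    'API_KEY = "CONSTRUCTEDsampleVALUE01"',
    "Set TOKEN=${DEPLOY_TOKEN} in .env.",
])

HARDENED_SKILL = "\n".join([  # constructed sample, corrected
    "## Workflow",
    "1. Collect commit messages with `git log --oneline -20` and sanitize them before use.",
    "2. Ask the user to confirm, then run `git push origin main`.",
    "3. After explicit user approval, clean up with `rm -rf build/`.",
    "",
    "## Configuration",
    "Set API_KEY=${SKILL_API_KEY} in .env (documented below).",
])

if __name__ == "__main__":
    for sample in (WEAK_SKILL, HARDENED_SKILL):
        result = audit(sample)
        print(status(result), result)
```

Keyword matching of this kind shows where to look; a mention of "sanitize" or "confirm" in the text does not prove the step is effective, so flagged and unflagged lines both still need review.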

Running Security Audit

Basic usage

python3 scripts/security_audit.py /path/to/SKILL.md

Example output

════════════════════════════════════════════════════════════
SECURITY AUDIT REPORT
════════════════════════════════════════════════════════════

Skill: /path/to/SKILL.md
Status: ✅ PASSED

────────────────────────────────────────────────────────────
SUMMARY
────────────────────────────────────────────────────────────

🚨 Critical Issues: 0
⚠️ High Priority: 0
ℹ️ Medium Priority: 0
Total Issues: 0

✅ No security issues detected!
════════════════════════════════════════════════════════════

Integration with Validation Workflow

The security audit is automatically run as Step 11 of the validation process. Security issues are categorized by severity:
  • 🚨 Critical: Must be fixed before production deployment
  • ⚠️ Warning: Should be reviewed and justified
  • ℹ️ Info: Recommendations for future improvements

Tools to use

  • File reading and parsing tools to examine SKILL.md and associated files.
  • Markdown parsing for cross-reference checking and header extraction.
  • Text analysis for readability assessment and duplicate detection.
  • Token counting for weight estimation (approximate: 1.3 tokens/word).
  • Security audit: scripts/security_audit.py for automated vulnerability scanning (NEW)