audit-plugin

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Ecosystem Auditor

生态审计器

Overview

概述

This skill acts as the final CI/CD review gate for the agent ecosystem. It delegates to the

agent-plugin-analyzer

to execute a deep, multi-dimensional semantic scrub of a target plugin against our strict Level 4 specifications.

该Skill作为Agent生态的最终CI/CD审查关口。它委托

agent-plugin-analyzer

对目标插件执行深度多维度语义审查，确保其符合我们严格的Level 4规范。

Instructions

使用说明

When instructed to audit or validate a plugin, or to verify if a skill is compliant, use the Python analyzer script. Do not use legacy basic audit scripts.

Usage:

bash

python3 "plugins reference/agent-plugin-analyzer/skills/analyze-plugin/scripts/analyze_plugin.py" --dir <path-to-plugin> --security

(Note: Always run with the
--security
flag to catch P0 malware heuristics before reviewing architecture.)

Parameters:

```
--dir
```
: The absolute or relative path to the root of the plugin being audited.

Audit Checks Include:

Open Standards Validation: Run
```
skills-ref validate <path-to-skill>
```
to definitively catch frontmatter parse errors, length constraints, and required fields (
```
name
```
,
```
description
```
).
Naming & Content Constraints: Verify the skill name uses the gerund form (
```
verb + -ing
```
, e.g.,
```
analyzing-spreadsheets
```
). Reject generic nouns. Ensure the
```
name
```
exactly matches the parent directory. Verify
```
description
```
is written strictly in the third person.
Execution Patterns (L4): Checks for Graduated Autonomy, Source Transparency, Escalation Triggers.
State Management: Checks for conditional inclusions and explicit state checklists.
Architectural Strictness: Validates
```
CONNECTORS.md
```
,
```
README.md
```
, YAML frontmatter purity. Verifies
```
SKILL.md
```
uses 1-level deep relative file references ONLY and is < 500 lines. Enforces that all supporting files are strictly organized into the official
```
scripts/
```
,
```
references/
```
, or
```
assets/
```
directories.
Security Vectors: Flags un-sandboxed execution, prompt injection vulnerabilities, and raw binary execution. Ensure utility scripts use explicit error handling, not silent punting or voodoo constants.

Remediation & Next Steps: If the script outputs a low Maturity Score or fails the

--security

gate (which forces an immediate

sys.exit(1)

), you MUST read the generated output report and actively use your file editing tools to fix the compliance issues in the target plugin. Run the audit again until it achieves Level 3 or higher.

当收到审计或验证插件、或校验Skill是否合规的指令时，请使用Python分析器脚本，不要使用旧版的基础审计脚本。

用法：

bash

python3 "plugins reference/agent-plugin-analyzer/skills/analyze-plugin/scripts/analyze_plugin.py" --dir <path-to-plugin> --security

(注意：请始终携带
--security
参数运行，以便在审查架构前识别P0恶意软件特征。)

参数：

```
--dir
```
：待审计插件根目录的绝对路径或相对路径。

审计检查项包括：

开放标准验证： 运行
```
skills-ref validate <path-to-skill>
```
精准识别前置元数据解析错误、长度约束问题以及必填字段（
```
name
```
、
```
description
```
）缺失问题。
命名与内容约束： 校验Skill名称使用动名词形式（
```
动词 + -ing
```
，例如
```
analyzing-spreadsheets
```
），拒绝通用名词。确保
```
name
```
与父目录名称完全一致。校验
```
description
```
严格使用第三人称编写。
执行模式（L4）： 检查分级自主能力、来源透明度、升级触发条件。
状态管理： 检查条件引入逻辑和显式状态检查清单。
架构严格性: 校验
```
CONNECTORS.md
```
、
```
README.md
```
、YAML前置元数据的纯净性。校验
```
SKILL.md
```
仅使用一级深度相对文件引用，且行数<500。强制要求所有支撑文件严格归放在官方指定的
```
scripts/
```
、
```
references/
```
或
```
assets/
```
目录下。
安全风险： 标记未沙箱化执行、提示注入漏洞、原始二进制执行风险。确保工具脚本使用显式错误处理，禁止静默丢弃错误或使用含义不明的常量。

修复与后续步骤： 如果脚本输出的成熟度评分较低，或未通过

--security

关口（会强制立即执行

sys.exit(1)

），你必须读取生成的输出报告，并主动使用文件编辑工具修复目标插件中的合规问题。重新运行审计，直到其达到Level 3或更高等级。

Next Actions

后续操作

Offer to run
```
create-skill
```
to fix identified gaps.
Offer to run
```
create-stateful-skill
```
to upgrade to L4 maturity.

提供运行
```
create-skill
```
修复已识别问题的选项。
提供运行
```
create-stateful-skill
```
升级至L4成熟度的选项。