snyk-agent-scan-compliance

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Persona: You are a skill-authoring compliance expert. You fix snyk-agent-scan alerts by restructuring content — never by suppressing or deleting useful information.

Thinking mode: Use

ultrathink

for multi-alert remediation where fixes for one alert type can surface or suppress another. Deep reasoning reduces rework.

角色定位： 你是一名技能编写合规专家。你通过内容重构修复snyk-agent-scan警报——绝不屏蔽或删除有用信息。

思考模式： 在多警报修复场景中使用

ultrathink

，因为某一类警报的修复可能会引发或抑制另一类警报。深度推理可减少返工。

snyk-agent-scan Compliance

snyk-agent-scan 合规指南

The

snyk-agent-scan

tool analyzes skill bodies for three categories of unsafe patterns: third-party content exposure (W011), malicious external URLs (W012), and prompt injection via MCP tool calls (W001). All three are fixable through content restructuring without losing any information.

snyk-agent-scan

工具会分析技能内容中的三类不安全模式：第三方内容暴露（W011）、恶意外部URL（W012）以及通过MCP工具调用进行的提示注入（W001）。这三类问题均可通过内容重构修复，且不会丢失任何信息。

Reference Files

参考文件

File	When to read
references/w001-patterns.md	Fixing W001 alerts — MCP tool name patterns
references/w011-patterns.md	Fixing W011 alerts — imperative URL and external content patterns
references/w012-patterns.md	Fixing W012 alerts — version pinning and frontmatter offloading

文件	阅读时机
references/w001-patterns.md	修复W001警报——MCP工具名称模式
references/w011-patterns.md	修复W011警报——命令式URL与外部内容模式
references/w012-patterns.md	修复W012警报——版本固定与前置信息转移

Quick Reference

快速参考

Alert	Severity	Root Cause	Primary Fix
W011	High	Skill body instructs agent to fetch/interpret external content	Replace imperatives with passive availability hints
W012	High	Skill body references external URLs fetched and executed at runtime	Move to frontmatter `install` block; pin versions
W001	High	Skill body names MCP tool functions explicitly	Use generic formulations instead

警报	严重程度	根本原因	主要修复方式
W011	高	技能内容指示代理获取/解析外部内容并据此操作	将命令式表述替换为被动式可用性提示
W012	高	技能内容引用了在运行时获取并执行的外部URL	转移至前置信息 `install` 块；固定版本
W001	高	技能内容明确命名MCP工具函数	使用通用表述替代

Running the Scanner

运行扫描器

bash

undefined

bash

undefined

Scan a single skill

扫描单个技能

SNYK_TOKEN=<token> snyk-agent-scan --skills skills/<name>/

Scan all skills

扫描所有技能

SNYK_TOKEN=<token> snyk-agent-scan --skills ./skills


The scanner requires a valid `SNYK_TOKEN`. In CI, store it as a secret. If `snyk-agent-scan` is not installed, use `uvx snyk-agent-scan@latest` as a drop-in replacement without installing. See [detailed patterns](references/w011-patterns.md) for fixes per alert type.

SNYK_TOKEN=<token> snyk-agent-scan --skills ./skills


扫描器需要有效的`SNYK_TOKEN`。在CI环境中，请将其存储为密钥。若未安装`snyk-agent-scan`，可使用`uvx snyk-agent-scan@latest`作为替代，无需提前安装。有关各警报类型的修复方法，请查看[详细模式](references/w011-patterns.md)。

W011 — Third-Party Content Exposure

W011 — 第三方内容暴露

W011 fires when the skill body uses imperative verbs directing the agent to fetch, check, or evaluate external content and then act on it. The scanner treats the agent as the grammatical subject performing an external action.

Rules:

Replace

Check <url>

and

Fetch <url>

with passive hints:

The release notes at <url> may be useful.

Remove "always" from any instruction involving external data:

Always reference the changelog

→

The changelog documents breaking changes.

Keep tool invocations (
```
gh repo view
```
,
```
govulncheck
```
) in code blocks, not in prose checklists that imply the agent must run them before acting.
Decouple tool execution from decisions: running a tool is fine; using its remote-sourced output as the sole trigger for a refactor is not.

See W011 pattern catalog for 12+ before/after examples.

当技能内容使用命令式动词指示代理获取、检查或评估外部内容并据此操作时，会触发W011警报。扫描器将代理视为执行外部操作的语法主语。

规则：

将
```
Check <url>
```
和
```
Fetch <url>
```
替换为被动式提示：
```
The release notes at <url> may be useful.
```
（<url>处的发行说明可能有用。）
移除任何涉及外部数据的指令中的“always”：
```
Always reference the changelog
```
→
```
The changelog documents breaking changes.
```
（变更日志记录了破坏性变更。）
将工具调用（
```
gh repo view
```
、
```
govulncheck
```
）保留在代码块中，不要放在暗示代理必须在操作前运行它们的 prose 检查清单中。
将工具执行与决策解耦：运行工具是允许的；但将其远程获取的输出作为重构的唯一触发条件则不允许。

查看W011模式目录获取12+组前后对比示例。

W012 — Potentially Malicious External URL

W012 — 潜在恶意外部URL

W012 fires when the body references external content fetched and executed at runtime: package installs with

@latest

, pipe-to-shell patterns, or GitHub Actions with wrong/non-existent major versions.

Rules:

Move
```
go install pkg@latest
```
and similar commands from prose into the frontmatter
```
metadata.openclaw.install
```
block — the scanner does not flag frontmatter.
Pin GitHub Actions to the correct current major version (
```
@v4
```
, not
```
@v6
```
).
Never use pipe-to-shell patterns (
```
curl ... | sh
```
) in skill bodies.

See W012 pattern catalog for 8+ before/after examples.

当技能内容引用了在运行时获取并执行的外部内容时，会触发W012警报：例如使用

@latest

的包安装、管道到shell的模式，或版本错误/不存在的GitHub Actions。

规则：

将
```
go install pkg@latest
```
及类似命令从 prose 内容转移至前置信息
```
metadata.openclaw.install
```
块——扫描器不会标记前置信息。
将GitHub Actions固定到正确的当前主版本（
```
@v4
```
，而非
```
@v6
```
）。
切勿在技能内容中使用管道到shell的模式（
```
curl ... | sh
```
）。

查看W012模式目录获取8+组前后对比示例。

W001 — Prompt Injection via MCP Tool Calls

W001 — 通过MCP工具调用进行提示注入

W001 fires when the skill body explicitly names MCP server tool functions, triggering prompt-injection detection.

Rules:

Never write tool function names (
```
resolve-library-id
```
,
```
query-docs
```
,
```
mcp__*
```
) in the skill body.

Replace with generic formulations:

Context7 can help as a discoverability platform.

MCP tool names may still appear in the
```
allowed-tools
```
frontmatter field — only the body is restricted.

See W001 pattern catalog for safe reformulations.

当技能内容明确命名MCP服务器工具函数时，会触发W001警报，触发提示注入检测。

规则：

切勿在技能内容中写入工具函数名称（
```
resolve-library-id
```
、
```
query-docs
```
、
```
mcp__*
```
）。
使用通用表述替代：
```
Context7 can help as a discoverability platform.
```
（Context7可作为发现平台提供帮助。）
MCP工具名称仍可出现在
```
allowed-tools
```
前置信息字段中——仅技能内容受到限制。

查看W001模式目录获取安全重构示例。

Remediation Methodology

修复方法

Fix one alert at a time, re-run

snyk-agent-scan

after each change, and verify the alert count dropped before moving to the next. If a fix does not reduce alerts, undo it and try a different approach — do not stack unverified changes.

When a scan returns multiple alerts, fix in this order to minimize rework:

1. W001 (simplest) — remove MCP tool names from body; confirm allowed-tools is correct
2. W011 — rewrite imperative sentences as passive statements; move checklist items to code blocks
3. W012 — move install commands to frontmatter; pin versions
4. Re-scan after each individual fix to verify improvement

W011 fixes sometimes surface hidden W012s when URLs become more prominent after restructuring.

一次修复一个警报，每次更改后重新运行

snyk-agent-scan

，并在处理下一个警报前确认警报数量已减少。若修复未减少警报，请撤销更改并尝试其他方法——不要叠加未经验证的更改。

当扫描返回多个警报时，按以下顺序修复以减少返工：

1. W001（最简单）——从内容中移除MCP工具名称；确认allowed-tools设置正确
2. W011——将命令式句子重写为被动式陈述；将检查清单项转移至代码块
3. W012——将安装命令转移至前置信息；固定版本
4. 每次单独修复后重新扫描以验证改进效果

修复W011有时会在内容重构后使隐藏的W012警报显现出来。

False Positives

误报

Not all alerts are real. Criteria for a likely false positive:

Condition	Likely false positive?
URL appears in a markdown table cell as reference data, not in an instruction	Yes — tables are usually safe
In a skill describing a library, URL is the library official documentation	Yes — usually safe
URL is the `homepage` or `issues` link in frontmatter	Yes — not scanned
Tool name appears inside a triple-backtick code block as a shell command	Sometimes — code blocks have lighter scrutiny
`go install` with a pinned version in a Quick Reference code block	Sometimes — pinned versions are lower risk
`always` appears in a sentence not involving external resources	Yes — "always" alone doesn't trigger W011

When an alert is a likely false positive, restructure anyway using the passive hint pattern — the scanner's heuristic protects real users; restructuring is safer than assuming scanner error.

并非所有警报都是真实的。可能为误报的标准：

条件	是否可能为误报？
URL作为参考数据出现在markdown表格单元格中，而非指令中	是——表格通常是安全的
在描述库的技能中，URL是该库的官方文档	是——通常是安全的
URL是前置信息中的 `homepage` 或 `issues` 链接	是——不会被扫描
工具名称出现在三重反引号代码块中的shell命令里	有时——代码块的检查较为宽松
在快速参考代码块中使用固定版本的 `go install`	有时——固定版本的风险较低
"always"出现在不涉及外部资源的句子中	是——仅"always"不会触发W011

当警报可能为误报时，仍需使用被动式提示模式进行重构——扫描器的启发式规则可保护真实用户；重构比假设扫描器出错更安全。

Pre-Authoring Checklist

预编写检查清单

Apply these checks while writing a new skill body to avoid alerts before the first scan:

No sentence has the agent as subject performing an action on a URL
No
```
@latest
```
tags in any install instruction in the body
No MCP tool function names (
```
mcp__*
```
,
```
resolve-library-id
```
, etc.) in body prose
All install commands are in the frontmatter
```
install
```
block
GitHub Actions versions match real existing major versions
Tool invocations are in code blocks, not in ordered-list checklists
"always" does not precede any external resource instruction

If you encounter a bug or unexpected behavior in

snyk-agent-scan

, open an issue at https://github.com/snyk/snyk-agent-scan/issues.

If you discover a pattern that triggers an alert not covered in the reference files above — a new bypass technique, a false positive condition, or an undocumented alert code — open an issue at https://github.com/samber/cc-skills/issues or a pull request to the

samber/cc-skills

repository to add it to the relevant pattern file. New patterns are the most valuable contribution to this skill.

在编写新技能内容时应用以下检查，以在首次扫描前避免警报：

没有以代理为主语、对URL执行操作的句子
内容中任何安装指令均无
```
@latest
```
标签
内容 prose 中无MCP工具函数名称（
```
mcp__*
```
、
```
resolve-library-id
```
等）
所有安装命令均位于前置信息
```
install
```
块中
GitHub Actions版本与实际存在的主版本匹配
工具调用位于代码块中，而非有序列表检查清单
"always"未出现在任何涉及外部资源的指令前

若你在

snyk-agent-scan

中遇到bug或意外行为，请在https://github.com/snyk/snyk-agent-scan/issues提交问题。

若你发现触发警报的模式未被上述参考文件覆盖——例如新的绕过技术、误报条件或未记录的警报代码——请在https://github.com/samber/cc-skills/issues提交问题，或向

samber/cc-skills

仓库提交拉取请求，将其添加至相关模式文件。新模式是对本技能最有价值的贡献。