skill-security-checker

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Skill Security Checker

检查 Skill/代码仓库是否存在安全风险，在下载前和运行时进行多维度安全评估。

Check for security risks in Skills/code repositories, and conduct multi-dimensional security assessments before download and during runtime.

When to Use This Skill

当用户提到以下情况时使用此技能：

检查某个 skill 是否安全
扫描仓库是否有恶意代码
验证代码安全性
检查 npm 包是否有威胁
询问某个下载是否安全

Use this skill when the user mentions the following:

Check if a skill is safe
Scan repositories for malicious code
Verify code security
Check npm packages for threats
Ask if a download is safe

Usage

支持的输入类型

Supported Input Types

GitHub 仓库:

检查这个仓库安全性: https://github.com/user/repo
检查 skill: github.com/user/repo

本地文件夹检查本地:
```
undefined
```

skill: /path/to/skill 扫描这个文件夹


3. **npm 包**:

检查这个 npm 包安全性: lodash 检查 npm 包: some-package

undefined

GitHub Repositories:

检查这个仓库安全性: https://github.com/user/repo
检查 skill: github.com/user/repo

Local Folders / Check Local:
```
undefined
```

skill: /path/to/skill 扫描这个文件夹


3. **npm Packages**:

检查这个 npm 包安全性: lodash 检查 npm 包: some-package

undefined

输出格式

Output Format

用户可以选择输出格式：

```
json
```
- 结构化 JSON 报告
```
friendly
```
- 带 emoji 的友好界面
```
concise
```
- 简洁摘要（默认）

Users can choose the output format:

```
json
```
- Structured JSON report
```
friendly
```
- Friendly interface with emojis
```
concise
```
- Concise summary (default)

可选参数

Optional Parameters

```
--runtime
```
- 启用运行时行为监控（检测 package.json 中的危险脚本）

```
--runtime
```
- Enable runtime behavior monitoring (detect dangerous scripts in package.json)

How It Works

第一阶段：下载前检查（必选）

Phase 1: Pre-Download Check (Mandatory)

静态代码分析 - 检测以下模式：
- 恶意代码：base64 编码 payload、eval/exec 调用、加密字符串、反调试技术
- 敏感信息窃取：读取 SSH keys、API tokens、环境变量
- 环境破坏：修改系统配置、删除文件
- 网络可疑：向未知域名发送数据、反弹 shell
仓库信誉度评估：
- GitHub stars 数量
- fork 数量
- 创建时间
- 最后更新时间
- 贡献者数量

Static Code Analysis - Detect the following patterns:
- Malicious code: base64 encoded payloads, eval/exec calls, encrypted strings, anti-debugging techniques
- Sensitive information theft: reading SSH keys, API tokens, environment variables
- Environment damage: modifying system configurations, deleting files
- Suspicious network behavior: sending data to unknown domains, reverse shells
Repository Reputation Evaluation:
- GitHub stars count
- Fork count
- Creation time
- Last update time
- Contributor count

第二阶段：运行时监控（可选）

Phase 2: Runtime Monitoring (Optional)

当用户添加

--runtime

参数时：

检测 package.json 中的危险脚本（preinstall, postinstall 等）
检测可疑依赖包
在沙箱环境中短暂执行观察行为

When the user adds the

--runtime

parameter:

Detect dangerous scripts in package.json (preinstall, postinstall, etc.)
Detect suspicious dependency packages
Briefly execute in a sandbox environment to observe behavior

综合评估

Comprehensive Assessment

计算安全评分（0-100）
风险等级：高/中/低
推荐结果：可下载/不建议下载
详细说明原因

Calculate security score (0-100)
Risk level: High/Medium/Low
Recommendation: Downloadable/Not recommended for download
Detailed explanation of reasons

Example Commands

bash

undefined

bash

undefined

检查 GitHub 仓库（友好输出）

skill-security-checker github octocat/Hello-World friendly

检查 GitHub 仓库（JSON 格式）

skill-security-checker github https://github.com/lodash/lodash json

检查本地文件夹

skill-security-checker local /path/to/my-skill

检查 npm 包

skill-security-checker npm express

启用运行时检查

skill-security-checker github user/repo friendly --runtime

undefined

skill-security-checker github user/repo friendly --runtime

undefined

Output Example

Friendly 格式输出：

Friendly Format Output:

╔══════════════════════════════════════════════════════╗
║              Skill 安全检查报告                      ║
╠══════════════════════════════════════════════════════╣
  ✅ 风险等级: LOW
  📊 安全评分: 85/100
  ✅ 推荐: 可下载
╠══════════════════════════════════════════════════════╣
📈 仓库信息:
   ⭐ Stars: 50000+
   🍴 Forks: 5000+
   👥 贡献者: 200+
   📅 创建时间: 2012-01-01
╚══════════════════════════════════════════════════════╝

╔══════════════════════════════════════════════════════╗
║              Skill Security Check Report             ║
╠══════════════════════════════════════════════════════╣
  ✅ Risk Level: LOW
  📊 Security Score: 85/100
  ✅ Recommendation: Downloadable
╠══════════════════════════════════════════════════════╣
📈 Repository Information:
   ⭐ Stars: 50000+
   🍴 Forks: 5000+
   👥 Contributors: 200+
   📅 Creation Date: 2012-01-01
╚══════════════════════════════════════════════════════╝

危险情况输出：

High-Risk Scenario Output:

╔══════════════════════════════════════════════════════╗
║              Skill 安全检查报告                      ║
╠══════════════════════════════════════════════════════╣
  🔴 风险等级: HIGH
  📊 安全评分: 15/100
  ❌ 推荐: 不建议下载
╠══════════════════════════════════════════════════════╣
⚠️ 风险原因:
   - 检测到恶意代码模式（base64 编码 payload）
   - 检测到访问 SSH 密钥
   - 仓库缺乏社会监督（stars < 10）
📈 仓库信息:
   ⭐ Stars: 5
   🍴 Forks: 0
   👥 贡献者: 1
╚══════════════════════════════════════════════════════╝

╔══════════════════════════════════════════════════════╗
║              Skill Security Check Report             ║
╠══════════════════════════════════════════════════════╣
  🔴 Risk Level: HIGH
  📊 Security Score: 15/100
  ❌ Recommendation: Not recommended for download
╠══════════════════════════════════════════════════════╣
⚠️ Risk Reasons:
   - Detected malicious code patterns (base64 encoded payload)
   - Detected access to SSH keys
   - Repository lacks social oversight (stars < 10)
📈 Repository Information:
   ⭐ Stars: 5
   🍴 Forks: 0
   👥 Contributors: 1
╚══════════════════════════════════════════════════════╝

Implementation Notes

此技能使用以下技术实现：

Node.js + TypeScript
simple-git: Git 仓库操作
glob: 文件模式匹配
GitHub API: 仓库信息获取
正则表达式: 恶意代码模式检测

核心检测规则位于

detectionPatterns.ts

，可以扩展更多检测模式。

This skill is implemented using the following technologies:

Node.js + TypeScript
simple-git: Git repository operations
glob: File pattern matching
GitHub API: Repository information retrieval
Regular expressions: Malicious code pattern detection

Core detection rules are located in

detectionPatterns.ts

, and more detection patterns can be extended.