Back to Details

audit-context-building

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Deep Context Builder Skill

深度上下文构建Skill

1. Purpose

1. 用途

This skill governs how Claude thinks during the context-building phase of an audit.
When active, Claude will:
  • Perform line-by-line / block-by-block code analysis by default.
  • Apply First Principles, 5 Whys, and 5 Hows at micro scale.
  • Continuously link insights -> functions -> modules -> entire system.
  • Maintain a stable, explicit mental model that evolves with new evidence.
  • Identify invariants, assumptions, flows, and reasoning hazards.
This skill defines a structured analysis format and runs before the vulnerability-hunting phase.
本Skill用于规范Claude在审计的上下文构建阶段的思考方式
激活后,Claude将:
  • 默认执行逐行/逐块代码分析。
  • 在微观层面应用First Principles5 Whys5 Hows方法。
  • 持续将洞察关联到函数、模块乃至整个系统。
  • 维护一个随新证据不断演化的稳定、明确的心智模型。
  • 识别不变量、假设、流程和推理风险。
本Skill定义了结构化的分析格式,且运行于漏洞排查阶段之前

2. When to Use This Skill

2. 适用场景

Use when:
  • Deep comprehension is needed before bug or vulnerability discovery.
  • You want bottom-up understanding instead of high-level guessing.
  • Reducing hallucinations, contradictions, and context loss is critical.
  • Preparing for security auditing, architecture review, or threat modeling.
Do not use for:
  • Vulnerability findings
  • Fix recommendations
  • Exploit reasoning
  • Severity/impact rating
在以下场景中使用:
  • 在发现Bug或漏洞前需要深度理解代码时。
  • 希望通过自下而上的方式理解系统,而非仅做高层猜测时。
  • 减少幻觉、矛盾和上下文丢失至关重要时。
  • 为安全审计、架构评审或威胁建模做准备时。
请勿在以下场景中使用:
  • 漏洞发现
  • 修复建议
  • 漏洞利用推理
  • 严重程度/影响评级

3. How This Skill Behaves

3. 行为方式

When active, Claude will:
  • Default to ultra-granular analysis of each block and line.
  • Apply micro-level First Principles, 5 Whys, and 5 Hows.
  • Build and refine a persistent global mental model.
  • Update earlier assumptions when contradicted ("Earlier I thought X; now Y.").
  • Periodically anchor summaries to maintain stable context.
  • Avoid speculation; express uncertainty explicitly when needed.
Goal: deep, accurate understanding, not conclusions.
激活后,Claude将:
  • 默认对每个代码块和代码行进行超精细化分析
  • 在微观层面应用First Principles、5 Whys和5 Hows方法。
  • 构建并完善一个持久的全局心智模型。
  • 当之前的假设被推翻时进行更新(例如:“此前我认为是X;现在修正为Y。”)。
  • 定期生成锚定摘要以维持稳定的上下文。
  • 避免推测;必要时明确表达不确定性。
目标:深度、准确的理解,而非得出结论。

Rationalizations (Do Not Skip)

合理性说明(请勿跳过)

RationalizationWhy It's WrongRequired Action
"I get the gist"Gist-level understanding misses edge casesLine-by-line analysis required
"This function is simple"Simple functions compose into complex bugsApply 5 Whys anyway
"I'll remember this invariant"You won't. Context degrades.Write it down explicitly
"External call is probably fine"External = adversarial until proven otherwiseJump into code or model as hostile
"I can skip this helper"Helpers contain assumptions that propagateTrace the full call chain
"This is taking too long"Rushed context = hallucinated vulnerabilities laterSlow is fast
错误合理化理由错误原因要求操作
“我懂个大概”表层理解会遗漏边缘情况必须执行逐行分析
“这个函数很简单”简单函数组合后可能产生复杂Bug仍需应用5 Whys方法
“我会记住这个不变量”上下文会逐渐退化必须明确记录下来
“外部调用应该没问题”外部组件在被验证前应视为具有攻击性深入代码分析或假设其为敌对组件
“我可以跳过这个辅助函数”辅助函数中包含的假设会传播到上层追踪完整的调用链
“这太耗时了”仓促构建的上下文会导致后续出现幻觉式漏洞慢即是快

4. Phase 1 -- Initial Orientation (Bottom-Up Scan)

4. 阶段1 -- 初始定位(自下而上扫描)

Before deep analysis, perform a minimal mapping:
  1. Detect the tech stack -- identify languages, frameworks, databases, auth providers, package managers.
  2. Identify major modules/files/contracts.
  3. Note obvious public/external entrypoints (HTTP routes, RPC handlers, CLI commands, webhooks).
  4. Identify likely actors (users, admins, services, external integrations).
  5. Identify important storage (database tables, state structs, config, env vars).
  6. Build a preliminary structure without assuming behavior.
This establishes anchors for detailed analysis.
在进行深度分析前,先完成最小化映射:
  1. 检测技术栈 -- 识别编程语言、框架、数据库、认证提供商、包管理器。
  2. 识别主要模块/文件/合约。
  3. 标记明显的公共/外部入口点(HTTP路由、RPC处理器、CLI命令、Webhook)。
  4. 识别可能的参与者(用户、管理员、服务、外部集成)。
  5. 识别重要的存储组件(数据库表、状态结构体、配置、环境变量)。
  6. 在不假设行为的前提下构建初步结构。
此步骤为后续的详细分析建立锚点。

5. Phase 2 -- Ultra-Granular Function Analysis (Default Mode)

5. 阶段2 -- 超精细化函数分析(默认模式)

Every non-trivial function receives full micro analysis.
每个非平凡函数都需进行完整的微观分析。

5.1 Per-Function Microstructure Checklist

5.1 函数微观结构检查清单

For each function:
  1. Purpose
    • Why the function exists and its role in the system.
  2. Inputs & Assumptions
    • Parameters and implicit inputs (state, sender, env).
    • Preconditions and constraints.
  3. Outputs & Effects
    • Return values.
    • State/storage writes.
    • Events/messages.
    • External interactions.
  4. Block-by-Block / Line-by-Line Analysis For each logical block:
    • What it does.
    • Why it appears here (ordering logic).
    • What assumptions it relies on.
    • What invariants it establishes or maintains.
    • What later logic depends on it.
    Apply per-block:
    • First Principles
    • 5 Whys
    • 5 Hows
针对每个函数:
  1. 用途
    • 函数存在的原因及其在系统中的角色。
  2. 输入与假设
    • 参数和隐式输入(状态、调用方、环境)。
    • 前置条件和约束。
  3. 输出与影响
    • 返回值。
    • 状态/存储写入操作。
    • 事件/消息。
    • 外部交互。
  4. 逐块/逐行分析 针对每个逻辑块:
    • 该块的功能。
    • 该块在此处的存在原因(排序逻辑)。
    • 该块依赖的假设。
    • 该块确立或维护的不变量。
    • 后续逻辑对该块的依赖。
    在每个块上应用:
    • First Principles
    • 5 Whys
    • 5 Hows

5.2 Cross-Function & External Flow Analysis

5.2 跨函数与外部流程分析

When encountering calls, continue the same micro-first analysis across boundaries.
遇到函数调用时,跨边界继续采用相同的微观优先分析方法

Internal Calls

内部调用

  • Jump into the callee immediately.
  • Perform block-by-block analysis of relevant code.
  • Track flow of data, assumptions, and invariants: caller -> callee -> return -> caller.
  • Note if callee logic behaves differently in this specific call context.
  • 立即跳转到被调用函数。
  • 对相关代码进行逐块分析。
  • 追踪数据、假设和不变量的流转: 调用方 -> 被调用方 -> 返回 -> 调用方。
  • 注意被调用函数在此特定调用上下文中的行为是否有所不同。

External Calls -- Two Cases

外部调用 -- 两种情况

Case A -- External Call to Code That Exists in the Codebase Treat as an internal call:
  • Jump into the target function.
  • Continue block-by-block micro-analysis.
  • Propagate invariants and assumptions seamlessly.
  • Consider edge cases based on the actual code, not a black-box guess.
Case B -- External Call Without Available Code (True External / Black Box) Analyze as adversarial:
  • Describe payload/parameters sent.
  • Identify assumptions about the target.
  • Consider all outcomes: failure, incorrect return values, unexpected state changes, misbehavior.
情况A -- 调用代码库中存在的外部代码 视为内部调用:
  • 跳转到目标函数。
  • 继续进行逐块微观分析。
  • 无缝传递不变量和假设。
  • 根据实际代码考虑边缘情况,而非黑盒猜测。
情况B -- 调用无可用代码的外部组件(真正的外部/黑盒) 以对抗性视角分析:
  • 描述发送的负载/参数。
  • 识别对目标组件的假设。
  • 考虑所有可能的结果:失败、返回值错误、意外状态变更、行为异常。

Continuity Rule

连续性规则

Treat the entire call chain as one continuous execution flow. Never reset context. All invariants, assumptions, and data dependencies must propagate across calls.
将整个调用链视为一个连续的执行流程。 永远不要重置上下文。 所有不变量、假设和数据依赖必须在调用间传递。

5.3 Complete Analysis Example

5.3 完整分析示例

See FUNCTION_MICRO_ANALYSIS_EXAMPLE.md for a complete walkthrough.
完整的演练示例请参见 FUNCTION_MICRO_ANALYSIS_EXAMPLE.md

5.4 Output Requirements

5.4 输出要求

Structure output following OUTPUT_REQUIREMENTS.md.
Quality thresholds:
  • Minimum 3 invariants per function
  • Minimum 5 assumptions documented
  • Minimum 3 risk considerations for external interactions
  • At least 1 First Principles application
  • At least 3 combined 5 Whys/5 Hows applications
请遵循 OUTPUT_REQUIREMENTS.md 组织输出内容。
质量阈值:
  • 每个函数至少记录3个不变量
  • 至少记录5个假设
  • 外部交互至少记录3个风险考量
  • 至少应用1次First Principles方法
  • 至少组合应用3次5 Whys/5 Hows方法

5.5 Completeness Checklist

5.5 完整性检查清单

Verify against COMPLETENESS_CHECKLIST.md before concluding.
结束分析前,请对照 COMPLETENESS_CHECKLIST.md 进行验证。

6. Phase 3 -- Global System Understanding

6. 阶段3 -- 全局系统理解

After sufficient micro-analysis:
  1. State & Invariant Reconstruction -- Map reads/writes of each state variable. Derive multi-function invariants.
  2. Workflow Reconstruction -- Identify end-to-end flows. Track state transforms. Record persistent assumptions.
  3. Trust Boundary Mapping -- Actor -> entrypoint -> behavior. Identify untrusted input paths.
  4. Complexity & Fragility Clustering -- Functions with many assumptions, high branching, coupled state changes.
在完成足够的微观分析后:
  1. 状态与不变量重构 -- 映射每个状态变量的读写操作,推导跨函数的不变量。
  2. 工作流重构 -- 识别端到端流程,追踪状态转换,记录持久化假设。
  3. 信任边界映射 -- 参与者 -> 入口点 -> 行为。识别不可信输入路径。
  4. 复杂度与脆弱性聚类 -- 标记具有大量假设、高分支度、状态变更耦合的函数。

7. Stability & Consistency Rules

7. 稳定性与一致性规则

  • Never reshape evidence to fit earlier assumptions. Update the model and state corrections explicitly.
  • Periodically anchor key facts. Summarize invariants, state relationships, actor roles, workflows.
  • Avoid vague guesses. Use "Unclear; need to inspect X." instead of "It probably..."
  • Cross-reference constantly. Connect new insights to previous state, flows, and invariants.
  • 绝不要为了迎合早期假设而歪曲证据。明确更新模型并记录修正内容。
  • 定期锚定关键事实。总结不变量、状态关系、参与者角色和工作流。
  • 避免模糊猜测。使用“不明确;需要检查X。”而非“可能是……”。
  • 持续交叉引用。将新洞察与之前的状态、流程和不变量关联起来。

8. Subagent Usage

8. 子Agent使用

Use the 
function-analyzer
 agent for per-function deep analysis of dense or complex functions, long data-flow chains, cryptographic logic, or state machines.
对于密集或复杂的函数、长数据流链、密码学逻辑或状态机,请使用**
function-analyzer
** Agent进行逐函数深度分析。

9. Non-Goals

9. 非目标

While active, Claude should NOT: identify vulnerabilities, propose fixes, generate PoCs, model exploits, or assign severity.
This is pure context building only.
激活本Skill时,Claude不得:识别漏洞、提出修复方案、生成PoC、建模漏洞利用方式或评估严重程度。
本Skill仅用于纯上下文构建