安全审计
- 作者仓库星标 0
- 作者更新于 实时读取
- 作者仓库 AI-Agent-Skills
- 领域
- 安全
- 兼容 Agent
-
- Claude Code
- Cursor
- Cline
- Codex
- Windsurf
- Gemini CLI
- +20
- 信任分
- 88 / 100 · 社区维护
- 作者 / 版本 / 许可
- @Ceratops-Code · 未声明 license
- Token 消耗评级
- 低消耗
- 接入复杂程度
- 需简单配置
- 是否需要外部 API Key
- 不需要
- 兼容的系统
- 未声明(默认跨平台)
- 底层运行要求
- Python
- 文件与系统权限
-
- 只读
- Shell 执行
- 允许写入 / 修改
- 网络行为
- 仅限本地
- 安装命令数
- 26 条
档案由构建时根据 SKILL.md 与安装命令自动衍生,可能与作者实际意图存在差异。
需要注意: 未限定 allowed-tools,默认拥有全部工具权限。
---
name: ceratops-code-consistency-audit
description: Audit a repository after large refactors, branch merges, or parallel agent threads for contradic…
category: 安全
runtime: Python
---
# ceratops-code-consistency-audit 输出预览
## PART A: 任务判断
- 适用问题:安全审计、密钥扫描、权限检查或风险分析。
- 输入要求:目标材料、限制条件、期望输出和验收方式。
- 证据边界:围绕“Goal / Context / Inputs To Capture”读取原文规则,不把推断写成作者承诺。
## PART B: 执行结果
- **01** 任务判断:确认你的需求是否属于安全审计、密钥扫描、权限检查或风险分析,并标出输入、限制和预期结果。
- **02** 执行计划:优先按“Goal / Context / Inputs To Capture”拆成步骤,说明每一步会读取什么、修改什么、产出什么。
- **03** 交付结果:给出可复制的命令、文件改动、检查清单或内容草稿,并说明如何继续迭代。
- **04** 风险边界:结合 读取文件、执行终端命令、写入/修改文件、主要在本地完成、通常不需要额外 API Key 给出执行前确认项。
## Running Rules
- 读取文件、执行终端命令、写入/修改文件;主要在本地完成;通常不需要额外 API Key。
- 先小样例验证,再放大到真实任务。
- 交付时同时给结果、检查口径和下一步迭代建议。 原文没有稳定的斜杠命令要求。安装验证后通常全局生效,直接在对话里点名这个 Skill 并描述任务即可。
告诉 Agent 目标文件或材料、期望结果、不可改范围、是否允许联网或执行命令。本 Skill 的权限画像是:读取文件、执行终端命令、写入/修改文件。
先用一个小任务确认它会围绕“Goal / Context / Inputs To Capture”工作;涉及文件或命令时,先看 diff、日志、预览或测试结果。
检查最终产物是否包含明确结果、必要证据和下一步动作;如果输出泛泛而谈,就补充输入、边界和验收标准后重跑。
---
name: ceratops-code-consistency-audit
description: Audit a repository after large refactors, branch merges, or parallel agent threads for contradic…
category: 安全
source: Ceratops-Code/AI-Agent-Skills
---
# ceratops-code-consistency-audit
## 什么时候使用
- ceratops-code-consistency-audit 是安全方向的技能,由 Agent 做扫描 / 风险检查 适合处理安全审计、密钥扫描、权限检查和风险分析,核心价值是把输入、判断、执行、验证和交付边界固定下来,避免 Agen…
- 面向安全审计、密钥扫描、权限检查或风险分析,优先处理能明确输入、步骤和验收标准的工作。
## 需要提供什么
- 目标材料、目录范围、期望结果和不可改动内容。
- 是否允许联网、执行命令、读写文件或调用外部服务。
## 执行规则
- 围绕「Goal / Context / Inputs To Capture」组织步骤,不把推断写成作者事实。
- 读取文件、执行终端命令、写入/修改文件;主要在本地完成;通常不需要额外 API Key。
- 先跑小样例,确认结果可检查后再扩大任务范围。
## 输出要求
- 给出最终产物、关键证据、验证方式和下一步动作。
- 信息不足时标记 unknown,不编造命令、平台或依赖。 作者原文负责流程事实;仓库文件负责来源和命令;流狐只补充适用场景、限制和质量判断。
skill "ceratops-code-consistency-audit" {
输入层 -> 用户目标 + 目标文件 + 禁止范围 + 验收标准
上下文层 -> Goal / Context / Inputs To Capture
规则层 -> SKILL.md 触发条件 / 执行顺序 / 输出格式
运行层 -> Python | 读取文件、执行终端命令、写入/修改文件 | 主要在本地完成
安全层 -> 通常不需要额外 API Key + 小任务验证 + diff / 日志复核
输出层 -> 可复制结果 + 检查清单 + 下一步迭代
} Ceratops Code Consistency Audit
Goal
Audit repository coherence after combined changes. Across teams this work is usually split across post-merge validation, integration and regression testing, release-readiness review, documentation-drift checks, and architectural fitness functions. Use this skill to run the cross-cutting consistency pass those labels only partially cover.
Context
Inputs To Capture
- Repo or subtree under audit and whether the task is audit-only or audit-and-fix.
- Recent refactors, branches, PRs, or agent-thread outputs most likely to have interacted.
- Expected sources of truth such as README files, docs, examples, configs, tests, manifests, generated metadata, automation, or control files.
- Local comment standards such as
skills/ceratops-gh-repo-lifecycle/references/code-comment-nondeterministic-contract.md, README guidance, or language-specific conventions already present in the repo. - High-risk surfaces such as public APIs, migrations, feature flags, rename waves, packaging, install flows, or generated artifacts.
Infer missing inputs from repo state before asking.
Constraints
Skill-Specific Rules
- Treat repository coherence as the goal. Do not turn the task into a generic style or code-quality review.
- Start from declared behavior and sources of truth before judging implementation details.
- Treat conflicts between two declared sources of truth as findings even when the code still happens to work.
- Prefer concrete contradictions, stale follow-through, and merged-only interaction bugs over speculative architecture advice.
- Treat comment sufficiency as a non-deterministic maintainability consistency issue when scripts, public APIs, automation helpers, contract checkers, or non-obvious safety logic are in scope.
- Use local project conventions and
skills/ceratops-gh-repo-lifecycle/references/code-comment-nondeterministic-contract.mdwhen present; do not research current language comment standards unless the user explicitly asks for a standards refresh. - When git history or recent merge context is available, judge the current merged result against the latest target-branch state, not each branch in isolation.
- Do not ask for credentials for normal local repo audits.
- If external systems are genuinely needed, first exhaust local repo state, local git history, and no-auth metadata.
Boundaries
- Use this skill when a repo may have semantic drift after merges, refactors, migrations, or parallel agent work and the user wants a consistency audit rather than style feedback.
- If the user wants only a code review for bugs or regressions inside a bounded patch, use normal review flow instead of this whole-repo audit.
- If the task is only diagnosing and fixing one current breakage, stop and use
$ceratops-task-lifecyclewith theexecute-in-stagesaction. - If the task is only documentation maintenance without broader repository coherence concerns, narrow the work to documentation drift rather than running the full audit.
Workflow
1. Define intended behavior first
- Identify declared behavior from the highest-signal local sources: README files, docs, examples, tests, configs, manifests, automation, control files, naming, and contracts.
- For skill repos or agent repos, treat
SKILL.md,agents/openai.yaml, README tables, bundled resources, and any install metadata as first-class sources of truth. - If multiple artifacts disagree about the intended behavior, record that conflict explicitly instead of guessing which one is correct.
2. Map merged interaction surfaces
- Inspect adjacent modules, flags, configs, scripts, templates, tests, and examples that were likely touched by separate refactors or threads.
- Use git history, diff context, or merge context when available to find where independently reasonable changes now interact.
- Prioritize hidden coupling, duplicated logic that drifted, partial renames, stale options, orphaned files, and follow-through gaps.
3. Run consistency passes
Check as many of these as the repo justifies:
- implementation vs README and docs
- implementation vs examples, scripts, and run instructions
- file names and stated purpose vs actual behavior
- tests vs current intended behavior
- configs, manifests, automation, and control files vs implementation
- public interfaces vs internal assumptions
- comments vs non-obvious behavior, safety boundaries, external side effects, script usage, and README-maintained workflow expectations
- merged-only edge cases that appear when features or refactors combine
- stale artifacts, dead references, partial migrations, and unused compatibility shims
- documented validation commands only for touched surfaces: Markdown or docs, YAML or workflows, Python helpers or validators, and skill source or governance files. Treat lint or type output as consistency evidence, not as generic style findings.
4. Validate findings before reporting
- Prefer findings that point to exact conflicting artifacts, exact inconsistency, actual risk, and the smallest credible fix.
- Avoid style nits, naming preferences, or refactor suggestions unless they are needed to resolve a real contradiction.
- Distinguish confirmed findings from plausible but unverified risk areas.
5. Fix only when asked or clearly justified
- Default to audit and report.
- If the user asked to repair the repo or the smallest safe fix is already in scope, apply the narrowest credible correction and rerun the relevant checks.
- Escalate before risky deletions, broad rewrites, or behavior-changing interpretation choices.
6. Close with explicit coverage
- Classify important checked surfaces as consistent, conflicting, blocked, or not verified.
- If no findings remain, say so explicitly and note the residual coverage limits instead of implying exhaustive certainty.
Done When
Completion Gate
- Verify the audit inspected the repo's declared sources of truth, not only the implementation files.
- Verify merged interaction surfaces and likely cross-thread integration seams were checked where evidence existed.
- Verify comments and README coverage are sufficient for important scripts, public interfaces, automation helpers, and non-obvious safety or contract logic when those surfaces were part of the audit.
- Verify every reported finding ties back to concrete conflicting artifacts or an explicitly stated verification gap.
- Verify the final answer reports findings, important consistent areas, and important verification limits without drifting into generic review commentary.
- Verify relevant documented validation commands were run or explicitly scoped out for touched Markdown, YAML, Python, and skill-source surfaces.
Output Contract
Report only:
- findings ordered by severity
- for each finding: conflicting artifacts, exact inconsistency, risk, and the smallest credible fix
- important areas checked and found consistent
- anything important not verified
If no findings remain, say so explicitly and mention the main residual risk areas or coverage limits.
Example Invocation
Use $ceratops-code-consistency-audit on this repo. Ignore style. Find post-merge contradictions, docs-to-code drift, stale assumptions, and merged-only edge cases.
先判断是否适合
作者设计意图
作者的方法与取舍
边界和复核