安全安装
- 作者仓库星标 0
- 作者更新于 实时读取
- 作者仓库 skills-registry
- 领域
- 安全
- 兼容 Agent
-
- Claude Code
- Cursor
- Cline
- Codex
- Windsurf
- Gemini CLI
- +20
- 信任分
- 88 / 100 · 社区维护
- 作者 / 版本 / 许可
- @tomevault-io · 未声明 license
- Token 消耗评级
- 低消耗
- 接入复杂程度
- 需简单配置
- 是否需要外部 API Key
- 不需要
- 兼容的系统
- macOS · Linux · Windows
- 底层运行要求
- Python >=3.11
- 文件与系统权限
-
- 只读
- 允许写入 / 修改
- Shell 执行
- 网络行为
- 仅限本地
- 安装命令数
- 26 条
档案由构建时根据 SKILL.md 与安装命令自动衍生,可能与作者实际意图存在差异。
需要注意: 未限定 allowed-tools,默认拥有全部工具权限。
---
name: onboard
description: Agent-driven cold-start onboarding. Use the repo shell entrypoint to find or install Python 3.11…
category: 安全
runtime: Python
---
# onboard 输出预览
## PART A: 任务判断
- 适用问题:安全审计、密钥扫描、权限检查或风险分析。
- 输入要求:目标材料、限制条件、期望输出和验收方式。
- 证据边界:围绕“Hard Rules / Workflow / 1. Start With The Shell Entry Point”读取原文规则,不把推断写成作者承诺。
## PART B: 执行结果
- **01** 任务判断:确认你的需求是否属于安全审计、密钥扫描、权限检查或风险分析,并标出输入、限制和预期结果。
- **02** 执行计划:优先按“Hard Rules / Workflow / 1. Start With The Shell Entry Point”拆成步骤,说明每一步会读取什么、修改什么、产出什么。
- **03** 交付结果:给出可复制的命令、文件改动、检查清单或内容草稿,并说明如何继续迭代。
- **04** 风险边界:结合 读取文件、写入/修改文件、执行终端命令、主要在本地完成、通常不需要额外 API Key 给出执行前确认项。
## Running Rules
- 读取文件、写入/修改文件、执行终端命令;主要在本地完成;通常不需要额外 API Key。
- 先小样例验证,再放大到真实任务。
- 交付时同时给结果、检查口径和下一步迭代建议。 原文没有稳定的斜杠命令要求。安装验证后通常全局生效,直接在对话里点名这个 Skill 并描述任务即可。
告诉 Agent 目标文件或材料、期望结果、不可改范围、是否允许联网或执行命令。本 Skill 的权限画像是:读取文件、写入/修改文件、执行终端命令。
先用一个小任务确认它会围绕“Hard Rules / Workflow / 1. Start With The Shell Entry Point”工作;涉及文件或命令时,先看 diff、日志、预览或测试结果。
检查最终产物是否包含明确结果、必要证据和下一步动作;如果输出泛泛而谈,就补充输入、边界和验收标准后重跑。
---
name: onboard
description: Agent-driven cold-start onboarding. Use the repo shell entrypoint to find or install Python 3.11…
category: 安全
source: tomevault-io/skills-registry
---
# onboard
## 什么时候使用
- 把安全方向的常用动作沉淀成 Agent 可调用的技能 适合处理安全审计、密钥扫描、权限检查和风险分析,核心价值是把输入、判断、执行、验证和交付边界固定下来,避免 Agent 泛泛回答。 把任务拆成可执行、可检查、可继续迭代的步骤;通常不…
- 面向安全审计、密钥扫描、权限检查或风险分析,优先处理能明确输入、步骤和验收标准的工作。
## 需要提供什么
- 目标材料、目录范围、期望结果和不可改动内容。
- 是否允许联网、执行命令、读写文件或调用外部服务。
## 执行规则
- 围绕「Hard Rules / Workflow / 1. Start With The Shell Entry Point」组织步骤,不把推断写成作者事实。
- 读取文件、写入/修改文件、执行终端命令;主要在本地完成;通常不需要额外 API Key。
- 先跑小样例,确认结果可检查后再扩大任务范围。
## 输出要求
- 给出最终产物、关键证据、验证方式和下一步动作。
- 信息不足时标记 unknown,不编造命令、平台或依赖。 作者原文负责流程事实;仓库文件负责来源和命令;流狐只补充适用场景、限制和质量判断。
skill "onboard" {
输入层 -> 用户目标 + 目标文件 + 禁止范围 + 验收标准
上下文层 -> Hard Rules / Workflow / 1. Start With The Shell Entry Point
规则层 -> SKILL.md 触发条件 / 执行顺序 / 输出格式
运行层 -> Python | 读取文件、写入/修改文件、执行终端命令 | 主要在本地完成
安全层 -> 通常不需要额外 API Key + 小任务验证 + diff / 日志复核
输出层 -> 可复制结果 + 检查清单 + 下一步迭代
} User Onboarding
Use the shared repo-local onboarding flow:
tools/onboard.ps1ortools/onboard.shfor the pre-Python cold-start steptools/onboard_driver.pyfor agent orchestration once Python existstools/bootstrap.pyas the shared Python-level audit/plan/apply engine
Do not duplicate bootstrap logic here when the repo scripts already handle it.
Hard Rules
- Print
Scanning your environment...before discovery. - Print
Testing WRDS connectivity...before livepsqlchecks. - Never assume bare
pythonor barepipare valid on Windows. - Prefer
uv pip install --python "<PYTHON>"when uv is available; fall back to"<PYTHON>" -m pip install. - Prefer
tools/bootstrap.py audit, the emittedbootstrap_plan, andtools/bootstrap.py applyover ad hoc local-file generation. - Treat canonical local state as external to the repo. Repo-root
LOCAL_ENV.md,CLAUDE.local.md, and.claude/settings.local.jsonare compatibility shims only. - Let
tools/bootstrap.py applymanage canonical local state. Use--write-compat-shimsonly for private single-user backward compatibility. - If an install path needs admin privileges or a missing package manager, stop and give exact instructions.
- If a bootstrap-plan command needs approval, request it and continue with that exact command.
- Ask once whether the user has a WRDS account and wants it configured now. If the answer is no, skip WRDS setup and still treat onboarding as complete once the base repo is ready.
- Treat SSH key setup as optional for basic PostgreSQL access.
- Never use
conda installfor system tools (psql, pdflatex, R, git). Use the OS package manager (winget/brew/apt). Conda is for Python packages only.
Workflow
1. Start With The Shell Entry Point
Use the repo-local shell entrypoint, not tools/bootstrap.py directly, when the
machine may not have Python yet.
powershell -ExecutionPolicy Bypass -File tools/onboard.ps1
bash tools/onboard.sh
Those entrypoints should:
- find a usable Python 3.11+ interpreter
- install Miniforge automatically when no acceptable Python exists and a supported installer path is available
- hand off to
tools/onboard_driver.py
If the package manager or installer path is unavailable, stop and give the exact manual Miniforge command for the current platform.
2. Resolve WRDS Scope Once
If the user already answered in chat, pass that through to the driver. If not, ask once:
Do you have a WRDS account and want it configured now?
Outcomes:
yes: collect username when needed, create WRDS files, and run live WRDS checksno: skip WRDS setup entirely- later / declined: also skip WRDS setup entirely
WRDS is optional. Lack of a WRDS account must not make onboarding fail.
3. Audit With The Shared Engine
Once Python exists, run the shared audit:
"<PYTHON>" tools/bootstrap.py audit --json --wrds yes|no
Read the audit output and summarize the gaps before changing anything.
4. Execute The Bootstrap Plan
Read bootstrap_plan.steps from the audit payload and execute each step with
auto_run=true for the current shell in order.
The plan is the source of truth for:
- blocking base-repo setup
- optional WRDS setup
- optional writing and R setup
tools/bootstrap.py apply- the final rerun of
tools/bootstrap.py audit
If direct command execution is not available because you are running in a plain local terminal without agent approvals, you may use the best-effort convenience fallback:
"<PYTHON>" tools/bootstrap.py repair --write-canonical-state --wrds yes|no
5. Manual Gaps The Shared Engine Cannot Finish Alone
If the bootstrap plan or fallback repair step cannot install Python packages automatically:
# With uv (preferred):
uv pip install --no-compile --python "<PYTHON>" pandas psycopg2-binary pyarrow numpy matplotlib statsmodels
# Without uv:
"<PYTHON>" -m pip install --no-compile pandas psycopg2-binary pyarrow numpy matplotlib statsmodels
If the bootstrap plan or fallback repair step cannot reinstall repo packages automatically:
# With uv (preferred):
uv pip install --no-compile --python "<PYTHON>" -e .
cd packages/PyBondLab && uv pip install --no-compile --python "<PYTHON>" -e ".[performance]"
# Without uv:
"<PYTHON>" -m pip install --no-compile -e .
cd packages/PyBondLab && "<PYTHON>" -m pip install --no-compile -e ".[performance]"
If psql is missing and the user said no to WRDS, onboarding can still be
complete. psql is only needed for WRDS data extraction.
If the user wants WRDS access later, recommend:
- Windows: Download the PostgreSQL zip archive from postgresql.org and extract to
~/tools/pgsql/(the probe already checks this path). - macOS:
brew install libpq - Linux:
apt install postgresql-clientordnf install postgresql
Then rerun:
"<PYTHON>" tools/bootstrap.py audit --wrds yes
NEVER use conda to install psql, PostgreSQL, LaTeX, or other system tools. Conda's dependency solver hangs on these packages and can corrupt the Python environment. Conda is for Python packages only.
If WRDS is enabled and files are missing, create or repair:
~/.pg_service.conf~/.pgpass~/.ssh/configentry forHost wrdsif SSH or TAQ workflows are needed
Use the username from $ARGUMENTS if provided, otherwise ask once. If
~/.pgpass is missing, ask for the WRDS password and do not echo it back.
Prefer the shared helper:
AI_ASSET_PRICING_WRDS_PASSWORD="<SECRET>" "<PYTHON>" tools/bootstrap.py wrds-files --username THEIR_USERNAME
DUO 2FA: The first
psql service=wrdsconnection from a new IP triggers a DUO push notification. Tell the user to check their phone and approve it. The connection will time out if not approved.
When testing WRDS connectivity, use a date range guaranteed to have data (for example 2022). Do not use the current year. A query returning 0 rows is not a valid connectivity confirmation.
Example:
psql service=wrds -c "SELECT COUNT(*) FROM crsp.dsi WHERE date >= '2022-01-01' AND date < '2023-01-01';"
Expected result: about 251 rows.
6. Refresh Local Files Only
If you only need to refresh canonical local state after environment changes, run:
"<PYTHON>" tools/bootstrap.py apply
This writes or refreshes canonical external files:
local_env.mdclaude.local.mdsettings.local.json
7. Final Summary
End with a short status table covering:
- base repo
- WRDS
- writing
- R
- Python
- repo packages
If WRDS shows as skipped because the user has no account, say clearly that onboarding is still complete once the base repo is ready.
Then list the files written and any remaining manual steps.
Post-Onboard Note
Tools like psql may not be on the shell PATH even when installed. After
onboarding, always use the absolute paths recorded in canonical local state
(or a repo-root compatibility shim if one was explicitly generated) rather
than bare command names. The bootstrap engine discovers these paths
automatically and writes them to the local files.
Source: Alexander-M-Dickerson/ai-asset-pricing — distributed by TomeVault.
先判断是否适合
作者设计意图
作者的方法与取舍
边界和复核