Agent审计
- 作者仓库星标 361
- 作者更新于 实时读取
- 作者仓库 agentops
- 领域
- 安全
- 兼容 Agent
-
- Claude Code
- Cursor
- Cline
- Codex
- Windsurf
- Gemini CLI
- +20
- 信任分
- 88 / 100 · 社区维护
- 作者 / 版本 / 许可
- @boshu2 · 未声明 license
- Token 消耗评级
- 低消耗
- 接入复杂程度
- 需简单配置
- 是否需要外部 API Key
- 不需要
- 兼容的系统
- 未声明(默认跨平台)
- 底层运行要求
- 无特殊要求
- 文件与系统权限
-
- 只读
- 允许写入 / 修改
- Shell 执行
- 网络行为
- 仅限本地
- 安装命令数
- 26 条
档案由构建时根据 SKILL.md 与安装命令自动衍生,可能与作者实际意图存在差异。
需要注意: 未限定 allowed-tools,默认拥有全部工具权限。
---
name: skill-auditor
description: 'Audit an existing SKILL.md against the unified AgentOps template (15 Validates a skill's SKILL.…
category: 安全
runtime: 无特殊运行时
---
# skill-auditor 输出预览
## PART A: 任务判断
- 适用问题:安全审计、密钥扫描、权限检查或风险分析。
- 输入要求:目标材料、限制条件、期望输出和验收方式。
- 证据边界:围绕“⚠️ Critical Constraints / What It Detects / Pass 1 — delegated to heal-skill”读取原文规则,不把推断写成作者承诺。
## PART B: 执行结果
- **01** 任务判断:确认你的需求是否属于安全审计、密钥扫描、权限检查或风险分析,并标出输入、限制和预期结果。
- **02** 执行计划:优先按“⚠️ Critical Constraints / What It Detects / Pass 1 — delegated to heal-skill”拆成步骤,说明每一步会读取什么、修改什么、产出什么。
- **03** 交付结果:给出可复制的命令、文件改动、检查清单或内容草稿,并说明如何继续迭代。
- **04** 风险边界:结合 读取文件、写入/修改文件、执行终端命令、主要在本地完成、通常不需要额外 API Key 给出执行前确认项。
## Running Rules
- 读取文件、写入/修改文件、执行终端命令;主要在本地完成;通常不需要额外 API Key。
- 先小样例验证,再放大到真实任务。
- 交付时同时给结果、检查口径和下一步迭代建议。 原文出现了 `/skill-auditor`、`/heal-skill`、`/tmp` 这类斜杠命令;如果你的 Agent 支持命令触发,优先用命令开场,再补充目标和边界。
告诉 Agent 目标文件或材料、期望结果、不可改范围、是否允许联网或执行命令。本 Skill 的权限画像是:读取文件、写入/修改文件、执行终端命令。
先用一个小任务确认它会围绕“⚠️ Critical Constraints / What It Detects / Pass 1 — delegated to heal-skill”工作;涉及文件或命令时,先看 diff、日志、预览或测试结果。
检查最终产物是否包含明确结果、必要证据和下一步动作;如果输出泛泛而谈,就补充输入、边界和验收标准后重跑。
---
name: skill-auditor
description: 'Audit an existing SKILL.md against the unified AgentOps template (15 Validates a skill's SKILL.…
category: 安全
source: boshu2/agentops
---
# skill-auditor
## 什么时候使用
- 把安全方向的常用动作沉淀成 Agent 可调用的技能 适合处理安全审计、密钥扫描、权限检查和风险分析,核心价值是把输入、判断、执行、验证和交付边界固定下来,避免 Agent 泛泛回答。 把任务拆成可执行、可检查、可继续迭代的步骤;通常不…
- 面向安全审计、密钥扫描、权限检查或风险分析,优先处理能明确输入、步骤和验收标准的工作。
## 需要提供什么
- 目标材料、目录范围、期望结果和不可改动内容。
- 是否允许联网、执行命令、读写文件或调用外部服务。
## 执行规则
- 围绕「⚠️ Critical Constraints / What It Detects / Pass 1 — delegated to heal-skill」组织步骤,不把推断写成作者事实。
- 读取文件、写入/修改文件、执行终端命令;主要在本地完成;通常不需要额外 API Key。
- 先跑小样例,确认结果可检查后再扩大任务范围。
## 输出要求
- 给出最终产物、关键证据、验证方式和下一步动作。
- 信息不足时标记 unknown,不编造命令、平台或依赖。 作者原文负责流程事实;仓库文件负责来源和命令;流狐只补充适用场景、限制和质量判断。
skill "skill-auditor" {
输入层 -> 用户目标 + 目标文件 + 禁止范围 + 验收标准
上下文层 -> ⚠️ Critical Constraints / What It Detects / Pass 1 — delegated to heal-skill
规则层 -> SKILL.md 触发条件 / 执行顺序 / 输出格式
运行层 -> 无特殊运行时 | 读取文件、写入/修改文件、执行终端命令 | 主要在本地完成
安全层 -> 通常不需要额外 API Key + 小任务验证 + diff / 日志复核
输出层 -> 可复制结果 + 检查清单 + 下一步迭代
} /skill-auditor — Three-pass skill quality audit
Validates a skill's SKILL.md against the unified AgentOps template. Pass 1
wraps heal-skill for structural hygiene; Pass 2 adds 8 content-discipline
checks not covered by heal; Pass 3 folds the 10-category Skill Quality Rubric
(docs/reference/skill-quality-rubric.md) into the report as a deterministic
0-30 productization score (advisory). The report also includes an advisory
Context Density Rule block for intent, boundary, evidence, decision,
constraint, and next action coverage.
⚠️ Critical Constraints
- Auditor is read-only. Reports findings; never modifies the target. Why: PR-002 (external validation) — the auditor must remain a separate gate from the implementer. To repair findings: use
heal-skill --fixfor Pass-1 issues, hand-edit for Pass-2 issues. - Pass 1 delegates, never reimplements. The auditor calls
/heal-skill --check <target>and parses its output. Why: PR-006 (cross-layer consistency) — heal-skill's checks are the source of truth for structural hygiene; reimplementation creates drift. - Pass 2 must accept AgentOps' existing conventions. Specifically
description-has-triggersaccepts THREE valid forms (YAML|block scalar ORTriggers:/Use when:markers ORmetadata.triggersarray with 3+ items). Why: findingf-2026-05-06-auditor-checks-must-fit-host-conventions— auditor checks must validate against the host substrate's existing valid artifacts before promotion to required gate. - Verdict aggregation rule: any check returns
fail→ FAIL; otherwise any returnswarn→ WARN; otherwise PASS. Why: prevents silent severity downgrade. - Density coverage is advisory-only. Missing density fields never changes
the PASS/WARN/FAIL verdict and does not satisfy packet-boundary enforcement
in
soc-2c1p.1. Why: the hard Context Density Rule belongs at execution packet boundaries; this skill only helps reviewers find low-signal prose. - Pass 3 rubric is advisory-only. The 0-30 rubric score never changes the PASS/WARN/FAIL verdict. Why: Pass 1+2 gate template conformance (does this ship); the rubric measures market-facing maturity (is this product-grade) — a low rubric score on a structurally-clean skill is a productization backlog signal, not a ship blocker (soc-ads5v).
- Pass 3 scoring is deterministic and rubric-sourced. The 10 categories
come verbatim from
docs/reference/skill-quality-rubric.md; each gets a 0-3 score plus an explainable reason derived only from the skill directory contents. Why: an explainable, reproducible score is auditable; an LLM-graded one is not.
What It Detects
Pass 1 — delegated to heal-skill
| heal.sh code | Check |
|---|---|
| MISSING_NAME | frontmatter name present |
| MISSING_DESC | frontmatter description present |
| NAME_MISMATCH | frontmatter name matches directory |
| UNLINKED_REF | references/*.md linked from SKILL.md |
| DEAD_REF | linked references actually exist |
| SCRIPT_REF_MISSING | scripts referenced exist |
| CATALOG_MISSING | user-invocable skills in using-agentops/ catalog |
Pass 2 — 8 NEW checks
| # | Check id | Severity |
|---|---|---|
| 1 | description-has-triggers |
WARN (downgraded from FAIL after pilot) |
| 2 | constraints-frontloaded |
WARN |
| 3 | rationale-present |
WARN |
| 4 | verification-checkpoints |
WARN |
| 5 | output-spec-explicit |
FAIL |
| 6 | quality-rubric |
WARN |
| 7 | references-modularization |
WARN (conditional, only if SKILL.md > 400 lines) |
| 8 | trigger-clarity |
WARN (downgraded from FAIL after pilot) |
Full check definitions and accepted forms in references/audit-checks.md.
Advisory density report
The JSON report includes a separate density block with six report-only fields:
intent, boundary, evidence, decision, constraint, and next_action.
Read references/context-density-checks.md
for detection rules, limits, and false-positive handling.
Pass 3 — rubric scoring (10 categories, advisory)
audit.sh runs scripts/score_agentops_skill.py --audit-block and folds the
result into audit-report.json under a rubric key. The 10 categories come
verbatim from docs/reference/skill-quality-rubric.md
(read it for the per-score 0/1/2/3 definitions): trigger_quality,
kernel_clarity, progressive_disclosure, helper_scripts, validation,
self_test, assets_templates, subagents_roles, safety_boundaries,
packaging.
Each category scores 0-3 (0 missing/unsafe → 3 product-grade and
mechanically validated) with an explainable reason. Total 0-30 maps to a
rating band: C (0-10), B (11-20), A (21-26), S (27-30). The score is
advisory — it never changes the PASS/WARN/FAIL verdict.
Standalone (markdown) for picking the smallest productization patch:
python3 skills/skill-auditor/scripts/score_agentops_skill.py skills/<name> --markdown
Use it to pick the smallest patch (SELF-TEST.md, linked references, helper
scripts, assets, subagents, safety boundaries, or validation), then re-run this
auditor and heal-skill.
Execution Steps
Step 1: Pass 1 (heal-skill delegation)
bash skills/heal-skill/scripts/heal.sh --check <target>
Capture stdout. Each line [CODE] <path>: <msg> becomes one Pass-1 finding.
Step 2: Pass 2 (8 NEW checks)
For each check_* function in scripts/audit.sh, run against <target>/SKILL.md. Each emits pass, warn, or fail to stdout.
Checkpoint: Pass 2 must run independently of Pass 1 (no shared state); a heal.sh failure does NOT short-circuit Pass 2.
Step 3: Pass 3 (rubric scoring)
python3 scripts/score_agentops_skill.py <target> --audit-block
audit.sh calls this and embeds the result under the report's rubric key.
Each of the 10 rubric categories gets a 0-3 score + reason; total 0-30, rating
band C/B/A/S. If python3 or the scorer is unavailable, rubric is emitted as
null (fail-open) and the JSON stays valid.
Checkpoint: Pass 3 is advisory — its score is computed but NOT counted in the verdict.
Step 4: Aggregate verdict
fails > 0 → FAIL
warns > 0 → WARN
otherwise → PASS
Density coverage and the Pass-3 rubric are computed before emission but are NOT counted in the verdict.
Step 5: Emit report
JSON conforming to schemas/audit-report.json to stdout (or to file with --json <path>); markdown summary (including the Pass-3 rubric line) to stderr.
Output Specification
Format: JSON conforming to schemas/audit-report.json (default) plus markdown text summary.
Filename: typically .agents/audits/<skill-name>-audit.json when --json <path> is supplied; otherwise stdout.
Exit code: 0 for PASS or WARN; 1 for FAIL; 2 for usage error or missing target.
Density advisory: JSON includes density.status, density.fields[], and
density.summary. Treat missing fields as review prompts, not gates.
Rubric (Pass 3): JSON includes rubric.total_score, rubric.max_score,
rubric.rating, rubric.advisory (always true), and rubric.categories[]
(10 entries, each {category, score, reason}). Emitted as null if the scorer
is unavailable. Treat the score as a productization backlog signal, not a gate.
Quality Rubric
- Auditor never modifies target SKILL.md or any other file
- Pass 1 invokes heal.sh with
--check(NOT--fix) - All 8 Pass-2 checks emit one of:
pass,warn,fail,n/a -
description-has-triggersaccepts all three valid forms (verified by running auditor against AgentOps' existing single-line-description skills likeforge,heal-skill,council) - Aggregate verdict applies max-severity rule (no silent downgrade)
- Density advisory reports all six fields without changing the aggregate verdict
- Pass 3 emits all 10 rubric categories (0-3 + reason) under
rubricwithout changing the aggregate verdict - Report JSON validates against
schemas/audit-report.json
Examples
Audit a single skill:
/skill-auditor skills/forge
# stdout: VERDICT: WARN (3 Pass-2 warns)
# exit: 0
Audit a candidate before promotion:
bash skills/skill-auditor/scripts/audit.sh skills/my-new-skill --json /tmp/audit.json
# JSON report at /tmp/audit.json
Strict mode (any finding → FAIL):
bash skills/skill-auditor/scripts/audit.sh --strict skills/my-skill
# exits 1 on any WARN-level finding
Troubleshooting
| Problem | Cause | Solution |
|---|---|---|
| All AgentOps skills fail check #1 | Auditor using old description-multiline logic |
Verify check fn is check_description_has_triggers; should accept single-line + Triggers/Use-when markers + metadata.triggers array (per pre-mortem F1) |
heal.sh exits 1 even with --check |
heal.sh has its own --strict mode |
The auditor calls heal.sh WITHOUT --strict; if heal.sh exits non-zero, capture findings but continue Pass 2 |
references-modularization fails on a 200-line skill |
Check applies only when SKILL.md > 400 lines | Verify line count; status should be n/a for short skills |
See Also
- heal-skill — Pass 1 delegate; structural hygiene only
- skill-builder — companion; produces skills the auditor validates
- red-team — complementary; probes USABILITY (does the workflow actually work) vs auditor (is the structure correct)
References
- references/skill-template.md — canonical SKILL.md template (copy of skill-builder's; per CLAUDE.md no-symlinks rule)
- references/audit-checks.md — per-check detection logic + accepted forms + PRODUCT.md mapping
- references/context-density-checks.md — advisory density coverage logic and false-positive handling
- references/skill-auditor.feature — Executable spec: Pass 1 heal-skill delegation, Pass 2 structural checks, density report + productization score (soc-qk4b)
Scripts
scripts/audit.shscripts/score_agentops_skill.pyscripts/validate.sh
先判断是否适合
作者设计意图
作者的方法与取舍
边界和复核