Agent测试
- 作者仓库星标 177
- 作者更新于 实时读取
- 作者仓库 skill-check
- 领域
- 安全
- 兼容 Agent
-
- Claude Code
- Cursor
- Cline
- Codex
- Windsurf
- Gemini CLI
- +20
- 信任分
- 83 / 100 · 社区维护
- 作者 / 版本 / 许可
- @thedaviddias · 未声明 license
- Token 消耗评级
- 低消耗
- 接入复杂程度
- 即装即用
- 是否需要外部 API Key
- 不需要
- 兼容的系统
- macOS · Linux · Windows
- 底层运行要求
- Node.js
- 文件与系统权限
-
- 只读
- 允许写入 / 修改
- 网络行为
- 允许外网请求
- 安装命令数
- 26 条
档案由构建时根据 SKILL.md 与安装命令自动衍生,可能与作者实际意图存在差异。
需要注意: 未限定 allowed-tools,默认拥有全部工具权限。;检出高风险片段:pipe_curl_to_shell
---
name: skill-check
description: Use when the user wants to validate, lint, or audit agent skill files (SKILL.md). Use when they…
category: 安全
runtime: Node.js
---
# skill-check 输出预览
## PART A: 任务判断
- 适用问题:安全审计、密钥扫描、权限检查或风险分析。
- 输入要求:目标材料、限制条件、期望输出和验收方式。
- 证据边界:围绕“Installation / When to use / Local validation”读取原文规则,不把推断写成作者承诺。
## PART B: 执行结果
- **01** 任务判断:确认你的需求是否属于安全审计、密钥扫描、权限检查或风险分析,并标出输入、限制和预期结果。
- **02** 执行计划:优先按“Installation / When to use / Local validation”拆成步骤,说明每一步会读取什么、修改什么、产出什么。
- **03** 交付结果:给出可复制的命令、文件改动、检查清单或内容草稿,并说明如何继续迭代。
- **04** 风险边界:结合 读取文件、写入/修改文件、会按任务需要访问外部网络、通常不需要额外 API Key 给出执行前确认项。
## Running Rules
- 读取文件、写入/修改文件;会按任务需要访问外部网络;通常不需要额外 API Key。
- 先小样例验证,再放大到真实任务。
- 交付时同时给结果、检查口径和下一步迭代建议。 原文出现了 `/tmp` 这类斜杠命令;如果你的 Agent 支持命令触发,优先用命令开场,再补充目标和边界。
告诉 Agent 目标文件或材料、期望结果、不可改范围、是否允许联网或执行命令。本 Skill 的权限画像是:读取文件、写入/修改文件。
先用一个小任务确认它会围绕“Installation / When to use / Local validation”工作;涉及文件或命令时,先看 diff、日志、预览或测试结果。
检查最终产物是否包含明确结果、必要证据和下一步动作;如果输出泛泛而谈,就补充输入、边界和验收标准后重跑。
---
name: skill-check
description: Use when the user wants to validate, lint, or audit agent skill files (SKILL.md). Use when they…
category: 安全
source: thedaviddias/skill-check
---
# skill-check
## 什么时候使用
- 用于提炼长内容、变更或对话里的关键信息 适合处理安全审计、密钥扫描、权限检查和风险分析,核心价值是把输入、判断、执行、验证和交付边界固定下来,避免 Agent 泛泛回答。 把任务拆成可执行、可检查、可继续迭代的步骤;通常不需要额外 AP…
- 面向安全审计、密钥扫描、权限检查或风险分析,优先处理能明确输入、步骤和验收标准的工作。
## 需要提供什么
- 目标材料、目录范围、期望结果和不可改动内容。
- 是否允许联网、执行命令、读写文件或调用外部服务。
## 执行规则
- 围绕「Installation / When to use / Local validation」组织步骤,不把推断写成作者事实。
- 读取文件、写入/修改文件;会按任务需要访问外部网络;通常不需要额外 API Key。
- 先跑小样例,确认结果可检查后再扩大任务范围。
## 输出要求
- 给出最终产物、关键证据、验证方式和下一步动作。
- 信息不足时标记 unknown,不编造命令、平台或依赖。 作者原文负责流程事实;仓库文件负责来源和命令;流狐只补充适用场景、限制和质量判断。
skill "skill-check" {
输入层 -> 用户目标 + 目标文件 + 禁止范围 + 验收标准
上下文层 -> Installation / When to use / Local validation
规则层 -> SKILL.md 触发条件 / 执行顺序 / 输出格式
运行层 -> Node.js | 读取文件、写入/修改文件 | 会按任务需要访问外部网络
安全层 -> 通常不需要额外 API Key + 小任务验证 + diff / 日志复核
输出层 -> 可复制结果 + 检查清单 + 下一步迭代
} skill-check
Validate agent skill files (SKILL.md) using the skill-check tool. Support both local paths and GitHub repos.
Installation
Ensure skill-check is available before running checks:
- No install (recommended for one-off or agent use):
npx skill-check— uses npm to run the latest version; requires Node.js and network on first run. - Global install (curl):
curl -fsSL https://raw.githubusercontent.com/thedaviddias/skill-check/main/scripts/install.sh | bash— installs a globalskill-checkbinary. - Homebrew:
brew tap thedaviddias/skill-check https://github.com/thedaviddias/skill-checkthenbrew install skill-check.
If the user has not installed skill-check, use npx skill-check so no prior install is needed. To confirm the tool is available, run npx skill-check rules and expect a list of built-in rule IDs.
When to use
- User asks to validate, lint, or check skill files
- User provides a local path (e.g.
~/.cursor/skills,./skills, or a repo root) - User provides a GitHub repo URL and wants skills in that repo validated
Local validation
- Run skill-check against the given path:
- Quick lint only:
npx skill-check check <path> --no-security-scan --format json - Full check (includes security scan):
npx skill-check check <path> --format json
- Quick lint only:
- Parse the JSON output to get diagnostics (ruleId, severity, message, file, line).
- Summarize results for the user: number of skills found, errors vs warnings, and any suggested fixes.
Use --format json when you need to parse output programmatically. Use default text format when showing output directly to the user.
GitHub repo validation
- Clone the repo shallowly into a temp directory, e.g.
git clone --depth 1 <url> /tmp/skill-check-<short-hash>(or use a system temp path). - Run
npx skill-check check /tmp/skill-check-<hash>(with--format jsonif you will parse results). - Report findings to the user.
- Remove the temp directory when done.
Commands reference
npx skill-check check [path]— run validation (+ optional security scan). Default path is.npx skill-check check [path] --no-security-scan— lint only, skip security scannpx skill-check check [path] --format json— machine-readable output with quality scoresnpx skill-check check [path] --format github— GitHub Actions::error/::warningannotationsnpx skill-check check [path] --format html --no-open— self-contained HTML reportnpx skill-check check [path] --fix— auto-fix supported findingsnpx skill-check check [path] --fix --interactive— prompt before each fix (TTY only)npx skill-check check [path] --baseline baseline.json— compare against previous runnpx skill-check new <name>— scaffold a new skill directorynpx skill-check watch [path]— re-run on file changesnpx skill-check diff <pathA> <pathB>— compare diagnostics between two directoriesnpx skill-check rules— list all built-in rules with severity and fixable statusnpx skill-check rules <id>— show detail for a specific rulenpx skill-check report [path]— generate a markdown health report
Interpreting results
- error — spec or rule violation; should be fixed.
- warn — recommendation; may be acceptable depending on context.
- suggestion — every diagnostic includes an actionable suggestion text.
- quality score — 0-100 per skill, weighted across frontmatter (30%), description (30%), body (20%), links (10%), file (10%).
- duplicates —
duplicates.name/duplicates.descriptionwarnings when multiple skills share the same name or description. - Exit code 0 means no errors; non-zero means validation failed or security scan found issues.
Testing this skill
To verify this skill and the skill-check CLI work:
- Check CLI is available: Run
npx skill-check rules. You should see a list of built-in rules (e.g.frontmatter.required,body.max_tokens, etc.). - Validate this repo's skills: From the skill-check repo root, run
npx skill-check check skills/ --no-security-scan. Expect one skill (skills/skill-check/SKILL.md) and zero diagnostics (PASS). - Scaffold a test skill: Run
npx skill-check new test-skill --dir /tmp. Verify/tmp/test-skill/SKILL.mdwas created, thennpx skill-check check /tmp/test-skill --no-security-scanshould pass. - Optional — validate with security scan: Run
npx skill-check check skills/(no--no-security-scan). Requiresmcp-scanoruv/pipxfor the security scan step.
先判断是否适合
作者设计意图
作者的方法与取舍
边界和复核