Agent审计
- 作者仓库星标 739
- 作者更新于 实时读取
- 作者仓库 skills
- 领域
- 安全
- 兼容 Agent
-
- Claude Code
- Cursor
- Cline
- Codex
- Windsurf
- Gemini CLI
- +20
- 信任分
- 88 / 100 · 社区维护
- 作者 / 版本 / 许可
- @getsentry · 未声明 license
- Token 消耗评级
- 低消耗
- 接入复杂程度
- 需简单配置
- 是否需要外部 API Key
- 不需要
- 兼容的系统
- macOS · Linux · Windows
- 底层运行要求
- Python
- 文件与系统权限
-
- 只读
- 允许写入 / 修改
- Shell 执行
- 读取环境变量
- 网络行为
- 仅限本地
- 安装命令数
- 26 条
档案由构建时根据 SKILL.md 与安装命令自动衍生,可能与作者实际意图存在差异。
需要注意: 未限定 allowed-tools,默认拥有全部工具权限。
---
name: skill-scanner
description: Scan agent skills for security issues. Use when asked to "scan a skill", Static analysis scanner…
category: 安全
runtime: Python
---
# skill-scanner 输出预览
## PART A: 任务判断
- 适用问题:安全审计、密钥扫描、权限检查或风险分析。
- 输入要求:目标材料、限制条件、期望输出和验收方式。
- 证据边界:围绕“Bundled Script / scripts/scanskill.py / Workflow”读取原文规则,不把推断写成作者承诺。
## PART B: 执行结果
- **01** 任务判断:确认你的需求是否属于安全审计、密钥扫描、权限检查或风险分析,并标出输入、限制和预期结果。
- **02** 执行计划:优先按“Bundled Script / scripts/scanskill.py / Workflow”拆成步骤,说明每一步会读取什么、修改什么、产出什么。
- **03** 交付结果:给出可复制的命令、文件改动、检查清单或内容草稿,并说明如何继续迭代。
- **04** 风险边界:结合 读取文件、写入/修改文件、执行终端命令、读取环境变量、主要在本地完成、通常不需要额外 API Key 给出执行前确认项。
## Running Rules
- 读取文件、写入/修改文件、执行终端命令、读取环境变量;主要在本地完成;通常不需要额外 API Key。
- 先小样例验证,再放大到真实任务。
- 交付时同时给结果、检查口径和下一步迭代建议。 原文没有稳定的斜杠命令要求。安装验证后通常全局生效,直接在对话里点名这个 Skill 并描述任务即可。
告诉 Agent 目标文件或材料、期望结果、不可改范围、是否允许联网或执行命令。本 Skill 的权限画像是:读取文件、写入/修改文件、执行终端命令、读取环境变量。
先用一个小任务确认它会围绕“Bundled Script / scripts/scanskill.py / Workflow”工作;涉及文件或命令时,先看 diff、日志、预览或测试结果。
检查最终产物是否包含明确结果、必要证据和下一步动作;如果输出泛泛而谈,就补充输入、边界和验收标准后重跑。
---
name: skill-scanner
description: Scan agent skills for security issues. Use when asked to "scan a skill", Static analysis scanner…
category: 安全
source: getsentry/skills
---
# skill-scanner
## 什么时候使用
- 把安全方向的常用动作沉淀成 Agent 可调用的技能 适合处理安全审计、密钥扫描、权限检查和风险分析,核心价值是把输入、判断、执行、验证和交付边界固定下来,避免 Agent 泛泛回答。 把任务拆成可执行、可检查、可继续迭代的步骤;通常不…
- 面向安全审计、密钥扫描、权限检查或风险分析,优先处理能明确输入、步骤和验收标准的工作。
## 需要提供什么
- 目标材料、目录范围、期望结果和不可改动内容。
- 是否允许联网、执行命令、读写文件或调用外部服务。
## 执行规则
- 围绕「Bundled Script / scripts/scanskill.py / Workflow」组织步骤,不把推断写成作者事实。
- 读取文件、写入/修改文件、执行终端命令、读取环境变量;主要在本地完成;通常不需要额外 API Key。
- 先跑小样例,确认结果可检查后再扩大任务范围。
## 输出要求
- 给出最终产物、关键证据、验证方式和下一步动作。
- 信息不足时标记 unknown,不编造命令、平台或依赖。 作者原文负责流程事实;仓库文件负责来源和命令;流狐只补充适用场景、限制和质量判断。
skill "skill-scanner" {
输入层 -> 用户目标 + 目标文件 + 禁止范围 + 验收标准
上下文层 -> Bundled Script / scripts/scanskill.py / Workflow
规则层 -> SKILL.md 触发条件 / 执行顺序 / 输出格式
运行层 -> Python | 读取文件、写入/修改文件、执行终端命令、读取环境变量 | 主要在本地完成
安全层 -> 通常不需要额外 API Key + 小任务验证 + diff / 日志复核
输出层 -> 可复制结果 + 检查清单 + 下一步迭代
} Skill Security Scanner
Scan agent skills for security issues before adoption. Detects prompt injection, malicious code, excessive permissions, secret exposure, and supply chain risks.
Requires: The uv CLI for python package management, install guide at https://docs.astral.sh/uv/getting-started/installation/
Important: Run all scripts from the repository root. Script paths like scripts/scan_skill.py are relative to this skill's root directory (the directory containing this SKILL.md), not relative to the target repository.
Bundled Script
scripts/scan_skill.py
Static analysis scanner that detects deterministic patterns. Outputs structured JSON.
uv run scripts/scan_skill.py <skill-directory>
Returns JSON with findings, URLs, structure info, and severity counts. The script catches patterns mechanically — your job is to evaluate intent and filter false positives.
Workflow
Phase 1: Input & Discovery
Determine the scan target:
- If the user provides a skill directory path, use it directly
- If the user names a skill, look for it under
.agents/skills/<name>/first, then other established layouts such asskills/<name>/when the repo uses a canonical root skill tree,.claude/skills/<name>/,plugins/*/skills/<name>/, or another repo-managed skill root with clear prior art - If the user says "scan all skills", discover all
*/SKILL.mdfiles and scan each
Validate the target contains a SKILL.md file. List the skill structure:
ls -la <skill-directory>/
ls <skill-directory>/references/ 2>/dev/null
ls <skill-directory>/scripts/ 2>/dev/null
Phase 2: Automated Static Scan
Run the bundled scanner:
uv run scripts/scan_skill.py <skill-directory>
Parse the JSON output. The script produces findings with severity levels, URL analysis, and structure information. Use these as leads for deeper analysis.
Fallback: If the script fails, proceed with manual analysis using Grep patterns from the reference files.
Phase 3: Frontmatter Validation
Read the SKILL.md and check:
- Required fields:
nameanddescriptionmust be present - Name consistency:
namefield should match the directory name - Tool assessment: Review
allowed-tools— is Bash justified? Are tools unrestricted (*)? - Model override: Is a specific model forced? Why?
- Description quality: Does the description accurately represent what the skill does?
Phase 4: Prompt Injection Analysis
Load references/prompt-injection-patterns.md for context.
Review scanner findings in the "Prompt Injection" category. For each finding:
- Read the surrounding context in the file
- Determine if the pattern is performing injection (malicious) or discussing/detecting injection (legitimate)
- Skills about security, testing, or education commonly reference injection patterns — this is expected
Critical distinction: A security review skill that lists injection patterns in its references is documenting threats, not attacking. Only flag patterns that would execute against the agent running the skill.
Phase 5: Behavioral Analysis
This phase is agent-only — no pattern matching. Read the full SKILL.md instructions and evaluate:
Description vs. instructions alignment:
- Does the description match what the instructions actually tell the agent to do?
- A skill described as "code formatter" that instructs the agent to read ~/.ssh is misaligned
Config/memory poisoning:
- Instructions to modify
CLAUDE.md,MEMORY.md,settings.json,.mcp.json, or hook configurations - Instructions to add itself to allowlists or auto-approve permissions
- Writing to
~/.claude/,~/.agents/, or any agent configuration directory - Scripts that append to global config files — the poisoned instructions persist after skill removal
Scope creep:
- Instructions that exceed the skill's stated purpose
- Unnecessary data gathering (reading files unrelated to the skill's function)
- Instructions to install other skills, plugins, or dependencies not mentioned in the description
Information gathering:
- Reading environment variables beyond what's needed
- Listing directory contents outside the skill's scope
- Accessing git history, credentials, or user data unnecessarily
Structural attacks (check scanner output for these):
- Symlinks: Files that resolve outside the skill directory — can disguise reads of
~/.ssh/id_rsa,~/.aws/credentials, etc. as "example" files - Frontmatter hooks:
PostToolUse/PreToolUsehooks in YAML — execute shell commands automatically, the model cannot prevent it !command`` syntax: Runs shell commands at skill load time during template expansion, before the model sees the prompt- Test files:
conftest.py,test_*.py,*.test.js— test runners auto-discover and execute these as side effects ofpytestornpm test - npm lifecycle hooks:
postinstallscripts in bundledpackage.json— run automatically onnpm install - Image metadata: PNG files with text in metadata chunks (tEXt/iTXt) — multimodal LLMs can read hidden instructions from image metadata
Phase 6: Script Analysis
If the skill has a scripts/ directory:
- Load
references/dangerous-code-patterns.mdfor context - Read each script file fully (do not skip any)
- Check scanner findings in the "Malicious Code" category
- For each finding, evaluate:
- Data exfiltration: Does the script send data to external URLs? What data?
- Reverse shells: Socket connections with redirected I/O
- Credential theft: Reading SSH keys, .env files, tokens from environment
- Dangerous execution: eval/exec with dynamic input, shell=True with interpolation
- Config modification: Writing to agent settings, shell configs, git hooks
- Check PEP 723
dependencies— are they legitimate, well-known packages? - Verify the script's behavior matches the SKILL.md description of what it does
Legitimate patterns: gh CLI calls, git commands, reading project files, JSON output to stdout are normal for skill scripts.
Phase 7: Supply Chain Assessment
Review URLs from the scanner output and any additional URLs found in scripts:
- Trusted domains: GitHub, PyPI, official docs — normal
- Untrusted domains: Unknown domains, personal sites, URL shorteners — flag for review
- Remote instruction loading: Any URL that fetches content to be executed or interpreted as instructions is high risk
- Dependency downloads: Scripts that download and execute binaries or code at runtime
- Unverifiable sources: References to packages or tools not on standard registries
Phase 8: Permission Analysis
Load references/permission-analysis.md for the tool risk matrix.
Evaluate:
- Least privilege: Are all granted tools actually used in the skill instructions?
- Tool justification: Does the skill body reference operations that require each tool?
- Risk level: Rate the overall permission profile using the tier system from the reference
Example assessments:
Read Grep Glob— Low risk, read-only analysis skillRead Grep Glob Bash— Medium risk, needs Bash justification (e.g., running bundled scripts)Read Grep Glob Bash Write Edit WebFetch Task— High risk, near-full access
Confidence Levels
| Level | Criteria | Action |
|---|---|---|
| HIGH | Pattern confirmed + malicious intent evident | Report with severity |
| MEDIUM | Suspicious pattern, intent unclear | Note as "Needs verification" |
| LOW | Theoretical, best practice only | Do not report |
False positive awareness is critical. The biggest risk is flagging legitimate security skills as malicious because they reference attack patterns. Always evaluate intent before reporting.
Output Format
## Skill Security Scan: [Skill Name]
### Summary
- **Findings**: X (Y Critical, Z High, ...)
- **Risk Level**: Critical / High / Medium / Low / Clean
- **Skill Structure**: SKILL.md only / +references / +scripts / full
### Findings
#### [SKILL-SEC-001] [Finding Type] (Severity)
- **Location**: `SKILL.md:42` or `scripts/tool.py:15`
- **Confidence**: High
- **Category**: Prompt Injection / Malicious Code / Excessive Permissions / Secret Exposure / Supply Chain / Validation
- **Issue**: [What was found]
- **Evidence**: [code snippet]
- **Risk**: [What could happen]
- **Remediation**: [How to fix]
### Needs Verification
[Medium-confidence items needing human review]
### Assessment
[Safe to install / Install with caution / Do not install]
[Brief justification for the assessment]
Risk level determination:
- Critical: Any high-confidence critical finding (prompt injection, credential theft, data exfiltration)
- High: High-confidence high-severity findings or multiple medium findings
- Medium: Medium-confidence findings or minor permission concerns
- Low: Only best-practice suggestions
- Clean: No findings after thorough analysis
Reference Files
| File | Purpose |
|---|---|
references/prompt-injection-patterns.md |
Injection patterns, jailbreaks, obfuscation techniques, false positive guide |
references/dangerous-code-patterns.md |
Script security patterns: exfiltration, shells, credential theft, eval/exec |
references/permission-analysis.md |
Tool risk tiers, least privilege methodology, common skill permission profiles |
先判断是否适合
作者设计意图
作者的方法与取舍
边界和复核