安全审查
- 作者仓库星标 14,101
- 许可证 Complete terms in LICENSE.txt
- 作者更新于 实时读取
- 作者仓库 eigent
- 领域
- 安全
- 兼容 Agent
-
- Claude Code
- Cursor
- Cline
- Codex
- Windsurf
- Gemini CLI
- +20
- 信任分
- 94 / 100 · 已通过审计
- 作者 / 版本 / 许可
- @eigent-ai · Complete terms in LICENSE.txt
- Token 消耗评级
- 低消耗
- 接入复杂程度
- 需手动接入
- 是否需要外部 API Key
- 需要 · Vendor-specific
- 兼容的系统
- macOS · Linux · Windows
- 底层运行要求
- Node.js · Python
- 文件与系统权限
-
- 只读
- Shell 执行
- 读取环境变量
- 允许写入 / 修改
- 网络行为
- 允许外网请求
- 安装命令数
- 26 条
档案由构建时根据 SKILL.md 与安装命令自动衍生,可能与作者实际意图存在差异。
需要注意: 未限定 allowed-tools,默认拥有全部工具权限。
---
name: skill-security-auditor
description: Security auditing for code, configs, and infrastructure. Use when the user wants to audit or imp…
category: 安全
runtime: Node.js / Python
---
# skill-security-auditor 输出预览
## PART A: 任务判断
- 适用问题:安全审计、密钥扫描、权限检查或风险分析。
- 输入要求:目标材料、限制条件、期望输出和验收方式。
- 证据边界:围绕“Overview / Quick Start / Testing the scripts”读取原文规则,不把推断写成作者承诺。
## PART B: 执行结果
- **01** 任务判断:确认你的需求是否属于安全审计、密钥扫描、权限检查或风险分析,并标出输入、限制和预期结果。
- **02** 执行计划:优先按“Overview / Quick Start / Testing the scripts”拆成步骤,说明每一步会读取什么、修改什么、产出什么。
- **03** 交付结果:给出可复制的命令、文件改动、检查清单或内容草稿,并说明如何继续迭代。
- **04** 风险边界:结合 读取文件、执行终端命令、读取环境变量、写入/修改文件、会按任务需要访问外部网络、需要准备 Vendor-specific API Key 给出执行前确认项。
## Running Rules
- 读取文件、执行终端命令、读取环境变量、写入/修改文件;会按任务需要访问外部网络;需要准备 Vendor-specific API Key。
- 先小样例验证,再放大到真实任务。
- 交付时同时给结果、检查口径和下一步迭代建议。 原文出现了 `/path` 这类斜杠命令;如果你的 Agent 支持命令触发,优先用命令开场,再补充目标和边界。
告诉 Agent 目标文件或材料、期望结果、不可改范围、是否允许联网或执行命令。本 Skill 的权限画像是:读取文件、执行终端命令、读取环境变量、写入/修改文件。
先用一个小任务确认它会围绕“Overview / Quick Start / Testing the scripts”工作;涉及文件或命令时,先看 diff、日志、预览或测试结果。
检查最终产物是否包含明确结果、必要证据和下一步动作;如果输出泛泛而谈,就补充输入、边界和验收标准后重跑。
---
name: skill-security-auditor
description: Security auditing for code, configs, and infrastructure. Use when the user wants to audit or imp…
category: 安全
source: eigent-ai/eigent
---
# skill-security-auditor
## 什么时候使用
- 用于审阅代码、文档或方案并给出可执行反馈 适合处理安全审计、密钥扫描、权限检查和风险分析,核心价值是把输入、判断、执行、验证和交付边界固定下来,避免 Agent 泛泛回答。 把任务拆成可执行、可检查、可继续迭代的步骤;使用前要准备 Ve…
- 面向安全审计、密钥扫描、权限检查或风险分析,优先处理能明确输入、步骤和验收标准的工作。
## 需要提供什么
- 目标材料、目录范围、期望结果和不可改动内容。
- 是否允许联网、执行命令、读写文件或调用外部服务。
## 执行规则
- 围绕「Overview / Quick Start / Testing the scripts」组织步骤,不把推断写成作者事实。
- 读取文件、执行终端命令、读取环境变量、写入/修改文件;会按任务需要访问外部网络;需要准备 Vendor-specific API Key。
- 先跑小样例,确认结果可检查后再扩大任务范围。
## 输出要求
- 给出最终产物、关键证据、验证方式和下一步动作。
- 信息不足时标记 unknown,不编造命令、平台或依赖。 作者原文负责流程事实;仓库文件负责来源和命令;流狐只补充适用场景、限制和质量判断。
skill "skill-security-auditor" {
输入层 -> 用户目标 + 目标文件 + 禁止范围 + 验收标准
上下文层 -> Overview / Quick Start / Testing the scripts
规则层 -> SKILL.md 触发条件 / 执行顺序 / 输出格式
运行层 -> Node.js / Python | 读取文件、执行终端命令、读取环境变量、写入/修改文件 | 会按任务需要访问外部网络
安全层 -> 需要准备 Vendor-specific API Key + 小任务验证 + diff / 日志复核
输出层 -> 可复制结果 + 检查清单 + 下一步迭代
} Security Auditor Guide
Overview
This guide covers security auditing workflows for source code, dependencies, and configurations. For detailed vulnerability patterns and detection rules, see references/vulnerability-patterns.md. For secrets detection patterns, see references/secrets-patterns.md.
Quick Start
Run the bundled scan script against a project directory:
python scripts/scan_project.py /path/to/project
This performs a lightweight scan for common issues: hardcoded secrets, dangerous function calls, and insecure patterns. For deeper analysis, follow the workflows below.
Testing the scripts
python scripts/scan_project.py /path/to/some/project --format text
python scripts/scan_secrets.py /path/to/some/project --format text
Audit Workflow
1. Reconnaissance
Before auditing, understand the project:
# Identify languages, frameworks, and entry points
find . -type f -name "*.py" -o -name "*.js" -o -name "*.ts" -o -name "*.go" -o -name "*.java" | head -20
cat package.json pyproject.toml requirements.txt go.mod pom.xml 2>/dev/null
Key questions:
- What frameworks are used? (Express, Django, Flask, Spring, etc.)
- Where are the entry points? (routes, controllers, API handlers)
- How is authentication handled?
- What external services are called?
- Is user input accepted? Where?
2. Secrets Detection
Scan for hardcoded credentials, API keys, and tokens. See references/secrets-patterns.md for the full pattern list.
python scripts/scan_secrets.py /path/to/project
Common patterns to check:
- API keys and tokens in source files
- Database connection strings with embedded passwords
- Private keys or certificates committed to the repo
.envfiles or config files with plaintext secrets- Secrets in CI/CD configuration files
3. Vulnerability Scanning
OWASP Top 10 Checklist
| # | Category | What to Look For |
|---|---|---|
| A01 | Broken Access Control | Missing auth checks, IDOR, privilege escalation |
| A02 | Cryptographic Failures | Weak algorithms, plaintext storage, missing TLS |
| A03 | Injection | SQL, NoSQL, OS command, LDAP, XSS |
| A04 | Insecure Design | Missing rate limits, business logic flaws |
| A05 | Security Misconfiguration | Debug mode, default credentials, verbose errors |
| A06 | Vulnerable Components | Outdated dependencies with known CVEs |
| A07 | Auth Failures | Weak passwords, missing MFA, session issues |
| A08 | Data Integrity Failures | Insecure deserialization, unsigned updates |
| A09 | Logging Failures | Missing audit logs, sensitive data in logs |
| A10 | SSRF | Unvalidated URLs in server-side requests |
Language-Specific Checks
Python
# Dangerous: SQL injection
cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
# Safe: Parameterized query
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
# Dangerous: Command injection
os.system(f"ping {hostname}")
# Safe: Use subprocess with list args
subprocess.run(["ping", hostname], capture_output=True)
# Dangerous: Path traversal
open(f"/data/{user_input}")
# Safe: Validate and resolve path
path = pathlib.Path("/data") / user_input
path.resolve().relative_to(pathlib.Path("/data").resolve())
JavaScript/TypeScript
// Dangerous: XSS via innerHTML
element.innerHTML = userInput;
// Safe: Use textContent or sanitize
element.textContent = userInput;
// Dangerous: Prototype pollution
Object.assign(target, JSON.parse(userInput));
// Safe: Validate input structure
const parsed = JSON.parse(userInput);
if (typeof parsed !== 'object' || Array.isArray(parsed)) throw new Error();
const sanitized = Object.fromEntries(
Object.entries(parsed).filter(([k]) => !k.startsWith('__'))
);
// Dangerous: eval or Function constructor
eval(userInput);
// Safe: Never use eval with user input
Go
// Dangerous: SQL injection
db.Query("SELECT * FROM users WHERE id = " + id)
// Safe: Parameterized query
db.Query("SELECT * FROM users WHERE id = $1", id)
// Dangerous: Path traversal
http.ServeFile(w, r, filepath.Join(baseDir, r.URL.Path))
// Safe: Clean and validate path
cleaned := filepath.Clean(r.URL.Path)
full := filepath.Join(baseDir, cleaned)
if !strings.HasPrefix(full, baseDir) { http.Error(...) }
4. Dependency Audit
Check for known vulnerabilities in project dependencies:
# Python
pip audit
safety check -r requirements.txt
# Node.js
npm audit
npx auditjs ossi
# Go
govulncheck ./...
# General (if Trivy is available)
trivy fs --scanners vuln /path/to/project
Review the output and categorize by severity (critical, high, medium, low). Critical and high severity findings should be addressed before deployment.
5. Configuration Review
Check for insecure defaults in configuration files:
# Common misconfigurations to flag:
DEBUG: true # Debug mode in production
ALLOWED_HOSTS: ["*"] # Unrestricted host access
CORS_ALLOW_ALL_ORIGINS: true # Open CORS policy
SECRET_KEY: "default" # Default or weak secret key
SSL_VERIFY: false # Disabled TLS verification
Check infrastructure configs:
- Dockerfiles: Running as root, exposing unnecessary ports
- CI/CD: Secrets in plaintext, overly permissive permissions
- Cloud configs: Public S3 buckets, open security groups
6. Authentication and Authorization Review
Key areas to verify:
- Password hashing uses strong algorithms (bcrypt, argon2, scrypt)
- Sessions have appropriate timeouts and rotation
- JWT tokens are validated properly (algorithm, expiry, signature)
- API endpoints enforce authorization checks
- Role-based access control is consistently applied
- Rate limiting is in place for login and sensitive endpoints
Report Format
When generating a security audit report, use this structure:
# Security Audit Report
## Summary
- **Project**: [name]
- **Date**: [date]
- **Scope**: [what was audited]
- **Risk Level**: [Critical/High/Medium/Low]
## Findings
### [SEVERITY] Finding Title
- **Category**: [OWASP category]
- **Location**: [file:line]
- **Description**: [what the issue is]
- **Impact**: [what could happen if exploited]
- **Recommendation**: [how to fix]
## Statistics
- Total findings: [count]
- Critical: [count] | High: [count] | Medium: [count] | Low: [count]
Next Steps
- For detailed vulnerability patterns and code examples, see references/vulnerability-patterns.md
- For secrets detection regex patterns, see references/secrets-patterns.md
先判断是否适合
作者设计意图
作者的方法与取舍
边界和复核