安全审计
- 作者仓库星标 1,897
- 作者更新于 实时读取
- 作者仓库 skillshare
- 领域
- 安全
- 兼容 Agent
-
- Claude Code
- Cursor
- Cline
- Codex
- Windsurf
- Gemini CLI
- +20
- 信任分
- 88 / 100 · 社区维护
- 作者 / 版本 / 许可
- @runkids · 未声明 license
- Token 消耗评级
- 低消耗
- 接入复杂程度
- 即装即用
- 是否需要外部 API Key
- 不需要
- 兼容的系统
- 未声明(默认跨平台)
- 底层运行要求
- 无特殊要求
- 文件与系统权限
-
- 只读
- 允许写入 / 修改
- 网络行为
- 仅限本地
- 安装命令数
- 26 条
档案由构建时根据 SKILL.md 与安装命令自动衍生,可能与作者实际意图存在差异。
需要注意: 未限定 allowed-tools,默认拥有全部工具权限。
---
name: skillshare-codebase-audit
description: >- Read-only consistency audit across the skillshare codebase. $ARGUMENTS specifies focus area (…
category: 安全
runtime: 无特殊运行时
---
# skillshare-codebase-audit 输出预览
## PART A: 任务判断
- 适用问题:安全审计、密钥扫描、权限检查或风险分析。
- 输入要求:目标材料、限制条件、期望输出和验收方式。
- 证据边界:围绕“Audit Dimensions / 1. CLI Flag Audit / 2. Spec vs Code”读取原文规则,不把推断写成作者承诺。
## PART B: 执行结果
- **01** 任务判断:确认你的需求是否属于安全审计、密钥扫描、权限检查或风险分析,并标出输入、限制和预期结果。
- **02** 执行计划:优先按“Audit Dimensions / 1. CLI Flag Audit / 2. Spec vs Code”拆成步骤,说明每一步会读取什么、修改什么、产出什么。
- **03** 交付结果:给出可复制的命令、文件改动、检查清单或内容草稿,并说明如何继续迭代。
- **04** 风险边界:结合 读取文件、写入/修改文件、主要在本地完成、通常不需要额外 API Key 给出执行前确认项。
## Running Rules
- 读取文件、写入/修改文件;主要在本地完成;通常不需要额外 API Key。
- 先小样例验证,再放大到真实任务。
- 交付时同时给结果、检查口径和下一步迭代建议。 原文没有稳定的斜杠命令要求。安装验证后通常全局生效,直接在对话里点名这个 Skill 并描述任务即可。
告诉 Agent 目标文件或材料、期望结果、不可改范围、是否允许联网或执行命令。本 Skill 的权限画像是:读取文件、写入/修改文件。
先用一个小任务确认它会围绕“Audit Dimensions / 1. CLI Flag Audit / 2. Spec vs Code”工作;涉及文件或命令时,先看 diff、日志、预览或测试结果。
检查最终产物是否包含明确结果、必要证据和下一步动作;如果输出泛泛而谈,就补充输入、边界和验收标准后重跑。
---
name: skillshare-codebase-audit
description: >- Read-only consistency audit across the skillshare codebase. $ARGUMENTS specifies focus area (…
category: 安全
source: runkids/skillshare
---
# skillshare-codebase-audit
## 什么时候使用
- 用于提炼长内容、变更或对话里的关键信息 适合处理安全审计、密钥扫描、权限检查和风险分析,核心价值是把输入、判断、执行、验证和交付边界固定下来,避免 Agent 泛泛回答。 把任务拆成可执行、可检查、可继续迭代的步骤;通常不需要额外 AP…
- 面向安全审计、密钥扫描、权限检查或风险分析,优先处理能明确输入、步骤和验收标准的工作。
## 需要提供什么
- 目标材料、目录范围、期望结果和不可改动内容。
- 是否允许联网、执行命令、读写文件或调用外部服务。
## 执行规则
- 围绕「Audit Dimensions / 1. CLI Flag Audit / 2. Spec vs Code」组织步骤,不把推断写成作者事实。
- 读取文件、写入/修改文件;主要在本地完成;通常不需要额外 API Key。
- 先跑小样例,确认结果可检查后再扩大任务范围。
## 输出要求
- 给出最终产物、关键证据、验证方式和下一步动作。
- 信息不足时标记 unknown,不编造命令、平台或依赖。 作者原文负责流程事实;仓库文件负责来源和命令;流狐只补充适用场景、限制和质量判断。
skill "skillshare-codebase-audit" {
输入层 -> 用户目标 + 目标文件 + 禁止范围 + 验收标准
上下文层 -> Audit Dimensions / 1. CLI Flag Audit / 2. Spec vs Code
规则层 -> SKILL.md 触发条件 / 执行顺序 / 输出格式
运行层 -> 无特殊运行时 | 读取文件、写入/修改文件 | 主要在本地完成
安全层 -> 通常不需要额外 API Key + 小任务验证 + diff / 日志复核
输出层 -> 可复制结果 + 检查清单 + 下一步迭代
} Read-only consistency audit across the skillshare codebase. $ARGUMENTS specifies focus area (e.g., "flags", "tests", "targets") or omit for full audit.
Scope: This skill only READS and REPORTS. It does not modify any files. Use implement-feature to fix issues or update-docs to fix documentation gaps.
Audit Dimensions
Run all 4 dimensions in parallel where possible. For each, produce a summary table.
1. CLI Flag Audit
Compare every flag defined in cmd/skillshare/*.go against website/docs/commands/*.md.
# Find all flags in Go source
grep -rn 'flag\.\(String\|Bool\|Int\)' cmd/skillshare/
grep -rn 'Args\|Usage' cmd/skillshare/
Report:
- UNDOCUMENTED: Flag exists in code but not in docs
- STALE: Flag documented but not found in code
- OK: Flag matches between code and docs
2. Spec vs Code
For each spec in specs/ marked as completed/done:
- Verify the described feature exists in source code
- Check that the spec's acceptance criteria are testable
Report:
- IMPLEMENTED: Spec complete, code exists
- MISMATCH: Spec says done but code missing or partial
- PENDING: Spec not yet marked complete (informational)
3. Test Coverage
For each command handler in cmd/skillshare/<cmd>.go:
- Check if
tests/integration/<cmd>_test.goexists - Check if key behaviors have test cases
# List all command handlers
ls cmd/skillshare/*.go | grep -v '_test.go\|main.go\|helpers.go\|mode.go'
# List all integration tests
ls tests/integration/*_test.go
Report:
- COVERED: Command has integration test file with test cases
- PARTIAL: Test file exists but missing key scenarios
- MISSING: No integration test for this command
4. Target Audit
Verify internal/config/targets.yaml entries:
- Each target has both
global_pathandproject_path - Aliases are consistent
- No duplicate entries
Report:
- OK: Target entry complete and valid
- INCOMPLETE: Missing required fields
- DUPLICATE: Name or alias collision
Output Format
== Skillshare Codebase Audit ==
### CLI Flags (N issues)
| Command | Flag | Status |
|-----------|-------------|--------------|
| install | --force | OK |
| install | --into | UNDOCUMENTED |
### Specs (N issues)
| Spec File | Status |
|----------------------|-------------|
| copy-sync-mode.md | IMPLEMENTED |
| some-feature.md | MISMATCH |
### Test Coverage (N issues)
| Command | Status | Notes |
|-----------|---------|--------------------|
| sync | COVERED | |
| audit | PARTIAL | missing edge cases |
| target | MISSING | |
### Targets (N issues)
| Target | Status | Notes |
|-----------|------------|---------------|
| claude | OK | |
| newagent | INCOMPLETE | no project_path |
== Summary: X OK / Y issues found ==
5. Handler Split Audit
For commands with >300 lines in cmd/skillshare/<cmd>.go, verify the handler split convention is followed:
# Find large command files
wc -l cmd/skillshare/*.go | sort -rn | head -20
Check that large commands are properly split:
| Suffix | Expected for large commands |
|---|---|
_handlers.go |
Core logic extracted |
_render.go |
Output rendering separated |
_tui.go |
TUI components isolated |
Report:
- SPLIT: Large command properly follows handler split convention
- MONOLITH: >300 lines without split (should be refactored)
- N/A: Small command, no split needed
6. Oplog Coverage
Verify all mutating commands have oplog instrumentation:
# Find commands that modify state
grep -rn 'func handle\|func cmd' cmd/skillshare/*.go
# Check for oplog.Write calls
grep -rn 'oplog.Write' cmd/skillshare/
Mutating commands (install, uninstall, sync, update, init, collect, backup, restore, trash) should all write to oplog. Read-only commands (list, status, check, search, audit, log, version) should not.
Report:
- INSTRUMENTED: Mutating command has oplog.Write
- MISSING: Mutating command lacks oplog instrumentation
- N/A: Read-only command (no oplog expected)
7. Web API Consistency
Verify internal/server/handler_*.go routes match CLI commands:
# List all handler files
ls internal/server/handler_*.go | grep -v _test.go
# Check route registration in server.go
grep -n 'HandleFunc\|Handle(' internal/server/server.go
Report:
- SYNCED: CLI command has corresponding API handler
- CLI-ONLY: Command exists in CLI but not in Web API (may be intentional)
- API-ONLY: API handler without CLI counterpart (unusual)
Output Format
== Skillshare Codebase Audit ==
### CLI Flags (N issues)
| Command | Flag | Status |
|-----------|-------------|--------------|
| install | --force | OK |
| install | --into | UNDOCUMENTED |
### Specs (N issues)
| Spec File | Status |
|----------------------|-------------|
| copy-sync-mode.md | IMPLEMENTED |
| some-feature.md | MISMATCH |
### Test Coverage (N issues)
| Command | Status | Notes |
|-----------|---------|--------------------|
| sync | COVERED | |
| audit | PARTIAL | missing edge cases |
| target | MISSING | |
### Targets (N issues)
| Target | Status | Notes |
|-----------|------------|---------------|
| claude | OK | |
| newagent | INCOMPLETE | no project_path |
### Handler Split (N issues)
| Command | Lines | Status | Notes |
|-----------|-------|-----------|--------------------|
| install | 450 | SPLIT | 6 sub-files |
| audit | 320 | MONOLITH | should split render |
| status | 80 | N/A | |
### Oplog (N issues)
| Command | Mutating? | Status |
|-----------|-----------|---------------|
| install | Yes | INSTRUMENTED |
| trash | Yes | MISSING |
| list | No | N/A |
### Web API (N issues)
| Command | CLI | API | Status |
|-----------|-----|-----|----------|
| install | Yes | Yes | SYNCED |
| diff | Yes | No | CLI-ONLY |
== Summary: X OK / Y issues found ==
Rules
- Read-only — never modify files, only report
- Evidence-based — every finding must include file path and line number
- No false positives — verify with grep before flagging
- Scope $ARGUMENTS — if user specifies "flags", only run dimension 1; "handlers" for dimension 5, "oplog" for dimension 6, "api" for dimension 7
先判断是否适合
作者设计意图
作者的方法与取舍
边界和复核