安全测试
- 作者仓库星标 0
- 作者更新于 实时读取
- 作者仓库 skills-registry
- 领域
- AI 智能
- 兼容 Agent
-
- Claude Code
- Cursor
- Cline
- Codex
- Windsurf
- Gemini CLI
- +20
- 信任分
- 88 / 100 · 社区维护
- 作者 / 版本 / 许可
- @tomevault-io · 未声明 license
- Token 消耗评级
- 低消耗
- 接入复杂程度
- 需简单配置
- 是否需要外部 API Key
- 不需要
- 兼容的系统
- 未声明(默认跨平台)
- 底层运行要求
- Python
- 文件与系统权限
-
- 只读
- 允许写入 / 修改
- Shell 执行
- 网络行为
- 允许外网请求
- 安装命令数
- 26 条
档案由构建时根据 SKILL.md 与安装命令自动衍生,可能与作者实际意图存在差异。
需要注意: 未限定 allowed-tools,默认拥有全部工具权限。
---
name: verify-language
description: Language-specific verification for Python, TypeScript/JavaScript, and Go. Checks type safety, la…
category: AI 智能
runtime: Python
---
# verify-language 输出预览
## PART A: 任务判断
- 适用问题:提示词、Agent 工作流、模型评估或自动化推理。
- 输入要求:目标材料、限制条件、期望输出和验收方式。
- 证据边界:围绕“Purpose / When to Use / Process”读取原文规则,不把推断写成作者承诺。
## PART B: 执行结果
- **01** 任务判断:确认你的需求是否属于提示词、Agent 工作流、模型评估或自动化推理,并标出输入、限制和预期结果。
- **02** 执行计划:优先按“Purpose / When to Use / Process”拆成步骤,说明每一步会读取什么、修改什么、产出什么。
- **03** 交付结果:给出可复制的命令、文件改动、检查清单或内容草稿,并说明如何继续迭代。
- **04** 风险边界:结合 读取文件、写入/修改文件、执行终端命令、会按任务需要访问外部网络、通常不需要额外 API Key 给出执行前确认项。
## Running Rules
- 读取文件、写入/修改文件、执行终端命令;会按任务需要访问外部网络;通常不需要额外 API Key。
- 先小样例验证,再放大到真实任务。
- 交付时同时给结果、检查口径和下一步迭代建议。 原文出现了 `/users` 这类斜杠命令;如果你的 Agent 支持命令触发,优先用命令开场,再补充目标和边界。
告诉 Agent 目标文件或材料、期望结果、不可改范围、是否允许联网或执行命令。本 Skill 的权限画像是:读取文件、写入/修改文件、执行终端命令。
先用一个小任务确认它会围绕“Purpose / When to Use / Process”工作;涉及文件或命令时,先看 diff、日志、预览或测试结果。
检查最终产物是否包含明确结果、必要证据和下一步动作;如果输出泛泛而谈,就补充输入、边界和验收标准后重跑。
---
name: verify-language
description: Language-specific verification for Python, TypeScript/JavaScript, and Go. Checks type safety, la…
category: AI 智能
source: tomevault-io/skills-registry
---
# verify-language
## 什么时候使用
- 把「验证」相关任务沉淀成 Agent 可调用的技能 适合处理AI Agent、提示词、模型评估与自动化推理,核心价值是把输入、判断、执行、验证和交付边界固定下来,避免 Agent 泛泛回答。 把任务拆成可执行、可检查、可继续迭代的步骤…
- 面向提示词、Agent 工作流、模型评估或自动化推理,优先处理能明确输入、步骤和验收标准的工作。
## 需要提供什么
- 目标材料、目录范围、期望结果和不可改动内容。
- 是否允许联网、执行命令、读写文件或调用外部服务。
## 执行规则
- 围绕「Purpose / When to Use / Process」组织步骤,不把推断写成作者事实。
- 读取文件、写入/修改文件、执行终端命令;会按任务需要访问外部网络;通常不需要额外 API Key。
- 先跑小样例,确认结果可检查后再扩大任务范围。
## 输出要求
- 给出最终产物、关键证据、验证方式和下一步动作。
- 信息不足时标记 unknown,不编造命令、平台或依赖。 作者原文负责流程事实;仓库文件负责来源和命令;流狐只补充适用场景、限制和质量判断。
skill "verify-language" {
输入层 -> 用户目标 + 目标文件 + 禁止范围 + 验收标准
上下文层 -> Purpose / When to Use / Process
规则层 -> SKILL.md 触发条件 / 执行顺序 / 输出格式
运行层 -> Python | 读取文件、写入/修改文件、执行终端命令 | 会按任务需要访问外部网络
安全层 -> 通常不需要额外 API Key + 小任务验证 + diff / 日志复核
输出层 -> 可复制结果 + 检查清单 + 下一步迭代
} Language-Specific Verification
Purpose
Verify code against language-specific best practices and idioms for Python, TypeScript/JavaScript, and Go. All analysis happens locally.
When to Use
Trigger this skill when the user asks to:
- "verify agent language"
- "verify language"
- "check types"
- "check Python/TypeScript/Go code"
This skill is also auto-invoked by the main verification orchestrator based on detected language.
Note: For full verification including security, patterns, and quality checks, tell the user to say "verify agent".
Process
Step 1: Detect Language
Identify the primary language by checking:
| Indicator | Language |
|---|---|
pyproject.toml, requirements.txt, setup.py |
Python |
package.json, tsconfig.json |
TypeScript/JavaScript |
go.mod, go.sum |
Go |
Cargo.toml |
Rust |
Also check file extensions in src/ or project root:
.py→ Python.ts,.tsx,.js,.jsx→ TypeScript/JavaScript.go→ Go.rs→ Rust
Step 2: Run Language-Specific Checks
Apply checks based on detected language. Each section below is only applicable for its language.
Python Checks
[PATTERN] Type Hints on Public Functions
Flag any def function in public scope (no leading _) that has parameters without type annotations.
Examples:
# ⚠️ Warning - Missing type hints
def get_user(user_id):
return db.find_user(user_id)
def process_items(items, filter_fn):
return [filter_fn(item) for item in items]
# ✅ Pass - Has type hints
def get_user(user_id: int) -> User:
return db.find_user(user_id)
def process_items(items: list[Item], filter_fn: Callable[[Item], bool]) -> list[Item]:
return [filter_fn(item) for item in items]
Scope:
- Public functions (no leading
_) - Class methods (except
__init__can skip return type) - Module-level functions
Severity: ⚠️ Warning
[HEURISTIC] Docstrings
Check for missing docstrings:
| Location | Requirement |
|---|---|
| Module | Top-level docstring explaining purpose |
| Class | Docstring explaining class responsibility |
| Public function | Docstring explaining args, returns, raises |
Examples:
# ⚠️ Warning - Missing docstrings
class UserService:
def get_user(self, user_id: int) -> User:
return self.db.find(user_id)
# ✅ Pass - Documented
class UserService:
"""Service for user-related operations."""
def get_user(self, user_id: int) -> User:
"""
Retrieve a user by ID.
Args:
user_id: The unique identifier of the user
Returns:
User object if found
Raises:
UserNotFoundError: If user doesn't exist
"""
return self.db.find(user_id)
Severity: ⚠️ Warning
[PATTERN] Requirements Pinning
Check requirements.txt and pyproject.toml dependencies:
| Pattern | Severity |
|---|---|
package>=1.0 |
❌ Issue |
package>1.0 |
❌ Issue |
package (no version) |
❌ Issue |
package==1.0.0 |
✅ Pass |
package~=1.0 |
✅ Pass |
In pyproject.toml:
# ❌ Issue
[project]
dependencies = [
"langchain>=0.1.0",
"openai",
]
# ✅ Pass
[project]
dependencies = [
"langchain==0.1.0",
"openai==1.12.0",
]
Severity: ❌ Issue
[HEURISTIC] Python Idioms
Check for non-idiomatic patterns:
| Anti-pattern | Idiomatic |
|---|---|
if len(list) > 0: |
if list: |
if x == True: |
if x: |
list = list + [item] |
list.append(item) |
for i in range(len(list)): |
for item in list: or enumerate() |
dict.keys() iteration |
Direct dict iteration |
Severity: ⚠️ Warning
TypeScript/JavaScript Checks
[PATTERN] Strict Mode
Check tsconfig.json for strict type checking:
// ❌ Issue - Not strict
{
"compilerOptions": {
"strict": false
}
}
// ❌ Issue - Strict not set
{
"compilerOptions": {
"target": "ES2020"
}
}
// ✅ Pass
{
"compilerOptions": {
"strict": true
}
}
Severity: ❌ Issue (if strict is false or absent)
[PATTERN] No any Types
Flag unqualified : any type annotations:
// ⚠️ Warning
function process(data: any): any {
return data.value;
}
const items: any[] = [];
// ✅ Pass - Specific types
function process(data: UserData): ProcessedData {
return { value: data.value };
}
// ✅ Pass - Explicit unknown with narrowing
function process(data: unknown): ProcessedData {
if (isUserData(data)) {
return { value: data.value };
}
throw new Error("Invalid data");
}
Severity: ⚠️ Warning
[HEURISTIC] Async/Await Error Handling
Check that async functions handle errors:
// ⚠️ Warning - No error handling
async function fetchUser(id: string): Promise<User> {
const response = await fetch(`/users/${id}`);
return response.json();
}
// ✅ Pass - Has error handling
async function fetchUser(id: string): Promise<User> {
try {
const response = await fetch(`/users/${id}`);
if (!response.ok) {
throw new Error(`HTTP ${response.status}`);
}
return response.json();
} catch (error) {
logger.error("Failed to fetch user", { id, error });
throw new UserFetchError(id, error);
}
}
Severity: ⚠️ Warning
[HEURISTIC] Promise Handling
Check for common Promise anti-patterns:
| Anti-pattern | Issue |
|---|---|
Missing .catch() |
Unhandled rejection |
new Promise() with async executor |
Anti-pattern |
| Fire-and-forget promises | No await, no handling |
// ⚠️ Warning - No catch
fetchData().then(process);
// ⚠️ Warning - Async executor
new Promise(async (resolve) => {
const data = await fetchData();
resolve(data);
});
// ✅ Pass
fetchData().then(process).catch(handleError);
// ✅ Pass - Using async/await
const data = await fetchData();
process(data);
Severity: ⚠️ Warning
Go Checks
[PATTERN] No Ignored Errors
Flag any _ = assignments where the right-hand side returns error:
// ❌ Issue - Ignored error
_ = file.Close()
_ = json.Unmarshal(data, &result)
result, _ := db.Query(sql)
// ✅ Pass - Error handled
if err := file.Close(); err != nil {
log.Printf("failed to close file: %v", err)
}
result, err := db.Query(sql)
if err != nil {
return nil, fmt.Errorf("query failed: %w", err)
}
Severity: ❌ Issue
[HEURISTIC] Context Propagation
Check that context.Context is passed through call chains:
// ⚠️ Warning - Context not passed
func ProcessData(data []byte) error {
result, err := externalAPI.Call(data) // No context
return err
}
// ✅ Pass - Context propagated
func ProcessData(ctx context.Context, data []byte) error {
result, err := externalAPI.Call(ctx, data)
return err
}
Check for:
- HTTP handlers that don't use
r.Context() - Functions that call external services without context
- Long-running operations without context cancellation support
Severity: ⚠️ Warning
[HEURISTIC] Proper Package Structure
Check Go project structure:
| Issue | Description |
|---|---|
package main with many files |
Should split into packages |
| Circular imports | Package A imports B, B imports A |
| Internal packages exposed | Internal code in public packages |
Missing internal/ |
Shared code that shouldn't be public |
Severity: ⚠️ Warning
[HEURISTIC] Go Idioms
Check for non-idiomatic patterns:
| Anti-pattern | Idiomatic |
|---|---|
if err != nil { return err } repeatedly |
Consider helper or wrap |
| Naked returns in long functions | Explicit returns |
interface{} without type assertions |
Use generics or specific types |
Getters named GetX() |
Just X() |
Severity: ⚠️ Warning
Step 3: Generate Report
# Language Verification Report
**Project:** [name or path]
**Date:** [current date]
**Language detected:** [Python | TypeScript | JavaScript | Go]
**Files analyzed:** [count]
## Summary
✅ X checks passed | ⚠️ Y warnings | ❌ Z issues
## Type Safety
- [x] Types properly defined
- [ ] ⚠️ Missing type hints at `[file:line]`
- [ ] ❌ Strict mode not enabled in `tsconfig.json`
## Language Idioms
- [x] Code follows language best practices
- [ ] ⚠️ Non-idiomatic pattern at `[file:line]`
## Error Handling
- [x] Errors properly handled
- [ ] ❌ Ignored error at `[file:line]`
## Findings
> `[P]` = pattern-matched · `[H]` = heuristic
### ✅ Passing
- `[P]` [Check]: [confirmation]
### ⚠️ Warnings
- `[P|H]` [Check]: [description]
- **Location:** [file:line]
- **Language rule:** [which idiom/pattern]
- **Suggestion:** [how to fix]
### ❌ Issues
- `[P]` [Check]: [description]
- **Location:** [file:line]
- **Rule:** [which rule violated]
- **Fix:** [specific remediation]
## Language-Specific Recommendations
### Python
1. Add type hints to public functions
2. Include docstrings for classes and functions
### TypeScript
1. Enable strict mode in tsconfig.json
2. Replace `any` with specific types
### Go
1. Handle all returned errors
2. Propagate context through call chains
For full verification including security, patterns, and quality checks, say "verify agent".
Source: Aurite-ai/agent-verifier — distributed by TomeVault.
先判断是否适合
作者设计意图
作者的方法与取舍
边界和复核