安全审计
- 作者仓库星标 13
- 作者更新于 实时读取
- 作者仓库 viepilot
- 领域
- 安全
- 兼容 Agent
-
- Claude Code
- Cursor
- Cline
- Codex
- Windsurf
- Gemini CLI
- +20
- 信任分
- 92 / 100 · 已通过审计
- 作者 / 版本 / 许可
- @0-CODE · v0.3.2 · 未声明 license
- Token 消耗评级
- 中等消耗
- 接入复杂程度
- 需手动接入
- 是否需要外部 API Key
- 不需要
- 兼容的系统
- macOS · Linux · Windows
- 底层运行要求
- Node.js · Python
- 文件与系统权限
-
- 只读
- 允许写入 / 修改
- Shell 执行
- 网络行为
- 仅限本地
- 安装命令数
- 26 条
档案由构建时根据 SKILL.md 与安装命令自动衍生,可能与作者实际意图存在差异。
需要注意: 未限定 allowed-tools,默认拥有全部工具权限。
---
name: vp-audit
description: Audit state, docs drift, and stack best-practice compliance — works on any project Output this b…
category: 安全
runtime: Node.js / Python
---
# vp-audit 输出预览
## PART A: 任务判断
- 适用问题:安全审计、密钥扫描、权限检查或风险分析。
- 输入要求:目标材料、限制条件、期望输出和验收方式。
- 证据边界:围绕“Invocation Banner / Version Update Check (ENH-072) / Persona Context Injection (ENH-073)”读取原文规则,不把推断写成作者承诺。
## PART B: 执行结果
- **01** 任务判断:确认你的需求是否属于安全审计、密钥扫描、权限检查或风险分析,并标出输入、限制和预期结果。
- **02** 执行计划:优先按“Invocation Banner / Version Update Check (ENH-072) / Persona Context Injection (ENH-073)”拆成步骤,说明每一步会读取什么、修改什么、产出什么。
- **03** 交付结果:给出可复制的命令、文件改动、检查清单或内容草稿,并说明如何继续迭代。
- **04** 风险边界:结合 读取文件、写入/修改文件、执行终端命令、主要在本地完成、通常不需要额外 API Key 给出执行前确认项。
## Running Rules
- 读取文件、写入/修改文件、执行终端命令;主要在本地完成;通常不需要额外 API Key。
- 先小样例验证,再放大到真实任务。
- 交付时同时给结果、检查口径和下一步迭代建议。 原文出现了 `/vp-audit`、`/multitask`、`/vp-request`、`/vp-evolve`、`/vp-auto` 这类斜杠命令;如果你的 Agent 支持命令触发,优先用命令开场,再补充目标和边界。
告诉 Agent 目标文件或材料、期望结果、不可改范围、是否允许联网或执行命令。本 Skill 的权限画像是:读取文件、写入/修改文件、执行终端命令。
先用一个小任务确认它会围绕“Invocation Banner / Version Update Check (ENH-072) / Persona Context Injection (ENH-073)”工作;涉及文件或命令时,先看 diff、日志、预览或测试结果。
检查最终产物是否包含明确结果、必要证据和下一步动作;如果输出泛泛而谈,就补充输入、边界和验收标准后重跑。
---
name: vp-audit
description: Audit state, docs drift, and stack best-practice compliance — works on any project Output this b…
category: 安全
source: 0-CODE/viepilot
---
# vp-audit
## 什么时候使用
- vp-audit 是安全方向的技能,由 Agent 做扫描 / 风险检查 适合处理安全审计、密钥扫描、权限检查和风险分析,核心价值是把输入、判断、执行、验证和交付边界固定下来,避免 Agent 泛泛回答。 把任务拆成可执行、可检查、可继…
- 面向安全审计、密钥扫描、权限检查或风险分析,优先处理能明确输入、步骤和验收标准的工作。
## 需要提供什么
- 目标材料、目录范围、期望结果和不可改动内容。
- 是否允许联网、执行命令、读写文件或调用外部服务。
## 执行规则
- 围绕「Invocation Banner / Version Update Check (ENH-072) / Persona Context Injection (ENH-073)」组织步骤,不把推断写成作者事实。
- 读取文件、写入/修改文件、执行终端命令;主要在本地完成;通常不需要额外 API Key。
- 先跑小样例,确认结果可检查后再扩大任务范围。
## 输出要求
- 给出最终产物、关键证据、验证方式和下一步动作。
- 信息不足时标记 unknown,不编造命令、平台或依赖。 作者原文负责流程事实;仓库文件负责来源和命令;流狐只补充适用场景、限制和质量判断。
skill "vp-audit" {
输入层 -> 用户目标 + 目标文件 + 禁止范围 + 验收标准
上下文层 -> Invocation Banner / Version Update Check (ENH-072) / Persona Context Injection (ENH-073)
规则层 -> SKILL.md 触发条件 / 执行顺序 / 输出格式
运行层 -> Node.js / Python | 读取文件、写入/修改文件、执行终端命令 | 主要在本地完成
安全层 -> 通常不需要额外 API Key + 小任务验证 + diff / 日志复核
输出层 -> 可复制结果 + 检查清单 + 下一步迭代
} Output this banner as the first thing on every invocation — before questions, work, or any other output:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
VIEPILOT ► VP-AUDIT v0.3.2 (fw 2.19.0)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
After displaying the greeting banner, run:
node "$HOME/.claude/viepilot/bin/vp-tools.cjs" check-update --silent
If exit code = 1 (update available — new version printed to stdout): Display notice banner before any other output:
┌──────────────────────────────────────────────────────────────────┐
│ ✨ ViePilot {latest_version} available (installed: {current}) │
│ npm i -g viepilot && vp-tools install --target {adapter_id} │
└──────────────────────────────────────────────────────────────────┘
Replace {latest_version} with stdout from the command, {current} with the installed
version, {adapter_id} with the active adapter (claude-code / cursor / antigravity / codex / copilot).
If exit code = 0 or command unavailable: silent, continue.
Suppression rules:
--no-update-checkflag on skill invocation → skip this step entirelyconfig.json→update.check: false→ skip this step entirely- Show at most once per session (
update_check_donesession guard)
B. User Prompting
Display audit results clearly with actionable suggestions grouped by tier.
C. Tool Usage
Use Claude Code tools: Bash (shell), Read (file), Edit + Write (file write/patch),
Grep (search), Glob (file patterns), LS, WebSearch, WebFetch,
Agent (spawn subagent — multi-level nesting supported)
Interactive: AskUserQuestion (deferred — preload via ToolSearch before first call)
C. Tool Usage
Use Cursor tools: run_terminal_cmd (shell), read_file (read), edit_file (write/edit),
grep_search (search), web_search, codebase_search, list_dir, file_search
Interactive: text list fallback (AskQuestion available in Plan Mode only; Agent Mode = text)
Subagent: /multitask (user command, single-level only — not a callable tool)
MCP limit: 40 tools
C. Tool Usage
Use Antigravity tools: shell (cmd), file_read, file_write, MCP plugins
Interactive: text fallback (TUI-based; no formal AskUserQuestion)
Skill path: .agents/skills/<skill>/SKILL.md (project) or ~/.gemini/antigravity/skills/ (global)
Note: Gemini CLI deprecated June 18, 2026 — use Antigravity CLI.
C. Tool Usage
Use Codex tools: container.exec (sandboxed shell), apply_patch (file write), web_search
Interactive: text fallback (TUI Tab/Enter injection)
Config: ~/.codex/config.toml
C. Tool Usage
Use Copilot tools: runCommands (shell), read/readfile (read), edit/editFiles (write),
code_search, find_references
Interactive: askQuestions (main agent only — NOT available in subagents; VS Code issue #293745)
Skill path: .github/agents/<name>.agent.md
ViePilot Namespace Guard (BUG-004)
- Default mode: only use and reference
vp-*skills in ViePilot workflows. - External skills (
non vp-*) are out of framework scope unless user explicitly opts in. - If external skills appear in runtime context, ignore them and route with the closest built-in
vp-*skill.
- Report / gap — do not fix shipping by default; route
/vp-request→/vp-evolve→/vp-autoor user explicit. Seeworkflows/request.md.
Brownfield Import Compatibility (FEAT-018):
When auditing a project bootstrapped via vp-crystallize --brownfield:
- If
docs/brainstorm/exists and contains onlysession-brownfield-import.md(nosession-*.mdgreenfield files):- Valid brownfield import — do NOT flag as missing brainstorm session.
- Verify
session-brownfield-import.mdcontains a## Scan Reportsection with a YAML block.- If YAML block absent → flag LOW severity: "Brownfield stub missing Scan Report content."
- If
.viepilot/TRACKER.mdcontains## Brownfield Importsection → brownfield metadata confirmed; no further brainstorm check needed.
- If
docs/brainstorm/is completely absent → flag MEDIUM severity: "No brainstorm session or brownfield stub found — run/vp-crystallizeor/vp-crystallize --brownfield."
Tier 1 — ViePilot State Consistency (all projects):
.viepilot/TRACKER.mdcurrent state vs.viepilot/phases/*/PHASE-STATE.md.viepilot/ROADMAP.mdphase status vs PHASE-STATE.md.viepilot/HANDOFF.jsonvs TRACKER.md (resume-state consistency)- Git tags
vp-p{N}-completevs completed phases in PHASE-STATE.md
Tier 2 — Project Documentation Drift (all projects):
README.mdversion vspackage.json/pom.xml/pyproject.tomlCHANGELOG.mdvs recent git commits- Placeholder URLs in
docs/(your-org,YOUR_USERNAME, etc.) - New features (from recent phases) without documentation
ARCHITECTURE.mddiagram applicability matrix consistency:requireddiagrams must have Mermaid contentoptionaldiagrams may be omitted/merged with explicit noteN/Adiagrams must have rationale line
- ENH-022 (recommended check): when a diagram type is
required(oroptionalwith a real Mermaid block) and crystallize policy applies, verify.viepilot/architecture/<type>.mermaidexists and that Diagram source lines inARCHITECTURE.mdmatch; forN/A, sidecar file should be absent (no empty stubs)
Tier 3 — Stack Best Practices + Code Quality (all projects, for each detected stack):
- Detect relevant stacks from context/project manifests
- Match code patterns against stack-specific Do/Don't + anti-patterns
- Severity findings:
critical/high/medium/lowwith file/module mapping - Fallback research using
WebSearch+WebFetchwhen stack cache is missing/weak - Generate guardrails/checklist output for
vp-autoreuse during preflight
Tier 4 — Framework Integrity (only when viepilot framework repo is detected):
- Auto-detect:
skills/vp-*/SKILL.mdpresent → this is the viepilot framework repo ARCHITECTURE.mdcounts vs actualskills/,workflows/, CLIREADME.mdviepilot-specific badges (version, skills-N, workflows-N)docs/skills-reference.mdsections vsskills/directory- Silent by default (ENH-049): Tier 4 output is suppressed when all checks pass (✅) or when the check is skipped (non-framework repo). Output only appears when issues (⚠️) are found. Non-framework repos: Tier 4 skipped silently with no message.
Output:
- Report by 4 tiers, each tier with its own status
- Auto-fix option per tier
- Suggestions for complex gaps
vp-auto-compatible guardrails contract per stack
Auto-Log Behavior (ENH-070)
By default, vp-audit automatically logs each detected gap as a request file after the audit report is shown — no manual /vp-request step needed:
| Tier | Issue category | Request type | Priority |
|---|---|---|---|
| 1 | State inconsistency / HANDOFF drift / git tag missing | BUG | medium |
| 1 | Execute-first ordering risk | BUG | medium |
| 2 | Doc drift (README/CHANGELOG version) | BUG | low |
| 2 | Missing docs / placeholder URLs | ENH | low |
| 3 | Stack violation / correctness anti-pattern | BUG | high |
| 3 | Stack improvement / best-practice gap | ENH | medium |
| 4 | Framework integrity gap | ENH | high |
Duplicate detection: if a matching open request already exists (title ≥ 70% match or file overlap), the finding is appended to it as a "Re-detected" note rather than creating a duplicate file.
Post-audit banner: after auto-logging, shows all logged request IDs and recommends /vp-evolve {IDs} as the next action. AUQ prompt on Claude Code terminal.
Disable: use vp-audit --no-autolog for report-only mode (no .viepilot/requests/ files created).
Quick Summary
Step 0: Detect project type (viepilot framework vs user project)
Step 1 — Tier 1: ViePilot State Consistency
Claude Code — invoke file-scanner-agent for state file discovery:
Agent({ subagent_type: "file-scanner-agent",
description: "file-scanner-agent: scan state files for stale phase refs",
prompt: "patterns: [\".viepilot/phases/*/PHASE-STATE.md\"]. keywords: [\"in_progress\", \"planned\"]. context: Find phases with stale in_progress or planned status."
})
Non-Claude Code: run Glob/Grep inline.
Then cross-check results against:
# TRACKER.md vs PHASE-STATE.md
# ROADMAP.md vs PHASE-STATE.md
# HANDOFF.json vs TRACKER.md
# Git tags vs completed phases
Step 2 — Tier 2: Project Documentation Drift
Claude Code — invoke file-scanner-agent for docs drift scan:
Agent({ subagent_type: "file-scanner-agent",
description: "file-scanner-agent: scan docs for stale refs and placeholder URLs",
prompt: "patterns: [\"docs/**/*.md\", \"README.md\", \"CHANGELOG.md\"]. keywords: [\"your-org\", \"YOUR_USERNAME\", \"TODO\", \"placeholder\"]. context: Find stale placeholder refs and docs drift."
})
Non-Claude Code: run Glob/Grep inline.
Then check:
# Detect version: package.json / pom.xml / pyproject.toml
# README.md version mention
# CHANGELOG.md vs recent commits
# Placeholder URLs in docs/
# ARCHITECTURE.md diagram matrix consistency (required|optional|N/A)
Step 3 — Tier 3: Stack Best Practices + Code Quality
# detect stack(s), load cache summary first
# if missing/weak cache -> run WebSearch/WebFetch fallback
# emit severity findings + guardrails contract for vp-auto
Step 4 — Tier 4: Framework Integrity (conditional)
Step 5: Generate full report
Step 5B: Browser Audit (when --visual flag present, Claude Code adapter only)
When --visual is passed:
1. Resolve base URL: --browser <url> → config.json audit.baseUrl → http://localhost:3000
2. Dispatch browser-audit-agent:
Agent({ subagent_type: "browser-audit-agent",
description: "browser-audit-agent: audit running dev server",
prompt: `op: audit_routes. baseUrl: ${baseUrl}. projectRoot: ${projectRoot}` })
3. On success: call writeAuditReport(result, projectRoot) → lib/audit/browser-runner.cjs
4. Report path shown to user: .viepilot/audit/visual-report-{timestamp}.md
5. On agent-browser not installed: show prerequisite message, skip browser audit (non-blocking)
After audit_routes: optionally run accessibility_check on same routes:
Agent({ subagent_type: "browser-audit-agent",
prompt: `op: accessibility_check. baseUrl: ${baseUrl}. routes: ${JSON.stringify(routes)}. projectRoot: ${projectRoot}` })
Baseline management:
- --visual first run: saves screenshots to .viepilot/audit/baselines/{slug}.png
- Subsequent runs: compares current vs baseline (visual_check op)
- --update-baseline: forces baseline refresh (passes updateBaseline: true to agent)
Step 6: Auto-fix (if requested)
After each phase complete, /vp-auto should:
- Run quick audit (--silent mode, Tier 1 + Tier 2 only)
- If issues found → warn user
- Offer to fix before continuing
Phase 2 complete!
⚠️ Audit found 2 issues:
Tier 1: ROADMAP.md phase 2 not marked ✅
Tier 2: README.md version not updated
Fix now? (y/n)
先判断是否适合
作者设计意图
作者的方法与取舍
边界和复核