code-audit

📁 3stonebrother/code-audit 📅 Feb 13, 2026

总安装量

周安装量

#18982

全站排名

安装命令

npx skills add https://github.com/3stonebrother/code-audit --skill code-audit

Agent 安装分布

gemini-cli 17

opencode 17

codex 16

cursor 16

github-copilot 15

amp 15

Skill 文档

Code Audit Skill

ä¸ä¸ä»£ç å®å¨å®¡è®¡æè½ | Professional Code Security Audit æ¯ææ¨¡å¼: quick / standard / deep

When to Use This Skill

This skill should be used when:

User requests code audit, security audit, or vulnerability scanning
User asks to check code security or find security issues
User mentions /audit or /code-audit
User wants to review code for vulnerabilities before deployment
User needs penetration testing preparation or security assessment

Trigger phrases:

“å®¡è®¡è¿ä¸ªé¡¹ç®” / “Audit this project”
“æ£æ¥ä»£ç å®å¨” / “Check code security”
“æ¾åºå®å¨æ¼æ´” / “Find security vulnerabilities”
“/audit”, “/code-audit”

Quick Reference

Scan Modes

Mode	Use Case	Scope
Quick	CI/CD, small projects	High-risk vulns, secrets, dependency CVEs
Standard	Regular audits	OWASP Top 10, auth, crypto
Deep	Critical projects, pentests	Full coverage, attack chains, business logic

Core Workflow

1. Reconnaissance   â Identify tech stack, map attack surface
2. Vulnerability Hunt â Search patterns, trace data flow
3. Verification    â Confirm exploitability, filter false positives
4. Docker Verify   â [NEW] Dynamic verification in sandbox (optional)
5. Report          â Document findings with PoC and fixes

Dockeré¨ç½²éªè¯

# çæéªè¯ç¯å¢
code-audit --generate-docker-env

# å¯å¨å¹¶éªè¯
docker-compose up -d
docker exec -it sandbox python /workspace/poc/verify_all.py

è¯¦è§: references/core/docker_verification.md

Execution Controllerï¼æ§è¡æ§å¶å¨ â å¿ç»è·¯å¾ï¼

â ï¸ ä»¥ä¸æ¥éª¤æ¯å®¡è®¡æ§è¡çå¿ç»è·¯å¾ï¼ä¸æ¯åèå»ºè®®ã æ¯æ¥æå¿é¡»äº§åºçè¾åºï¼åç»æ¥éª¤ä¾èµååºè¾åºãä¸äº§åº = ç¨æ·å¯è§ç¼ºå¤±ã

Step 1: æ¨¡å¼å¤å®

æ ¹æ®ç¨æ·æä»¤ç¡®å®å®¡è®¡æ¨¡å¼ï¼

ç¨æ·æä»¤å³é®è¯	æ¨¡å¼
“å¿«éæ«æ” “quick” “CIæ£æ¥”	quick
“å®¡è®¡” “æ«æ” “å®å¨æ£æ¥”ï¼æ ç¹æ®è¯´æï¼	standard
“æ·±åº¦å®¡è®¡” “deep” “æ¸éæµè¯åå¤” “å¨é¢å®¡è®¡”	deep
æ æ³å¤å®	é®ç¨æ·ï¼ä¸å¾èªè¡åè®¾

å¿é¡»è¾åº:

[MODE] {quick|standard|deep}

Step 2: ææ¡£å è½½

æ¨¡å¼	å¿é¡» Read çææ¡£
quick	å½å SKILL.md å·²å è½½ï¼æ éé¢å¤ææ¡£
standard	+ `references/checklists/coverage_matrix.md` + å¯¹åºè¯è¨ checklist
deep	+ `agent.md`ï¼å®æ´è¯»åï¼ä¸å¯è·³è¿ï¼ + `coverage_matrix.md` + å¯¹åºè¯è¨ checklist

deep æ¨¡å¼ä¸ agent.md æ¯å¿è¯»ææ¡£ â Step 4 çæ§è¡è®¡åæ¨¡æ¿åå«åªæ agent.md ä¸ææçåæ®µï¼ç»´åº¦æéãAgent ååæ¨¡æ¿ãé¨æ§æ¡ä»¶ãæ§è¡ç¶ææºï¼ã

å¿é¡»è¾åº:

[LOADED] {å®é Read çææ¡£åè¡¨ï¼å«è¡æ°}

Step 3: ä¾¦å¯ï¼Reconnaissanceï¼

å¯¹ç®æ é¡¹ç®æ§è¡æ»å»é¢æµç»ã

å¿é¡»è¾åº:

[RECON]
é¡¹ç®è§æ¨¡: {X files, Y directories}
ææ¯æ : {language, framework, version}
é¡¹ç®ç±»å: {CMS | éè | SaaS | æ°æ®å¹³å° | èº«ä»½è®¤è¯ | IoT | éç¨Web}
å¥å£ç¹: {Controller/Router/Handler æ°é}
å³é®æ¨¡å: {åè¡¨}

Step 4: æ§è¡è®¡å â STOP

quick/standard æ¨¡æ¿:

[PLAN]
æ¨¡å¼: {mode}
ææ¯æ : {from Step 3}
æ«æç»´åº¦: {è®¡åè¦çç D1-D10 ç»´åº¦}
å·²å è½½ææ¡£: {from Step 2}

[PLAN]
æ¨¡å¼: deep
é¡¹ç®è§æ¨¡: {from Step 3}
ææ¯æ : {from Step 3}
ç»´åº¦æé: {from agent.md ç¶ææº â é¡¹ç®ç±»åç»´åº¦æéï¼å¦ CMS: D5(++), D1(+), D3(+), D6(+)}
Agent æ¹æ¡: {from agent.md Agent æ¨¡æ¿ â æ¯ä¸ª Agent è´è´£çç»´åº¦å max_turns}
Agent æ°é: {from agent.md è§æ¨¡å»ºè®® â å°å(<10K) 2-3, ä¸å(10K-100K) 3-5, å¤§å(>100K) 5-9}
D9 è¦ççç¥: {è¥é¡¹ç®æåå°ç®¡ç/å¤è§è²/å¤ç§æ· â D9 å¿æ¥ï¼D3 Agent é¡»åæ¶è¦ç D9a(IDOR+æéä¸è´æ§+Mass Assignment)}
è½®æ¬¡è§å: R1 å¹¿åº¦æ«æ â R1 è¯ä¼° â R2 å¢éè¡¥æ¼(æé)
é¨æ§æ¡ä»¶: PHASE_1_RECON â ROUND_N_RUNNING â ROUND_N_EVALUATION â REPORT
é¢ä¼°æ» turns: {Agentæ° Ã max_turns}
å·²å è½½ææ¡£: {from Step 2}

Step 5: æ§è¡

ç¨æ·ç¡®è®¤åï¼ææ§è¡è®¡ååå·²å è½½ææ¡£æ§è¡ï¼

quick: é«å±æ¨¡å¼å¹éæ«æï¼ç´æ¥è¾åº
standard: æ Phase 1â5 é¡ºåºæ§è¡
deep: ä¸¥æ ¼æ agent.md æ§è¡ç¶ææº
- å¯å¨ Multi-Agent å¹¶è¡ï¼æ Step 4 ç¡®è®¤ç Agent æ¹æ¡ï¼
- éµå®æ¯ä¸ª State çé¨æ§æ¡ä»¶
- è½®æ¬¡è¯ä¼°ä½¿ç¨ agent.md ä¸é®æ³å

Step 6: æ¥åé¨æ§

çææ¥ååéªè¯ï¼

åç½®æ¡ä»¶	quick	standard	deep
é«å±æ¨¡å¼æ«æå®æ	â	â	â
D1-D10 è¦ççæ è®°ï¼âå·²è¦ç/â ï¸æµè¦ç/âæªè¦çï¼	â	â	â
ææ Agent å®ææè¶æ¶æ æ³¨	â	â	â
è½®æ¬¡è¯ä¼°ä¸é®éè¿	â	â	â

ä¸æ»¡è¶³åç½®æ¡ä»¶ â ä¸å¾çææç»æ¥åã

Anti-Hallucination Rules (MUST FOLLOW)

â ï¸ Every finding MUST be based on actual code read via tools

â Do NOT guess file paths based on "typical project structure"
â Do NOT fabricate code snippets from memory
â Do NOT report vulnerabilities in files you haven't read

â MUST use Read/Glob to verify file exists before reporting
â MUST quote actual code from Read tool output
â MUST match project's actual tech stack

Core principle: Better to miss a vulnerability than report a false positive.

Anti-Confirmation-Bias Rules (MUST FOLLOW)

â ï¸ Audit MUST be methodology-driven, NOT case-driven

â Do NOT say "åºäºä¹åçå®¡è®¡ç»éªï¼æå°éç¹å³æ³¨..."
â Do NOT prioritize certain vuln types based on "known CVEs"
â Do NOT skip checklist items because they seem "less likely"

â MUST enumerate ALL sensitive operations, then verify EACH one
â MUST complete the full checklist for EACH vulnerability type
â MUST treat all potential vulnerabilities with equal rigor

Core principle: Discover ALL potential vulnerabilities, not just familiar patterns.

Two-Layer Checklist (ä¸¤å±æ£æ¥æ¸å)

Layer 1: coverage_matrix.md â Phase 2Aåå è½½ï¼éªè¯10ä¸ªå®å¨ç»´åº¦è¦çç Layer 2: è¯è¨è¯ä¹æç¤º â ä»å¯¹æªè¦çç»´åº¦æéå è½½å¯¹åºæ®µè½

æä»¶	ç¨é
`references/checklists/coverage_matrix.md`	è¦ççç©éµ (D1-D10)
`references/checklists/universal.md`	éç¨æ¶æ/é»è¾çº§è¯ä¹æç¤º
`references/checklists/java.md`	Java è¯ä¹æç¤º (10ç»´åº¦)
`references/checklists/python.md`	Python è¯ä¹æç¤º
`references/checklists/php.md`	PHP è¯ä¹æç¤º
`references/checklists/javascript.md`	JavaScript/Node.js è¯ä¹æç¤º
`references/checklists/go.md`	Go è¯ä¹æç¤º
`references/checklists/dotnet.md`	.NET/C# è¯ä¹æç¤º
`references/checklists/ruby.md`	Ruby è¯ä¹æç¤º
`references/checklists/c_cpp.md`	C/C++ è¯ä¹æç¤º
`references/checklists/rust.md`	Rust è¯ä¹æç¤º

Module Reference

Core Modules (Load First)

Module	Path	Purpose
Capability Baseline	`references/core/capability_baseline.md`	é²æ¢è½åä¸¢å¤±çåå½æµè¯æ¡æ¶
Anti-Hallucination	`references/core/anti_hallucination.md`	Prevent false positives
Audit Methodology	`references/core/comprehensive_audit_methodology.md`	Systematic framework, coverage tracking
Taint Analysis	`references/core/taint_analysis.md`	Data flow tracking, LSP-enhanced tracking, Slot type classification
PoC Generation	`references/core/poc_generation.md`	Verification templates
External Tools	`references/core/external_tools_guide.md`	Semgrep/Bandit integration

Language Modules (Load by Tech Stack)

Language	Module	Key Vulnerabilities
Java	`references/languages/java.md`	SQL injection, XXE, deserialization
Python	`references/languages/python.md`	Pickle, SSTI, command injection
Go	`references/languages/go.md`	Race conditions, SSRF
PHP	`references/languages/php.md`	File inclusion, deserialization
JavaScript	`references/languages/javascript.md`	Prototype pollution, XSS

Security Domain Modules (Load as Needed)

Domain	Module	When to Load
API Security	`references/security/api_security.md`	REST/GraphQL APIs
LLM Security	`references/security/llm_security.md`	AI/ML applications
Serverless	`references/security/serverless.md`	AWS Lambda, Azure Functions
Cryptography	`references/security/cryptography.md`	Encryption, TLS, JWT
Race Conditions	`references/security/race_conditions.md`	Concurrent operations

Tool Priority Strategy

Priority 1: External Professional Tools (if available)
ââ semgrep scan --config auto          # Multi-language SAST
ââ bandit -r ./src                      # Python security
ââ gosec ./...                          # Go security
ââ gitleaks detect                      # Secret scanning

Priority 2: Built-in Analysis (always available)
ââ LSP semantic analysis                # goToDefinition, findReferences, incomingCalls
ââ Read + Grep pattern matching         # Core analysis
ââ Module knowledge base                # 55+ vuln patterns

Priority 3: Verification
ââ PoC templates from references/core/poc_generation.md
ââ Confidence scoring from references/core/verification_methodology.md

Detailed Documentation

For complete audit methodology, vulnerability patterns, and detection rules, see:

Full Workflow: agent.md – Complete audit process and detection commands
Vulnerability Details: references/ – Language/framework-specific patterns
Tool Integration: references/core/external_tools_guide.md
Report Templates: references/core/taint_analysis.md

Version

Current: 1.0
Updated: 2026-02-13

v1.0 (Initial Public Release)

9è¯è¨143é¡¹å¼ºå¶æ£æµæ¸å (references/checklists/)
åè½¨å¹¶è¡å®¡è®¡æ¡æ¶: Sink-driven + Control-driven + Config-driven
Dockeré¨ç½²éªè¯æ¡æ¶ (references/core/docker_verification.md)
WooYun 88,636æ¡ä¾åºéæ

GitHub 仓库 ↗ ← 返回陌讯 Skills 聚合平台

code-audit

Agent 安装分布

Skill 文档

Code Audit Skill

When to Use This Skill

Quick Reference

Scan Modes

Core Workflow

Dockeré¨ç½²éªè¯

Execution Controllerï¼æ§è¡æ§å¶å¨ â å¿ ç»è·¯å¾ï¼

Step 1: æ¨¡å¼å¤å®

Step 2: ææ¡£å è½½

Step 3: ä¾¦å¯ï¼Reconnaissanceï¼

Step 4: æ§è¡è®¡å â STOP

Step 5: æ§è¡

Step 6: æ¥åé¨æ§

Anti-Hallucination Rules (MUST FOLLOW)

Anti-Confirmation-Bias Rules (MUST FOLLOW)

Two-Layer Checklist (ä¸¤å±æ£æ¥æ¸ å)

Module Reference

Core Modules (Load First)

Language Modules (Load by Tech Stack)

Security Domain Modules (Load as Needed)

Tool Priority Strategy

Detailed Documentation

Version

v1.0 (Initial Public Release)

Dockeré¨ç½²éªè¯

Execution Controllerï¼æ§è¡æ§å¶å¨ â å¿ç»è·¯å¾ï¼

Step 1: æ¨¡å¼å¤å®

Step 2: ææ¡£å è½½

Step 3: ä¾¦å¯ï¼Reconnaissanceï¼

Step 4: æ§è¡è®¡å â STOP

Step 5: æ§è¡

Step 6: æ¥åé¨æ§

Two-Layer Checklist (ä¸¤å±æ£æ¥æ¸å)