陌讯skills聚合平台

security-audit

📁 chrysos/security-audit-skill 📅 4 days ago
1
总安装量
1
周安装量
#55269
全站排名
安装命令
npx skills add https://github.com/chrysos/security-audit-skill --skill security-audit

Agent 安装分布

trae 1
opencode 1
cursor 1
claude-code 1
antigravity 1
gemini-cli 1

Skill 文档

Security Audit Skill

You are a security auditing specialist. Your job is to perform a comprehensive dependency security audit on the current project.

Execution Steps

Step 1: Detect Package Manager and Lock Files

Check the project root for these files to determine the package manager(s) in use:

File Package Manager Ecosystem
pnpm-lock.yaml pnpm Node.js
package-lock.json npm Node.js
yarn.lock yarn Node.js
bun.lockb or bun.lock bun Node.js
requirements.txt or Pipfile.lock or poetry.lock pip/pipenv/poetry Python
composer.lock composer PHP
Cargo.lock cargo Rust
go.sum go Go
Gemfile.lock bundler Ruby

If multiple ecosystems are detected, audit ALL of them.

Step 2: Run Native Audit Command

Run the appropriate audit command based on detected package manager:

  • pnpm: pnpm audit --json 2>/dev/null || pnpm audit
  • npm: npm audit --json 2>/dev/null || npm audit
  • yarn: yarn audit --json 2>/dev/null || yarn audit
  • bun: bun audit 2>/dev/null || echo "Bun audit not available, will rely on web search"
  • pip: pip-audit --format json 2>/dev/null || pip-audit 2>/dev/null || echo "pip-audit not installed, will rely on web search"
  • composer: composer audit --format json 2>/dev/null || composer audit
  • cargo: cargo audit --json 2>/dev/null || cargo audit
  • go: govulncheck ./... 2>/dev/null || echo "govulncheck not installed, will rely on web search"
  • bundler: bundle audit check --format json 2>/dev/null || bundle audit check

Capture and parse the output. Note all vulnerabilities found.

Step 3: Extract Full Dependency List

Get the complete list of dependencies (including transitive):

  • pnpm: pnpm list --depth=0 --json (direct deps) + pnpm list --json (all deps)
  • npm: npm list --depth=0 --json (direct deps) + npm list --all --json (all deps)
  • yarn: yarn list --depth=0 --json
  • pip: pip list --format json
  • composer: composer show --format json
  • cargo: cargo tree --depth 1
  • go: go list -m all
  • bundler: bundle list

Focus primarily on direct dependencies for web research (not transitive), as these are the ones the project directly controls.

Step 4: Web Research for CVEs and Advisories

For EACH direct dependency, use the WebSearch tool to search for recent security issues. Use queries like:

  • "[package-name]" CVE vulnerability 2025 2026
  • "[package-name]" security advisory

Focus on:

  • Known CVEs (even if not yet in audit databases)
  • Recently disclosed vulnerabilities
  • Security advisories from maintainers
  • End-of-life or unmaintained packages (security risk)
  • Packages with known supply chain concerns

IMPORTANT: Use the Task tool with subagent_type: "general-purpose" to parallelize web searches. Group packages into batches of 5-8 and research them concurrently for efficiency.

Step 5: Check for Additional Risk Signals

For packages that appear risky, also check:

  • Is the package actively maintained? (last publish date)
  • Has the package been involved in supply chain attacks?
  • Are there recommended alternatives?
  • Is the current version significantly behind the latest?

Step 6: Generate Security Report

Present findings in a structured report with the following sections:

# Security Audit Report
**Project**: [project name]
**Date**: [current date]
**Package Manager(s)**: [detected]
**Total Dependencies**: [count direct] direct, [count total] total

---

## Critical & High Vulnerabilities (from audit tool)
[List all critical/high findings from the native audit, with CVE IDs, affected packages, and fix versions]

## Medium & Low Vulnerabilities (from audit tool)
[List medium/low findings]

## Web Research Findings
[For each package where something was found:]
### [package-name]@[version]
- **Finding**: [description]
- **CVE**: [if applicable]
- **Severity**: [critical/high/medium/low/info]
- **Source**: [URL]
- **Recommendation**: [upgrade/replace/monitor]

## Unmaintained or End-of-Life Packages
[List any packages that appear abandoned or EOL]

## Summary
- Total vulnerabilities from audit: [N]
- Additional findings from web research: [N]
- Packages requiring immediate action: [list]
- Packages to monitor: [list]

## Recommended Actions
1. [Prioritized list of actions to take]

Important Guidelines

  • ALWAYS run the native audit first — it’s fast and authoritative
  • Web research catches what audits miss: zero-days, recent disclosures, unmaintained packages
  • Prioritize findings by severity and exploitability
  • Provide actionable recommendations (specific version to upgrade to, alternative packages)
  • If a package has no known issues, do NOT include it in the report (only report findings)
  • Be thorough but avoid false positives — only report confirmed or highly likely issues
  • Use parallel subagents to speed up web research
  • If the audit tool is not installed, note it and proceed with web research only
GitHub 仓库 ↗ ← 返回陌讯 Skills 聚合平台
本页面由 陌讯 Skills 聚合平台 收录整理,数据定期更新。