From b03dd112c8ee704f252f4b7aa6360ff6aae7be4a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E9=9D=92=E8=A1=AB?= Date: Sun, 5 Jul 2026 14:17:25 +0800 Subject: [PATCH 1/7] docs: add agent-led skill review workflow --- docs/AGENT_REVIEW_WORKFLOW.md | 106 ++++++++++++++++++++++++++++++++++ 1 file changed, 106 insertions(+) create mode 100644 docs/AGENT_REVIEW_WORKFLOW.md diff --git a/docs/AGENT_REVIEW_WORKFLOW.md b/docs/AGENT_REVIEW_WORKFLOW.md new file mode 100644 index 00000000..cf7d9303 --- /dev/null +++ b/docs/AGENT_REVIEW_WORKFLOW.md @@ -0,0 +1,106 @@ +# Agent-led Skill Review Workflow + +SkillSpector can be used as the static evidence layer in an agent-led review +workflow. This is useful when an agent runtime can read source files and reason +about whether a flagged behavior is expected for a skill's stated purpose. + +The workflow is intentionally simple: + +1. Run a static SkillSpector scan. +2. Read the JSON report. +3. Inspect the skill source around each important finding. +4. Decide whether the behavior is expected, suspicious, or unacceptable. + +This keeps the fast, deterministic scanner in the loop while still requiring a +contextual review before installing a skill. + +## Why use an agent-led review? + +Risk scores are evidence, not a complete decision. Some skills legitimately need +sensitive capabilities. For example, a deployment skill may need shell access, +and a web-search skill may need network access. The reviewer still needs to ask: + +- Does the skill description explain this capability? +- Is the destination or file access documented? +- Is the behavior necessary for the skill's purpose? +- Are permissions broader than the implementation needs? +- Is there hidden behavior such as credential harvesting, persistence, or + unexpected external transmission? + +## Recommended scan command + +Use static analysis as the default evidence pass: + +```bash +skillspector scan ./my-skill --no-llm --format json --output /tmp/skillspector-report.json +``` + +Then have the agent read `/tmp/skillspector-report.json` and inspect the files +referenced by HIGH, CRITICAL, and sensitive MEDIUM findings. + +Sensitive MEDIUM findings usually include: + +- network requests or uploads +- environment variables, tokens, passwords, or local config +- file writes or deletes +- shell execution, subprocesses, or dynamic code execution +- MCP permission mismatches or tool metadata issues +- persistence, self-modification, or downloaded code + +## Suggested verdicts + +A simple three-state verdict is usually enough: + +| Verdict | Meaning | +|---|---| +| `APPROVE` | No meaningful security concern; behavior matches the skill's stated purpose. | +| `CAUTION` | Sensitive behavior exists, but it is documented, necessary, and bounded. | +| `REJECT` | Malicious, deceptive, unexplained, or overly broad behavior was found. | + +## Score guidance + +SkillSpector's risk score should guide review priority, not replace review: + +| Score | Suggested posture | +|---|---| +| `0-20` | Usually acceptable after a quick source check. | +| `21-35` | Findings should be explained by the skill's purpose. | +| `36-50` | Manual review required; default to caution. | +| `51-80` | Default reject unless the source is trusted and every sensitive behavior is necessary. | +| `81-100` | Reject. | + +## Output shape + +Agents should summarize both evidence and judgment: + +```markdown +## Skill Review: `` + +**Verdict:** CAUTION +**Risk:** 33/100 · MEDIUM +**Install posture:** trusted workstation only + +### Signal Overview +| Source | Result | Interpretation | +|---|---|---| +| SkillSpector static scan | 2 findings | network and env/config access | +| Agent source review | justified | behavior matches stated purpose | +| Sensitive surface | token cache, external API | requires trusted environment | + +### Key Evidence +| Rule | Severity | Location | Review judgment | +|---|---|---|---| +| E1 | MEDIUM | scripts/main.sh:42 | expected API call for documented feature | + +### Decision +Explain whether the static evidence is consistent with the skill's purpose and +which guardrails are required before installation. +``` + +## Optional skill wrapper + +Agent runtimes that support skill-style workflows can encode the steps above in +a small companion skill. One community example is +[skill-inspector](https://github.com/Dxboy266/skill-inspector), which runs a +static SkillSpector pass and then asks the active agent to perform source-level +semantic review. From db8f1fdfefec658bb116f1d867888ec4611c218c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E9=9D=92=E8=A1=AB?= Date: Sun, 5 Jul 2026 14:19:02 +0800 Subject: [PATCH 2/7] docs: link agent-led review workflow --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 4a09b50b..66b4e3a6 100644 --- a/README.md +++ b/README.md @@ -15,6 +15,7 @@ SkillSpector helps you answer: **"Is this skill safe to install?"** - **[Development guide](docs/DEVELOPMENT.md)** — Architecture, package layout, and how to extend the analyzer pipeline. - **[Pi extension](docs/PI_EXTENSION.md)** — Install SkillSpector as a Pi tool for scanning skills from inside agent sessions. +- **[Agent-led review workflow](docs/AGENT_REVIEW_WORKFLOW.md)** — Use SkillSpector static findings as evidence for source-aware agent review before installing skills. ## Features From 92cdb788249bd6c5a6fe3f9ca809857c26a7c5f3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E9=9D=92=E8=A1=AB?= Date: Sun, 5 Jul 2026 14:34:52 +0800 Subject: [PATCH 3/7] docs: restore upstream README --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 66b4e3a6..4a09b50b 100644 --- a/README.md +++ b/README.md @@ -15,7 +15,6 @@ SkillSpector helps you answer: **"Is this skill safe to install?"** - **[Development guide](docs/DEVELOPMENT.md)** — Architecture, package layout, and how to extend the analyzer pipeline. - **[Pi extension](docs/PI_EXTENSION.md)** — Install SkillSpector as a Pi tool for scanning skills from inside agent sessions. -- **[Agent-led review workflow](docs/AGENT_REVIEW_WORKFLOW.md)** — Use SkillSpector static findings as evidence for source-aware agent review before installing skills. ## Features From c8bdf2f052317186cfec1a75378588cdc245f855 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E9=9D=92=E8=A1=AB?= Date: Sun, 5 Jul 2026 14:34:54 +0800 Subject: [PATCH 4/7] docs: remove workflow-only guide --- docs/AGENT_REVIEW_WORKFLOW.md | 106 ---------------------------------- 1 file changed, 106 deletions(-) delete mode 100644 docs/AGENT_REVIEW_WORKFLOW.md diff --git a/docs/AGENT_REVIEW_WORKFLOW.md b/docs/AGENT_REVIEW_WORKFLOW.md deleted file mode 100644 index cf7d9303..00000000 --- a/docs/AGENT_REVIEW_WORKFLOW.md +++ /dev/null @@ -1,106 +0,0 @@ -# Agent-led Skill Review Workflow - -SkillSpector can be used as the static evidence layer in an agent-led review -workflow. This is useful when an agent runtime can read source files and reason -about whether a flagged behavior is expected for a skill's stated purpose. - -The workflow is intentionally simple: - -1. Run a static SkillSpector scan. -2. Read the JSON report. -3. Inspect the skill source around each important finding. -4. Decide whether the behavior is expected, suspicious, or unacceptable. - -This keeps the fast, deterministic scanner in the loop while still requiring a -contextual review before installing a skill. - -## Why use an agent-led review? - -Risk scores are evidence, not a complete decision. Some skills legitimately need -sensitive capabilities. For example, a deployment skill may need shell access, -and a web-search skill may need network access. The reviewer still needs to ask: - -- Does the skill description explain this capability? -- Is the destination or file access documented? -- Is the behavior necessary for the skill's purpose? -- Are permissions broader than the implementation needs? -- Is there hidden behavior such as credential harvesting, persistence, or - unexpected external transmission? - -## Recommended scan command - -Use static analysis as the default evidence pass: - -```bash -skillspector scan ./my-skill --no-llm --format json --output /tmp/skillspector-report.json -``` - -Then have the agent read `/tmp/skillspector-report.json` and inspect the files -referenced by HIGH, CRITICAL, and sensitive MEDIUM findings. - -Sensitive MEDIUM findings usually include: - -- network requests or uploads -- environment variables, tokens, passwords, or local config -- file writes or deletes -- shell execution, subprocesses, or dynamic code execution -- MCP permission mismatches or tool metadata issues -- persistence, self-modification, or downloaded code - -## Suggested verdicts - -A simple three-state verdict is usually enough: - -| Verdict | Meaning | -|---|---| -| `APPROVE` | No meaningful security concern; behavior matches the skill's stated purpose. | -| `CAUTION` | Sensitive behavior exists, but it is documented, necessary, and bounded. | -| `REJECT` | Malicious, deceptive, unexplained, or overly broad behavior was found. | - -## Score guidance - -SkillSpector's risk score should guide review priority, not replace review: - -| Score | Suggested posture | -|---|---| -| `0-20` | Usually acceptable after a quick source check. | -| `21-35` | Findings should be explained by the skill's purpose. | -| `36-50` | Manual review required; default to caution. | -| `51-80` | Default reject unless the source is trusted and every sensitive behavior is necessary. | -| `81-100` | Reject. | - -## Output shape - -Agents should summarize both evidence and judgment: - -```markdown -## Skill Review: `` - -**Verdict:** CAUTION -**Risk:** 33/100 · MEDIUM -**Install posture:** trusted workstation only - -### Signal Overview -| Source | Result | Interpretation | -|---|---|---| -| SkillSpector static scan | 2 findings | network and env/config access | -| Agent source review | justified | behavior matches stated purpose | -| Sensitive surface | token cache, external API | requires trusted environment | - -### Key Evidence -| Rule | Severity | Location | Review judgment | -|---|---|---|---| -| E1 | MEDIUM | scripts/main.sh:42 | expected API call for documented feature | - -### Decision -Explain whether the static evidence is consistent with the skill's purpose and -which guardrails are required before installation. -``` - -## Optional skill wrapper - -Agent runtimes that support skill-style workflows can encode the steps above in -a small companion skill. One community example is -[skill-inspector](https://github.com/Dxboy266/skill-inspector), which runs a -static SkillSpector pass and then asks the active agent to perform source-level -semantic review. From 756f875a219f309be90dfa84a18691059a234323 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E9=9D=92=E8=A1=AB?= Date: Sun, 5 Jul 2026 14:36:54 +0800 Subject: [PATCH 5/7] skills: add skill-inspector README --- skills/skill-inspector/README.md | 280 +++++++++++++++++++++++++++++++ 1 file changed, 280 insertions(+) create mode 100644 skills/skill-inspector/README.md diff --git a/skills/skill-inspector/README.md b/skills/skill-inspector/README.md new file mode 100644 index 00000000..476f74b9 --- /dev/null +++ b/skills/skill-inspector/README.md @@ -0,0 +1,280 @@ +
+ +# Skill Inspector + +> *「别急着安装。先让 skill 解释清楚自己。」* + +[![Agent Skills](https://img.shields.io/badge/Agent%20Skills-Compatible-green)](https://agentskills.io) +[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE) +[![Runtime](https://img.shields.io/badge/Runtime-Claude%20Code%20·%20Codex%20·%20WorkBuddy-blueviolet)](#安装本-skill) +[![Powered by SkillSpector](https://img.shields.io/badge/Scanner-NVIDIA%20SkillSpector-76B900)](https://github.com/NVIDIA/SkillSpector) +[![Default Mode](https://img.shields.io/badge/Default-Static%20Scan%20%2B%20Agent%20Review-blue)](#工作原理) + +**一个用于审查 AI Agent Skill 的安装前安全工作流。** + +Skill Inspector 先调用 NVIDIA SkillSpector 做静态扫描,再让当前 Agent 读取源码做语义复核,最后给出 `APPROVE` / `CAUTION` / `REJECT`。 + +基于通用 Agent Skills 目录结构,可用于 Claude Code、Codex、WorkBuddy 以及其他支持 `SKILL.md` 的 runtime。 + +[安装前置](#安装前置) · [安装本 Skill](#安装本-skill) · [使用](#使用) · [工作原理](#工作原理) · [判定标准](#判定标准) + +
+ +--- + +## 它解决什么问题 + +Agent skill 本质上是一组会影响 Agent 行为的说明、脚本和工具定义。安装一个第三方 skill,等于让它进入你的工作流。 + +Skill Inspector 用来回答三个问题: + +1. 这个 skill 有没有读凭据、发网络请求、执行 shell、写文件或声明过宽权限? +2. 这些敏感行为是否和它的用途一致? +3. 它应该被安装、谨慎使用,还是拒绝? + +它不是替代 SkillSpector 的扫描器。它是一个审查编排层:**静态扫描抓证据,Agent 复核判断意图。** + +--- + +## 安装前置 + +Skill Inspector 依赖 NVIDIA SkillSpector CLI。请先安装它。 + +### 给人看的入口 + +- 项目主页:[NVIDIA/SkillSpector](https://github.com/NVIDIA/SkillSpector) + +先打开官方 README,按里面的说明安装。常见安装方式: + +```bash +pipx install 'git+https://github.com/NVIDIA/SkillSpector.git' +``` + +确认安装成功: + +```bash +skillspector --version +``` + +### 给 Agent 用的入口 + +把下面这段发给你的 Agent,让它帮你安装并验证: + +```text +请安装 NVIDIA SkillSpector CLI,并确认 `skillspector --version` 可用。 +项目地址:https://github.com/NVIDIA/SkillSpector +推荐命令:pipx install 'git+https://github.com/NVIDIA/SkillSpector.git' +安装后运行:skillspector --version +``` + +Skill Inspector 本身不会自动安装 SkillSpector。没有 `skillspector` 命令时,它只能退化为手工源码审查,并会在报告里说明降级。 + +--- + +## 安装本 Skill + +把本目录放到你正在使用的 runtime 的 skills 目录即可。Skill Inspector 只依赖标准 `SKILL.md`,不是 Codex 专用 skill。 + +### 给 Agent 用 + +把下面这段发给 Claude Code、Codex、WorkBuddy 或其他支持 skills 的 Agent: + +```text +请把这个 skill 安装到当前 runtime 的 skills 目录: +/path/to/skill-inspector + +安装后请确认能通过 skill 名称 `skill-inspector` 触发。 +``` + +### 手动安装 + +不同 runtime 的目录可能不同,常见路径如下: + +| Runtime | 常见安装目录 | +|---|---| +| Claude Code | `~/.claude/skills/skill-inspector/` | +| Codex | `~/.codex/skills/skill-inspector/` | +| WorkBuddy | 使用 WorkBuddy 的 skills 目录 | +| 其他 runtime | 对应 runtime 的 skills 目录 | + +示例: + +```bash +# Codex +cp -R skill-inspector ~/.codex/skills/ + +# Claude Code +cp -R skill-inspector ~/.claude/skills/ +``` + +如果你的 runtime 支持 Agent Skills 风格的 `SKILL.md` 加载,就可以使用;不需要固定安装到 `.codex`。 + +--- + +## 使用 + +装好后,直接让 Agent 审查目标 skill: + +```text +用 skill-inspector 审查 /path/to/skill +``` + +或者: + +```text +这个 skill 安全吗?/path/to/skill +``` + +也可以审查从 GitHub 下载到本地的 skill 目录: + +```text +帮我看看 ~/Downloads/some-skill 能不能装 +``` + +--- + +## 工作原理 + +Skill Inspector 有两条审查线:一条负责找证据,一条负责判断证据是否合理。最后再把两条线合并成安装建议。 + +### 1. 证据线:SkillSpector 静态扫描 + +默认运行: + +```bash +skillspector scan "$TARGET" --no-llm --format json --output /tmp/skill-inspector-report.json +``` + +这一层不理解业务意图,只负责抓硬风险信号。它的输入是目标 skill 目录,输出是结构化 JSON 报告,包括风险分、严重级别、命中规则、文件位置和证据片段。 + +| 风险面 | 例子 | +|---|---| +| 外部传输 | `curl -d`、`requests.post`、远程 API | +| 凭据访问 | 环境变量、token、密码、本地配置 | +| 执行风险 | shell、subprocess、eval、exec | +| 文件风险 | 写入、删除、持久化、自修改 | +| MCP 风险 | 权限声明和实际行为不一致、tool poisoning | +| 供应链风险 | 下载后执行、混淆、未固定依赖 | + +这一线回答的是: + +> 代码里出现了哪些值得警惕的行为? + +它不负责最终裁决。比如网络请求可能是数据外传,也可能是一个 API skill 的正常能力。 + +### 2. 判断线:Agent 语义复核 + +静态扫描之后,Agent 必须读取: + +- 目标 `SKILL.md` +- 可执行脚本 +- MCP 配置和 tool 描述 +- SkillSpector 命中的文件和行号附近源码 + +这一层会把静态证据放回源码上下文里看: + +- skill 声称自己做什么? +- 实际代码是否只做这些事? +- 敏感能力是否被文档明示? +- 权限声明和实际行为是否一致? +- 网络请求的目的地是否可信、必要? +- 读取 env、token、本地配置是否符合用途? +- 是否存在隐藏指令、触发词污染、未知外发、持久化或混淆执行? + +这一线回答的是: + +> 这些风险行为是否合理、必要、可控? + +### 3. 合并线:综合 verdict + +最终结论不是简单按分数走,而是按下面的顺序合并: + +| 输入 | 作用 | +|---|---| +| SkillSpector 分数 | 给出总体风险姿态 | +| 命中规则和严重级别 | 标出需要优先看的风险点 | +| 源码上下文 | 判断 finding 是真实问题还是合理能力 | +| skill 描述和权限 | 判断是否有描述-行为不一致 | +| Agent 语义复核 | 形成最终安装建议 | + +低分不自动通过,因为自然语言里可能有隐藏指令或过宽触发。高分也不机械拒绝,因为某些 skill 天然需要网络、env 或 shell 能力。 + +最终只输出三个 verdict: + +- `APPROVE`:证据干净,或敏感行为很轻且完全符合用途。 +- `CAUTION`:有敏感能力,但明示、必要、可控。 +- `REJECT`:发现恶意、欺骗、未知外发、凭据风险、混淆执行,或无法解释的 HIGH / CRITICAL。 + +--- + +## 报告格式 + +报告使用 triage 风格,适合快速判断: + +```markdown +## 🛡️ Skill Inspector: `` + +**来源:** +**结论:** +**风险:** /100 · · +**使用姿态:** <适合什么环境,不适合什么环境> + +### 🧭 快速判断 +<核心判断> + +### 📡 信号概览 +| 来源 | 结果 | 解读 | +|---|---|---| +| SkillSpector 静态扫描 | | | +| Agent 语义复核 | | | +| 敏感面 | | | + +### 🔎 关键证据 +| 规则 | 级别 | 位置 | 复核判断 | +|---|---|---|---| +| | | | | + +### 🧠 诊断 +<综合分析> + +### ✅ 建议护栏 +1. +2. +``` + +--- + +## 判定标准 + +| Verdict | 含义 | +|---|---| +| `APPROVE` | 未发现实质安全问题,行为和描述一致 | +| `CAUTION` | 存在敏感能力,但用途明确、必要、可控 | +| `REJECT` | 存在恶意、欺骗、未知外发、凭据风险、混淆执行,或无法解释的 HIGH / CRITICAL | + +SkillSpector 分数只是输入信号,不是最终裁决: + +| Score | 默认姿态 | +|---|---| +| `0-20` | 快速复核后通常可接受 | +| `21-35` | 命中项必须能被 skill 目的解释 | +| `36-50` | 必须人工复核,默认谨慎 | +| `51-80` | 默认拒绝,除非来源可信且敏感行为全部必要 | +| `81-100` | 拒绝 | + +--- + +## 设计原则 + +- **不执行目标 skill 的脚本**:只读取源码和扫描报告。 +- **不只看分数**:必须结合 skill 描述和源码语义判断。 +- **不静默降级 HIGH / CRITICAL**:无法解释的高危 finding 直接进入拒绝路径。 +- **允许合理敏感能力**:网络、env、文件、shell 并非天然恶意,但必须明示、必要、可控。 + +--- + +## 为什么不用 SkillSpector LLM 作为必需项 + +SkillSpector 支持 LLM 语义分析,但需要额外配置 provider。Skill Inspector 默认使用 `--no-llm`,让 SkillSpector 专注静态证据,再由当前 Agent 读源码做语义判断。 + +这降低了使用门槛,也避免因为 LLM provider 未配置而无法审查。 From 1991f0ad31799f7b0264549ec68277909de0c1a0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E9=9D=92=E8=A1=AB?= Date: Sun, 5 Jul 2026 14:36:56 +0800 Subject: [PATCH 6/7] skills: add skill-inspector definition --- skills/skill-inspector/SKILL.md | 169 ++++++++++++++++++++++++++++++++ 1 file changed, 169 insertions(+) create mode 100644 skills/skill-inspector/SKILL.md diff --git a/skills/skill-inspector/SKILL.md b/skills/skill-inspector/SKILL.md new file mode 100644 index 00000000..e7d52ecc --- /dev/null +++ b/skills/skill-inspector/SKILL.md @@ -0,0 +1,169 @@ +--- +name: skill-inspector +description: Review AI agent skills before installation by combining SkillSpector static scanning with agent-led semantic review. Use when asked whether a skill is safe, trustworthy, installable, malicious, over-permissioned, or worth accepting. +allowed-tools: + - Bash + - Read +--- + + +Decide whether an AI agent skill is safe to install or keep installed. + +Use two independent lines of review: +- SkillSpector static scan for hard evidence. +- Agent semantic review for intent, permission fit, hidden behavior, and trust judgment. + +Do not rely on risk score alone. A low score can still hide semantic risk. + + + +- Run static scan first. Use it as evidence, not as the final verdict. +- Review source yourself after the scan. Read `SKILL.md`, executable scripts, MCP manifests/configs, and every file referenced by HIGH/CRITICAL/MEDIUM findings. +- Never let an LLM downgrade unexplained HIGH/CRITICAL findings. If a sensitive behavior cannot be explained by the skill purpose, reject. +- Prefer the smallest useful verdict: `APPROVE`, `CAUTION`, or `REJECT`. +- If `skillspector` is missing, say so and continue with manual review instead of installing tools silently. +- Do not execute the target skill's scripts. Reading and static commands are allowed; running untrusted skill code is not. + + + +1. Resolve the target path or URL. + +2. Run SkillSpector static scan: + +```bash +skillspector scan "$TARGET" --no-llm --format json --output /tmp/skill-inspector-report.json +``` + +If the command exits non-zero, read any partial output and continue manually. + +3. Read `/tmp/skill-inspector-report.json`. + +4. Read source: +- Always read the target `SKILL.md`. +- Read all executable files reported by SkillSpector. +- Read files and nearby lines for every HIGH or CRITICAL finding. +- Read MEDIUM findings when they involve network, credentials, env vars, file writes, shell execution, MCP permissions, persistence, obfuscation, or user/context leakage. +- Read MCP server/tool definitions if present: `mcp.json`, `server.py`, `server.ts`, `package.json`, tool descriptions, parameter descriptions. + +5. Apply semantic review: +- Purpose fit: Does the code do only what the description promises? +- Permission fit: Do declared tools/permissions match actual behavior? +- Sensitive access: Are env vars, tokens, credential files, home directories, agent config directories, or installed skills accessed? +- External transmission: What leaves the machine, where does it go, and is that destination documented? +- Execution risk: Any `eval`, `exec`, dynamic import, shell execution, downloaded code, base64/ROT13/zlib payload, or subprocess chain? +- Persistence: Any cron, launch agent, shell profile, startup hook, code that changes itself, auto-updater behavior, or hidden state? +- Prompt risk: Any instruction that weakens safety boundaries, hides actions, exposes internal instructions, or steers future conversations? +- Trigger risk: Are triggers broad enough to hijack unrelated user requests? +- Supply chain: Unpinned installs, typosquatting-looking imports, remote install scripts, or dependency downloads? +- User control: Does sensitive/destructive behavior require clear user consent? + +6. Decide: +- `APPROVE`: no CRITICAL/HIGH, no unexplained sensitive behavior, code matches stated purpose. +- `CAUTION`: sensitive behavior exists but is documented, necessary, and bounded. +- `REJECT`: any malicious/deceptive behavior, unexplained HIGH/CRITICAL, hidden prompt injection, credential theft, unknown exfiltration, obfuscated execution, persistence, or description-code mismatch. + +Score guidance: +- `0-20`: usually acceptable after quick source check. +- `21-35`: acceptable only if findings are clearly justified. +- `36-50`: manual review required; default to CAUTION unless every concern is explained. +- `51-80`: default REJECT unless source is trusted and every sensitive behavior is necessary. +- `81-100`: REJECT. + + + +Return a friendly security report, not a raw bullet dump. + +Language: +- Match the user's language. +- For Chinese users, use Chinese section titles and Chinese explanations. +- Keep machine verdict labels as `APPROVE`, `CAUTION`, `REJECT`; translate their meaning in prose when useful. +- Keep SkillSpector rule IDs, severities, file paths, and commands unchanged. +- Use a few purposeful emoji in report headings/status markers. Keep them sparse + and professional: one in the title, one for verdict/risk, and optional warning + markers for serious findings. Do not decorate every bullet. + +For Chinese output, use this triage-report style. Keep the sections, but write +naturally; avoid stiff table-like filler. + +```text +## 🛡️ Skill Inspector: `` + +**来源:** +**结论:** +**风险:** /100 · · +**使用姿态:** <一句话说明适合什么环境,不适合什么环境> + +### 🧭 快速判断 +<2-3 句说明能不能装、主要风险是什么、为什么不是只按分数判断。> + +### 📡 信号概览 +| 来源 | 结果 | 解读 | +|---|---|---| +| SkillSpector 静态扫描 | | | +| Agent 语义复核 | | | +| 敏感面 | | | + +### 🔎 关键证据 +| 规则 | 级别 | 位置 | 复核判断 | +|---|---|---|---| +| | | : | | + +### 🧠 诊断 +<2-4 句解释综合 verdict。把静态证据和语义复核连起来,不要只按分数下结论。> + +### ✅ 建议护栏 +1. +2. +``` + +For non-Chinese output, use this triage-report style. Keep the sections, but +write naturally; avoid stiff table-like filler. + +```text +## 🛡️ Skill Inspector: `` + +**Source:** +**Verdict:** +**Risk:** /100 · · +**Install posture:** + +### 🧭 Bottom Line +<2-3 sentences saying whether to install/use it, the main risk, and why score +alone is not enough.> + +### 📡 Signal Overview +| Source | Result | Interpretation | +|---|---|---| +| SkillSpector static scan | | | +| Agent semantic review | | | +| Sensitive surface | | | + +### 🔎 Key Evidence +| Rule | Severity | Location | Review judgment | +|---|---|---|---| +| | | : | | + +### 🧠 Diagnosis +<2-4 sentences explaining the combined verdict. Connect static evidence with +semantic review. Do not rely on score alone.> + +### ✅ Guardrails +1. +2. +``` + +Omit empty sections. Keep evidence short and avoid pasting full reports. Prefer +specific, grounded prose over generic security boilerplate. Use tables only when +they improve scanning; if there are many findings, group them by risk theme. + + + +If SkillSpector is unavailable, still inspect: +- `SKILL.md` frontmatter and body +- scripts and executable files +- dependency files +- MCP configs and tool descriptions +- network/env/file/shell/persistence patterns + +State clearly that no SkillSpector scan ran. + From 5312d931af75e11df0bc743100b7fa389437e85c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E9=9D=92=E8=A1=AB?= Date: Sun, 5 Jul 2026 14:36:57 +0800 Subject: [PATCH 7/7] skills: add skill-inspector license --- skills/skill-inspector/LICENSE | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 skills/skill-inspector/LICENSE diff --git a/skills/skill-inspector/LICENSE b/skills/skill-inspector/LICENSE new file mode 100644 index 00000000..5057b689 --- /dev/null +++ b/skills/skill-inspector/LICENSE @@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2026 Dxboy266 + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE.