Skills Audit (SkillLens)
Install SkillLens
- - One-off run:
npx skilllens scan (or pnpm dlx skilllens scan) - Global install: �INLINECODE2
Quick start
- - Run
skilllens config to see configured scan roots and auditor CLI availability. - Run
skilllens scan to scan configured roots, or skilllens scan <path> to scan a specific directory. - Re-run with
--verbose to see raw auditor output and --force to ignore cached results.
Audit workflow
- 1. Define scope
- Prefer a concrete target path (example:
~/.codex/skills) unless the user explicitly wants all configured roots.
- If auditing a repo checkout containing skills, scan the parent folder that contains skill directories (example:
skilllens scan ./skills).
- 2. Inventory skills with SkillLens
- Run
skilllens scan [path] [--auditor claude|codex].
- Treat missing auditor CLIs or
skipped statuses as “manual review required”, not “safe”.
- 3. Prioritize review order
- Review any
unsafe or
suspicious verdicts first.
- Next, review skills that request broad permissions (filesystem/network), run shell commands, or reference external downloads.
- 4. Manually review each skill’s contents
- Read the skill’s
SKILL.md and any referenced
scripts/,
references/, and
assets/.
- Do not execute bundled scripts by default; inspect first.
- 5. Evaluate risks (focus on realistic abuse)
-
Exfiltration: sending file contents, env vars, tokens, SSH keys, browser data, or configs to remote endpoints.
-
Execution: instructions to run arbitrary shell commands,
curl | bash,
eval, or to fetch-and-execute code.
-
Persistence: modifying shell profiles, launch agents, cron, editor configs, or skill install locations.
-
Privilege/approval bypass: instructions to ignore system policies, disable safety checks, or request escalated permissions unnecessarily.
-
Prompt injection: attempts to override higher-priority instructions (“ignore previous”, “always comply”, “never mention…”).
-
Overbroad triggers: vague descriptions that cause the skill to trigger on unrelated tasks.
- 6. Produce a report
- For each skill, include:
name,
path,
verdict (safe/suspicious/unsafe),
risk (0–100), and bullet issues with concrete evidence (quote or filename).
- Recommend fixes that reduce blast radius: narrow scope, remove dangerous defaults, add explicit confirmation gates, and document required permissions.
Command snippets
- - Scan configured roots: �INLINECODE24
- Scan a specific folder: �INLINECODE25
- Force a re-audit and show raw output: �INLINECODE26
技能审计 (SkillLens)
安装 SkillLens
- - 一次性运行:npx skilllens scan(或 pnpm dlx skilllens scan)
- 全局安装:pnpm add -g skilllens
快速开始
- - 运行 skilllens config 查看已配置的扫描根目录和审计工具 CLI 可用性。
- 运行 skilllens scan 扫描已配置的根目录,或 skilllens scan <路径> 扫描特定目录。
- 使用 --verbose 参数重新运行可查看原始审计输出,使用 --force 参数可忽略缓存结果。
审计工作流程
- 1. 定义范围
- 优先使用具体的目标路径(例如:~/.codex/skills),除非用户明确要求扫描所有已配置的根目录。
- 如果审计包含技能的仓库检出目录,请扫描包含技能目录的父文件夹(例如:skilllens scan ./skills)。
- 2. 使用 SkillLens 盘点技能
- 运行 skilllens scan [路径] [--auditor claude|codex]。
- 将缺失的审计工具 CLI 或 skipped(已跳过)状态视为需要人工审核,而非安全。
- 3. 确定审核优先级
- 首先审核标记为 unsafe(不安全)或 suspicious(可疑)的技能。
- 其次审核请求广泛权限(文件系统/网络)、运行 shell 命令或引用外部下载的技能。
- 4. 人工审核每个技能的内容
- 阅读技能的 SKILL.md 文件以及所有引用的 scripts/、references/ 和 assets/ 目录。
- 默认情况下不要执行捆绑的脚本,先进行检查。
- 5. 评估风险(重点关注实际滥用场景)
-
数据泄露:将文件内容、环境变量、令牌、SSH 密钥、浏览器数据或配置文件发送到远程端点。
-
执行风险:指示运行任意 shell 命令、curl | bash、eval 或获取并执行代码。
-
持久化风险:修改 shell 配置文件、启动代理、定时任务、编辑器配置或技能安装位置。
-
权限/审批绕过:指示忽略系统策略、禁用安全检查或不必要地请求提升权限。
-
提示注入:尝试覆盖更高优先级的指令(忽略之前的指令、始终遵从、永远不要提及...)。
-
过度触发:模糊的描述导致技能在不相关的任务上被触发。
- 6. 生成报告
- 对于每个技能,包括:名称、路径、判定结果(安全/可疑/不安全)、风险等级(0–100),以及带有具体证据(引用或文件名)的要点问题。
- 建议减少影响范围的修复措施:缩小范围、移除危险的默认设置、添加明确的确认关卡、记录所需的权限。
命令示例
- - 扫描已配置的根目录:skilllens scan
- 扫描特定文件夹:skilllens scan ~/.codex/skills
- 强制重新审计并显示原始输出:skilllens scan ~/.codex/skills --force --verbose
