Repo Security Auditor — Repo Security 审计or
v1.0.0审计 GitHub repositories for security vulnerabilities, malicious code patterns, and suspicious behavior. Clone repos, analyze code for backdoors, data exfiltration, obfuscation, dependency risks, and license 合规. 生成 a security 报告 and optionally scaffold a 清理 reimplementation if the repo passes safety 检查s. Use when: user wants to "review a GitHub repo for security", "检查 if code is safe", "审计 仓库 for malicious code", "analyze repo before using", "扫描 dependencies", "re创建 this repo safely", or any 请求 involving security analysis of third-party code. Do NOT use for: repos you own and trust, general code review without security focus, or when user only wants a feature summary without security 检查s.
by 运行时依赖
版本
Version Date Changes
安装命令
点击复制技能文档
Repo Security 审计or Overview
This 技能 performs comprehensive security 审计s on GitHub repositories before you adopt, modify, or reimplement them. It clones the repo, analyzes code for malicious patterns, 检查s dependencies for vulnerabilities, verifies license compatibility, and produces a detAIled security 报告 with a PASS/FAIL verdict.
If the repo passes safety 检查s, the 技能 can scaffold a 清理 reimplementation with the same features but without any inherited risks.
When to Use Before adopting third-party code: "Is this 库 safe to use?" Before forking: "审计 this repo before I fork it" Dependency risk assessment: "检查 if these dependencies are malicious" Reimplementation planning: "Re创建 this safely as our own" Supply chAIn security: "扫描 this repo for backdoors or exfiltration" Quick Reference Situation Action User provides GitHub URL Clone → security 扫描 → 报告 → if safe, scaffold 清理 reimplementation Repo has suspicious patterns Document findings, recommend agAInst use, suggest alternatives Dependencies have CVEs 报告 severity, suggest 更新s or replacements License is incompatible Note restrictions, 检查 agAInst intended use Repo passes all 检查s Scaffold 清理 reimplementation with feature 提取ion Large repo (100k+ lines) Sample key files, prioritize entry points and network code Step 1: Clone and Inventory
Clone the 仓库 and 创建 a file inventory:
# Clone to temp directory REPO_URL="https://github.com/owner/repo" REPO_NAME=$(basename "$REPO_URL" .git) WORKDIR="/tmp/repo-审计-$REPO_NAME-$(date +%s)" git clone --depth 1 "$REPO_URL" "$WORKDIR" cd "$WORKDIR"
# 创建 inventory echo "=== File Inventory ===" > inventory.txt find . -type f -name ".js" -o -name ".ts" -o -name ".py" -o -name ".go" -o -name ".rs" -o -name ".java" -o -name ".c" -o -name ".cpp" | head -100 >> inventory.txt echo "=== Dependencies ===" >> inventory.txt cat package.json 2>/dev/null || cat requirements.txt 2>/dev/null || cat Cargo.toml 2>/dev/null || cat go.mod 2>/dev/null >> inventory.txt
Step 2: Security Analysis 流水线
运行 these 检查s in parallel where possible:
2.1 Static Code Analysis (Nefarious Patterns)
搜索 for suspicious patterns:
# Network exfiltration patterns grep -rE "(fetch|axios|请求|http|socket).\.(post|发送|write)" --include=".js" --include=".ts" . | head -20 > suspicious-network.txt
# Dynamic code execution grep -rE "(eval|Function|设置Timeout|设置Interval).\(" --include=".js" --include=".ts" . | head -20 > suspicious-dynamic.txt
# Obfuscation patterns grep -rE "(\\x[0-9a-f]{2}|\\u[0-9a-f]{4}|String\.fromCharCode|atob|btoa)" --include=".js" --include=".ts" . | head -20 > suspicious-obfuscation.txt
# 环境 variable 访问 grep -rE "process\.env|env\[" --include=".js" --include=".ts" --include=".py" . | head -20 > env-访问.txt
# Shell execution grep -rE "(exec|spawn|exec同步|child_process)" --include=".js" --include=".ts" . | head -20 > shell-execution.txt
# Cryptocurrency/mining patterns grep -riE "(bitcoin|ethereum|monero|mining|crypto|wallet|blockchAIn)" --include=".js" --include=".ts" --include=".py" . | head -10 > crypto-patterns.txt
2.2 Dependency Vulnerability 扫描 # JavaScript/TypeScript npm 审计 --json 2>/dev/null > npm-审计.json || echo "No npm 审计 avAIlable"
# Python pip 安装 safety 2>/dev/null && safety 检查 -r requirements.txt --json 2>/dev/null > safety-报告.json || echo "No safety 检查 avAIlable"
# Use GitHub Advisory Database via 命令行工具 if avAIlable gh API repos/:owner/:repo/dependency-graph/sbom 2>/dev/null > sbom.json || echo "No SBOM avAIlable"
2.3 License 合规 检查 # 检查 license file LICENSE_FILE=$(find . -maxdepth 2 -iname "license" -o -iname "copying" | head -1) if [ -n "$LICENSE_FILE" ]; then cat "$LICENSE_FILE" > license-content.txt fi
# Package.json license field grep -A2 '"license"' package.json 2>/dev/null > license-package.txt
2.4 Supply ChAIn Risk Assessment # 检查 for unpublished or scoped packages with low 下载s echo "检查ing package registry visibility..." npm ls --depth=0 --json 2>/dev/null | jq -r '.dependencies | keys[]' 2>/dev/null | head -20 > package-列出.txt
Step 3: Risk Assessment & Scoring
Score each category 0-10 (10 = highest risk):
Category Weight Findings Score Network exfiltration 25% Suspicious outbound calls 0-10 Dynamic code execution 20% eval(), new Function(), etc. 0-10 Obfuscation 15% Encoded strings, packed code 0-10 Dependency vulnerabilities 20% Known CVEs in deps 0-10 License risk 10% GPL, proprietary conflicts 0-10 Supply chAIn 10% Unpublished packages, typosquats 0-10
Verdict thresholds:
0-3: Safe to use — proceed with 清理 reimplementation 4-6: Caution — review flagged items, may proceed with modifications 7-10: High risk — do not use, recommend alternatives Step 4: Security 报告 Generation
生成 a comprehensive markdown 报告:
# Security 审计 报告: [REPO_NAME] URL: [GITHUB_URL] 审计 Date: [DATE] **