erickgrau

Repo Security Auditor

Author: Erick Grau · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ✓ Security check passed
Total downloads: 108
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install repo-security-auditor
Description
Audit GitHub repositories for security vulnerabilities, malicious code patterns, and suspicious behavior. Clone repos, analyze code for backdoors, data exfil...
Usage instructions (SKILL.md)

Repo Security Auditor

Overview

This skill performs comprehensive security audits on GitHub repositories before you adopt, modify, or reimplement them. It clones the repo, analyzes code for malicious patterns, checks dependencies for vulnerabilities, verifies license compatibility, and produces a detailed security report with a PASS/FAIL verdict.

If the repo passes safety checks, the skill can scaffold a clean reimplementation with the same features but without any inherited risks.

When to Use

  • Before adopting third-party code: "Is this library safe to use?"
  • Before forking: "Audit this repo before I fork it"
  • Dependency risk assessment: "Check if these dependencies are malicious"
  • Reimplementation planning: "Recreate this safely as our own"
  • Supply chain security: "Scan this repo for backdoors or exfiltration"

Quick Reference

| Situation | Action |
|---|---|
| User provides GitHub URL | Clone → security scan → report → if safe, scaffold clean reimplementation |
| Repo has suspicious patterns | Document findings, recommend against use, suggest alternatives |
| Dependencies have CVEs | Report severity, suggest updates or replacements |
| License is incompatible | Note restrictions, check against intended use |
| Repo passes all checks | Scaffold clean reimplementation with feature extraction |
| Large repo (100k+ lines) | Sample key files, prioritize entry points and network code |

Step 1: Clone and Inventory

Clone the repository and create a file inventory:

# Clone to temp directory
REPO_URL="https://github.com/owner/repo"
REPO_NAME=$(basename "$REPO_URL" .git)
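# mktemp -d creates a private, unpredictable directory instead of a guessable /tmp path
WORKDIR="$(mktemp -d "/tmp/repo-audit-$REPO_NAME-XXXXXX")"
git clone --depth 1 "$REPO_URL" "$WORKDIR"
cd "$WORKDIR" || exit 1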

# Create inventory
echo "=== File Inventory ===" > inventory.txt
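# Parentheses make -type f apply to every -name alternative, not only the first
find . -type f \( -name "*.js" -o -name "*.ts" -o -name "*.py" -o -name "*.go" -o -name "*.rs" -o -name "*.java" -o -name "*.c" -o -name "*.cpp" \) | head -100 >> inventory.txt
echo "=== Dependencies ===" >> inventory.txt
# Group the fallbacks so that whichever manifest is found is appended to the inventory
{ cat package.json 2>/dev/null || cat requirements.txt 2>/dev/null || cat Cargo.toml 2>/dev/null || cat go.mod 2>/dev/null; } >> inventory.txt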

Step 2: Security Analysis Pipeline

Run these checks in parallel where possible:

2.1 Static Code Analysis (Nefarious Patterns)

Search for suspicious patterns:

# Network exfiltration patterns
grep -rE "(fetch|axios|request|http|socket).*\.(post|send|write)" --include="*.js" --include="*.ts" . | head -20 > suspicious-network.txt

# Dynamic code execution
grep -rE "(eval|Function|setTimeout|setInterval).*\(" --include="*.js" --include="*.ts" . | head -20 > suspicious-dynamic.txt

# Obfuscation patterns (single quotes so grep receives \\x and \\u and matches a literal backslash)
grep -rE '(\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}|String\.fromCharCode|atob|btoa)' --include="*.js" --include="*.ts" . | head -20 > suspicious-obfuscation.txt

# Environment variable access (Node.js and Python forms)
grep -rE "process\.env|env\[|os\.environ|os\.getenv" --include="*.js" --include="*.ts" --include="*.py" . | head -20 > env-access.txt

# Shell execution
grep -rE "(exec|spawn|execSync|child_process)" --include="*.js" --include="*.ts" . | head -20 > shell-execution.txt

# Cryptocurrency/mining patterns
grep -riE "(bitcoin|ethereum|monero|mining|crypto|wallet|blockchain)" --include="*.js" --include="*.ts" --include="*.py" . | head -10 > crypto-patterns.txt

2.2 Dependency Vulnerability Scan

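# JavaScript/TypeScript
# npm audit exits non-zero when it finds vulnerabilities, so test for output rather than exit status
npm audit --json > npm-audit.json 2>/dev/null
[ -s npm-audit.json ] || echo "No npm audit available"

# Python
# This installs the latest safety release unpinned; prefer a pinned version inside a virtual environment
pip install safety 2>/dev/null && safety check -r requirements.txt --json > safety-report.json 2>/dev/null
[ -s safety-report.json ] || echo "No safety check available"

# Fetch the repository's SBOM from the GitHub dependency graph via CLI if available
gh api "repos/{owner}/{repo}/dependency-graph/sbom" 2>/dev/null > sbom.json || echo "No SBOM available"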

2.3 License Compliance Check

# Check license file
LICENSE_FILE=$(find . -maxdepth 2 -type f \( -iname "license*" -o -iname "copying*" \) | head -1)
if [ -n "$LICENSE_FILE" ]; then
    cat "$LICENSE_FILE" > license-content.txt
fi

# Package.json license field
grep -A2 '"license"' package.json 2>/dev/null > license-package.txt

2.4 Supply Chain Risk Assessment

# Check for unpublished or scoped packages with low downloads
echo "Checking package registry visibility..."
npm ls --depth=0 --json 2>/dev/null | jq -r '.dependencies | keys[]' 2>/dev/null | head -20 > package-list.txt

Step 3: Risk Assessment & Scoring

Score each category 0-10 (10 = highest risk):

| Category | Weight | Findings | Score |
|---|---|---|---|
| Network exfiltration | 25% | Suspicious outbound calls | 0-10 |
| Dynamic code execution | 20% | eval(), new Function(), etc. | 0-10 |
| Obfuscation | 15% | Encoded strings, packed code | 0-10 |
| Dependency vulnerabilities | 20% | Known CVEs in deps | 0-10 |
| License risk | 10% | GPL, proprietary conflicts | 0-10 |
| Supply chain | 10% | Unpublished packages, typosquats | 0-10 |

Verdict thresholds:

  • 0-3: Safe to use — proceed with clean reimplementation
  • 4-6: Caution — review flagged items, may proceed with modifications
  • 7-10: High risk — do not use, recommend alternatives
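
The weighted score from the table above, as an added example that is not one of the skill's bundled scripts. It also shows that a single category scored 10 can still average into the 0-3 band, so it adds a per-category floor. The function names, the handling of scores between the listed bands, and the floor are assumptions of this example.

```shell
#!/bin/sh
# Added example: combine the six category scores (integers 0-10) using the
# weights from the table. Function names are hypothetical.

# overall_score NET DYN OBF DEPS LICENSE SUPPLY -> weighted score, one decimal
overall_score() {
    awk -v n="$1" -v d="$2" -v o="$3" -v v="$4" -v l="$5" -v s="$6" 'BEGIN {
        printf "%.1f\n", n*0.25 + d*0.20 + o*0.15 + v*0.20 + l*0.10 + s*0.10
    }'
}

# verdict_for SCORE -> SAFE | CAUTION | HIGH RISK
# Assumption: <= 3.0 is SAFE (Step 5's cut-off), >= 7.0 is HIGH RISK,
# everything between is CAUTION; the page lists only integer bands.
verdict_for() {
    awk -v s="$1" 'BEGIN {
        if (s <= 3.0) print "SAFE"
        else if (s < 7.0) print "CAUTION"
        else print "HIGH RISK"
    }'
}

# max_category SCORES... -> highest single category score
max_category() {
    max=0
    for score in "$@"; do
        if [ "$score" -gt "$max" ]; then max=$score; fi
    done
    echo "$max"
}

# final_verdict SCORES... -> weighted verdict, unless one category is itself
# in the high-risk band (assumed floor, not part of the skill).
final_verdict() {
    if [ "$(max_category "$@")" -ge 7 ]; then
        echo "HIGH RISK"
    else
        verdict_for "$(overall_score "$@")"
    fi
}

# Constructed case: exfiltration scored 10, every other category 0.
echo "weighted: $(overall_score 10 0 0 0 0 0) -> $(verdict_for "$(overall_score 10 0 0 0 0 0)")"
echo "with floor: $(final_verdict 10 0 0 0 0 0)"
```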

Step 4: Security Report Generation

Generate a comprehensive markdown report:

# Security Audit Report: [REPO_NAME]
**URL:** [GITHUB_URL]
**Audit Date:** [DATE]
**Auditor:** Repo Security Auditor Skill

## Executive Summary
**Overall Risk Score:** [X.X]/10 ([SAFE|CAUTION|HIGH RISK])
**Recommendation:** [PROCEED WITH CAUTION|DO NOT USE|SAFE TO REIMPLEMENT]

## Risk Breakdown

### 🔴 Network Exfiltration Risk: [SCORE]/10
**Findings:**
- [List suspicious network calls]
- [Document data transmission patterns]

**Assessment:** [Explanation]

### 🔴 Dynamic Code Execution Risk: [SCORE]/10
**Findings:**
- [List eval/new Function usage]
- [Document dynamic import patterns]

**Assessment:** [Explanation]

### 🟡 Obfuscation Risk: [SCORE]/10
**Findings:**
- [List encoded strings, packed code]
- [Document minification patterns]

**Assessment:** [Explanation]

### 🔴 Dependency Vulnerabilities: [SCORE]/10
**Findings:**
- [CVE-XXXX-XXXX: Description]
- [Severity levels]

**Assessment:** [Explanation]

### 🟡 License Risk: [SCORE]/10
**License:** [LICENSE_TYPE]
**Compatibility:** [COMPATIBLE|INCOMPATIBLE]
**Restrictions:** [Any commercial/use restrictions]

### 🟡 Supply Chain Risk: [SCORE]/10
**Findings:**
- [Unpublished packages]
- [Low-download dependencies]
- [Typosquatting candidates]

## Detailed Findings

### High Priority Issues
1. **[Issue title]**
   - Location: `file:line`
   - Evidence: [code snippet]
   - Risk: [Description]
   - Mitigation: [How to address]

### Medium Priority Issues
...

### Low Priority Issues
...

## Clean Reimplementation Assessment

**Eligible:** [YES|NO - explain why]

If YES, include:
- Core features to preserve
- Architecture to replicate
- Security improvements to make
- Dependencies to update/replace

Step 5: Clean Reimplementation (If Safe)

If overall score ≤ 3.0, scaffold a clean reimplementation:

5.1 Feature Extraction

Analyze the repo and extract:

  • Core functionality: What does this code do?
  • Public API: Classes, functions, exports
  • Data models: Types, schemas, interfaces
  • Key algorithms: Unique logic worth preserving

5.2 Scaffold Generation

Create a new clean project structure:

clean-reimplementation/
├── README.md                 # Feature documentation
├── LICENSE                   # Your preferred license
├── package.json              # Clean dependency manifest
├── src/
│   ├── index.ts             # Clean entry point
│   ├── [feature-modules]/   # Modular architecture
│   └── utils/               # Clean utilities
├── tests/
│   └── [test-files].test.ts # Comprehensive tests
└── docs/
    └── ARCHITECTURE.md       # Design decisions

5.3 Security Improvements to Make

When reimplementing, always:

  • Use latest dependency versions
  • Remove any dynamic code execution
  • Add input validation at all boundaries
  • Use dependency scanning in CI/CD
  • Add security headers/CORS config
  • Implement proper error handling (no info leakage)
  • Use least-privilege permissions

Anti-Patterns to Avoid

Don't just grep and report — analyze context. eval() in a test file for a parser is different from eval() in production handling user input.

Don't flag minified code as malicious — Check if it's a legitimate build artifact vs. intentionally obfuscated source.

Don't ignore test files — But weight them lower; test utilities often use "dangerous" patterns legitimately.

Don't trust package download counts alone — New packages can be safe; old packages can be compromised.

Don't skip manual review — Automated scans catch patterns, not intent. Always review findings in context.
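
One way to attach context to the raw grep findings before they are scored, as an added example that is not one of the skill's bundled scripts. The path conventions (tests/, __tests__/, dist/, *.min.js and so on), the function names and the sample findings are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: tag raw grep findings with the context they were found in.
# The path conventions and function names are assumptions of this example.

# classify_path PATH -> test | build-artifact | production
classify_path() {
    case "$1" in
        */test/*|*/tests/*|*/__tests__/*|*.test.js|*.test.ts|*.spec.js|*.spec.ts)
            echo test ;;
        */dist/*|*/build/*|*.min.js|*.bundle.js)
            echo build-artifact ;;
        *)
            echo production ;;
    esac
}

# triage: read "path:matched text" lines (the format grep -r prints) on stdin
# and prefix each with its context and a tab.
triage() {
    while IFS= read -r line; do
        path=${line%%:*}
        printf '%s\t%s\n' "$(classify_path "$path")" "$line"
    done
}

# count_context CONTEXT: number of tagged lines on stdin with that context
count_context() {
    awk -F '\t' -v want="$1" '$1 == want { n++ } END { print n + 0 }'
}

# Constructed sample findings, not taken from any real repository.
sample_findings() {
    cat <<'EOF'
./src/server.js:const out = eval(req.body.expr)
./tests/parser.test.js:expect(eval("1+1")).toBe(2)
./dist/app.min.js:!function(e){setTimeout(function(){e()},0)}(t)
EOF
}

sample_findings | triage
```

A `build-artifact` tag only records where the file lives; confirming that it is real build output still means comparing it against a rebuild from source.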

Scripts Reference

Use bundled scripts for deterministic analysis:

# Run full security audit
bash scripts/audit-repo.sh [GITHUB_URL]

# Generate SBOM and vulnerability report
bash scripts/dependency-scan.sh [REPO_PATH]

# Extract features for reimplementation
bash scripts/extract-features.sh [REPO_PATH]

Output Files

Always save to ~/repo-audits/[repo-name]-[date]/:

  • security-report.md — Full audit report
  • risk-assessment.json — Machine-readable scores
  • inventory.txt — File and dependency inventory
  • suspicious-*.txt — Raw grep findings
  • clean-scaffold/ — Reimplementation scaffold (if safe)

Changelog

| Version | Date | Changes |
|---|---|---|
| 1.0 | 2026-05-15 | Initial skill creation for Chibitek Labs |

Safe usage advice
Use this skill if you are comfortable with it cloning the selected repo, writing local audit reports, and optionally contacting registry or scanner services. Prefer a sandbox or virtual environment, approve any package installs, verify which CLI accounts are active, and treat any PASS/FAIL result as a starting point for review rather than a final safety guarantee.
Functional analysis
Type: OpenClaw Skill Name: repo-security-auditor Version: 1.0.0 The skill bundle provides a legitimate security auditing toolset designed to analyze GitHub repositories. It uses bash scripts (audit-repo.sh, dependency-scan.sh) to clone repositories and perform static analysis using grep for common indicators of compromise, such as network exfiltration, obfuscation, and dynamic code execution. The logic is transparent, lacks any data exfiltration or persistence mechanisms, and the instructions in SKILL.md are strictly aligned with the stated purpose of security auditing and safe code reimplementation.
Capability tags
crypto · requires-wallet · requires-sensitive-credentials
Capability assessment
Purpose & Capability
The scripts and instructions are coherent with repository security auditing: they clone a user-selected repo, inventory files, grep for suspicious patterns, and run dependency scanners. The wording around “comprehensive” audits and “Safe to use” is stronger than the visible automated checks can fully support.
Instruction Scope
The visible workflow is user-invoked and scoped to a user-provided repository. It does not show hidden autonomous behavior, but it does include shell commands, optional package installation, and optional external scanner/API use that users should approve knowingly.
Install Mechanism
There is no install spec or required-binary declaration, while the skill’s scripts assume tools such as git, npm, yarn, pnpm, snyk, jq, safety, pip-audit, bandit, cargo-audit, and others may be present. SKILL.md also suggests an unpinned `pip install safety` command.
Credentials
The skill reads and copies data from the selected repo and writes audit artifacts under locations such as `$HOME/repo-audits` or local output folders. This is proportionate for auditing, but private repository metadata may be included in local reports or sent to dependency-scanning services.
Persistence & Privilege
No background persistence, privilege escalation, or self-propagation is shown. Local audit outputs persist until the user deletes them, and optional tools such as GitHub CLI or Snyk may use existing local authentication if configured.
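How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install repo-security-auditor
  3. Once installation finishes, call the Skill by name or trigger it with /repo-security-auditor
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history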
v1.0.0
Initial release - security audit and clean reimplementation skill
Metadata
Slug repo-security-auditor
Version 1.0.0
License MIT-0
Total installs 0
Current installs 0
Historical versions 1
FAQ

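What is Repo Security Auditor?

Audit GitHub repositories for security vulnerabilities, malicious code patterns, and suspicious behavior. Clone repos, analyze code for backdoors, data exfil... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 108 total downloads so far.

How do I install Repo Security Auditor?

Run the command "/install repo-security-auditor" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is Repo Security Auditor free?

Yes. Repo Security Auditor is completely free and is released under the MIT-0 license, so it can be freely downloaded, installed and used.

Which platforms does Repo Security Auditor support?

Repo Security Auditor runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Repo Security Auditor?

It is developed and maintained by Erick Grau (@erickgrau); the current version is v1.0.0.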
