{
  "schemaVersion": "1.0",
  "item": {
    "slug": "agent-skills-audit",
    "name": "Audit Code",
    "source": "tencent",
    "type": "skill",
    "category": "开发工具",
    "sourceUrl": "https://clawhub.ai/Swader/agent-skills-audit",
    "canonicalUrl": "https://clawhub.ai/Swader/agent-skills-audit",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadMode": "redirect",
    "downloadUrl": "/downloads/agent-skills-audit",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=agent-skills-audit",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "installMethod": "Manual import",
    "extraction": "Extract archive",
    "prerequisites": [
      "OpenClaw"
    ],
    "packageFormat": "ZIP package",
    "includedAssets": [
      "README.md",
      "SKILL.md",
      "agents/openai.yaml",
      "references/audit-framework.md",
      "scripts/sync-to-agents.sh"
    ],
    "primaryDoc": "SKILL.md",
    "quickSetup": [
      "Download the package from Yavira.",
      "Extract the archive and review SKILL.md first; read scripts/sync-to-agents.sh before running it or letting an agent run it.",
      "Import or place the package into your OpenClaw setup."
    ],
    "agentAssist": {
      "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
      "steps": [
        "Download the package from Yavira.",
        "Extract it into a folder your agent can access.",
        "Paste one of the prompts below and point your agent at the extracted folder."
      ],
      "prompts": [
        {
          "label": "New install",
          "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete."
        },
        {
          "label": "Upgrade existing",
          "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run."
        }
      ]
    },
    "sourceHealth": {
      "source": "tencent",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-23T16:43:11.935Z",
      "expiresAt": "2026-04-30T16:43:11.935Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
        "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"",
        "redirectLocation": null,
        "bodySnippet": null
      },
      "scope": "source",
      "summary": "Source download looks usable.",
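      "detail": "Yavira can redirect you to the upstream package for this source. This check is source-scoped: the recorded probe fetched 4claw-imageboard, not agent-skills-audit, so verify the downloaded archive matches this skill before importing it.",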
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/agent-skills-audit"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    },
    "downloadPageUrl": "https://openagent3.xyz/downloads/agent-skills-audit",
    "agentPageUrl": "https://openagent3.xyz/skills/agent-skills-audit/agent",
    "manifestUrl": "https://openagent3.xyz/skills/agent-skills-audit/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/agent-skills-audit/agent.md"
  },
  "agentAssist": {
    "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
    "steps": [
      "Download the package from Yavira.",
      "Extract it into a folder your agent can access.",
      "Paste one of the prompts below and point your agent at the extracted folder."
    ],
    "prompts": [
      {
        "label": "New install",
        "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete."
      },
      {
        "label": "Upgrade existing",
        "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run."
      }
    ]
  },
  "documentation": {
    "source": "clawhub",
    "primaryDoc": "SKILL.md",
    "sections": [
      {
        "title": "Overview",
        "body": "Run an expert-panel audit with strict sequencing and one unified output document.\nProduce findings first, sorted by severity, with file references, exploit/perf/flow impact, and actionable fixes.\n\nLoad references/audit-framework.md before starting the analysis."
      },
      {
        "title": "Required Inputs",
        "body": "Collect or infer the following:\n\nAudit scope: paths, modules, PR diff, or whole repository.\nProduct context: PRD/spec/user stories, trust boundaries, and critical business flows.\nRuntime context: deployment model, queue/cron/background jobs, traffic profile, data sensitivity, and abuse assumptions.\nConstraints: timeline, acceptable risk, and preferred remediation style.\n\nIf product context is missing, state assumptions explicitly and continue."
      },
      {
        "title": "Team Roles",
        "body": "Use exactly these roles:\n\nSecurity expert\nPerformance expert\nUX expert\nDX expert\nEdge case master\nTie-breaker team lead\n\nThe tie-breaker lead resolves conflicts, prioritizes issues, and produces the final single report."
      },
      {
        "title": "Workflow",
        "body": "Follow this sequence every time:\n\nBuild Context\nRead code + product flows. Identify assets, entry points, high-risk operations, privileged actions, external dependencies, and \"failure hurts\" journeys.\n\n\nBuild Invariant Coverage Matrix\nBefore specialist pass 1, map critical invariants to every mutating path (HTTP routes, webhooks, async jobs, scripts):\n\nData-link invariants: multi-table relationships that must remain consistent.\nAuth lifecycle invariants: disable/revoke semantics for sessions/tokens/API keys.\nInput/transport invariants: validation, content-type policy, body-size/parse behavior.\nShape invariants: trees/graphs must reject cycles where applicable.\nTreat missing parity across equivalent paths as a finding candidate.\n\nPass 1 Specialist Reviews\nRun role-specific analysis in this order:\n\nSecurity\nPerformance\nUX\nDX\nEdge case master\nCapture findings using the schema in references/audit-framework.md.\n\nTie-Breaker Reconciliation\nResolve disagreements:\n\nDecide whether contested items are true issues.\nSet severity and confidence.\nRemove duplicates and merge overlapping findings.\n\nCross-Review Pass 2\nAfter edge-case findings, rerun specialists:\n\nSecurity/Performance/UX/DX reassess prior findings and new edge-triggered scenarios.\nEdge case master performs a final pass on residual risk after proposed mitigations.\n\nFinal Report\nPublish one document from the tie-breaker lead with:\n\nFindings first (ordered by severity, then blast radius, then exploitability).\nOpen questions/assumptions.\nRemediation plan with priority, owner type, and verification tests.\nShort executive summary at the end."
      },
      {
        "title": "Quality Bar",
        "body": "Enforce these requirements:\n\nUse concrete evidence with file references and line numbers where available.\nInclude reproduction steps for security/performance/edge findings when feasible.\nPrefer actionable fixes over abstract advice.\nSeparate confirmed defects from speculative risks.\nMark confidence for each finding.\nRun a cross-route consistency sweep: equivalent endpoints/jobs must enforce equivalent invariants.\nFor each High/Critical finding, include at least one focused regression test/check."
      },
      {
        "title": "Safety and Policy Guardrails",
        "body": "Apply these guardrails while auditing:\n\nDo not provide operational abuse instructions or exploit weaponization details.\nEvaluate manipulative UX patterns as legal/trust/reputation risk, not as recommended growth tactics.\nPrioritize user safety, system integrity, and maintainable engineering outcomes."
      },
      {
        "title": "Output Format",
        "body": "Follow this response structure:\n\nFindings\nList only validated issues. Use the finding schema in references/audit-framework.md.\n\n\nOpen Questions / Assumptions\nState missing context that could change priority or validity.\n\n\nChange Summary\nSummarize high-impact remediation themes in a few lines.\n\n\nSuggested Verification\nList focused tests/checks to confirm each major fix."
      },
      {
        "title": "Runtime Heuristics",
        "body": "When the target stack is Bun + SQLite, apply the runtime-specific checklist in references/audit-framework.md (Runtime-Specific Heuristics (Bun + SQLite)) before finalizing findings."
      }
    ],
    "body": "Audit Code\nOverview\n\nRun an expert-panel audit with strict sequencing and one unified output document. Produce findings first, sorted by severity, with file references, exploit/perf/flow impact, and actionable fixes.\n\nLoad references/audit-framework.md before starting the analysis.\n\nRequired Inputs\n\nCollect or infer the following:\n\nAudit scope: paths, modules, PR diff, or whole repository.\nProduct context: PRD/spec/user stories, trust boundaries, and critical business flows.\nRuntime context: deployment model, queue/cron/background jobs, traffic profile, data sensitivity, and abuse assumptions.\nConstraints: timeline, acceptable risk, and preferred remediation style.\n\nIf product context is missing, state assumptions explicitly and continue.\n\nTeam Roles\n\nUse exactly these roles:\n\nSecurity expert\nPerformance expert\nUX expert\nDX expert\nEdge case master\nTie-breaker team lead\n\nThe tie-breaker lead resolves conflicts, prioritizes issues, and produces the final single report.\n\nWorkflow\n\nFollow this sequence every time:\n\nBuild Context Read code + product flows. Identify assets, entry points, high-risk operations, privileged actions, external dependencies, and \"failure hurts\" journeys.\n\nBuild Invariant Coverage Matrix Before specialist pass 1, map critical invariants to every mutating path (HTTP routes, webhooks, async jobs, scripts):\n\nData-link invariants: multi-table relationships that must remain consistent.\nAuth lifecycle invariants: disable/revoke semantics for sessions/tokens/API keys.\nInput/transport invariants: validation, content-type policy, body-size/parse behavior.\nShape invariants: trees/graphs must reject cycles where applicable. 
Treat missing parity across equivalent paths as a finding candidate.\nPass 1 Specialist Reviews Run role-specific analysis in this order:\nSecurity\nPerformance\nUX\nDX\nEdge case master Capture findings using the schema in references/audit-framework.md.\nTie-Breaker Reconciliation Resolve disagreements:\nDecide whether contested items are true issues.\nSet severity and confidence.\nRemove duplicates and merge overlapping findings.\nCross-Review Pass 2 After edge-case findings, rerun specialists:\nSecurity/Performance/UX/DX reassess prior findings and new edge-triggered scenarios.\nEdge case master performs a final pass on residual risk after proposed mitigations.\nFinal Report Publish one document from the tie-breaker lead with:\nFindings first (ordered by severity, then blast radius, then exploitability).\nOpen questions/assumptions.\nRemediation plan with priority, owner type, and verification tests.\nShort executive summary at the end.\nQuality Bar\n\nEnforce these requirements:\n\nUse concrete evidence with file references and line numbers where available.\nInclude reproduction steps for security/performance/edge findings when feasible.\nPrefer actionable fixes over abstract advice.\nSeparate confirmed defects from speculative risks.\nMark confidence for each finding.\nRun a cross-route consistency sweep: equivalent endpoints/jobs must enforce equivalent invariants.\nFor each High/Critical finding, include at least one focused regression test/check.\nSafety and Policy Guardrails\n\nApply these guardrails while auditing:\n\nDo not provide operational abuse instructions or exploit weaponization details.\nEvaluate manipulative UX patterns as legal/trust/reputation risk, not as recommended growth tactics.\nPrioritize user safety, system integrity, and maintainable engineering outcomes.\nOutput Format\n\nFollow this response structure:\n\nFindings List only validated issues. 
Use the finding schema in references/audit-framework.md.\n\nOpen Questions / Assumptions State missing context that could change priority or validity.\n\nChange Summary Summarize high-impact remediation themes in a few lines.\n\nSuggested Verification List focused tests/checks to confirm each major fix.\n\nRuntime Heuristics\n\nWhen the target stack is Bun + SQLite, apply the runtime-specific checklist in references/audit-framework.md (Runtime-Specific Heuristics (Bun + SQLite)) before finalizing findings."
  },
  "trust": {
    "sourceLabel": "tencent",
    "provenanceUrl": "https://clawhub.ai/Swader/agent-skills-audit",
    "publisherUrl": "https://clawhub.ai/Swader/agent-skills-audit",
    "owner": "Swader",
    "version": "0.1.0",
    "license": null,
    "verificationStatus": "Indexed source record"
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/agent-skills-audit",
    "downloadUrl": "https://openagent3.xyz/downloads/agent-skills-audit",
    "agentUrl": "https://openagent3.xyz/skills/agent-skills-audit/agent",
    "manifestUrl": "https://openagent3.xyz/skills/agent-skills-audit/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/agent-skills-audit/agent.md"
  }
}