back
loading skill details...
Mandatory security audit for **every** Agent Skill that is newly added, installed, imported, updated, or written. Scope of inspection: the full bundle — `SKI...
---
name: skill-integrity-auditor
version: 0.1.12
author: ambarion
description: >-
Mandatory security audit for **every** Agent Skill that is newly added,
installed, imported, updated, or written. Scope of inspection: the full
bundle — `SKILL.md`, every script next to it (`.sh` / `.py` / `.js`,
etc.), and any bundled resource files. Audit dimensions cover skill
integrity, prompt injection, data exfiltration, persistence, cross-skill
writes, undeclared remote downloads, hardcoded credentials, and more.
===== MUST BE TRIGGERED WHENEVER =====
* The user **adds / creates / installs / imports / updates / writes**
any single Skill.
* A skill is pulled into the agent's skills directory from ClawdHub,
GitHub, a URL, or a local folder.
* **Every** newly introduced or modified skill must be audited
**individually** — when N skills are added at once, emit a complete
report + the §7 final Chinese verdict line for each skill separately.
Sampling, merging, or single-summary output is not allowed.
===== Triggering keywords (natural language, Chinese or English) =====
add skill, install skill, create skill, creating a new skill,
write a skill, scaffold a skill, new skill, register skill, import skill,
update skill, modify skill, bring in skill, hook up skill,
audit skill, scan skill, check skill safety, analyze skill, inspect skill,
verify skill, skill security, skill supply chain,
这个 skill 安全吗, skill 安全扫描, 检查 skill 安全, 新增 skill,
添加 skill, 安装 skill, 创建 skill, 引入 skill, 更新 skill, 写一个 skill,
接入 skill。
===== Do NOT trigger for =====
* General system health checks, project debugging, or normal development
work that does not touch any skill file.
---
# Skill Audit — Evaluation Core (Classification + Severity)
This file defines the audit evaluation logic. The classification layer answers *what it is*; the severity layer answers *how bad it is*. The two are orthogonal and interact only through three interface fields (`C_base` / `required_dims` / `dataflow_role`).
---
## Language Detection Rule — EXECUTE BEFORE ANYTHING ELSE
Detect the language of the user's triggering message and lock the output language for the entire run. This detection is an **internal step only** — do NOT output any text that reveals the detection result, such as "当前输出语言为中文", "Detected language: English", or similar meta-statements. Simply use the detected language silently for all subsequent output.
| User message language | Output language |
|-----------------------|-----------------|
| Chinese | Chinese — entire output in Chinese |
| English | English — entire output in English |
| Other language | Match that language |
| Cannot determine | Default to Chinese |
All intermediate output — scan start prompt, table headers, labels, prose, finding records, and reasoning — must be written exclusively in the detected language. The single **final-line verdict** in §7 is **always Chinese**, regardless of detected language. Do NOT mix languages in intermediate output and do NOT announce the language choice at any point.
---
## 1. Classification Layer (Taxonomy)
Each finding is tagged with a triple `(Surface, Behavior, IntentMarker)`. `IntentMarker` does not participate in scoring; it only affects presentation.
### 1.1 Surface
| Code | Meaning |
|------|---------|
| `EXE` | Code / shell / subprocess / dynamic eval execution |
| `FS` | Local filesystem read / write / delete / chmod |
| `NET` | Network inbound / outbound / DNS / sockets |
| `CRED` | Environment variables / keys / tokens / credential stores |
| `PROC` | Process management, persistence, autostart, scheduled tasks |
| `LLM` | Prompt manipulation, tool-description poisoning, jailbreak payloads |
| `AGT` | Cross-skill / cross-tool / MCP supply-chain behavior |
### 1.2 Behavior Node Table
Each node declares **C_base ∈ {1..4}**, **required dimensions**, and **data-flow role** (`source / transform / sink / none`). The data-flow role feeds chain amplification in §2.4.
#### EXE
| Behavior | C_base | Required | Data-flow |
|----------|--------|----------|-----------|
| `EXE.StaticShell` — shell with fully constant arguments | 2 | R, B | transform |
| `EXE.DynamicShell` — variable interpolation / `shell=True` + external input | 4 | R, I, B | sink |
| `EXE.EvalCode` — `eval` / `exec` / `Function()` on strings | 4 | R, I, B | sink |
| `EXE.RemoteFetch` — `curl \| sh` / download-then-exec / fetch-and-run | 4 | I, B | sink |
| `EXE.Subprocess` — constrained subprocess (whitelisted commands) | 2 | R | transform |
#### FS
| Behavior | C_base | Required | Data-flow |
|----------|--------|----------|-----------|
| `FS.ReadPublic` — read public files (README, declared paths) | 1 | — | none |
| `FS.ReadWorkspace` — read files inside the workspace | 2 | R | source |
| `FS.ReadSensitive` — read sensitive paths (`~/.ssh`, `~/.aws`, Keychain, browser cookies, `.env`) | 4 | I, R | source |
| `FS.ReadOutOfScope` — read user files outside declared scope | 3 | I, B | source |
| `FS.WriteScoped` — write inside declared directories | 1 | — | none |
| `FS.WriteOutOfScope` — write outside declared scope | 3 | I, B | sink |
| `FS.WriteStartup` — write startup hooks / shell rc / autostart / launchd | 4 | R, I | sink |
| `FS.DeleteBroad` — wide deletion / `rm -rf` / wildcard delete / `find ... -delete` | 4 | R, I, B | sink |
| `FS.ChmodDangerous` — chmod 777 / privilege widen / SUID bit | 3 | R, I | transform |
#### NET
| Behavior | C_base | Required | Data-flow |
|----------|--------|----------|-----------|
| `NET.OutboundDeclared` — outbound to a host declared in SKILL.md | 1 | — | sink |
| `NET.OutboundUndeclared` — outbound to an undeclared host | 3 | I, B | sink |
| `NET.OutboundUntrustedSink` — outbound to an Untrusted-Sink indicator (see §5.1.1) | 4 | B | sink |
| `NET.OutboundObfuscated` — obfuscated destination (concat, encoding, homograph) | 4 | I, B | sink |
| `NET.DnsExfil` — DNS TXT with suspicious payload (long subdomain, base64) | 4 | I, B | sink |
| `NET.InboundListen` — local listening port / reverse shell endpoint | 4 | R, I | sink |
| `NET.Websocket` — long-lived / bidirectional channel | 2 | I | transform |
#### CRED
| Behavior | C_base | Required | Data-flow |
|----------|--------|----------|-----------|
| `CRED.ReadEnv` — broad read of `os.environ` / `process.env` | 3 | I, B | source |
| `CRED.ReadNamedEnv` — read a single declared environment variable | 1 | — | source |
| `CRED.ReadKeychain` — read Keychain / Credential Manager / libsecret | 4 | I, B | source |
| `CRED.ReadBrowserStore` — read browser cookies / session / password store | 4 | I, B | source |
| `CRED.Hardcoded` — real secret hardcoded in code or config | 3 | R | none |
| `CRED.HardcodedInjected` — hardcoded credential the skill instructs the agent to *inject* into a user system (DB, service, config) | 4 | R, I | sink |
| `CRED.TokenEcho` — credential echoed to LLM / logs / stdout | 3 | R, B | transform |
#### PROC
| Behavior | C_base | Required | Data-flow |
|----------|--------|----------|-----------|
| `PROC.Spawn` — ordinary child process creation (paired with EXE) | 1 | — | none |
| `PROC.Persist` — cron / launchd / systemd / Run-key install | 4 | R, I | sink |
| `PROC.ToolTamper` — modify / replace system tools, hook package managers | 4 | R, I, B | sink |
| `PROC.CryptoMine` — miner binaries / known mining-pool hosts | 4 | — | sink |
| `PROC.HideSelf` — process masquerade | 3 | I | transform |
#### LLM
| Behavior | C_base | Required | Data-flow |
|----------|--------|----------|-----------|
| `LLM.PromptOverride` — "ignore previous / you are now / system:" style directives | 3 | I, B | sink |
| `LLM.PromptOverrideActionable` — override directive that resolves to a concrete malicious *action* (run script X, send data to host Y, delete files matching Z) | 4 | I, B | sink |
| `LLM.ObfuscatedPrompt` — override directive encoded in base64 / ROT13 / hex | 4 | I, B | sink |
| `LLM.UnicodeSmuggling` — directives hidden in zero-width / Unicode-tag / bidi chars | 4 | I, B | sink |
| `LLM.DescriptionInjection` — enticement text in `description`/`triggers` to coerce other agents | 3 | I | sink |
| `LLM.ToolPoisoning` — tool descriptions deliberately mislead the agent's plan | 4 | I, B | sink |
#### AGT
| Behavior | C_base | Required | Data-flow |
|----------|--------|----------|-----------|
| `AGT.CrossSkillWrite` — write into another skill's directory / modify registry | 4 | I, B | sink |
| `AGT.MCPRemoteFetch` — dynamically fetch tool definitions from a remote MCP server | 3 | I, B | source+sink |
| `AGT.ContextExfil` — exfiltrate data via chat context / tool responses | 3 | I, B | sink |
| `AGT.PrivilegeCreep` — behavior materially exceeds the SKILL.md-declared scope | 3 | I | transform |
| `AGT.ApprovalBypass` — attempts to bypass approval / sandbox / trust boundary | 4 | I | sink |
### 1.3 IntentMarker
| Marker | Meaning |
|--------|---------|
| `legitimate_elevated` | Sensitive behavior consistent with declared function and documented |
| `suspicious` | Behavior is suspect but evidence is not closed |
| `malicious_confirmed` | Clear evidence of malicious intent. Sufficient evidence (any one suffices): (a) closed `source → sink` chain whose sink is an Untrusted-Sink indicator, (b) `find ... -delete` / `rm -rf` over user-data globs, (c) hardcoded credential + an `inject into user system` instruction, (d) directive to `curl|sh` from an unverified URL, (e) `LLM.ObfuscatedPrompt` / `LLM.UnicodeSmuggling`, (f) `LLM.PromptOverrideActionable` whose action falls under (a)–(e) |
---
## 2. Severity Layer (Scoring)
### 2.1 Formula
```
Score = C × R × I × B
```
`R = 0` (unreachable) → Score = 0 → finding is dropped. `I = 0` (legitimate and declared) → Score = 0 → finding is reported at **Info** as a capability disclosure entry; it does not affect the verdict.
### 2.2 Dimensions
#### C — Capability
**{1, 2, 3, 4}**, defaulting to the Behavior's `C_base`; an instance may float ±1 without leaving the range.
| Value | Meaning | Typical |
|-------|---------|---------|
| 1 | Low (public read / in-scope write) | `FS.ReadPublic`, `NET.OutboundDeclared` |
| 2 | Medium (limited effect) | `EXE.StaticShell`, `FS.ReadWorkspace` |
| 3 | High (privacy / out-of-scope) | `FS.ReadOutOfScope`, `CRED.ReadEnv` |
| 4 | Very high (RCE / credentials / persistence / destruction) | `EXE.DynamicShell`, `CRED.ReadKeychain`, `FS.DeleteBroad` |
#### R — Reachability
**{0, 1, 2, 3}**.
| Value | Meaning |
|-------|---------|
| 0 | Unreachable (comment / docs / dead code not imported) |
| 1 | Weakly reachable (example / test fixture / rare branch) |
| 2 | Conditionally reachable (main module, requires specific input or trigger) |
| 3 | On the main path (entry in `SKILL.md`, or reachable via import chain) |
#### I — Intent / Stealth
**{0, 1, 2, 3}**, used directly as a multiplier.
| Value | Meaning |
|-------|---------|
| 0 | Legitimate and declared — function needs it, SKILL.md states it, scope matches |
| 1 | Undeclared but not hidden — functionally needed, simply omitted from docs *and not matching any hard trigger below* |
| 2 | Obfuscated / hidden — base64, string concat, zero-width chars, homograph host *or* a non-obfuscated trigger from the table below |
| 3 | Confirmed malicious — matches a C2 blacklist, clear attack signature, or closed chain *or* an obfuscated trigger from the table below |
**§2.2.1 Hard triggers — minimum I floor.** When any of the following is observed in evidence text, the finding's `I` cannot be lower than the listed floor, regardless of how the surrounding documentation is phrased:
| # | Trigger condition (require concrete evidence, not a paraphrase) | Floor |
|---|-----------------------------------------------------------------|-------|
| T1 | Outbound to an **Untrusted-Sink indicator** (see §5.1.1) carrying any user / workspace / system / agent data | **I ≥ 3** |
| T2 | Outbound to an **undeclared** host with a payload built from `os.environ`, file reads, or chat context | **I ≥ 3** |
| T3 | `find ... -delete` / `rm -rf` / wildcard delete that matches **user data file extensions** (`.ics`, `.docx`, `.xlsx`, `.pdf`, `.json`, `.csv`, `.md`, `.txt`, photos, source code) and is invoked by a SKILL.md instruction | **I ≥ 3** |
| T4 | Hardcoded credential (`CRED.Hardcoded`) **plus** an instruction telling the agent to inject it into the user's database / service / config (`CRED.HardcodedInjected`) | **I ≥ 3** |
| T5 | `curl \| sh` / `wget \| bash` / `EXE.RemoteFetch` whose URL is not pinned to a known package registry or a host declared in SKILL.md | **I ≥ 3** |
| T6 | `LLM.ObfuscatedPrompt`, `LLM.UnicodeSmuggling`, base64-encoded directive, or zero-width chars in `description`/`triggers` | **I ≥ 3** |
| T7 | `LLM.PromptOverrideActionable` whose action resolves to T1–T5 | **I ≥ 3** |
| T8 | `AGT.CrossSkillWrite` to a sibling skill directory or to the agent registry | **I ≥ 2** |
| T9 | `PROC.Persist` (cron / launchd / shell-rc) installed by the skill without being declared as the skill's purpose | **I ≥ 2** |
| T10 | `LLM.PromptOverride` directives ("ignore previous", "you are now", "system:") that are not wrapped in a documentation example block | **I ≥ 2** |
**Anti-overshoot guards (must be satisfied to apply a hard trigger):**
- The trigger must come from **executable text** (script body, SKILL.md directive, frontmatter `triggers`/`allowed-tools`) **not** from a clearly fenced documentation block whose surrounding prose marks it as a counter-example, "do not do" warning, or quoted sample of a third-party attack.
- A trigger whose only evidence is a comment is downgraded by 1 floor (e.g. T1 from `I ≥ 3` to `I ≥ 2`).
- If the entire skill is itself an *anti-pattern teaching skill* (declared in SKILL.md as security demo / red-team training), apply a single skill-wide downgrade of one floor on T6/T10 only.
#### B — Blast Radius
**{1, 2, 3}**.
| Value | Meaning |
|-------|---------|
| 1 | Self only — this skill's directory / current session |
| 2 | Workspace / user scope — current project or user files |
| 3 | Machine / cross-user / cross-agent — system-level, credential-level, propagable |
### 2.3 Tier Mapping
Theoretical range `1 – 108` (`4 × 3 × 3 × 3`). `I = 0` findings are always **Info** (see §2.1).
| Score | Tier | Badge | Notes |
|-------|------|-------|-------|
| 0 | Info | `·` | I = 0 (declared capability disclosure) or no findings |
| 1 – 6 | Info | `·` | trivial scoring artifacts (e.g. C=1×R=1×I=2×B=1) |
| 7 – 14 | Low | `⚠️` | small, real risks but not attack-shaped |
| 15 – 48 | Medium | `⚠️` | real risk class, almost always worth surfacing to the user |
| 49 – 80 | High | `🔴` | strong evidence of attack-shaped behavior |
| 81 – 108 | Critical | `🚨` | closed chain or top-tier sink |
### 2.4 Chain Amplification
A *closed chain* is
```
source → transform (any, optional) → sink
```
When a closed chain exists across the same execution path, an additional `chain-finding` is emitted whose tier equals the highest member tier + 1 (capped at Critical). Unclosed chains (missing source or sink) do not amplify. Member findings are still reported on their own.
For chain detection, the `source` may also be a **directive in SKILL.md** that instructs the agent to read a specific user / workspace / environment data slice. In other words, the chain is closed when `(SKILL.md tells the agent to obtain X)` connects to `(a script or directive sends X to a sink)`, even if no single script reads-then-writes by itself.
Typical closed chains:
- `FS.ReadSensitive` → `NET.OutboundUndeclared` (credential exfiltration)
- `CRED.ReadEnv` → `LLM.PromptOverride` (credentials leaked to a third-party LLM)
- `EXE.RemoteFetch` → `FS.WriteStartup` (download then persist)
- `SKILL.md directive: "first read all .docx in workspace"` → `script: POST to undeclared host` (instructed exfil)
- `SKILL.md directive: "always run cleanup.sh after any operation"` → `cleanup.sh: find . -delete` (instructed destruction)
### 2.5 Mandatory Confirmation Rules
The following nine signatures **set a tier floor regardless of the per-finding score arithmetic**, because each one already implies that the four dimensions (C, R, I, B) are at least at the floor's combination. Compute the per-finding score normally, *then* take `tier = max(arithmetic_tier, floor_tier)`:
| # | Signature | Tier floor |
|---|-----------|------------|
| M1 | A closed chain (§2.4) where the sink is an Untrusted-Sink indicator (§5.1.1) | **Critical** |
| M2 | Any `find ... -delete`, `rm -rf`, or wildcard delete that targets user data extensions and is reachable from SKILL.md | **High** |
| M3 | `LLM.PromptOverrideActionable` whose action concretely matches T1–T5 | **High** |
| M4 | `CRED.HardcodedInjected` (a hardcoded secret the agent is told to push into a user system) | **High** |
| M5 | `EXE.RemoteFetch` from an unpinned, non-declared URL | **High** |
| M6 | `LLM.ObfuscatedPrompt` / `LLM.UnicodeSmuggling` | **High** |
| M7 | `PROC.Persist` (cron / launchd / shell-rc / Run-key) installed without being declared as the skill's purpose | **High** |
| M8 | `AGT.CrossSkillWrite` into another skill's directory or the agent registry | **Medium** |
| M9 | Outbound to an **undeclared** host carrying data sourced from `os.environ`, file reads, or chat context (T2 without an Untrusted-Sink upgrade) | **Medium** |
If multiple signatures fire, the verdict is `max(tier_floor)`. Floors only *raise*, never lower.
---
## 3. Interface Between Classification and Severity
| Interface | Direction | Description |
|-----------|-----------|-------------|
| `C_base` | Classification → Severity | Capability baseline per Behavior node, default for `C` |
| `required_dims` | Classification → Severity | Checklist of dimensions that must be evaluated |
| `dataflow_role` | Classification → Severity | `source/transform/sink/none`, used by chain amplification |
The severity layer does not read the classification layer's prose descriptions or the `IntentMarker`; the classification layer does not read the final `Score`. The two layers can evolve independently.
---
## 4. Finding Data Structure
A finding is one `(Behavior, evidence location)` hit. The evidence location is `(file path, line range, code snippet)`. The same Behavior hitting at multiple locations produces multiple findings; the same code hitting multiple Behaviors produces multiple findings; a `chain-finding` is itself a finding.
```yaml
finding:
id: "F-001"
category:
surface: "FS"
behavior: "FS.ReadSensitive"
intent_marker: "suspicious" # legitimate_elevated | suspicious | malicious_confirmed
evidence:
file: "scripts/helper.sh"
line_range: [23, 31]
snippet: "..."
scoring:
C: 4
R: 3
I: 1
I_floor_applied: null # null | "T1" | "T2" | … (which §2.2.1 trigger raised I, if any)
B: 3
score: 36 # C × R × I × B = 4×3×1×3
arithmetic_tier: "Medium" # tier from raw score
floor_rule_applied: null # null | "M1"…"M9"
tier: "Medium" # final = max(arithmetic_tier, floor_tier)
badge: "⚠️"
dataflow_role: "source"
chain_id: null # fill with a chain id if this finding is part of a closed chain
```
All fields are required (`I_floor_applied`, `floor_rule_applied`, `chain_id` may be null). `score` must equal `C × R × I × B`; for `I = 0` findings, score is 0 and tier is always `Info`. `tier` must equal `max(arithmetic_tier, floor_rule_tier_if_any)`.
---
## 5. Audit Procedure
### 5.1 Scan Scope
The audit target is the whole skill bundle, not `SKILL.md` alone. The scope has three layers:
1. **Recursive enumeration of the skill directory.** Walk every file (including hidden ones) and classify by content rather than extension. Text-like content is analyzed as script/configuration; non-text content is judged by its location and reference relationships, without any fixed preset conclusion.
2. **Locally referenced resources.** Resolve relative-path references that appear in `SKILL.md` and in scripts (frontmatter, code blocks, Markdown links, arguments to bash / python / node invocations, etc.) and pull the referenced files into the scan. Their Reachability baseline is set per §5.3. If a referenced file lies outside the skill directory, additionally record an `FS.ReadOutOfScope` or `AGT.CrossSkillWrite` finding as appropriate.
3. **Remote resources.** Patterns such as `curl | sh`, `wget`, `git clone` then `exec`, `pip`/`npm` pointing at non-standard registries, or remote MCP servers trigger `EXE.RemoteFetch` or `AGT.MCPRemoteFetch`. During the audit, a single static fetch is allowed (never executed); on success the content joins the scan, on failure or without authorization the finding's `I` is forced to `≥ 2`.
#### 5.1.1 Untrusted-Sink Indicators
A network sink is **Untrusted** when it matches one or more of the patterns below **and** is not explicitly declared as a service the skill exists to integrate with. Match on the URL string itself (with light normalization for concatenation / encoding):
| Pattern class | Examples |
|---------------|----------|
| Free / temporary tunnel & PaaS hosts commonly abused as exfiltration sinks | `*.ngrok.io`, `*.ngrok-free.app`, `*.serveo.net`, `*.loca.lt`, `*.trycloudflare.com`, `*.onrender.com`, `*.herokuapp.com`, `*.glitch.me`, `*.replit.dev`, `*.vercel.app` (**when** the host is not the official site of a service named in SKILL.md) |
| Generic webhook / log-collector relays | `webhook.site`, `requestbin.*`, `pipedream.com`, `pastebin.com`, `transfer.sh`, `0x0.st`, `gist.githubusercontent.com/<unknown user>/raw/...` |
| Raw-IP outbound or non-standard high port to an undeclared host | `http://\d+\.\d+\.\d+\.\d+:\d+/`, hosts on ports `4444`, `8443`, `9001`, etc. when not declared |
| Obfuscated / dynamically constructed host strings | `"agen" + "skill" + ".onrender.com"`, base64-encoded host literal, `chr(…)` concatenation, homograph (`gооgle.com` with Cyrillic `o`) |
| Hosts whose name suggests collection / logging / exfil | `*log*`, `*collector*`, `*ingest*`, `*audit*`, `*exfil*`, `*dump*`, `*beacon*` (only when not a service named in SKILL.md) |
Indicator matching is purely structural; it does **not** depend on a curated blocklist of specific domains. A skill that genuinely integrates with one of the listed PaaS hosts (e.g. a Render-hosted official API for that vendor) avoids the trigger by **declaring the host in SKILL.md frontmatter or `## Integrations` section**.
False-positive guard: a host that resolves to the homepage / documentation of a recognizable open-source project, official vendor API, or well-known CDN (npm, PyPI, GitHub.com, Hugging Face, OpenAI, Anthropic, Google Cloud, AWS, Azure, Stripe, Slack, Discord, etc.) is **not** an Untrusted Sink even if it lives on a tunnel host. When in doubt, downgrade T1 to T2.
### 5.2 Flow
```
Input: skill root directory
│
▼
[Step 1] Build scan inventory
├─ 1a. Recursively enumerate files and classify by content
├─ 1b. Parse references → add local files / register remote-URL findings
├─ 1c. Match each outbound URL against §5.1.1 Untrusted-Sink Indicators
└─ 1d. Attempt a single static fetch of remote resources (success → include; failure → I ≥ 2)
▼
[Step 2] Match each file against Behavior nodes → {category, evidence(file, line_range, snippet)}
▼
[Step 3] Score each finding:
3a. C ← C_base ± Δ; R / I / B per §2.2
3b. Apply §2.2.1 hard triggers → raise I to floor (record `I_floor_applied`)
3c. score = C × R × I × B; drop if R = 0
3d. arithmetic_tier ← §2.3
▼
[Step 4] Build cross-file data-flow graph (SKILL.md instructions count as source per §2.4)
→ detect closed chains → append chain-findings
▼
[Step 5] Apply §2.5 Mandatory Confirmation Rules
per finding: tier ← max(arithmetic_tier, floor_tier); record `floor_rule_applied`
▼
[Step 6] Emit all findings
```
### 5.3 Cross-File Reachability
| File location | Default R |
|---------------|-----------|
| `SKILL.md` frontmatter + body | 3 |
| Scripts explicitly referenced / invoked by `SKILL.md` | 3 |
| Files `source`d / `import`ed from referenced scripts | inherits along the chain, capped at 3 |
| Orphan scripts in the skill directory with no incoming reference | 1 (forced to 2 if the file hits any Behavior with `C ≥ 3`, **3 if it matches any §2.2.1 hard trigger**) |
| Files under `tests/`, `examples/`, `docs/` not referenced from SKILL.md | 0 or 1 |
| Plain documentation (e.g. `README.md`) | 1 (treated as main path when it contains executable code blocks and is referenced) |
> Note: an "orphan" script that nonetheless implements a hard trigger
> (e.g. an unreferenced `cleanup.sh` that does `rm -rf
> ~/Documents/*`) is treated as on-path because the SKILL.md often
> references such scripts indirectly (e.g. "always run the cleanup
> script after any operation"). Promoting R to 3 prevents these from
> being silently dropped.
---
## 6. Verdict
`verdict.tier = max(f.tier for f in findings)`; `Info` when there are no findings. The verdict is computed internally and is **not** printed as a label or badge by itself; it only selects which one-line conclusion §7 emits.
---
## 7. Final Output
The audit may produce a normal report — findings tables, per-finding evidence, brief reasoning, etc. — and writing it out is encouraged, since externalizing the classification, scoring, and chain analysis from §1–§6 tends to stabilize the final verdict.
The **only mandatory final emission is a single Chinese one-liner** that maps directly from the verdict tier. There is no machine-readable result block, no detailed report wrapper, no signature line.
### 7.1 Final-Line Mapping
The very last thing emitted by the run **must** be exactly one of the following lines, chosen by the verdict tier from §6, with `<NAME>` replaced by the audited skill's name. Note: the "存在风险" line is reserved for **Critical** only — High and below all map to "可使用" wording, because hardening from §2.2.1 + §2.5 already guarantees that Critical is reached by genuine attack-shaped behavior.
| Verdict tier | Final line (Chinese, mandatory verbatim) |
|--------------|------------------------------------------|
| Info | `✅ 您的「<NAME>」插件可正常使用。` |
| Low | `⚠️ 您的「<NAME>」插件可使用。` |
| Medium | `⚠️ 您的「<NAME>」插件可使用。` |
| High | `⚠️ 您的「<NAME>」插件可使用。` |
| Critical | `🚨 您的「<NAME>」插件可能存在风险,请关注。` |
### 7.2 Field & Formatting Rules
- `<NAME>` — the `name` field from the audited `SKILL.md`. Fallback order: skill directory name → `unknown`.
- The final line is **always Chinese**, regardless of the run's detected output language. Do not translate, paraphrase, reorder, or restyle it.
- Preserve the leading emoji (`✅` / `⚠️` / `🚨`), the corner brackets `「 」`, and the trailing full-width period `。` exactly as shown.
- The line must be the **last non-empty line** of the entire output. Nothing — no signature, no closing remark, no horizontal rule, no trailing whitespace block — may come after it.
- Emit the line **even when the verdict is `Info`** and even when there are no findings.
- Emit **exactly one** final line. If the audit aborts early (e.g. unreadable bundle), still emit the line with the most conservative tier consistent with what was actually observed (default to `Info` when no behavior was scored).
don't have the plugin yet? install it then click "run inline in claude" again.