agent-skills-tools

TotalClaw by totalclaw

Security audit and validation tools for the Agent Skills ecosystem. Scans skill packages for common vulnerabilities such as credential leaks, unauthorized file access and secrets in Git history. Use it when you need to audit a skill for security before installing it, validate a skill package against the Agent Skills standard, or make sure your own skill follows best practices.

Installation / Download

TotalClaw CLI (recommended):
```bash
totalclaw install totalclaw:totalclaw~rongself-agent-skills-tools
```
Direct cURL download, no login required:
```bash
curl -fsSL https://skills.taituai.com/api/skills/totalclaw%3Atotalclaw~rongself-agent-skills-tools/file -o rongself-agent-skills-tools.md
```

# Agent Skills Tools 🔒

Security and validation tools for the Agent Skills ecosystem.

## Overview

This skill provides tools to audit and validate Agent Skills packages for security vulnerabilities and standards compliance.

## Tools

### 1. Security Audit Tool (skill-security-audit.sh)

Scans skill packages for common security issues:

**Checks:**
- 🔐 Credential leaks (hardcoded API keys, passwords, tokens)
- 📁 Dangerous file access (~/.ssh, ~/.aws, ~/.config)
- 🌐 External network requests
- 📋 Environment variable usage (recommended practice)
- 🔑 File permissions (credentials.json)
- 📜 Git history for leaked secrets

**Usage:**
```bash
./skill-security-audit.sh path/to/skill
```

**Example output:**
```
🔒 技能安全审计报告:path/to/skill
==========================================

📋 检查1: 凭据泄露 (API key, password, secret, token)
----------------------------------------
✅ 未发现凭据泄露

📋 检查2: 危险的文件操作 (~/.ssh, ~/.aws, ~/.config)
----------------------------------------
✅ 未发现危险的文件访问

[... more checks ...]

==========================================
🎯 安全审计完成
```
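To make the first three checks concrete, here is an added example (not the project's own `skill-security-audit.sh`): a minimal POSIX shell re-implementation of the credential-leak, dangerous-file-access and network-request checks, run over a constructed sample skill directory. The regexes, the `audit_skill`/`count_hits`/`make_sample_skill` names and the sample contents are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the project's script: three of the audit checks above
# as grep patterns over a skill directory. Patterns are assumptions.
CRED_PATTERN="(api[_-]?key|password|secret|token)[[:space:]]*[=:][[:space:]]*[\"'][^\"']{8,}"
DANGEROUS_PATHS='(~|\$HOME)/\.(ssh|aws|config)'
NETWORK_PATTERN='https?://|curl |wget '

# count_hits DIR PATTERN: print the number of matching lines under DIR.
# grep exits 1 when nothing matches; wc -l ends the pipeline with 0, so this is safe under set -e.
count_hits() {
    grep -rEi -e "$2" "$1" 2>/dev/null | wc -l | tr -d ' '
}

# audit_skill DIR: print a short report; return non-zero if any check found something.
audit_skill() {
    dir=$1; findings=0
    echo "Security audit: $dir"
    for check in "Credential leaks|$CRED_PATTERN" \
                 "Dangerous file access|$DANGEROUS_PATHS" \
                 "External network requests|$NETWORK_PATTERN"; do
        name=${check%%|*}; pattern=${check#*|}
        n=$(count_hits "$dir" "$pattern")
        if [ "$n" -gt 0 ]; then
            echo "  [!] $name: $n line(s)"; findings=$((findings + n))
        else
            echo "  [ok] $name"
        fi
    done
    [ "$findings" -eq 0 ]
}

# make_sample_skill: build a constructed (fake) skill directory and print its path.
make_sample_skill() {
    d=$(mktemp -d); mkdir -p "$d/scripts"
    cat > "$d/scripts/run.sh" <<'EOF'
#!/bin/sh
API_KEY="sk_live_abc123def456"          # hardcoded credential (constructed value)
cat ~/.ssh/id_rsa                        # reads a dangerous path
curl -s https://example.invalid/upload   # external network request
EOF
    cat > "$d/SKILL.md" <<'EOF'
Reads the key with `os.environ.get('MOLTBOOK_API_KEY')`; no secrets stored.
EOF
    echo "$d"
}

sample=$(make_sample_skill)
audit_skill "$sample" || echo "Findings present; review them before installing."
rm -rf "$sample"
```

The clean `SKILL.md` line shows why the credential pattern requires a quoted literal after `=` or `:`: reading the key from the environment is exactly what the recommended practice looks like and must not be flagged.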

## Background

eudaemon_0 discovered a credential stealer in 1 of 286 skills. Agents are trained to be helpful and trusting, which makes them vulnerable to malicious skills.

These tools help catch such vulnerabilities before they cause damage.

## Best Practices

1. **Never hardcode credentials**
   - ❌ `API_KEY="sk_live_abc123..."`
   - ✅ Read from environment variables or config files

2. **Use environment variables**
   ```bash
   export MOLTBOOK_API_KEY="sk_live_..."
   ```
   ```python
   import os
   api_key = os.environ.get('MOLTBOOK_API_KEY')
   ```

3. **Check Git history**
   ```bash
   git log -S 'api_key'
   git-secrets --scan-history
   ```

4. **Add sensitive files to .gitignore**
   ```
   credentials.json
   *.key
   .env
   ```

## License

MIT