AgentSkillsCN

security-audit

Audit SkiaSharp's native dependency libraries for security vulnerabilities and CVEs. This is a read-only investigation that produces a security status report with recommendations. Use this skill when the user asks to: audit security issues or CVEs; check the CVE status of each dependency; find security-related issues and their corresponding PR coverage; get an overview of currently open vulnerabilities; see what security work is still pending. Triggers: "security audit", "audit CVEs", "CVE status", "what security issues are open", "check vulnerability status", "security overview", "what CVEs need fixing". This skill is limited to read-only operations. To actually fix issues, use the `native-dependency-update` skill.

SKILL.md
---
name: security-audit
description: >
  Audit SkiaSharp's native dependencies for security vulnerabilities and CVEs.
  Read-only investigation that produces a status report with recommendations.

  Use when user asks to:
  - Audit security issues or CVEs
  - Check CVE status across dependencies
  - Find security-related issues and their PR coverage
  - Get an overview of open vulnerabilities
  - See what security work is pending

  Triggers: "security audit", "audit CVEs", "CVE status", "what security issues are open",
  "check vulnerability status", "security overview", "what CVEs need fixing".

  This skill is READ-ONLY. To actually fix issues, use the `native-dependency-update` skill.
---

Security Audit Skill

Investigate security status of SkiaSharp's native dependencies. Produces a report with actionable recommendations.

ℹ️ This skill is read-only. To create PRs and fix issues, use the native-dependency-update skill.

Key References

Workflow

```
1. Search issues/PRs
2. Get versions from DEPS
3. Web search CVEs
4. Verify fix commits for each CVE
   ├─ Fixed? → Mark clean
   └─ Not fixed? → Flag for action
5. Check false positives
6. Generate report
```

Step 1: Search Issues & PRs

Search mono/SkiaSharp open issues for:

  • CVE numbers (e.g., "CVE-2024")
  • Keywords: "security", "vulnerability"
  • Dependency names: libpng, expat, zlib, webp, harfbuzz, freetype

Search PRs in both mono/SkiaSharp and mono/skia for dependency updates.

Step 2: Get Dependency Versions

```bash
cd externals/skia/third_party/externals/{dep}
git describe --tags --always
```

Only audit security-relevant dependencies (see dependencies.md).

Step 3: Web Search for CVEs

```
"{dependency} CVE {current year}"
"{dependency} security vulnerability"
```

Step 4: Verify Fix Commits (CRITICAL)

⚠️ CVE databases often have WRONG version ranges. Always verify.

```bash
cd externals/skia/third_party/externals/{dependency}

# Check if fix commit is ancestor of current HEAD
git merge-base --is-ancestor {fix_commit} HEAD && echo "FIXED" || echo "VULNERABLE"
```

Example: CVE-2025-27363 claimed FreeType ≤2.13.3 was affected, fix in 2.13.4. Verification showed the fix commit was in 2.13.1 — SkiaSharp's 2.13.3 was already patched.

Step 5: Check False Positives

Before flagging, verify the CVE actually affects SkiaSharp:

  • MiniZip (in zlib) — Not compiled, not vulnerable
  • FreeType's bundled zlib — Separate from Skia's zlib

See dependencies.md for details.

Step 6: Generate Report

Use references/report-template.md.

Priority order:

  1. 🔴 User-reported + no PR
  2. ✅ User-reported + PR ready
  3. 🟡 User-reported + PR needs work
  4. 🆕 Undiscovered CVEs
  5. ⚪ False positives
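Added example, not part of the SkiaSharp skill: a bash version of the Step 4 check that also separates a commit the clone does not have (git exits 128, which the bare `&& FIXED || VULNERABLE` idiom would report as VULNERABLE) from a genuine non-ancestor, and feeds the results into the per-CVE status lines the Step 6 report needs. The demo repository, its tag names and the CVE ids are constructed; `make_demo_repo` only stands in for a real checkout such as `externals/skia/third_party/externals/freetype`.

```bash
# Added example (not the skill's own code). Distinguishes "fix is not in our
# history" from "this clone does not know that commit" (shallow clone, wrong
# repo, typo), which the one-liner in Step 4 conflates.
set -u

# check_cve_fix <repo_dir> <fix_commit_or_tag>
# Prints FIXED / VULNERABLE / UNKNOWN; exit status 0 / 1 / 2 respectively.
check_cve_fix() {
  local repo="$1" fix="$2"
  # Resolve the object first: is it a commit this clone actually has?
  if ! git -C "$repo" cat-file -e "${fix}^{commit}" 2>/dev/null; then
    echo UNKNOWN; return 2
  fi
  if git -C "$repo" merge-base --is-ancestor "$fix" HEAD; then
    echo FIXED; return 0
  fi
  echo VULNERABLE; return 1
}

# audit_cves <repo_dir>   reads "CVE-ID fix_commit" pairs from stdin,
# prints "CVE-ID STATUS" per pair, returns how many are not FIXED.
audit_cves() {
  local repo="$1" cve fix status flagged=0
  while read -r cve fix; do
    [ -n "$cve" ] || continue
    status=$(check_cve_fix "$repo" "$fix") || flagged=$((flagged + 1))
    printf '%s %s\n' "$cve" "$status"
  done
  return "$flagged"
}

# make_demo_repo <dir>: constructed stand-in for a dependency checkout.
# History (HEAD on the first branch): base -> fix-in-history -> release
# Side branch, not merged:            fix-on-other-branch
make_demo_repo() {
  local dir="$1" main
  export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
  export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
  git init -q "$dir"
  git -C "$dir" commit -q --allow-empty -m "base"
  git -C "$dir" commit -q --allow-empty -m "security fix (in our history)"
  git -C "$dir" tag fix-in-history
  main=$(git -C "$dir" rev-parse --abbrev-ref HEAD)
  git -C "$dir" checkout -q -b side
  git -C "$dir" commit -q --allow-empty -m "fix landed on another branch only"
  git -C "$dir" tag fix-on-other-branch
  git -C "$dir" checkout -q "$main"
  git -C "$dir" commit -q --allow-empty -m "release we ship"
}
```

Against a real checkout, run `check_cve_fix externals/skia/third_party/externals/freetype <fix_commit>` after fetching upstream tags, since an unfetched fix commit is reported as UNKNOWN rather than VULNERABLE.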

Handoff

After audit, use native-dependency-update skill:

  • "Merge PR #3458"
  • "Update libwebp to 1.6.0"
  • "Bump libpng to fix CVE-2024-XXXXX"