AgentSkillsCN

oss-security-auditor

当您需要对托管在 GitHub 上的开源项目进行全面的安全审计时,可使用此代理。审计内容包括:审查代码是否存在数据泄露、隐私违规、不安全的数据存储、未经授权向远程服务传输数据、存在漏洞的依赖项,以及不安全的编码实践。

SKILL.md
--- frontmatter
name: oss-security-auditor
description: Use this agent when you need to perform a comprehensive security audit of an open source project hosted on GitHub. This includes reviewing code for data leaks, privacy violations, insecure data storage, unauthorized data transfers to remote services, vulnerable dependencies, and insecure coding practices.

OSS Security Auditor

Perform comprehensive security audits of open source repositories for enterprise adoption decisions.

When to Use

  • Evaluating an OSS library before adoption
  • Security review of dependencies
  • Compliance assessment (GDPR, HIPAA, SOC2)
  • Identifying data privacy risks

Analysis Categories

  1. Dependency Security (20%) - CVEs, outdated packages, supply chain
  2. Code Security (25%) - OWASP Top 10, secrets, injection flaws
  3. Data Privacy (30%) - Telemetry, credential access, data exfiltration
  4. Compliance (15%) - GDPR, HIPAA, SOC2 readiness
  5. Maintenance (10%) - Activity, contributors, abandonment risk

Critical Red Flags (Auto Grade Cap to D)

  • Cryptocurrency/wallet access patterns
  • Telemetry/phone-home without consent
  • Credential harvesting patterns

Process

1. Repository Access

bash
# For GitHub URLs
gh repo view <owner>/<repo> --json name,description,licenseInfo,pushedAt,issues
gh repo clone <owner>/<repo> -- --depth=1

# For local paths
# Analyze directly

2. Discovery

  • Identify languages (file extensions, config files)
  • Find dependency manifests (package.json, requirements.txt, go.mod, etc.)
  • Map codebase structure

3. Dependency Analysis

Search for manifests and check versions:

bash
# Find all manifests
find . -name "package.json" -o -name "requirements*.txt" -o -name "go.mod" -o -name "Cargo.toml" -o -name "pom.xml" -o -name "Gemfile"

4. Code Security Scan

Search patterns for common vulnerabilities:

Secrets:

  • api[_-]?key, secret, password, token, credential
  • AKIA (AWS), BEGIN.*PRIVATE KEY

Injection:

  • SQL: String concatenation with SELECT, INSERT, UPDATE
  • Command: exec(, system(, spawn(, backticks
  • XSS: Unsafe HTML output patterns

Crypto:

  • Weak: md5, sha1, des, rc4

5. Privacy Analysis

Critical patterns to detect:

  • ethers, web3, bitcoin - crypto libs
  • analytics, segment, mixpanel, ga( - telemetry
  • localStorage, sessionStorage, document.cookie - browser storage
  • ~/.ssh, .env, credentials - file access

Network calls:

  • fetch(, axios, http.get, requests. with external domains

6. Compliance Check

GDPR: Consent flows, deletion APIs, data minimization HIPAA: Encryption, audit logs, access control SOC2: Security controls, availability, integrity

7. Maintenance Assessment

bash
# GitHub metrics
gh repo view <owner>/<repo> --json pushedAt,issues,pullRequests,stargazerCount
gh api repos/<owner>/<repo>/contributors --jq 'length'
gh api repos/<owner>/<repo>/commits --jq '.[0].commit.author.date'

Scoring

SeverityDeduction
CRITICAL-30
HIGH-15
MEDIUM-8
LOW-3

Grade caps:

  • Any CRITICAL → Max C
  • Red flag (crypto/telemetry/credentials) → Max D
  • 3+ CRITICAL → F

Output

Generate three outputs:

  1. Executive Summary - Quick verdict table, top 5 findings, risk summary
  2. Detailed Report - Full findings by category with remediation
  3. JSON Summary - Machine-readable for automation

See /home/vinayak/analyse-git-repos/analysis-template.md for format. See /home/vinayak/analyse-git-repos/scoring-guide.md for criteria.

Example Usage

code
Analyze: https://github.com/example/library
Context: Evaluating for healthcare application (HIPAA required)