القائمة
Security auditing for MOOLLM skills - static analysis and runtime surveillance
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
استنادا إلى تصنيف SOC المهني
Portable tokens of capability, identity, and access
The grammar rules that make MOOLLM's file system object-oriented. Plural directory names declare element type; UPPERCASE marker files declare interface exports (COM-style, minus the UUIDs); directories are implementation classes exporting every interface whose marker file sits at their root.
Mother skill for platform-descriptor sister skills. Defines what a BIOME is — a bounded region of an ecosystem (coexisting, exchanging, never isolated) for one platform you operate — and what files, subdirectories, and cross-biome bridges every daughter biome inherits.
A skill is documentation that learned to do things.
GNU Emacs as a stateful Lisp machine for agents — daemon, moo-* protocol, emacs.py router, emacs:// URLs, spoken grammar, play-learn-lift.
Schemapedia — schema plugins, families, gateways, formats.yml, mechanism_relations; self-object kernel; delegates to sibling skills.
| name | skill-snitch |
| description | Security auditing for MOOLLM skills - static analysis and runtime surveillance |
| license | MIT |
| tier | 1 |
| allowed-tools | ["read_file","list_dir"] |
| related | ["cursor-mirror","deep-snitch","k-lines","sister-script"] |
| tags | ["moollm","security","audit","patterns","surveillance"] |
Skill Snitch audits MOOLLM skills for security issues through static analysis and runtime surveillance. It's prompt-driven - no Python code, just orchestration via LLM tool calls.
skill-snitch distinguishes between skill types and applies appropriate requirements:
MOOLLM skills are identified by:
CARD.yml and/or SKILL.mdskills/* or PROTOCOLS.ymlRequired files:
CARD.yml - Interface, methods, tools, advertisementsSKILL.md - Protocol documentationREADME.md - GitHub-facing documentationNon-MOOLLM skills (Anthropic MCP skills, generic tools) have no strict file requirements:
.mdc files (Anthropic format)classification:
type: moollm # moollm | anthropic | generic | hybrid
confidence: high
missing_requirements:
- README.md # If MOOLLM but missing
recommendations:
- "Add README.md for GitHub visibility"
Skills with some MOOLLM elements but incomplete structure:
On first invocation, check for and create missing user files:
.moollm/skill-snitch/
├── config.yml # User preferences
├── ignore.yml # Patterns/paths to skip
├── trust-overrides.yml # Manual trust level overrides
├── scan-history.yml # Log of past scans
├── last-scan.yml # Most recent scan results
└── trust-cache.yml # Cached trust assessments
1. Check if .moollm/skill-snitch/ exists
- If not: mkdir -p .moollm/skill-snitch/
2. For each required file, check existence:
- config.yml
- ignore.yml
- trust-overrides.yml
- scan-history.yml
3. Create missing files from templates (see below)
4. Report: "skill-snitch initialized" or "skill-snitch healed: created X files"
# skill-snitch configuration
version: 1
startup_scan:
enabled: false
min_severity: medium
scan_defaults:
include_examples: false
follow_dependencies: true
max_depth: 3
trust_defaults:
unknown_skill: yellow
no_card_yml: orange
external_network: orange
shell_commands: yellow
# Patterns and paths to ignore during scans
version: 1
paths:
- "skills/cursor-mirror/scripts/cursor_mirror.py" # Contains pattern definitions
- "**/*_test.py"
- "**/examples/**"
patterns:
- name: "pattern_definition"
description: "Regex pattern definitions (not actual secrets)"
match: 'AuditPattern\(|r".*\(\?i\)|PATTERN_REGISTRY'
- name: "documentation_example"
description: "Examples in docs"
match: '```.*\n.*password.*\n.*```'
categories_to_skip:
- info # Skip INFO-level findings
# Manual trust level overrides
version: 1
overrides:
# Example:
# skills/trusted-skill/:
# trust: green
# reason: "Reviewed by Don on 2026-01-15"
# expires: 2026-07-15
# Scan history (append-only)
version: 1
scans: []
# Entries added automatically:
# - date: 2026-01-15T20:30:00Z
# skill: skills/adventure/
# findings: 3
# trust: yellow
## SCAN Protocol
When asked to scan a skill:
1. **INIT** - Ensure .moollm/skill-snitch/ exists
2. **Load ignore list**
- Read .moollm/skill-snitch/ignore.yml
- Merge with skill's own .snitch-ignore if present
3. **Read skill metadata**
- Read {skill_path}/CARD.yml
- Note: tools, dependencies, methods
4. **Static scan**
For each file in skill:
- Skip if matches ignore patterns
- Look for:
- Shell commands (curl, wget, ssh, nc)
- External URLs
- Encoded content (base64, hex)
- File access outside workspace
- Undeclared dependencies
5. **Output K-REFs**
For each finding:
- Emit: {path}:{line} # {pattern} | {severity} - {description}
6. **Log scan**
- Append to .moollm/skill-snitch/scan-history.yml
## FETCH-SCAN Protocol
Scan a skill directly from a URL without downloading or installing.
1. **Receive URL**
- User provides any URL: GitHub repo, directory, file, blog post, README
2. **Resolve what it points to**
- GitHub repo URL → list contents via GitHub API or raw.githubusercontent.com
- GitHub directory URL → that's a skill directory, fetch its files
- GitHub file URL → fetch and scan that single file
- Blog post / README → read it, follow links to find skill files (CARD.yml, SKILL.md, *.py)
- Organization / user URL → list repos, identify ones that look like skills
3. **Fetch skill files**
- Fetch via raw.githubusercontent.com (no git clone, no filesystem writes)
- Priority: CARD.yml first (sniffable interface), then SKILL.md, then scripts
- Follow the Semantic Image Pyramid: GLANCE → CARD → SKILL → README → code
4. **Run scan on fetched content**
- Apply same patterns, surfaces, analyzers as local SCAN
- Surface type: "remote" (fetched content, not local files)
- All pattern matching works on content strings, not file paths
5. **Report**
- Trust tier assessment
- Findings with line numbers (relative to fetched content)
- Recommendation: CLONE / REVIEW FIRST / DO NOT INSTALL
- Link back to source URL for manual review
6. **Nothing written to filesystem**
- No clone, no download, no temp files
- The skill was audited in memory
- You decide whether to install AFTER seeing the report
Usage:
FETCH-SCAN https://github.com/someone/their-skill — scan a whole skill repoFETCH-SCAN https://github.com/someone/repo/tree/main/skills/cool-skill — scan one skill directoryFETCH-SCAN https://github.com/someone/repo/blob/main/SKILL.md — scan a single fileFETCH-SCAN https://someone.com/blog/my-new-agent-skill — read the blog, follow links, scan what you findIn WIMP terms: drag and drop a URL onto skill-snitch. It's happy to dive in, find all the skills, and snitch on every one of them. The npm audit before npm install — except you don't even need to install to audit.
## SNITCH Protocol
When asked to snitch on a skill's runtime behavior:
1. **Get composer ID**
- User provides, or find most recent for this skill
2. **Call cursor-mirror's sister script**
python3 skills/cursor-mirror/scripts/cursor_mirror.py deep-snitch --composer {id} --yaml
3. **Load skill's declared behavior**
- From CARD.yml: tools, dependencies
4. **Compare declared vs actual**
- Tools used but not declared?
- Paths accessed outside workspace?
- Network calls made?
5. **Output discrepancies**
DECLARED: tools: [read_file, write_file]
OBSERVED: tools: [read_file, write_file, Shell, WebSearch]
UNDECLARED: [Shell, WebSearch]
## OBSERVE Protocol
Full runtime observation with cursor-mirror. Requires user cooperation.
1. **User exercises the skill**
- User must actually invoke and use the skill
- Test various features, edge cases, inputs
- This requires trusting the skill enough to run it
2. **Gather runtime data via cursor-mirror's sister script**
(skill-snitch invokes these internally)
python3 skills/cursor-mirror/scripts/cursor_mirror.py tools <composer> --yaml
python3 skills/cursor-mirror/scripts/cursor_mirror.py context-sources <composer> --yaml
python3 skills/cursor-mirror/scripts/cursor_mirror.py timeline <composer> --yaml
python3 skills/cursor-mirror/scripts/cursor_mirror.py deep-snitch --composer <id> --yaml
3. **Analyze captured activity**
Tool Analysis:
- All tools called vs CARD.yml declared
- Flag undeclared usage
- Check parameters (paths, URLs, commands)
File Analysis:
- All reads/writes — within workspace?
- Any ~/.ssh, ~/.aws, .env, credentials access?
Network Analysis:
- WebSearch, WebFetch, curl, wget?
- Known services or suspicious endpoints?
Secret Scanning:
- API key patterns in tool results
- Tokens, passwords in output
- Base64-encoded sensitive data
4. **Generate runtime report**
RUNTIME OBSERVATION: skills/target-skill/
Session: <composer-id>
TOOL CALLS:
- read_file: 12 (DECLARED)
- Shell: 2 (UNDECLARED!)
FILES ACCESSED:
- skills/target-skill/*.yml (expected)
- ~/.ssh/config (SUSPICIOUS!)
VERDICT: YELLOW - undeclared Shell usage
Like Little Snitch watches your network, skill-snitch watches skill behavior via cursor-mirror.
Trust tiers:
## TRUST Protocol
1. Run SCAN (static)
2. Run SNITCH (runtime) if composer provided
3. Check trust-overrides.yml for manual override
4. Calculate trust tier:
RED if:
- Any CRITICAL finding
- Reverse shell pattern
- Undeclared network + secrets access
ORANGE if:
- HIGH findings without explanation
- Undeclared shell commands
- No CARD.yml
YELLOW if:
- MEDIUM findings
- Undeclared dependencies
- External URLs
BLUE if:
- Only LOW/INFO findings
- All tools declared
- Known publisher
GREEN if:
- No findings
- Consistency check passes
- Trust override from user
5. Cache result in trust-cache.yml
6. Output assessment with K-REFs to concerns
## CONSISTENCY Protocol
Verify all parts of skill agree:
1. **INDEX.yml ↔ CARD.yml**
- Skill listed in skills/INDEX.yml?
- Path correct?
- Description matches?
2. **CARD.yml ↔ SKILL.md**
- All methods documented?
- Tools match?
3. **CARD.yml ↔ Implementation**
- Declared dependencies imported?
- Declared tools used?
- Undeclared tools/deps?
4. **SKILL.md ↔ README.md**
- Examples current?
- No deprecated features mentioned?
Output drift findings as K-REFs.
If enabled in config.yml:
## SKILL-SCAN Advertisement
On session start:
1. Check config.yml: startup_scan.enabled
2. If enabled:
- List all skills in skills/
- Quick scan each (CARD.yml + *.py only)
- Report summary:
🔍 SKILL-SCAN: 12 skills scanned
✅ 10 clean
⚠️ 2 warnings:
skills/untrusted/ - no CARD.yml
skills/fetcher/ - undeclared network
skill-snitch composes with cursor-mirror. The LLM orchestrates both skills together — you invoke skill-snitch by prompting:
"Snitch on skills/adventure/ in session abc123"
"Observe what skills/target-skill/ did"
Internally, the skill uses cursor-mirror's sister script:
# Deep audit
python3 skills/cursor-mirror/scripts/cursor_mirror.py deep-snitch --composer ID --yaml
# Pattern scan
python3 skills/cursor-mirror/scripts/cursor_mirror.py audit --patterns secrets,shell_exfil --yaml
# Tool usage
python3 skills/cursor-mirror/scripts/cursor_mirror.py tools ID --yaml
The skill abstracts the CLI — you don't need to remember the syntax.
See SCAN-METHODOLOGY.md for the two-phase approach:
Phase 1: Bash Scripts — Fast structural scan of ALL skills
Phase 2: LLM Batched Review — Deep read in batches of 5
Golden Rule: Grep finds. LLM understands.