Dispatch an independent challenger agent to adversarially review a spec or implementation plan against the actual codebase. Catches hallucinated APIs, wrong field names, nonexistent files, and incorrect assumptions. Two modes: (1) spec review — verifies DB model fields, API paths, config attributes, file paths referenced in a design spec, (2) plan review — verifies imports, function signatures, constructor args, file paths in an implementation plan. Use after brainstorming produces a spec, or after writing-plans produces a plan, before execution. Triggers: "review the spec", "review the plan", "challenge this", "check for hallucinations", "design review", "spec review", "plan review", "/design-review".
Graph-driven project understanding using code-review-graph (CRG). Query architecture, modules, callers/callees, impact radius, hotspots, execution flows, and search nodes. Use when: (1) brainstorming and need to understand project structure, (2) writing plans and need impact analysis, (3) user says "understand this project", "how does this module work", "impact analysis", "/explore", (4) reviewing code changes and need blast radius. Requires .code-review-graph/graph.db — run /graph build first if missing.
Manage code knowledge graphs via code-review-graph (CRG). Build, update, and check status of project code graphs stored in .code-review-graph/graph.db. Use when: (1) user says "build graph", "update graph", "graph status", "/graph", (2) Harness init detects CRG, (3) preparing to use /explore commands. Gracefully degrades if CRG is not installed.
SCA 漏洞 AI 降噪与风险优先级评估。对 Grype/Snyk/Xray 等 SCA 工具的漏洞发现进行多维度风险评估,按 P0-P3 分级,过滤噪音(DoS、本地提权、低影响信息泄露),聚焦真正可利用的高风险漏洞。当用户需要对 SCA 扫描结果降噪、漏洞优先级排序、或供应链风险评估时使用。
生成安全审计 skill。两种模式:(1) 项目模式——根据项目文档生成定制化审计 skill;(2) 通用模式——仅指定语言+框架,从参考资料库生成通用审计 skill。当用户想创建安全审计 skill、生成审计规则、或提到"生成安全审计skill"、"创建code review skill"、"生成 Java 审计 skill"时使用。
审计 Docker/容器部署安全。检测 Dockerfile、docker-compose.yml、Kubernetes manifests 中的安全问题:特权容器、root 运行、敏感挂载、资源无限制、密钥泄露、Base Image 不合规、网络暴露等。当审计容器配置、Docker 安全、K8s 部署安全、或检查基础设施安全时使用。支持 Dockerfile、docker-compose.yml、Kubernetes YAML、Helm charts。
审计 Terraform / IaC 代码安全(AWS 基础设施)。检测硬编码凭据、过宽 Security Group(0.0.0.0/0)、IAM 权限过大(Action/Resource *)、S3 公开访问、RDS 未加密/公开、State 文件泄露、ECS/EKS 容器特权、CloudTrail/VPC FlowLog 缺失、不安全 Provider/Module 引用等。当审计 Terraform 代码、IaC 安全评审、AWS 云基础设施配置检查、GitOps 安全审计时使用。支持 HCL(.tf)、Terraform JSON、tfvars、Terragrunt(HCL) 代码。
Audit AI Agent skills for security vulnerabilities including malicious code, remote execution, credential leaks, and supply chain risks. Use when reviewing third-party skills, investigating suspicious behavior, or performing security assessments.