一键导入
gk-audit
Audit dependencies and static code for security vulnerabilities and license compliance
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Audit dependencies and static code for security vulnerabilities and license compliance
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
| name | gk-audit |
| agent | security |
| version | 2.0.0 |
| tier | core |
| description | Audit dependencies and static code for security vulnerabilities and license compliance |
run_shell_command — run npm audit, dependency scanners, and SAST toolsread_file — read lockfiles, source code, and license files for static analysisgoogle_web_search — look up CVE databases, security advisories, and license compatibility in real-timegrep_search — scan source for hardcoded secrets, dangerous patterns (eval, exec, innerHTML)| Flag | Description | Reference |
|---|---|---|
| --deps | Audit project dependencies (npm audit, pip audit, etc.) | ./references/deps.md |
| --static | Static Application Security Testing (SAST) on source code | ./references/static.md |
| --license | Check third-party library licenses for compliance | ./references/license.md |
| (default) | Comprehensive security audit | (base skill rules) |
Senior Security Auditor
Identify security vulnerabilities, hardcoded secrets, and license risks within the codebase and its dependencies.
{
"type": "string (required) — deps | static | license",
"severity_threshold": "string (optional, default: low) — low | medium | high | critical",
"context": {
"tech_stack": ["string"],
"files": ["string — paths to lockfiles or source code"],
"policy_rules": "string (optional) — custom security policy"
}
}
npm audit --json or equivalent via run_shell_command for automated dependency vulnerability data| Error | Cause | Recovery |
|---|---|---|
| BLOCKED | No lockfile found | Ask user to run npm install first; explain why lockfile is needed |
| FAILED | SCAN_FAILED | Report the error; provide manual check instructions |
| FAILED | VULNERABILITY_FOUND | Report all CVEs with severity; suggest fix versions; do NOT auto-patch without user approval |
| FAILED | COMPLIANCE_VIOLATION | List offending packages and licenses; recommend alternatives |
reports/audit/{YYMMDD-HHmm}-{slug}.md.<audit_severity_rules> ALWAYS enforced regardless of audit type:
Internal data contract — consumed by the invoking agent, not displayed to users. Agent formats user-facing output per
04_output.md.
{
"status": "completed | failed | blocked",
"format": "json | markdown",
"result": {
"vulnerabilities": [
{
"id": "string",
"severity": "string",
"package": "string",
"description": "string",
"fix_version": "string (optional)"
}
],
"license_issues": [
{
"package": "string",
"license": "string",
"status": "allowed | warning | forbidden"
}
],
"summary_report": "string — high-level audit summary"
},
"report_path": "string (optional) — path where audit report was saved",
"summary": "one sentence describing the audit findings",
"confidence": "high | medium | low"
}
Example (completed):
{
"status": "completed",
"format": "json",
"result": {
"vulnerabilities": [
{ "id": "CVE-2024-12345", "severity": "high", "package": "lodash@4.17.20", "description": "Prototype pollution via merge", "fix_version": "4.17.21" }
],
"license_issues": [
{ "package": "some-lib@1.0.0", "license": "GPL-3.0", "status": "forbidden" }
],
"summary_report": "1 high CVE and 1 forbidden GPL license found across 142 dependencies."
},
"report_path": "reports/audit/260427-1430-audit.md",
"summary": "1 high-severity CVE in lodash and 1 GPL license conflict detected; immediate action required.",
"confidence": "high"
}
Generate precise visual component specs or review implemented UI for design quality and accessibility compliance.
Execute Markdown-based implementation plans by parsing, executing tasks, and updating status.
Validate framework compliance across all agents and skills.
Generate agent and skill files following Gemini Kit templates. Use when creating a new skill or /gk-* command. Use for building agent definitions or extending Gemini Kit.
Audit UI components for WCAG 2.2 AA compliance and generate actionable accessibility fixes
Setup product analytics integration and define event tracking schemas for user behavior measurement