一键导入
arc-audit
Read-only project/AppSec audit: assets, data map, vuln review; Lark risks via arc:docs.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Read-only project/AppSec audit: assets, data map, vuln review; Lark risks via arc:docs.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
Use .ai-code-index for local search, symbols, profiles, files, stats, refresh, and diagnostics.
Local SAST/SCA/secrets/DAST automation with data-value re-ranking and Arc handoffs.
Current-state task docs; security/audit handoff to detailed subtasks with roles and caliber.
Apply backend architecture, DIP, usecase result boundaries, zap logging, Go constants, and helper limits.
Add low-cost fmt/time or log.Printf timing probes to Go Gin SSR request paths.
Apply Chinese comment conventions; avoid noisy parameter/return boilerplate on obvious usecase contracts.
基于 SOC 职业分类
| name | arc:audit |
| description | Read-only project/AppSec audit: assets, data map, vuln review; Lark risks via arc:docs. |
arc:audit performs read-only engineering and application-security review. It reports evidence-backed risks and recommendations only; it does not patch code or create Lark resources directly.
Two review modes share one skill:
| Mode | Purpose |
|---|---|
general | Architecture, maintainability, tests, dependency health, code-rot taxonomy |
appsec | Cross-project vulnerability / project security audit: assets → data map → soft targets → finding cards |
For CLI scanners (SAST/SCA/secrets/DAST), hand off to arc:security after Phase 1 assets exist—or when the user explicitly wants automation-first.
AppSec methodology lives in references/appsec-playbook.md.
general / appsec), risk focus, optional changed files, authorized environment notes.appsec, also asset table, data map, top hypotheses, manual gaps; optional Lark handoff.docs/arc-routing-matrix.md.arc:clarify if audit scope, environment authorization, or active-test boundaries are vague.arc:security when the user wants local scanner automation, dependency/secrets CLI reports, API fuzz, or authorized DAST—after recon when possible.arc:fix if a concrete failure or confirmed vuln must be repaired.arc:task-doc-progress-conventions before remediation when findings become large, multi-step, cross-module, or tracked implementation work; as role R-task after emitting a Handoff Package (项目定位 / 项目口径 / 功能角色 / findings)—never dump a vague “修安全” task list.arc:build / arc:fix only after task docs exist for tracked remediation, or for a single small confirmed fix the user wants implemented immediately.arc:docs only when Lark is active for audit reports, risk Base rows, remediation tasks, approval gates, or .lark.json.lifecycle[]..ai-code-index/search.sh first for relevant code paths, tests, dependencies, and architecture boundaries..ai-code-index/struct-search.sh for risky code shapes when relevant (auth, SQL, uploads, SSRF, JWT, payments)..lark.json exists, MUST read it before reporting prior risks, tasks, approvals, and audit records.Begin by stating clearly:
"I am using arc:audit to perform a read-only, evidence-backed project review."
When mode=appsec or the user asked for vulnerability/security audit, also state:
"AppSec mode follows the asset → data-map → soft-target playbook; scanners stay in arc:security unless already requested."
NO FINDING WITHOUT EVIDENCE.
NO CODE EDIT DURING AUDIT.
NO LARK AUDIT UPDATE OUTSIDE arc:docs.
NO APPSEC CLAIM WITHOUT PERMISSION CLASS AND DATA YIELD (OR EXPLICIT CAPABILITY-ONLY).
NO MASS AI DEEP-DIVE BEFORE ASSET INVENTORY.
arc:frontend when relevant: Web = React 19 + TypeScript + Vite + Tailwind CSS + shadcn/ui + Zustand + TanStack Query + TanStack Router + React Hook Form + Zod; mobile = React Native + Expo + TypeScript + NativeWind + Zustand + TanStack Query + Expo Router; desktop = Tauri 2 + Web stack; mini-program = Taro 4 + React + TypeScript + Zustand, unless an explicit project exception exists.arc:docs..lark.json is absent and the user did not explicitly trigger or confirm Lark.arc:task-doc-progress-conventions before execution starts.references/appsec-playbook.md when mode is appsec or risk_focus is security/vuln/appsec.arc:audit; authorize and route those to arc:security.general vs appsec), and risk focus.R-recon, write the Handoff Package (定位/口径/角色/assets/data-map/findings/task-seed), then hand to arc:task-doc-progress-conventions (R-task) before any arc:build / arc:fix. Pipeline: ../arc:task-doc-progress-conventions/references/security-audit-task-pipeline.md..lark.json exists or the user explicitly triggered/confirmed Lark, hand off to arc:docs with findings, risk rows, tasks, and approval needs.generaldocs/code-rot-taxonomy.md.appsec (default when user asks 漏洞/安全/AppSec/代码审计 in a security sense)Follow the playbook phases without skipping inventory:
arc:security.assets + data-map + top hypotheses + findings + manual gaps; optional arc:security handoff for automation.00-项目定位与口径.md + 06-task-seed.md with risk-domain groups only; do not author full implementation subtasks here—that is R-task.Do not spend the whole engagement on low-yield host/RCE fantasies while bulk data paths remain unmapped.
arc:task-doc-progress-conventions as the required local planning gate..lark.json only when Lark is active.arc:security or labeled non-coverage.Business Maturity when relevant.Dependency Health.Expert Review Card.9 Tab summary only when evidence supports it.No dedicated runtime scripts. Use:
.ai-code-index/search.sh, struct-search.sh, symbols.sharc:security scripts only after handoff / user request for automationSuggested appsec collectors (adapt per stack):
# examples — prefer project-native equivalents
.ai-code-index/struct-search.sh 'raw SQL|ExecContext|Find\(|jwt|password|upload|webhook'
# list HTTP registrations, OpenAPI, permission matrices, *.yaml configs, deploy scripts
.lark.json.arc:build for implementation, arc:fix for known failures, and arc:security for local scanner/DAST automation. Use this skill for methodology-first read-only review.| parameter | type | required | description |
|---|---|---|---|
project_path | string | yes | Target repository root |
scope | string | no | Whole project, module, PR, or concern |
mode | enum | no | general (default for health/architecture) or appsec (default for vuln/security audit language) |
risk_focus | string | no | Architecture, security, tests, dependencies, performance, maintainability, data, auth, config-deploy |
changed_files | string | no | Optional PR or local diff focus |
environment | string | no | local / test / staging / prod notes; prod active tests require explicit authorization |
Audit Report
- Mode and scope
- Findings by severity (finding cards in appsec mode)
- Evidence
- Impact (permission class + data yield in appsec mode)
- Recommendation
- Residual risks
- Appsec bundle when applicable:
- assets
- data-map
- top hypotheses
- manual-gaps
- optional arc:security handoff
- Handoff Package for R-task when remediation is tracked:
- 项目定位 / 项目口径 / 功能角色
- findings + task-seed (not full subtasks)
- Lark / .lark.json handoff, if applicable