feat: add skill-security-auditor as default example skill #1479
statxc wants to merge 3 commits into eigent-ai:main from
Conversation
@Wendong-Fan @bytecii Please review this PR.

@Wendong-Fan @fengju0213 @Pakchoioioi Please review my PR and give me any feedback.

Any updates for me, please?

Thanks @statxc for the contribution! Could @fengju0213 @Pakchoioioi help review it?
| same "printed page" as the copyright notice for easier | ||
| identification within third-party archives. | ||
|
|
||
| Copyright [yyyy] [name of copyright owner] |
Hi @statxc The copyright line is still the template placeholder [yyyy] [name of copyright owner]. Could you fill this in?
||
| def should_skip(path: Path) -> bool: | ||
| """Return True if path should be skipped (e.g. .git, node_modules).""" | ||
| return any(part in SKIP_DIRS for part in path.parts) |
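Review bot: should_skip tests every component of whatever path it receives, so if the caller passes absolute paths a project checked out under a parent directory named e.g. `build`, `dist` or `env` is skipped wholesale, and because `path.parts` also includes the final file name, any file whose name happens to be in SKIP_DIRS is dropped as well. Suggest testing only the directory components relative to the scan root, e.g. `any(part in SKIP_DIRS for part in path.relative_to(root).parts[:-1])`, and making the same change in scan_secrets.py.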
Hi @statxc Consider checking only the parts relative to the project root instead. Same issue exists in scan_secrets.py
fengju0213 left a comment:
Thanks @statxc, left some comments.
||
| SKIP_DIRS = { | ||
| ".git", "node_modules", "__pycache__", ".venv", "venv", | ||
| "env", ".env", "dist", "build", ".tox", ".mypy_cache", |
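Review bot: `.env` in SKIP_DIRS is the wrong default for a secrets scanner. Combined with should_skip matching any path component, a `.env` file at the project root is never scanned, and dotenv files are one of the most common places hardcoded credentials live. Suggest removing `.env` from this set (the `.venv`, `venv` and `env` virtualenv directories can stay) or only skipping `.env` when it is a directory, and checking whether scan_secrets.py carries the same entry.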
we should also check env?
| lines = content.splitlines() | ||
| for line_num, line in enumerate(lines, 1): | ||
| stripped = line.lstrip() | ||
| if stripped.startswith("#") or stripped.startswith("//"): |
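Review bot: skipping every line that starts with `#` or `//` discards exactly the commented-out credentials (`# old_key = "..."`) that a secrets audit should surface, and it also hides a key that sits on a comment line inside a .env or YAML file. Suggest scanning comment lines as well and attaching an `in_comment` flag to the finding (or lowering its severity) instead of dropping the line; if the goal is to avoid flagging documentation examples, filter on placeholder-looking values rather than on comment syntax.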
This might cause commented keys to be missed.
Branch …-skill-security-auditor-example updated from 30f2c89 to 7f90ec1.
@4pmtong @fengju0213 Thanks for your feedback. Good points! I have fixed them. I'd appreciate it if you would review again.

Please review again. What else should I update?
Related Issue
Closes #1462
Description
Add `skill-security-auditor` as a default example skill that ships with Eigent. This gives all agents built-in security awareness for code auditing, secrets detection, and vulnerability scanning.

What's included:

- `SKILL.md` - Core audit guide with a 6-step workflow: reconnaissance, secrets detection, OWASP Top 10 vulnerability scanning, dependency audit, configuration review, and auth/authorization review. Includes a standardized report format.
- `references/vulnerability-patterns.md` - Detailed detection patterns for injection, auth, crypto, deserialization, SSRF, and file operation vulnerabilities across Python, JavaScript, TypeScript, Go, and Java. Includes framework-specific checks for Django, Flask, Express, and Spring Boot.
- `references/secrets-patterns.md` - Regex patterns for 20+ secret types (AWS, GCP, Azure, GitHub, Slack, Stripe, SendGrid, etc.), database connection strings, and private keys. Includes false-positive reduction rules.
- `scripts/scan_project.py` - Full project scanner that checks for hardcoded secrets, dangerous function calls (by language), and insecure configuration patterns. Supports text and JSON output.
- `scripts/scan_secrets.py` - Focused secrets scanner with false-positive filtering (skips placeholders, env var references, test files by default). Supports `--include-tests` flag.

No code changes required - the existing skill system auto-discovers new example skills from `resources/example-skills/` via `seedDefaultSkillsIfEmpty()` and `skills-scan`. No modifications to Electron, frontend, backend, or build config.

Testing Evidence (REQUIRED)
Script verification:
Both scripts run successfully with stdlib-only dependencies (no pip installs needed), produce correct output in both text and JSON formats, and return appropriate exit codes (0 for clean, 1 for findings).
Project Scan:
Secrets Scan:
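The description above says scan_secrets.py filters placeholders, env var references and test files, and the review comments ask for root-relative directory skipping and for comment lines not to be dropped. The following is an added, stand-alone illustration of how those pieces fit together; it is not the PR's scan_secrets.py and does not reuse its code. The pattern list, placeholder rules, SKIP_DIRS contents and the in-memory SAMPLE_PROJECT are all assumptions constructed for the example.

```python
"""Added illustrative secrets scanner (not the PR's scan_secrets.py)."""
import re
from pathlib import Path, PurePosixPath

# Directory names never worth scanning (assumed set). ".env" is deliberately
# absent: a .env file is one of the most likely places to find a real secret.
SKIP_DIRS = {".git", "node_modules", "__pycache__", ".venv", "venv",
             "dist", "build", ".tox", ".mypy_cache"}
TEST_DIRS = {"test", "tests", "__tests__", "spec"}

# Illustrative subset of secret patterns (assumed here, not the PR's list).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    # value captured in group 1 so it can be checked against the placeholder rules
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|password|passwd|token)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}

# Values that are templates or env-var references rather than real secrets.
PLACEHOLDER_RE = re.compile(
    r"(?i)^(?:<[^>]*>|\$\{[^}]*\}|\$[a-z_][a-z0-9_]*|\{\{[^}]*\}\}|%\([^)]*\)s"
    r"|x{8,}|\*{4,}|(?:your|my|sample|example|dummy|fake|changeme|replace)[-_a-z0-9]*)$")
COMMENT_PREFIXES = ("#", "//", "/*", "*", "--")


def should_skip(rel) -> bool:
    """Skip on directory components only, relative to the project root.

    Testing an absolute path would skip the whole project when a parent
    directory is called e.g. 'build', and testing the file-name component
    would drop files such as '.env'.
    """
    return any(part in SKIP_DIRS for part in PurePosixPath(rel).parts[:-1])


def is_test_file(rel) -> bool:
    rel = PurePosixPath(rel)
    name = rel.name
    return (any(part in TEST_DIRS for part in rel.parts[:-1])
            or name.startswith("test_") or ".test." in name or ".spec." in name
            or name.endswith("_test.py") or name.endswith("_test.go"))


def is_placeholder(value: str) -> bool:
    return PLACEHOLDER_RE.match(value.strip()) is not None


def scan_text(rel: str, text: str) -> list[dict]:
    """Scan one file. Comment lines are scanned too (commented-out credentials
    are a classic leak); the finding is merely tagged with in_comment."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        in_comment = line.lstrip().startswith(COMMENT_PREFIXES)
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if is_placeholder(value):
                    continue
                findings.append({"file": rel, "line": line_no, "kind": kind,
                                 "in_comment": in_comment,
                                 "preview": value[:4] + "..." if len(value) > 4 else value})
    return findings


def scan_files(files: dict, include_tests: bool = False) -> list[dict]:
    """Scan an in-memory {relative_path: content} project (runs offline)."""
    findings = []
    for rel_str, text in files.items():
        if should_skip(rel_str) or (is_test_file(rel_str) and not include_tests):
            continue
        findings.extend(scan_text(rel_str, text))
    return sorted(findings, key=lambda f: (f["file"], f["line"]))


def scan_directory(root: Path, include_tests: bool = False) -> list[dict]:
    """Same scan over a real tree; every path is made root-relative first."""
    files = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if should_skip(rel):
            continue
        try:
            files[rel] = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue
    return scan_files(files, include_tests)


# Constructed sample project exercising each rule; none of these are real secrets.
SAMPLE_PROJECT = {
    "src/config.py": (
        'AWS_ACCESS_KEY_ID = "AKIAABCDEFGHIJKLMNOP"\n'   # constructed key shape
        '# old: PASSWORD = "hunter2hunter2"\n'          # commented-out credential
        'password = "${DB_PASSWORD}"\n'                 # env-var reference, ignored
    ),
    "src/settings.example.py": 'api_key = "<your-api-key>"\n',   # placeholder, ignored
    ".env": "GITHUB_TOKEN=ghp_" + "A" * 36 + "\n",               # constructed token shape
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n(no key material)\n",
    "node_modules/lib/index.js": 'const token = "ghp_' + "B" * 36 + '";\n',  # skipped dir
    "tests/test_auth.py": 'password = "correcthorsebatterystaple"\n',  # skipped by default
}

if __name__ == "__main__":
    results = scan_files(SAMPLE_PROJECT)
    for f in results:
        print(f"{f['file']}:{f['line']} {f['kind']} comment={f['in_comment']} {f['preview']}")
    raise SystemExit(1 if results else 0)   # exit 1 on findings, 0 when clean
```

Run stand-alone it reports the `.env` token, the private key header, the AWS key and the commented-out password (flagged `comment=True`), while the placeholder, the `${DB_PASSWORD}` reference, the `node_modules` file and the test file stay silent; `scan_files(SAMPLE_PROJECT, include_tests=True)` adds the test-file finding. `scan_directory` applies the same rules to a real checkout.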