jar-audit-agent
基于 jar-analyzer(SQLite + 内置 MCP)的证据驱动 Java 安全审计技能。核心目标:把“结论”变成“可复现证据 + 可度量覆盖率”。
Install
mkdir -p .claude/skills/jar-audit-agent && curl -L -o skill.zip "https://mcp.directory/api/skills/download/7831" && unzip -o skill.zip -d .claude/skills/jar-audit-agent && rm skill.zipInstalls to .claude/skills/jar-audit-agent
About this skill
jar-audit-agent(Fail-Closed / Evidence+Coverage)
数据源
- DB(SQLite):Freeze/coverage/entry/graph 输入(必须)
- MCP(:20032 SSE):推荐用于取证(agent 可直接调用
get_code_cfr/get_code_fernflower)
禁止事项(防止"自作聪明"导致调用错误)
- 禁止ai重新写 Python/正则/临时脚本去解析 curl 输出、拼 SQL、拼 HTTP URL 例如python3 - <<;只能调用已经存在的
<python> scripts/cli.py <subcommand>(<python>为init输出中检测到的命令)。 - 禁止手写 curl/HTTP 调用:本技能不使用 HTTP 通道;取证只允许走 MCP。
- 禁止用 grep/自写脚本从 MCP tool-results 抽代码:必须用
evidence --mcp-tool-result-file <path>(优先)或--code-json-file/--code-text-file。 - 禁止在错误目录执行 cli:任何
<python> scripts/cli.py ...之前,必须先进入技能根目录。 - 禁止"猜路径/临时注入"取证:禁止扫描
/tmp//var/folders、禁止find猜 tool-results、禁止/dev/stdin/here-doc/echo 注入 JSON;一旦出现 "Do you want to proceed?" / "allow reading from tmp/ …" 立即取消。取证只允许两条路径:--mcp-tool-result-file <Claude 提示的绝对路径>或把 JSON 写入runs/<run_id>/inputs/再--code-json-file。 - 遇到工具不支持/候选未覆盖时必须停下:只能输出"需要扩展 skill(新增向量 sink/规则)",不得写脚本绕过、不得手改
verify_*.jsonl。
环境约束(Environment Constraints)
- Python 命令自动检测:
init命令会自动检测当前系统可用的 Python 命令(优先python,其次python3)。init输出中会显示检测到的 Python 命令,后续所有命令都应使用相同的命令。- 例如:如果
init输出python scripts/cli.py ...,则后续都用python;如果输出python3 scripts/cli.py ...,则后续都用python3。
- Windows 上下文:
- 如果看到路径类似
C:\...,说明你在 Windows 环境。 - 引号:路径参数必须用双引号包裹(例如:
--db "C:\target path\db"),避免空格/特殊字符导致解析错误。
- 如果看到路径类似
- Unix/Linux/macOS 上下文:
- 如果看到路径类似
/home/...或/Users/...,说明你在 Unix 环境。
- 如果看到路径类似
- Session 连续性:
- 当
init完成时,立即捕获输出中的Run ID和 Python 命令。 - 所有后续命令(freeze、reach、next、evidence、submit)必须:
- 使用
init输出中显示的 Python 命令(保持一致) - 完整复制
init输出中显示的命令(包含--run <ID>参数)
- 使用
- 关键:
init命令会在输出中打印下一条完整命令(用=分隔线标记),必须完整复制整行命令,不要只复制部分参数。 - 常见错误:如果看到 "error: the following arguments are required: --run",说明命令被截断了,需要重新查看
init输出并完整复制命令。
- 当
操作细则(避免卡点)
- 详细操作门禁(MCP 文件路径/anchor/SAFE-NEEDS_DEEPER 边界/扩展 sink/结束判定/工作目录)见:
references/TACTICS_LIBRARY.md
MCP 取证(唯一推荐)
- MCP 工具名:
get_code_cfr/get_code_fernflower(返回 JSON,含fullClassCode)
- 取证方式:
- 先调用 MCP
get_code_*(不要阅读/解析返回内容;输出过大时系统会自动落盘到 tool-results 文件) - 立刻调用
<python> scripts/cli.py evidence --mcp-tool-result-file <tool-results/xxx.txt>(<python>为init输出中检测到的命令,自动抽fullClassCode并完成切片+hash 落盘) - 注意:
evidence不会自己去找代码;如果没提供--mcp-tool-result-file/--code-json-file/--code-text-file,工具会 fail-closed 直接报 “missing code input” - 若 MCP 输出未自动落盘且可手动保存:将 MCP 返回 JSON 保存到
runs/<run_id>/inputs/mcp_<candidate_id>.json,然后用--code-json-file
- 先调用 MCP
铁律
- Fact:节点=四元组
(jar_id,class,method,desc);禁止只用名字 join/追链 - Evidence:submit 必须带
snippet_ref或chain_trace或sql_proof,否则拒绝写入 - Report:报告只读 artifacts 编译;
--strict未完成 coverage 直接 fail
状态机(唯一入口)
用 <python> scripts/cli.py(等价 scripts/jaudit.py,<python> 为 init 自动检测的命令):
init:创建runs/<id>/session.json inventory.json rules/ graph_cache/ ...profile --cwd <jar-analyzer>:写 profile 并快照vulnerability.yaml/dfs-sink.json到runs/<id>/rules/freeze --vector <v> --cwd <jar-analyzer>:圈地+降噪+sink_resolutiongraph→reach --vector <v>:可达性/最短链回写 candidatesnext --vector <v> --limit 5:生成 batch(默认按向量batch.size,推荐 5);NEEDS_DEEPER 优先evidence --candidate-id <CID> --batch-id <BID> --code-json-file <mcp.json> --auto-fallback:WARN/BAD 自动 expand→methodsubmit --candidate-id <CID> --batch-id <BID> --status VULN|SAFE|NEEDS_DEEPER:严格模式 VULN 需 GOOD 证据report [--strict]:只读编译audit_report.md(含 Remaining TopK 下一批计划)status:机器可算进度(final=VULN/SAFE;NEEDS_DEEPER 仍算 remaining)
强制运行规程(防“一条就结束”)
你是驾驶员:必须按批次循环,直到满足停止条件才允许 report。
Full Audit(覆盖表 67-84 对应的全套类别)
- 入口:优先用默认队列(
vectors/default_queue.yaml),不要只跑单个向量就下结论。 - 流程:
initprofile --cwd <jar-analyzer>graph(每个 run 只需一次)- 对默认队列里每个
vector执行:freeze --vector <v> --cwd <jar-analyzer>reach --vector <v>- VERIFY LOOP(必须循环,不许只做一条):
next --vector <v> --limit 5- 对 batch 里的每个 candidate:
evidence ... --auto-fallback→submit ... - 继续
next取下一批,直到:- 该向量没有可取候选(next 输出为空/或触发 no candidates),或
- 你已经把所有候选都提交为 final(VULN/SAFE),或
- 你把剩余的全部标记为 NEEDS_DEEPER(并在 reasoning 里写明阻断原因:例如入口不可达/证据不可用/缺少环境信息)。
- 全部向量跑完后再
report(必要时--strict)
什么时候允许生成报告
- 只有在 至少完成一次完整的 VERIFY LOOP(next→evidence→submit→next…) 后才允许
report。 report不是“结束”,只是“当前台账快照”;如果存在 Remaining TopK,你必须继续循环。
You might also like
flutter-development
aj-geddes
Build beautiful cross-platform mobile apps with Flutter and Dart. Covers widgets, state management with Provider/BLoC, navigation, API integration, and material design.
drawio-diagrams-enhanced
jgtolentino
Create professional draw.io (diagrams.net) diagrams in XML format (.drawio files) with integrated PMP/PMBOK methodologies, extensive visual asset libraries, and industry-standard professional templates. Use this skill when users ask to create flowcharts, swimlane diagrams, cross-functional flowcharts, org charts, network diagrams, UML diagrams, BPMN, project management diagrams (WBS, Gantt, PERT, RACI), risk matrices, stakeholder maps, or any other visual diagram in draw.io format. This skill includes access to custom shape libraries for icons, clipart, and professional symbols.
ui-ux-pro-max
nextlevelbuilder
"UI/UX design intelligence. 50 styles, 21 palettes, 50 font pairings, 20 charts, 8 stacks (React, Next.js, Vue, Svelte, SwiftUI, React Native, Flutter, Tailwind). Actions: plan, build, create, design, implement, review, fix, improve, optimize, enhance, refactor, check UI/UX code. Projects: website, landing page, dashboard, admin panel, e-commerce, SaaS, portfolio, blog, mobile app, .html, .tsx, .vue, .svelte. Elements: button, modal, navbar, sidebar, card, table, form, chart. Styles: glassmorphism, claymorphism, minimalism, brutalism, neumorphism, bento grid, dark mode, responsive, skeuomorphism, flat design. Topics: color palette, accessibility, animation, layout, typography, font pairing, spacing, hover, shadow, gradient."
godot
bfollington
This skill should be used when working on Godot Engine projects. It provides specialized knowledge of Godot's file formats (.gd, .tscn, .tres), architecture patterns (component-based, signal-driven, resource-based), common pitfalls, validation tools, code templates, and CLI workflows. The `godot` command is available for running the game, validating scripts, importing resources, and exporting builds. Use this skill for tasks involving Godot game development, debugging scene/resource files, implementing game systems, or creating new Godot components.
nano-banana-pro
garg-aayush
Generate and edit images using Google's Nano Banana Pro (Gemini 3 Pro Image) API. Use when the user asks to generate, create, edit, modify, change, alter, or update images. Also use when user references an existing image file and asks to modify it in any way (e.g., "modify this image", "change the background", "replace X with Y"). Supports both text-to-image generation and image-to-image editing with configurable resolution (1K default, 2K, or 4K for high resolution). DO NOT read the image file first - use this skill directly with the --input-image parameter.
fastapi-templates
wshobson
Create production-ready FastAPI projects with async patterns, dependency injection, and comprehensive error handling. Use when building new FastAPI applications or setting up backend API projects.
Related MCP Servers
Browse all servers
Web FetcherWeb Fetcher uses Playwright for reliable data web scraping and extraction from JavaScript-heavy websites, returning clea
macOS AutomatorAutomate macOS tasks with AppleScript and JavaScript. Control apps, files, and system efficiently using macOS Automator'
TypeScript RefactoringTypeScript Refactoring offers advanced TypeScript/JavaScript code analysis and intelligent refactoring for seamless and
Code RunnerRun Python code online or compile Java programs easily with Code Runner. Test code in 30+ languages instantly in your br
MiniMax MultimodalMiniMax Multimodal JavaScript integrates image, video, text-to-speech, and voice cloning for advanced multimodal experie
Electron Desktop AutomationElectron Desktop Automation streamlines app testing with screenshots, console monitoring, project detection, and debuggi
Stay ahead of the MCP ecosystem
Get weekly updates on new skills and servers.