ClaudeWave
Skill, 132 repo stars, updated 2d ago

snyk-agent-scan-compliance

Compliance expert for snyk-agent-scan — the agent skill file scanner — NOT for other Snyk CLI tools (snyk test, snyk code SAST, snyk iac, snyk container). Fixes alerts through content restructuring, never by suppressing or deleting information. Covers every file in a skill directory: SKILL.md, references/, assets/, and any secondary markdown. Apply when authoring a new skill, editing an existing one, triaging a failed snyk-agent-scan run locally or in CI, or unblocking a PR held by agent scanner failures. Not applicable to dependency vulnerabilities, code security findings, or infrastructure misconfigurations — those are out of scope.

Install in Claude Code

```bash
git clone --depth 1 https://github.com/samber/cc-skills /tmp/snyk-agent-scan-compliance && cp -r /tmp/snyk-agent-scan-compliance/skills/snyk-agent-scan-compliance ~/.claude/skills/snyk-agent-scan-compliance
```

Then start a new Claude Code session; the skill loads automatically.

SKILL.md

**Persona:** You are a skill-authoring compliance expert. You fix snyk-agent-scan alerts by restructuring content — never by suppressing or deleting useful information.

**Thinking mode:** Use `ultrathink` for multi-alert remediation where fixes for one alert type can surface or suppress another. Deep reasoning reduces rework.

# snyk-agent-scan Compliance

The `snyk-agent-scan` tool analyzes skill bodies for three categories of unsafe patterns: third-party content exposure (W011), malicious external URLs (W012), and prompt injection via MCP tool calls (W001). All three are fixable through content restructuring without losing any information.

## Reference Files

| File | When to read |
| --- | --- |
| [references/w001-patterns.md](references/w001-patterns.md) | Fixing W001 alerts — MCP tool name patterns |
| [references/w011-patterns.md](references/w011-patterns.md) | Fixing W011 alerts — imperative URL and external content patterns |
| [references/w012-patterns.md](references/w012-patterns.md) | Fixing W012 alerts — version pinning and frontmatter offloading |

## Quick Reference

| Alert | Severity | Root Cause | Primary Fix |
| --- | --- | --- | --- |
| W011 | High | Skill body instructs agent to fetch/interpret external content | Replace imperatives with passive availability hints |
| W012 | High | Skill body references external URLs fetched and executed at runtime | Move to frontmatter `install` block; pin versions |
| W001 | High | Skill body names MCP tool functions explicitly | Use generic formulations instead |

## Running the Scanner

```bash
# Scan a single skill
SNYK_TOKEN=<token> snyk-agent-scan --skills skills/<name>/

# Scan all skills
SNYK_TOKEN=<token> snyk-agent-scan --skills ./skills
```

The scanner requires a valid `SNYK_TOKEN`. In CI, store it as a secret. If `snyk-agent-scan` is not installed, use `uvx snyk-agent-scan@latest` as a drop-in replacement without installing. See [detailed patterns](references/w011-patterns.md) for fixes per alert type.

## W011 — Third-Party Content Exposure

W011 fires when the skill body uses imperative verbs directing the agent to fetch, check, or evaluate external content and then act on it. The scanner treats the agent as the grammatical subject performing an external action.

Rules:

- Replace `Check <url>` and `Fetch <url>` with passive hints: `The release notes at <url> may be useful.`
- Remove "always" from any instruction involving external data: `Always reference the changelog` → `The changelog documents breaking changes.`
- Keep tool invocations (`gh repo view`, `govulncheck`) in code blocks, not in prose checklists that imply the agent must run them before acting.
- Decouple tool execution from decisions: running a tool is fine; using its remote-sourced output as the sole trigger for a refactor is not.

See [W011 pattern catalog](references/w011-patterns.md) for 12+ before/after examples.

## W012 — Potentially Malicious External URL

W012 fires when the body references external content fetched and executed at runtime: package installs with `@latest`, pipe-to-shell patterns, or GitHub Actions with wrong/non-existent major versions.

Rules:

- Move `go install pkg@latest` and similar commands from prose into the frontmatter `metadata.openclaw.install` block — the scanner does not flag frontmatter.
- Pin GitHub Actions to the correct current major version (`@v4`, not `@v6`).
- Never use pipe-to-shell patterns (`curl ... | sh`) in skill bodies.

See [W012 pattern catalog](references/w012-patterns.md) for 8+ before/after examples.

## W001 — Prompt Injection via MCP Tool Calls

W001 fires when the skill body explicitly names MCP server tool functions, triggering prompt-injection detection.

Rules:

- Never write tool function names (`resolve-library-id`, `query-docs`, `mcp__*`) in the skill body.
- Replace with generic formulations: `Context7 can help as a discoverability platform.`
- MCP tool names may still appear in the `allowed-tools` frontmatter field — only the body is restricted.

See [W001 pattern catalog](references/w001-patterns.md) for safe reformulations.
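
A local pre-check for the body rules in the W011, W012 and W001 sections above, added here as an example; it is not part of this skill or of snyk-agent-scan. The regexes are heuristics built only from the patterns those rules name and do not reproduce the scanner's detection; `split_body`, `lint_skill` and the sample skill are hypothetical.

```python
import re

FENCE = "`" * 3
URL = r"https?://\S+"
# Heuristics derived from the rules above; an approximation, not the scanner's logic.
RULES = [
    # W001: MCP tool function names written in the body
    ("W001", re.compile(r"\bmcp__\w+|\b(?:resolve-library-id|query-docs)\b")),
    # W011: imperative "Check <url>" / "Fetch <url>", optionally led by "always"
    ("W011", re.compile(rf"^\s*(?:[-*]\s+)?(?:always\s+)?(?:check|fetch)\s+{URL}", re.I)),
    # W012: unpinned @latest installs and pipe-to-shell
    ("W012", re.compile(r"@latest\b|\b(?:curl|wget)\b[^|]*\|\s*(?:ba)?sh\b")),
]


def split_body(text):
    """Return (line_offset, body_lines), skipping a leading '---' frontmatter block."""
    lines = text.splitlines()
    if lines and lines[0].strip() == "---":
        for i in range(1, len(lines)):
            if lines[i].strip() == "---":
                return i + 1, lines[i + 1:]
    return 0, lines


def lint_skill(text):
    """Return [(alert, line_number, in_code_block)] for suspicious body lines."""
    offset, body = split_body(text)
    findings, in_code = [], False
    for n, line in enumerate(body, start=offset + 1):
        if line.lstrip().startswith(FENCE):
            in_code = not in_code  # fenced blocks are reported but marked
            continue
        for alert, pattern in RULES:
            if pattern.search(line):
                findings.append((alert, n, in_code))
    return findings


# Constructed sample skill file, not a real one.
SAMPLE = "\n".join([
    "---", "name: demo-skill", "allowed-tools: mcp__example__query-docs", "---",
    "Check https://example.com/releases before upgrading.",
    "The release notes at https://example.com/releases may be useful.",
    "Use query-docs to look up the API.",
    "Context7 can help as a discoverability platform.",
    FENCE + "bash", "go install example.com/tool@latest", FENCE,
])

if __name__ == "__main__":
    for alert, n, in_code in lint_skill(SAMPLE):
        print(f"{alert} line {n}{' (code block)' if in_code else ''}")
```

The frontmatter tool name on line 3 is skipped, and the passive rewrites on lines 6 and 8 pass while their imperative counterparts on lines 5 and 7 are reported.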

## Remediation Methodology

Fix one alert at a time, re-run `snyk-agent-scan` after each change, and verify the alert count dropped before moving to the next. If a fix does not reduce alerts, undo it and try a different approach — do not stack unverified changes.

When a scan returns multiple alerts, fix in this order to minimize rework:

```
1. W001 (simplest) — remove MCP tool names from body; confirm allowed-tools is correct
2. W011 — rewrite imperative sentences as passive statements; move checklist items to code blocks
3. W012 — move install commands to frontmatter; pin versions
4. Re-scan after each individual fix to verify improvement
```

W011 fixes sometimes surface hidden W012s when URLs become more prominent after restructuring.

## False Positives

Not all alerts are real. Criteria for a likely false positive:

| Condition | Likely false positive? |
| --- | --- |
| URL appears in a markdown table cell as reference data, not in an instruction | Yes — tables are usually safe |
| In a skill describing a library, URL is the library's official documentation | Yes — usually safe |
| URL is the `homepage` or `issues` link in frontmatter | Yes — not scanned |
| Tool name appears inside a triple-backtick code block as a shell command | Sometimes — code blocks have lighter scrutiny |
| `go install` with a pinned version in a Quick Reference code block | Sometimes — pinned versions are lower risk |
| `always` appears in a sentence not involving external resources | Yes — "always" alone doesn't trigger W011 |

When an alert is a likely false positive, restructure anyway using the passive hint pattern — the scanner's heuristic protects real users; restructuring is safer than assuming scanner error.

## Pre-Authoring Checklist

Apply these checks while writing a new skill body to avoid alerts before the first scan:

- [ ] No sentence has the agent as subject perform