Skill Audit — Evaluation Core (Classification + Severity)

This file defines the audit evaluation logic. The classification layer answers what it is; the severity layer answers how bad it is. The two are orthogonal and interact only through three interface fields (C_base / required_dims / dataflow_role).

Language Detection Rule — EXECUTE BEFORE ANYTHING ELSE

Detect the language of the user's triggering message and lock the output language for the entire run. This detection is an internal step only — do NOT output any text that reveals the detection result, such as "当前输出语言为中文", "Detected language: English", or similar meta-statements. Simply use the detected language silently for all subsequent output.

All intermediate output — scan start prompt, table headers, labels, prose, finding records, and reasoning — must be written exclusively in the detected language. The single final-line verdict in §7 is always Chinese, regardless of detected language. Do NOT mix languages in intermediate output and do NOT announce the language choice at any point.

1. Classification Layer (Taxonomy)

Each finding is tagged with a triple (Surface, Behavior, IntentMarker). IntentMarker does not participate in scoring; it only affects presentation.

1.1 Surface

1.2 Behavior Node Table

Each node declares C_base ∈ {1..4}, required dimensions, and data-flow role (source / transform / sink / none). The data-flow role feeds chain amplification in §2.4.

EXE

FS

NET

CRED

PROC

LLM

AGT

1.3 IntentMarker

2. Severity Layer (Scoring)

2.1 Formula

Score = C × R × I × B

R = 0 (unreachable) → Score = 0 → finding is dropped. I = 0 (legitimate and declared) → Score = 0 → finding is reported at Info as a capability disclosure entry; it does not affect the verdict.

2.2 Dimensions

C — Capability

{1, 2, 3, 4}, defaulting to the Behavior's C_base; an instance may float ±1 without leaving the range.

R — Reachability

{0, 1, 2, 3}.

I — Intent / Stealth

{0, 1, 2, 3}, used directly as a multiplier.

§2.2.1 Hard triggers — minimum I floor. When any of the following is observed in evidence text, the finding's I cannot be lower than the listed floor, regardless of how the surrounding documentation is phrased:

Anti-overshoot guards (must be satisfied to apply a hard trigger):

• The trigger must come from executable text (script body, SKILL.md directive, frontmatter triggers/allowed-tools) not from a clearly fenced documentation block whose surrounding prose marks it as a counter-example, "do not do" warning, or quoted sample of a third-party attack.
• A trigger whose only evidence is a comment is downgraded by 1 floor (e.g. T1 from I ≥ 3 to I ≥ 2).
• If the entire skill is itself an anti-pattern teaching skill (declared in SKILL.md as security demo / red-team training), apply a single skill-wide downgrade of one floor on T6/T10 only.

B — Blast Radius

{1, 2, 3}.

2.3 Tier Mapping

Theoretical range 1 – 108 (4 × 3 × 3 × 3). I = 0 findings are always Info (see §2.1).

2.4 Chain Amplification

A closed chain is

source → transform (any, optional) → sink

When a closed chain exists across the same execution path, an additional chain-finding is emitted whose tier equals the highest member tier + 1 (capped at Critical). Unclosed chains (missing source or sink) do not amplify. Member findings are still reported on their own.

For chain detection, the source may also be a directive in SKILL.md that instructs the agent to read a specific user / workspace / environment data slice. In other words, the chain is closed when (SKILL.md tells the agent to obtain X) connects to (a script or directive sends X to a sink), even if no single script reads-then-writes by itself.

Typical closed chains:

• FS.ReadSensitive → NET.OutboundUndeclared (credential exfiltration)
• CRED.ReadEnv → LLM.PromptOverride (credentials leaked to a third-party LLM)
• EXE.RemoteFetch → FS.WriteStartup (download then persist)
• SKILL.md directive: "first read all .docx in workspace" → script: POST to undeclared host (instructed exfil)
• SKILL.md directive: "always run cleanup.sh after any operation" → cleanup.sh: find . -delete (instructed destruction)

2.5 Mandatory Confirmation Rules

The following nine signatures set a tier floor regardless of the per-finding score arithmetic, because each one already implies that the four dimensions (C, R, I, B) are at least at the floor's combination. Compute the per-finding score normally, then take tier = max(arithmetic_tier, floor_tier):

If multiple signatures fire, the verdict is max(tier_floor). Floors only raise, never lower.

3. Interface Between Classification and Severity

The severity layer does not read the classification layer's prose descriptions or the IntentMarker; the classification layer does not read the final Score. The two layers can evolve independently.

4. Finding Data Structure

A finding is one (Behavior, evidence location) hit. The evidence location is (file path, line range, code snippet). The same Behavior hitting at multiple locations produces multiple findings; the same code hitting multiple Behaviors produces multiple findings; a chain-finding is itself a finding.

finding:
  id: "F-001"
  category:
    surface: "FS"
    behavior: "FS.ReadSensitive"
    intent_marker: "suspicious"   # legitimate_elevated | suspicious | malicious_confirmed
  evidence:
    file: "scripts/helper.sh"
    line_range: [23, 31]
    snippet: "..."
  scoring:
    C: 4
    R: 3
    I: 1
    I_floor_applied: null         # null | "T1" | "T2" | … (which §2.2.1 trigger raised I, if any)
    B: 3
    score: 36                     # C × R × I × B = 4×3×1×3
    arithmetic_tier: "Medium"     # tier from raw score
    floor_rule_applied: null      # null | "M1"…"M9"
    tier: "Medium"                # final = max(arithmetic_tier, floor_tier)
    badge: "⚠️"
  dataflow_role: "source"
  chain_id: null                  # fill with a chain id if this finding is part of a closed chain

All fields are required (I_floor_applied, floor_rule_applied, chain_id may be null). score must equal C × R × I × B; for I = 0 findings, score is 0 and tier is always Info. tier must equal max(arithmetic_tier, floor_rule_tier_if_any).

5. Audit Procedure

5.1 Scan Scope

The audit target is the whole skill bundle, not SKILL.md alone. The scope has three layers:

1. Recursive enumeration of the skill directory. Walk every file (including hidden ones) and classify by content rather than extension. Text-like content is analyzed as script/configuration; non-text content is judged by its location and reference relationships, without any fixed preset conclusion.
2. Locally referenced resources. Resolve relative-path references that appear in SKILL.md and in scripts (frontmatter, code blocks, Markdown links, arguments to bash / python / node invocations, etc.) and pull the referenced files into the scan. Their Reachability baseline is set per §5.3. If a referenced file lies outside the skill directory, additionally record an FS.ReadOutOfScope or AGT.CrossSkillWrite finding as appropriate.
3. Remote resources. Patterns such as curl | sh, wget, git clone then exec, pip/npm pointing at non-standard registries, or remote MCP servers trigger EXE.RemoteFetch or AGT.MCPRemoteFetch. During the audit, a single static fetch is allowed (never executed); on success the content joins the scan, on failure or without authorization the finding's I is forced to ≥ 2.

5.1.1 Untrusted-Sink Indicators

A network sink is Untrusted when it matches one or more of the patterns below and is not explicitly declared as a service the skill exists to integrate with. Match on the URL string itself (with light normalization for concatenation / encoding):

Indicator matching is purely structural; it does not depend on a curated blocklist of specific domains. A skill that genuinely integrates with one of the listed PaaS hosts (e.g. a Render-hosted official API for that vendor) avoids the trigger by declaring the host in SKILL.md frontmatter or ## Integrations section.

False-positive guard: a host that resolves to the homepage / documentation of a recognizable open-source project, official vendor API, or well-known CDN (npm, PyPI, GitHub.com, Hugging Face, OpenAI, Anthropic, Google Cloud, AWS, Azure, Stripe, Slack, Discord, etc.) is not an Untrusted Sink even if it lives on a tunnel host. When in doubt, downgrade T1 to T2.

5.2 Flow

Input: skill root directory
  │
  ▼
[Step 1] Build scan inventory
  ├─ 1a. Recursively enumerate files and classify by content
  ├─ 1b. Parse references → add local files / register remote-URL findings
  ├─ 1c. Match each outbound URL against §5.1.1 Untrusted-Sink Indicators
  └─ 1d. Attempt a single static fetch of remote resources (success → include; failure → I ≥ 2)
  ▼
[Step 2] Match each file against Behavior nodes → {category, evidence(file, line_range, snippet)}
  ▼
[Step 3] Score each finding:
         3a. C ← C_base ± Δ; R / I / B per §2.2
         3b. Apply §2.2.1 hard triggers → raise I to floor (record `I_floor_applied`)
         3c. score = C × R × I × B; drop if R = 0
         3d. arithmetic_tier ← §2.3
  ▼
[Step 4] Build cross-file data-flow graph (SKILL.md instructions count as source per §2.4)
         → detect closed chains → append chain-findings
  ▼
[Step 5] Apply §2.5 Mandatory Confirmation Rules
         per finding: tier ← max(arithmetic_tier, floor_tier); record `floor_rule_applied`
  ▼
[Step 6] Emit all findings

5.3 Cross-File Reachability

Note: an "orphan" script that nonetheless implements a hard trigger (e.g. an unreferenced cleanup.sh that does rm -rf ~/Documents/*) is treated as on-path because the SKILL.md often references such scripts indirectly (e.g. "always run the cleanup script after any operation"). Promoting R to 3 prevents these from being silently dropped.

6. Verdict

verdict.tier = max(f.tier for f in findings); Info when there are no findings. The verdict is computed internally and is not printed as a label or badge by itself; it only selects which one-line conclusion §7 emits.

7. Final Output

The audit may produce a normal report — findings tables, per-finding evidence, brief reasoning, etc. — and writing it out is encouraged, since externalizing the classification, scoring, and chain analysis from §1–§6 tends to stabilize the final verdict.

The only mandatory final emission is a single Chinese one-liner that maps directly from the verdict tier. There is no machine-readable result block, no detailed report wrapper, no signature line.

7.1 Final-Line Mapping

The very last thing emitted by the run must be exactly one of the following lines, chosen by the verdict tier from §6, with <NAME> replaced by the audited skill's name. Note: the "存在风险" line is reserved for Critical only — High and below all map to "可使用" wording, because hardening from §2.2.1 + §2.5 already guarantees that Critical is reached by genuine attack-shaped behavior.

7.2 Field & Formatting Rules

• <NAME> — the name field from the audited SKILL.md. Fallback order: skill directory name → unknown.
• The final line is always Chinese, regardless of the run's detected output language. Do not translate, paraphrase, reorder, or restyle it.
• Preserve the leading emoji (✅ / ⚠️ / 🚨), the corner brackets 「 」, and the trailing full-width period 。 exactly as shown.
• The line must be the last non-empty line of the entire output. Nothing — no signature, no closing remark, no horizontal rule, no trailing whitespace block — may come after it.
• Emit the line even when the verdict is Info and even when there are no findings.
• Emit exactly one final line. If the audit aborts early (e.g. unreadable bundle), still emit the line with the most conservative tier consistent with what was actually observed (default to Info when no behavior was scored).