{"id":"013efe1b-42fe-478b-8c77-ecef8470ad50","shortId":"BG3Zzg","kind":"skill","title":"fix-selected-security-findings","tagline":"Use this skill only when the user explicitly selects security finding IDs to fix. Do not use it to fix all findings or perform broad refactors.","description":"# fix-selected-security-findings\n\n## English\n\n### Purpose\n\nFix explicitly selected security findings.\n\n### Required input\n\n- Finding IDs\n- Audit report or finding details\n- Expected scope\n- Test framework\n\n### Workflow\n\n1. Confirm selected finding IDs.\n2. Locate minimal patch.\n3. Add regression tests.\n4. Run targeted tests if allowed.\n5. Summarize changes and risks.\n6. Do not commit unless explicitly requested.\n\n### Safety rules\n\nDo not fix unselected findings. Do not broaden privileges. Do not make broad refactors.\n\n\n### Canonical finding format\n\n```yaml\nid: F-001\nseverity: Critical | High | Medium | Low | Informational\nconfidence: High | Medium | Low\ncategory:\naffected_code:\nroot_cause:\nexploit_path:\npreconditions:\nimpact:\nevidence:\nminimal_fix:\nregression_test:\nauto_fix_suitability: Safe | Needs Human Review | Do Not Auto-Fix\nnotes:\n```\n\n### v0.6 operational guardrails\n\n- Keep the skill within its stated trigger conditions and the user's explicitly provided scope.\n- Preserve project safety boundaries: audit-only by default; Do not execute exploits, Do not auto-merge, Do not upload private source code or secrets, and do not scan unrelated repositories without explicit user request.\n- Ask for explicit human approval before patching high-risk auth, IAM, governance, funds, terminal, or agent-tooling behavior.\n- Report validation performed, files changed, residual risk, and any skipped future-phase work when finished.\n\n## 中文\n\n### 目的\n\n使用这个 skill 进行修复已选择的安全 finding。它应该帮助审查者把输入边界、风险证据、影响、修复建议和回归测试组织成可复核的安全输出。\n\n### 触发条件\n\n适用于 用户明确指定 finding ID 且授权进行最小修复的场景。如果请求超出这些边界，先说明范围差异，并选择更合适的 prompt、skill 或人工 review 路径。\n\n### 不适用场景\n\n不要用于自动修复所有 finding、无边界重构、未授权提交或高风险改动直接落地。不要把这个 skill 当作自动扫描整个仓库、执行 exploit、上传私有源码或 secrets、自动提交、自动推送或 auto-merge 的许可。\n\n### 操作流程\n\n1. 明确用户给出的目标、允许查看的材料和不能触碰的范围。\n2. 收集必要上下文，但只读取完成任务所需的文件、diff、workflow、fixture 或文档。\n3. 识别 trust boundary、privileged operation、sensitive data、preconditions 和 security impact。\n4. 只报告有 evidence 的 finding；缺少上下文时写 question 或 assumption。\n5. 为 confirmed issue 提出 minimal fix，并规划修复前失败、修复后通过的最小回归测试，以及合法路径保持可用的测试。\n6. 完成后报告验证输出、残余风险和需要人工确认的事项。\n\n### 安全规则\n\n默认 audit-only。未经明确授权，不 patch、不 commit、不 push、不创建 PR、不 merge。不要执行 exploit，不要访问生产系统，不要打印 secrets。涉及 IAM、authz 模型、资金、治理、terminal 执行或 agent-tooling 权限的修复必须进入人工 review。\n\n### 输出要求\n\n使用 canonical finding format。每个 finding 都要包含 severity、confidence、category、affected_code、root_cause、exploit_path、preconditions、impact、evidence、minimal_fix、regression_test、auto_fix_suitability 和 notes。","tags":["fix","selected","security","findings","audit","playbook","edmund-xl","agent-skills","chatgpt","codex","devsecops","mcp"],"capabilities":["skill","source-edmund-xl","skill-fix-selected-security-findings","topic-agent-skills","topic-audit","topic-chatgpt","topic-codex","topic-devsecops","topic-mcp","topic-security","topic-smart-contracts"],"categories":["ai-security-audit-playbook"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/edmund-xl/ai-security-audit-playbook/fix-selected-security-findings","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add edmund-xl/ai-security-audit-playbook","source_repo":"https://github.com/edmund-xl/ai-security-audit-playbook","install_from":"skills.sh"}},"qualityScore":"0.453","qualityRationale":"deterministic score 0.45 from registry signals: · indexed on github topic:agent-skills · 7 github stars · SKILL.md body (2,488 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-05-18T19:13:43.694Z","embedding":null,"createdAt":"2026-05-18T13:21:29.056Z","updatedAt":"2026-05-18T19:13:43.694Z","lastSeenAt":"2026-05-18T19:13:43.694Z","tsv":"'-001':111 '1':58,282 '2':63,285 '3':67,292 '4':71,304 '5':77,313 '6':82,323 'add':68 'affect':123,371 'agent':220,356 'agent-tool':219,355 'allow':76 'approv':207 'ask':203 'assumpt':312 'audit':48,172,329 'audit-on':171,328 'auth':213 'authz':349 'auto':136,146,183,278,384 'auto-fix':145 'auto-merg':182,277 'behavior':222 'boundari':170,295 'broad':30,103 'broaden':98 'canon':105,362 'categori':122,370 'caus':126,374 'chang':79,227 'code':124,190,372 'commit':85,335 'condit':159 'confid':118,369 'confirm':59,315 'critic':113 'data':299 'default':175 'detail':52 'diff':288 'english':37 'evid':131,306,379 'execut':178 'expect':53 'explicit':13,40,87,164,200,205 'exploit':127,179,272,343,375 'f':110 'file':226 'find':5,16,27,36,43,46,51,61,95,106,244,252,265,308,363,366 'finish':238 'fix':2,19,25,33,39,93,133,137,147,319,381,385 'fix-selected-security-find':1,32 'fixtur':290 'format':107,364 'framework':56 'fund':216 'futur':234 'future-phas':233 'govern':215 'guardrail':151 'high':114,119,211 'high-risk':210 'human':141,206 'iam':214,348 'id':17,47,62,109,253 'impact':130,303,378 'inform':117 'input':45 'issu':316 'keep':152 'locat':64 'low':116,121 'make':102 'medium':115,120 'merg':184,279,341 'minim':65,132,318,380 'need':140 'note':148,388 'oper':150,297 'patch':66,209,333 'path':128,376 'perform':29,225 'phase':235 'pr':339 'precondit':129,300,377 'preserv':167 'privat':188 'privileg':99,296 'project':168 'prompt':258 'provid':165 'purpos':38 'push':337 'question':310 'refactor':31,104 'regress':69,134,382 'report':49,223 'repositori':198 'request':88,202 'requir':44 'residu':228 'review':142,261,359 'risk':81,212,229 'root':125,373 'rule':90 'run':72 'safe':139 'safeti':89,169 'scan':196 'scope':54,166 'secret':192,274,346 'secur':4,15,35,42,302 'select':3,14,34,41,60 'sensit':298 'sever':112,368 'skill':8,154,242,259,269 'skill-fix-selected-security-findings' 'skip':232 'sourc':189 'source-edmund-xl' 'state':157 'suitabl':138,386 'summar':78 'target':73 'termin':217,353 'test':55,70,74,135,383 'tool':221,357 'topic-agent-skills' 'topic-audit' 'topic-chatgpt' 'topic-codex' 'topic-devsecops' 'topic-mcp' 'topic-security' 'topic-smart-contracts' 'trigger':158 'trust':294 'unless':86 'unrel':197 'unselect':94 'upload':187 'use':6,22 'user':12,162,201 'v0.6':149 'valid':224 'within':155 'without':199 'work':236 'workflow':57,289 'yaml':108 '上传私有源码或':273 '不':332,334,336,340 '不创建':338 '不要打印':345 '不要执行':342 '不要把这个':268 '不要用于自动修复所有':264 '不要访问生产系统':344 '不适用场景':263 '且授权进行最小修复的场景':254 '中文':239 '为':314 '以及合法路径保持可用的测试':322 '但只读取完成任务所需的文件':287 '使用':361 '使用这个':241 '修复后通过的最小回归测试':321 '修复建议和回归测试组织成可复核的安全输出':248 '允许查看的材料和不能触碰的范围':284 '先说明范围差异':256 '只报告有':305 '和':301,387 '如果请求超出这些边界':255 '它应该帮助审查者把输入边界':245 '安全规则':326 '完成后报告验证输出':324 '并规划修复前失败':320 '并选择更合适的':257 '当作自动扫描整个仓库':270 '影响':247 '或':311 '或人工':260 '或文档':291 '执行':271 '执行或':354 '提出':317 '操作流程':281 '收集必要上下文':286 '无边界重构':266 '明确用户给出的目标':283 '未授权提交或高风险改动直接落地':267 '未经明确授权':331 '权限的修复必须进入人工':358 '模型':350 '残余风险和需要人工确认的事项':325 '每个':365 '治理':352 '涉及':347 '用户明确指定':251 '的':307 '的许可':280 '目的':240 '缺少上下文时写':309 '自动推送或':276 '自动提交':275 '触发条件':249 '识别':293 '资金':351 '路径':262 '输出要求':360 '进行修复已选择的安全':243 '适用于':250 '都要包含':367 '风险证据':246 '默认':327","prices":[{"id":"b01a99c5-293f-4b1d-b02b-86cf5f2c2c3a","listingId":"013efe1b-42fe-478b-8c77-ecef8470ad50","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"edmund-xl","category":"ai-security-audit-playbook","install_from":"skills.sh"},"createdAt":"2026-05-18T13:21:29.056Z"}],"sources":[{"listingId":"013efe1b-42fe-478b-8c77-ecef8470ad50","source":"github","sourceId":"edmund-xl/ai-security-audit-playbook/fix-selected-security-findings","sourceUrl":"https://github.com/edmund-xl/ai-security-audit-playbook/tree/main/skills/fix-selected-security-findings","isPrimary":false,"firstSeenAt":"2026-05-18T13:21:29.056Z","lastSeenAt":"2026-05-18T19:13:43.694Z"}],"details":{"listingId":"013efe1b-42fe-478b-8c77-ecef8470ad50","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"edmund-xl","slug":"fix-selected-security-findings","github":{"repo":"edmund-xl/ai-security-audit-playbook","stars":7,"topics":["agent-skills","audit","chatgpt","codex","devsecops","mcp","security","smart-contracts"],"license":"mit","html_url":"https://github.com/edmund-xl/ai-security-audit-playbook","pushed_at":"2026-05-13T02:30:26Z","description":"Local-first, audit-only security review playbook for AI coding agents: prompts, skills, read-only MCP, findings, and regression tests.","skill_md_sha":"427a3960700914cfcb2e907fe1b5d8e0e87ad8b5","skill_md_path":"skills/fix-selected-security-findings/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/edmund-xl/ai-security-audit-playbook/tree/main/skills/fix-selected-security-findings"},"layout":"multi","source":"github","category":"ai-security-audit-playbook","frontmatter":{"name":"fix-selected-security-findings","description":"Use this skill only when the user explicitly selects security finding IDs to fix. Do not use it to fix all findings or perform broad refactors."},"skills_sh_url":"https://skills.sh/edmund-xl/ai-security-audit-playbook/fix-selected-security-findings"},"updatedAt":"2026-05-18T19:13:43.694Z"}}