quickstart

GitHub

仓库入门助手,提供两种模式:空参数时进行简短介绍并引导完成首次漏洞扫描演练;带参数时基于仓库文档解答用户关于使用方法、配置或错误的具体问题。

.claude/skills/quickstart/SKILL.md anthropics/defending-code-reference-harness

Trigger Scenarios

用户输入 /quickstart 且无后续内容 用户询问如何开始使用 用户提出关于仓库功能、配置或操作的具体问题

Install

npx skills add anthropics/defending-code-reference-harness --skill quickstart -g -y
More Options

Non-standard path

npx skills add https://github.com/anthropics/defending-code-reference-harness/tree/main/.claude/skills/quickstart -g -y

Use without installing

npx skills use anthropics/defending-code-reference-harness@quickstart

指定 Agent (Claude Code)

npx skills add anthropics/defending-code-reference-harness --skill quickstart -a claude-code -g -y

安装 repo 全部 skill

npx skills add anthropics/defending-code-reference-harness --all -g -y

预览 repo 内 skill

npx skills add anthropics/defending-code-reference-harness --list

SKILL.md

Frontmatter
{
    "name": "quickstart",
    "description": "The front door for this repo. With no argument: a 30-second intro, then an offer to walk you through your first run on the canary target. With a question: answers it from this repo's own docs and source, cites where it looked, and hands you the next command. Use for \"how do I…\", \"why does…\", \"where is…\", \"can this…\", or just \"\/quickstart\" to get oriented.",
    "allowed-tools": [
        "Read",
        "Glob",
        "Grep",
        "Task",
        "AskUserQuestion"
    ],
    "argument-hint": "[question]   (blank = 30-sec intro)"
}

/quickstart

Two modes, picked by whether $ARGUMENTS is empty.

  • Empty → Intro mode. Short orientation, then offer the guided first run.
  • Non-empty → Help mode. Treat $ARGUMENTS as the operator's question.

Intro mode

Keep it short and a little warm; this is the first thing a new operator sees.

Say roughly:

Welcome! This repo takes you from finding your first vulnerability to patching at scale, using a set of Claude Code skills and an autonomous pipeline. Two ways in: interactive skills (no setup, safe, start here) and the autonomous pipeline (Docker, scales to hundreds of parallel agents).

The ramp-up:

| Day 1 | Threat-model + first static scan + triage | | Day 2 | Run the reference pipeline (C/C++) | | Day 3-4 | Customize it for your stack | | Week 2 | Autonomous scanning, triage, and patching |

Day-1 goal: threat-model, scan, and triage the bundled canary target. Most teams get there before lunch.

Remind them to export CLAUDE_CODE_SUBAGENT_MODEL=<model-id> so subagents use the same model as the session.

Then AskUserQuestion with three options:

  1. Walk me through Day 1 on the canary (~10 min) → run "Guided first run" below.
  2. I have a question → ask what it is, then switch to Help mode.
  3. I'll read the README → point at README.md Step 1 and stop.

Guided first run

Runs the three Step-1 skills on targets/canary, pausing after each to show what landed on disk. These only read/write files in the repo; no sandbox needed.

  1. /threat-model bootstrap targets/canary via Task. When done, open THREAT_MODEL.md, show the focus areas, explain in 2-3 sentences how this steers the scan.
  2. /vuln-scan targets/canary via Task. When done, open targets/canary/VULN-FINDINGS.md, summarize the count and top 2-3 findings, point at VULN-FINDINGS.json.
  3. /triage targets/canary/VULN-FINDINGS.json via Task. When done, open TRIAGE.md, explain what changed vs. raw findings (verified, deduped, re-ranked).

Pause for the operator between each (AskUserQuestion); don't barrel through. Close with a one-line recap of the three artifacts on disk, then point at README Step 2 for the execution-verified pipeline. Never run vuln-pipeline or anything that executes target code here; that's Step 2 and needs Docker + a sandbox.


Help mode

Answer the operator's question using this repo as ground truth: README, docs/*.md, harness/*.py, targets/*/config.yaml, .claude/skills/*. Don't answer from general knowledge when the repo has a specific answer.

Routing map

If the question is about… Read first Then offer
running the pipeline docs/pipeline.md, README Step 2 the recon / run command
too many findings, triage docs/triage.md /triage <path>
porting, Java/Go/Rust/etc. docs/customizing.md, README Step 3 /customize
safety, sandbox, Docker docs/security.md cite; no action
rate limits, 429, token budget docs/pipeline.md: Rate limits, docs/troubleshooting.md#rate-limits cite the numbers
duplicates, dedup docs/troubleshooting.md#duplicate-findings known_bugs: hint
CLI flags, "what does --X do" harness/cli.py (grep the argparse) exact flag + example
which model, subagent pinning docs/troubleshooting.md: Subagents the export line
best practices, prompting docs/best-practices.md, docs/prompting.md cite the principle
"how do I start" README Step 1 offer Guided first run
patching, fix, diff, re-attack docs/patching.md, README Step 4 /patch <input>
binary, pentest, other domains docs/other-use-cases.md cite section
anything else README Table of contents best-match doc

Answer format

  1. Direct answer in 2-5 sentences.
  2. > source: the file(s) and section you used.
  3. Next action: one copy-pasteable command or skill invocation, if one applies. If none does, say so.
  4. If the question is ambiguous, ask one clarifying question; don't guess.

Constraints

  • Never fabricate CLI flags or file paths. If unsure, Grep for it in harness/cli.py or the target configs and quote what you find.
  • If the repo doesn't answer the question, say so plainly and suggest the operator open a GitHub issue on this repo.
  • Keep the Q&A dry and cited. Save the warmth for Intro mode.

Version History

  • b5b61c8 Current 2026-07-05 18:37

Same Skill Collection

.claude/skills/customize/SKILL.md
.claude/skills/triage/SKILL.md
.claude/skills/vuln-scan/SKILL.md
.claude/skills/patch/SKILL.md
.claude/skills/threat-model/SKILL.md

Metadata

Files
0
Version
b5b61c8
Hash
ab902b09
Indexed
2026-07-05 18:37

Главная - Вики-сайт
Copyright © 2011-2026 iteam. Current version is 2.155.2. UTC+08:00, 2026-07-08 20:16
浙ICP备14020137号-1 $Гость$