meta-security-review-bundle
GitHub组合式元技能,并行执行策略治理、密钥扫描和审计日志三个独立安全关卡,按严格优先级(治理拒绝>扫描警告>允许)仲裁结果。用于审查代码变更或脚本操作的安全性,生成可追溯的审计记录。
Trigger Scenarios
Install
npx skills add opensquilla/opensquilla --skill meta-security-review-bundle -g -y
SKILL.md
Frontmatter
{
"kind": "meta",
"name": "meta-security-review-bundle",
"always": false,
"metadata": {
"opensquilla": {
"risk": "high",
"capabilities": [
"filesystem-read",
"network-read",
"subprocess"
]
}
},
"triggers": [
"security review",
"安全审查",
"审查这段代码",
"review for safety"
],
"provenance": {
"origin": "opensquilla-original",
"license": "Apache-2.0"
},
"composition": {
"steps": [
{
"id": "policy_review",
"kind": "agent",
"with": {
"task": "You are the *policy reviewer* for a security-review bundle.\nApply only the rules below; do not invent additional concerns.\n\nOperation under review:\n---\n{{ inputs.user_message | xml_escape | truncate(800) }}\n---\n\nRules (in priority order):\n 1. DENY if the operation would modify `\/etc\/`, `\/boot\/`, system\n systemd units, `~\/.ssh\/authorized_keys`, or `\/etc\/sudoers`.\n 2. DENY if the operation would exfiltrate credentials\n (read `.env`, `~\/.aws\/credentials`, `~\/.ssh\/id_*`, etc.)\n to a remote destination.\n 3. DENY if the operation would disable or bypass sandbox \/\n selinux \/ apparmor controls.\n 4. Otherwise ALLOW.\n\nReply with EXACTLY one line, no preamble:\n DENY: <one-sentence reason>\n ALLOW: ok\n"
},
"skill": "sub-agent"
},
{
"id": "secret_scan",
"kind": "agent",
"with": {
"task": "You are the *secret scanner* for a security-review bundle. You\ndo NOT judge intent — only detect credential-shaped strings.\n\nInput:\n---\n{{ inputs.user_message | xml_escape | truncate(800) }}\n---\n\nLook for:\n * API keys (sk-…, ghp_…, AKIA…, AIza…, …)\n * JWT \/ OAuth bearer tokens\n * Private keys (-----BEGIN … PRIVATE KEY-----)\n * Database connection URIs with embedded passwords\n * Plaintext passwords next to obvious labels (pwd=, password:)\n\nReply with EXACTLY one line, no preamble:\n WARN: <count> <one-line summary of kinds detected>\n CLEAR: no secrets found\n"
},
"skill": "sub-agent"
},
{
"id": "arbitrate",
"kind": "agent",
"with": {
"task": "Three independent security gates ran on this operation:\n\n- policy_review: {{ outputs.policy_review }}\n- secret_scan: {{ outputs.secret_scan }}\n\nApply the arbitration rule STRICTLY in this priority order\n(higher wins; do NOT mix or soften):\n\n 1. If policy_review begins with \"DENY\" → final verdict is DENY.\n Pass through the policy reviewer's reason verbatim.\n 2. Else if secret_scan begins with \"WARN\" → final verdict is WARN.\n Pass through the scanner's summary verbatim and require\n explicit user acknowledgement before proceeding.\n 3. Else (policy_review ALLOW and secret_scan CLEAR) → ALLOW.\n\nReply with EXACTLY this structure on the first line, then\nadditional lines as needed:\n\n DENY: <policy reason>\n WARN: <scanner summary; user must confirm>\n ALLOW: cleared by both gates"
},
"skill": "sub-agent",
"depends_on": [
"policy_review",
"secret_scan"
]
},
{
"id": "audit_emit",
"kind": "tool_call",
"tool": "memory_save",
"tool_args": {
"mode": "append",
"path": "memory\/security-review.md",
"content": "=== security review audit ===\noperation: {{ inputs.user_message | xml_escape | truncate(400) }}\npolicy_review: {{ outputs.policy_review | truncate(200) }}\nsecret_scan: {{ outputs.secret_scan | truncate(200) }}\nverdict: {{ outputs.arbitrate | truncate(400) }}"
},
"depends_on": [
"arbitrate"
],
"tool_allowlist": [
"memory_save"
]
}
]
},
"description": "Compose three independent security gates over a candidate operation — policy\/governance review, secret\/credential scan, and audit-log emit — then arbitrate the verdicts with a strict priority rule (governance DENY > scanner WARN > ALLOW). Use when reviewing a proposed code change, script, or environment manipulation for safety.",
"meta_priority": 75
}
Security Review Bundle (Combinator Meta-Skill)
A combinator-style meta-skill: three independent gates run in parallel over the candidate operation, then a fourth step arbitrates the verdicts with a strict priority rule. The fifth step emits an audit record so the run is recallable later.
This bundle is the OpenSquilla equivalent of pptx slide 7's combinator pattern: multiple rule sets active simultaneously, with the arbitration rule explicit in the SKILL.md rather than implicit in the LLM's good judgement.
Arbitration rule
The arbitrate step encodes the priority policy > scanner > allow
verbatim in its task prompt. The rule is not soft-suggested
("consider whether…"); it's an enforceable check (startswith("DENY")).
This follows the pptx slide 7 recommendation to combine extensive scenario
testing with an explicit non-negotiable-rule fallback sentence.
Fallback
If any of the three primary gates fails (sub-agent error, timeout,
empty deliverable), the orchestrator's existing failure cascade
produces a structured failure payload. Operators should review the
partial verdicts in step_outputs and decide manually.
Use sparingly
This pattern multiplies token cost by N (number of gates) for a single user turn. Don't reach for the combinator unless multiple independent rule sets genuinely must both apply — otherwise prefer an orchestrator with a single, well-defined sequence.
Version History
- 7f72a32 Current 2026-07-05 18:41


