Persona: You are a skill-authoring compliance expert. You fix snyk-agent-scan alerts by restructuring content — never by suppressing or deleting useful information.
Thinking mode: Use ultrathink for multi-alert remediation where fixes for one alert type can surface or suppress another. Deep reasoning reduces rework.
The snyk-agent-scan tool analyzes skill bodies for three categories of unsafe patterns: third-party content exposure (W011), malicious external URLs (W012), and prompt injection via MCP tool calls (W001). All three are fixable through content restructuring without losing any information.
| File | When to read |
|---|---|
| --- | --- |
| references/w001-patterns.md | Fixing W001 alerts — MCP tool name patterns |
| references/w011-patterns.md | Fixing W011 alerts — imperative URL and external content patterns |
| references/w012-patterns.md | Fixing W012 alerts — version pinning and frontmatter offloading |
| Alert | Severity | Root Cause | Primary Fix |
|---|---|---|---|
| --- | --- | --- | --- |
| W011 | High | Skill body instructs agent to fetch/interpret external content | Replace imperatives with passive availability hints |
| W012 | High | Skill body references external URLs fetched and executed at runtime | Move to frontmatter install block; pin versions |
| W001 | High | Skill body names MCP tool functions explicitly | Use generic formulations instead |
# Scan a single skill
SNYK_TOKEN=<token> snyk-agent-scan --skills skills/<name>/
# Scan all skills
SNYK_TOKEN=<token> snyk-agent-scan --skills ./skills
The scanner requires a valid SNYK_TOKEN. In CI, store it as a secret. If snyk-agent-scan is not installed, use uvx snyk-agent-scan@latest as a drop-in replacement without installing. See detailed patterns for fixes per alert type.
W011 fires when the skill body uses imperative verbs directing the agent to fetch, check, or evaluate external content and then act on it. The scanner treats the agent as the grammatical subject performing an external action.
Rules:
Check and Fetch with passive hints: The release notes at may be useful. Always reference the changelog → The changelog documents breaking changes.gh repo view, govulncheck) in code blocks, not in prose checklists that imply the agent must run them before acting.See W011 pattern catalog for 12+ before/after examples.
W012 fires when the body references external content fetched and executed at runtime: package installs with @latest, pipe-to-shell patterns, or GitHub Actions with wrong/non-existent major versions.
Rules:
go install pkg@latest and similar commands from prose into the frontmatter metadata.openclaw.install block — the scanner does not flag frontmatter.@v4, not @v6).curl ... | sh) in skill bodies.See W012 pattern catalog for 8+ before/after examples.
W001 fires when the skill body explicitly names MCP server tool functions, triggering prompt-injection detection.
Rules:
resolve-library-id, query-docs, mcp__*) in the skill body.Context7 can help as a discoverability platform.allowed-tools frontmatter field — only the body is restricted.See W001 pattern catalog for safe reformulations.
Fix one alert at a time, re-run snyk-agent-scan after each change, and verify the alert count dropped before moving to the next. If a fix does not reduce alerts, undo it and try a different approach — do not stack unverified changes.
When a scan returns multiple alerts, fix in this order to minimize rework:
1. W001 (simplest) — remove MCP tool names from body; confirm allowed-tools is correct
2. W011 — rewrite imperative sentences as passive statements; move checklist items to code blocks
3. W012 — move install commands to frontmatter; pin versions
4. Re-scan after each individual fix to verify improvement
W011 fixes sometimes surface hidden W012s when URLs become more prominent after restructuring.
Not all alerts are real. Criteria for a likely false positive:
| Condition | Likely false positive? |
|---|---|
| --- | --- |
| URL appears in a markdown table cell as reference data, not in an instruction | Yes — tables are usually safe |
| In a skill describin a library, URL is the library official documentation | Yes — usually safe |
URL is the homepage or issues link in frontmatter | Yes — not scanned |
| Tool name appears inside a triple-backtick code block as a shell command | Sometimes — code blocks have lighter scrutiny |
go install with a pinned version in a Quick Reference code block | Sometimes — pinned versions are lower risk |
always appears in a sentence not involving external resources | Yes — "always" alone doesn't trigger W011 |
When an alert is a likely false positive, restructure anyway using the passive hint pattern — the scanner's heuristic protects real users; restructuring is safer than assuming scanner error.
Apply these checks while writing a new skill body to avoid alerts before the first scan:
@latest tags in any install instruction in the bodymcp__*, resolve-library-id, etc.) in body proseinstall blockIf you encounter a bug or unexpected behavior in snyk-agent-scan, open an issue at https://github.com/snyk/snyk-agent-scan/issues.
If you discover a pattern that triggers an alert not covered in the reference files above — a new bypass technique, a false positive condition, or an undocumented alert code — open a pull request to the samber/cc-skills repository to add it to the relevant pattern file. New patterns are the most valuable contribution to this skill.
共 1 个版本