auditing-pre-release-security

Pre-Release Security Audit (Between Any Two Git Refs)

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "auditing-pre-release-security" with this command: npx skills add onekeyhq/app-monorepo/onekeyhq-app-monorepo-auditing-pre-release-security

Pre-Release Security Audit (Between Any Two Git Refs)

This skill compares any two git refs (tag/branch/commit SHA) and audits:

  • Source-code diffs for security regressions

  • Dependency changes (direct + transitive) and lockfile determinism

  • Newly introduced package behaviors inside node_modules

  • CI/CD workflow risks in .github/workflows and build configs (Expo/EAS)

The output is a Chinese Markdown report, with a unique title and filename containing the refs to avoid overwrites.

  1. Mandatory: confirm audit range (BASE_REF, TARGET_REF)

Ref rules

  • Accepted: tag / branch / commit SHA

  • BASE_REF = starting point, TARGET_REF = ending point (release candidate)

If refs are not explicitly provided by the user

Ask exactly once before doing any work:

Which two git refs should I compare? (e.g. v5.19.0 → release/v5.20.0 , or main → feature/xxx )

If only one ref is provided

Ask for the missing ref. Do not assume defaults unless the user explicitly says:

  • “latest tag → HEAD”

  • or provides an equivalent instruction.

  1. Output requirements (hard constraints)

  • Report language: Chinese

  • Report filename must include refs to avoid collisions:

  • security-audit__${BASE_REF_SAFE}to${TARGET_REF_SAFE}.md

  • BASE_REF_SAFE /TARGET_REF_SAFE must replace / with __ (or - ) for filesystem safety.

  • Report title must include refs:

  • 安全预审报告(${BASE_REF} → ${TARGET_REF})

  • Evidence must be traceable: file path + line numbers (when possible) + short snippet.

  1. Safety rules (must follow)

  • Never print or paste secrets: mnemonics/seed phrases, private keys, signing payloads, API keys, tokens, cookies, session IDs.

  • If command outputs may contain secrets (env dumps, logs), redact before writing to the report.

  • Prefer short excerpts; do not paste large bundles.

  1. Execution checklist

Step A — Verify refs and collect context

  • Verify both refs exist:

  • git rev-parse --verify "${BASE_REF}^{commit}"

  • git rev-parse --verify "${TARGET_REF}^{commit}"

  • Record:

  • BASE_SHA, TARGET_SHA

  • Working tree clean? git status --porcelain

  • List changed files:

  • git diff --name-status "${BASE_REF}..${TARGET_REF}"

Step B — Collect key diffs

Focus on:

  • Source: **/*.{js,ts,tsx}

  • Dependencies: **/package.json , yarn.lock

  • CI: .github/workflows/**

  • Expo/EAS configs: eas.json , app.json , app.config.* , build scripts

Step C — Dependency delta (direct deps)

  • For each changed package.json , compute:

  • Added / removed / updated deps (include workspace path)

  • Version range policy checks:

  • Flag * / latest as High risk

  • Flag ^ / ~ as Medium risk (explain why this matters for release determinism)

  • If deps changed but yarn.lock did not, flag as High risk.

Step D — Lockfile determinism (best-effort)

  • Detect Yarn flavor: yarn -v

  • Try one:

  • Yarn Berry: yarn install --immutable

  • Yarn Classic: yarn install --frozen-lockfile

  • Record anomalies: resolutions , patches , non-registry sources, unexpected downloads.

Step E — Known vulnerability scanning (best-effort)

  • yarn audit (if available)

  • osv-scanner against yarn.lock (if available)

  • If missing tools, note “not run + reason”.

Step F — New dependency deep inspection (node_modules)

For each newly added direct dependency:

  • Inspect <pkg>/package.json :

  • preinstall , install , postinstall scripts

  • entry points (main , module , exports )

  • binary/native artifacts (bin/ , .node )

  • Keyword scan (case-insensitive) in its installed code:

  • Sensitive: privateKey|mnemonic|seed|keystore|passphrase

  • Storage: localStorage|indexedDB|AsyncStorage|keychain|keystore

  • Network: fetch|axios|XMLHttpRequest|http|https|WebSocket|ws

  • Dynamic exec: eval|new Function|child_process|spawn|exec

  • Install hooks: preinstall|install|postinstall

  • If hits exist: include path + line + short snippet and explain expected vs suspicious behavior.

  • Assign risk rating: Low / Medium / High.

Step G — Source diff security review (AI reasoning step)

Within ${BASE_REF}..${TARGET_REF} diffs, prioritize:

  • signing flows / key handling / mnemonic

  • network layer / RPC / telemetry

  • storage layer (local/secure storage)

  • logging / analytics / error reporting Output: suspicious changes list (each with summary, impact, evidence excerpt).

Step H — CI/CD & build pipeline risks

Inspect .github/workflows/** and build configs:

  • Flag uses: ...@latest (High)

  • Flag floating tags not pinned to SHA (Medium, note risk)

  • Check permissions: for over-broad scopes

  • Flag remote script execution patterns (curl|bash, remote downloads)

  • Note install safety (--ignore-scripts , etc.)

  • Expo/EAS: flag hooks that download remote code, run arbitrary scripts, or leak env into logs

  1. Report template (must follow; Chinese output)

Write the report to: security-audit__${BASE_REF_SAFE}to${TARGET_REF_SAFE}.md

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

General

react-best-practices

No summary provided by upstream source.

Repository SourceNeeds Review
-81
onekeyhq
General

implementing-figma-designs

No summary provided by upstream source.

Repository SourceNeeds Review
-72
onekeyhq
General

pr-review

No summary provided by upstream source.

Repository SourceNeeds Review
-62
onekeyhq