AI Security Audit — OWASP and Vulnerability Scanning Skill
Install the security audit Skill to turn Claude Code into a security-focused code reviewer. OWASP Top 10 checks, dependency vulnerability scanning, secret leak detection, and threat modeling, all running locally in your editor.
Install the Security Auditor Skill
# Install the Security Auditor agent skill
curl -s https://api.tokrepo.com/raw/security-auditor-agent \
> ~/.claude/skills/security-auditor/SKILL.md
# Or install via TokRepo CLI
npx tokrepo install security-auditor-agent
Remotion AI Skill — Programmatic Video in React
Official Remotion Agent Skill for Claude Code and Codex. 30+ rules covering animations, transitions, captions, FFmpeg, audio visualization, voiceover, 3D, and more.
Google Gemini CLI — All Official Extensions Collection
40+ official Gemini CLI extensions by Google: coding, security, Google Cloud, databases, and partner integrations.
Vercel Skills — Agent Skill Ecosystem & CLI
Open agent skills ecosystem from Vercel. Install packaged SKILL.md instruction sets into Claude Code, Cursor, Codex, and 30+ AI agents with one command. 13,000+ GitHub stars.
Lark CLI Skill: Skill Maker — Create Custom Skills
Lark/Feishu CLI skill for creating reusable custom skills. Wrap atomic APIs or orchestrate multi-step workflows.
Agent Skills Standard — Cross-Platform AI Skills
The shared Agent Skills format used by Claude Code, OpenAI Codex, and Gemini CLI. Write skills once, use across all major AI coding tools.
Claude Memory Compiler — Evolving Knowledge Base
Auto-capture Claude Code sessions into a structured knowledge base. Hooks extract decisions and lessons, compiler organizes into cross-referenced articles. No vector DB needed. 365+ stars.
CC Status Board — Smart Status Bar for Claude Code
Add a context meter, AI asset discovery, and session info to your Claude Code status bar. Scans 300+ installed assets (skills, agents, MCP, plugins) and surfaces the most relevant ones as you type. Zero token cost, 100% local.
Lark CLI Skill: Wiki — Knowledge Base Management
Lark/Feishu CLI skill for knowledge base. Create and manage knowledge spaces, organize document nodes and shortcuts.
Claude SEO — Complete SEO Skill for Claude Code
Universal SEO analysis skill with 15 sub-skills and 12 parallel subagents. Covers technical SEO, E-E-A-T, schema markup, GEO/AEO, local SEO, Google APIs, and PDF reporting. MIT license, 4,000+ stars.
GEO Content Writing Skill
GEO (Generative Engine Optimization) content writing Skill that optimizes visibility in AI search engines.
Gemini CLI Extension: Stitch — AI Design Tool
Gemini CLI extension for Google Stitch. AI-driven UI design, component generation, and design system management.
Ollama Model Library — Best AI Models for Local Use
Curated guide to the best models available on Ollama for coding, chat, and reasoning. Compare Llama, Mistral, Gemma, Phi, and Qwen models for local AI development.
Body Tracking Skill Suite (multi-user edition + Feishu card push)
Claude Code body tracking Skill: supports multi-user self-service onboarding, diet logging in Feishu group chats, AI nutrition estimation, Feishu Base (multi-dimensional table) dashboard sync, and daily card pushes. Includes body-track (daily logging), body-track-dashboard (dashboard sync), and body_push.py (scheduled card push script).
Get Shit Done (GSD) — Meta-Prompting Dev System for Claude Code
A spec-driven development system with 48.6k GitHub stars. Adds phase-based planning, multi-agent execution, verification gates, and state persistence to Claude Code, Cursor, Gemini CLI and 9 more runtimes. Install with one npx command.
Agent Skill Creator — One Skill, 14+ Platforms
Turn any workflow into reusable AI agent skills that install on Claude Code, Copilot, Cursor, Windsurf, Codex, Gemini CLI, Kiro, and 7 more tools. No coding required. MIT, 660+ stars.
Remotion Rule: Transparent Videos
Remotion skill rule: Rendering transparent videos in Remotion. Part of the official Remotion Agent Skill for programmatic video in React.
Claude Official Skill: frontend-design
Create distinctive, production-grade frontend interfaces with high design quality. Use this skill when the user asks to build web components, pages, artifacts, posters, or appli...
Prompt Master — Zero-Waste AI Prompt Generator Skill
Claude Code skill that generates optimized prompts for 30+ AI tools. Auto-detects target tool, applies 5 safe techniques, catches 35 credit-killing patterns. 4.8K+ stars, MIT license.
Remotion Rule: Voiceover
Remotion skill rule: Adding AI-generated voiceover to Remotion compositions using TTS. Part of the official Remotion Agent Skill for programmatic video in React.
Claude Code Agent: K8s Specialist — Kubernetes Operations
Claude Code agent for Kubernetes. Deployment configs, helm charts, troubleshooting, scaling, monitoring, and cluster management.
Nuxt + Go-Zero Quality Audit Skill — 30 Checks from 250 Real Bugs
Production-tested quality check skill for Nuxt SSR + Go-Zero + MySQL projects. 30 automated checks across 7 dimensions (security, race conditions, transactions, frontend SSR, dependencies, API contracts, ops) — distilled from 10 rounds of Codex audit that found ~250 real issues in a live SaaS product.
Gemini CLI Extension: Workspace — Google Docs & Sheets
Gemini CLI extension for Google Workspace. Read, create, and edit Google Docs, Sheets, and Slides from your terminal.
Awesome Claude Code Subagents — 130+ Specialized Agents
Install 130+ specialized Claude Code subagents across 10 categories: core dev, language experts, infra, security, data/AI, DevEx, and business. Plugin-based with 16.7K GitHub stars.
Marketing Skills — 34 CRO, SEO & Growth Skills for AI Agents
34 specialized marketing skills for Claude Code covering CRO, copywriting, SEO, analytics, pricing, email sequences, and growth engineering. Built by marketers for AI-assisted marketing workflows.
n8n-as-code — AI Agent Superpowers for n8n
Give your AI agent n8n superpowers with 537 node schemas, 7,700+ templates, and TypeScript workflow definitions. Works with Claude Code, Cursor, VS Code, and OpenClaw. MIT license.
oh-my-claudecode — Zero-Config Multi-Agent System
Zero learning curve multi-agent orchestration for Claude Code. Includes team mode, autopilot, Ralph persistent execution, and ultrawork parallel mode with 19 specialized agents.
OpenAI Codex & Cookbook — Official Collection
Official OpenAI resources: Codex CLI coding agent and the OpenAI Cookbook with prompting guides for GPT, Codex, and Realtime API.
GitHub Copilot — Official Customization Collection
Official GitHub Copilot customization: agents, skills, instructions, plugins, hooks, and agentic workflows. Plus documentation.
Antigravity Awesome Skills — 1,340+ Agentic Skills Library
Installable library of 1,340+ agentic skills for Claude Code, Cursor, Codex CLI, and Gemini CLI. One command installs skills like brainstorming, security auditing, frontend design, and API design.
Lark CLI — 19 AI Agent Skills for Lark/Feishu
Command-line tool for Lark/Feishu Open Platform with 200+ commands and 19 AI Agent Skills. Covers Messenger, Docs, Base, Sheets, Calendar, Mail, Tasks, and more.
Shift Security Left with AI
The AI security auditor brings professional penetration testing patterns into your daily coding workflow. Instead of running security scans after deployment — when fixes are expensive and risky — these skills check for vulnerabilities as you write code. Every commit gets checked for SQL injection, XSS, CSRF, insecure deserialization, broken authentication, and the rest of the OWASP Top 10.
What makes AI-powered security auditing different from traditional SAST (Static Application Security Testing) tools is contextual understanding. A regex-based scanner flags every eval() call; an AI auditor understands that eval(JSON.stringify(config)) with a trusted input is safe while eval(userInput) is critical. This dramatically reduces false positives — the noise that makes teams ignore security tools entirely.
The skills below also cover areas traditional scanners miss: secrets detection (API keys, tokens, passwords committed to git), dependency analysis (known CVEs in your package.json/go.mod), threat modeling (identifying attack surfaces in your architecture), and smart contract auditing for Web3 projects. Pair with AI code review skills for a complete quality gate, or browse the full security tools directory for dedicated scanners. For CI/CD integration, check DevOps tools that run these checks automatically on every PR.
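As an added illustration of the contextual check described above (example code written for this page, not the skill's own logic): a pattern-matching scanner reports every eval() call, while a small AST-based check reports only the call whose argument is built from a function parameter, i.e. data the caller controls. The sample source and both checkers are constructed for this example; a real auditor's data-flow analysis goes much further.

```python
import ast
import re

# Constructed sample source (not from the page): one eval() on constant,
# locally defined data and one eval() on a function parameter.
SAMPLE = """
import json
config = {"mode": "safe"}
def run_trusted():
    return eval(json.dumps(config))
def run_untrusted(user_input):
    return eval(user_input)
"""


def regex_findings(src: str) -> list[int]:
    """Pattern-matching scanner: every eval( call is a finding (1-based lines)."""
    return [i + 1 for i, line in enumerate(src.splitlines())
            if re.search(r"\beval\(", line)]


def _mentions_parameter(expr: ast.AST, params: set[str]) -> bool:
    """True if any Name inside the expression refers to a function parameter."""
    return any(isinstance(n, ast.Name) and n.id in params
               for n in ast.walk(expr))


def contextual_findings(src: str) -> list[int]:
    """Context-aware check: report eval() only when its argument depends on
    a parameter of the enclosing function (caller-controlled input)."""
    findings = set()
    for func in ast.walk(ast.parse(src)):
        if not isinstance(func, ast.FunctionDef):
            continue
        params = {a.arg for a in func.args.args}
        for node in ast.walk(func):
            if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                    and node.func.id == "eval" and node.args
                    and _mentions_parameter(node.args[0], params)):
                findings.add(node.lineno)
    return sorted(findings)


if __name__ == "__main__":
    print("regex scanner:   ", regex_findings(SAMPLE))       # [5, 7]
    print("contextual check:", contextual_findings(SAMPLE))  # [7]
```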
The cheapest vulnerability fix is the one your AI catches before you hit commit.
Frequently Asked Questions
What does the AI security auditor check for?
The skill audits for: OWASP Top 10 vulnerabilities (injection, XSS, CSRF, broken auth, etc.), hardcoded secrets and API keys, known CVEs in dependencies, insecure cryptographic implementations, path traversal vulnerabilities, insecure deserialization, server-side request forgery (SSRF), and misconfigured security headers. It produces a severity-ranked report with specific file locations and fix suggestions.
How is this different from Snyk or SonarQube?
Traditional SAST tools use pattern matching and rule engines — they're fast but produce many false positives and miss complex vulnerabilities that require understanding code flow. AI security auditors understand context: they can trace data flow from user input to database query, understand authentication middleware, and assess whether a flagged pattern is actually exploitable. They complement traditional scanners — use both for defense in depth.
Can the AI fix the vulnerabilities it finds?
Yes. After identifying a vulnerability, Claude Code can propose a fix — for example, replacing string concatenation in SQL with parameterized queries, adding input sanitization for XSS, or implementing CSRF tokens. Always review security fixes carefully before applying — AI can introduce subtle regressions in security-critical code. The safest workflow: AI identifies and proposes, human reviews and approves.
Does it work for smart contracts?
Yes. TokRepo includes a dedicated Smart Contract Auditor skill that checks Solidity and other EVM languages for reentrancy attacks, integer overflow, access control issues, gas optimization, and common DeFi vulnerabilities. It's specifically trained on known Web3 exploit patterns and audit report formats.
How do I integrate security auditing into CI/CD?
Run Claude Code in headless mode as a CI step: 'claude --headless audit-security' with appropriate flags. Some teams use Claude Code Hooks to trigger security scans on every commit. For GitHub-native solutions, several tools in TokRepo's DevOps directory provide GitHub Actions that run AI security scans on every PR and block merge if critical issues are found.