repo-scan

扫描代码仓库资产并识别第三方库，生成模块级风险结论与交互报告

星标

★ 209,790

来源

GitHub

更新于

2026-06-07

// 安全评估低风险

仅提示词，不执行代码
开源可审计
社区验证· 209.8k

正在进行安全审计…

凭证密钥
网络外发
代码执行
数据访问
来源供应链

// 安装

复制安装指令，让 AI 自动完成配置 · 推荐新手

请帮我安装 askskill 上的 "repo-scan" 技能：
1. 下载 https://raw.githubusercontent.com/affaan-m/ECC/main/skills/repo-scan/SKILL.md
2. 保存为 ~/.claude/skills/repo-scan/SKILL.md
3. 装好后重载技能，告诉我可以用了

// 下载

下载 SKILL.md机读安装清单 ↗

// 用法示例

审计单个仓库代码资产

输入

请扫描这个代码仓库的所有文件，按类型分类每个文件，识别嵌入的第三方库，并按模块给出四级结论：安全、关注、风险、高风险。最后生成可交互的 HTML 报告，列出问题位置、证据和处理建议。

预期产出

一份仓库资产审计结果，包含文件分类、第三方依赖识别、模块级风险结论及可交互 HTML 报告。

识别历史遗留组件风险

输入

分析这个老项目中的各个模块，找出复制粘贴引入或嵌入的第三方代码，判断哪些组件来源不明、版本过旧或存在维护风险，并按照四级结论输出优先处理清单。

预期产出

一份聚焦历史遗留风险的清单，说明可疑第三方组件、风险等级、影响模块与优先处理建议。

生成交付前合规检查报告

输入

在发布前对仓库做一次全面源码资产审计，统计各类文件数量，识别第三方库分布情况，并对每个模块给出四级结论与整改建议，输出适合团队评审的 HTML 报告。

预期产出

一份适合发布评审的源码审计报告，展示资产分布、第三方库情况、模块结论和整改建议。

// 文档

repo-scan

Every ecosystem has its own dependency manager, but no tool looks across C++, Android, iOS, and Web to tell you: how much code is actually yours, what's third-party, and what's dead weight.

When to Use

Taking over a large legacy codebase and need a structural overview
Before major refactoring — identify what's core, what's duplicate, what's dead
Auditing third-party dependencies embedded directly in source (not declared in package managers)
Preparing architecture decision records for monorepo reorganization

Installation

# Fetch only the pinned commit for reproducibility
mkdir -p ~/.claude/skills/repo-scan
git init repo-scan
cd repo-scan
git remote add origin https://github.com/haibindev/repo-scan.git
git fetch --depth 1 origin 2742664
git checkout --detach FETCH_HEAD
cp -r . ~/.claude/skills/repo-scan

Review the source before installing any agent skill.

Core Capabilities

Capability	Description
Cross-stack scanning	C/C++, Java/Android, iOS (OC/Swift), Web (TS/JS/Vue) in one pass
File classification	Every file tagged as project code, third-party, or build artifact
Library detection	50+ known libraries (FFmpeg, Boost, OpenSSL…) with version extraction
Four-level verdicts	Core Asset / Extract & Merge / Rebuild / Deprecate
HTML reports	Interactive dark-theme pages with drill-down navigation
Monorepo support	Hierarchical scanning with summary + sub-project reports

Analysis Depth Levels

Level	Files Read	Use Case
`fast`	1-2 per module	Quick inventory of huge directories
`standard`	2-5 per module	Default audit with full dependency + architecture checks
`deep`	5-10 per module	Adds thread safety, memory management, API consistency
`full`	All files	Pre-merge comprehensive review

How It Works

Classify the repo surface: enumerate files, then tag each as project code, embedded third-party code, or build artifact.
Detect embedded libraries: inspect directory names, headers, license files, and version markers to identify bundled dependencies and likely versions.
Score each module: group files by module or subsystem, then assign one of the four verdicts based on ownership, duplication, and maintenance cost.
Highlight structural risks: call out dead-weight artifacts, duplicated wrappers, outdated vendored code, and modules that should be extracted, rebuilt, or deprecated.
Produce the report: return a concise summary plus the interactive HTML output with per-module drill-down so the audit can be reviewed asynchronously.