[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"skill-27fa7634-7546-45cf-a822-2706d7daf51b":3,"$fHnI8_MiLATp1AmZZQ1n_hDrRhmTUQGKQPk5miNkRzI0":42},{"id":4,"title":5,"description":6,"categoryId":7,"moduleId":8,"tags":9,"prompt":10,"icon":11,"source":12,"sourceUrl":13,"authorId":14,"authorName":15,"isPublic":16,"stars":17,"runs":18,"createdAt":19,"updatedAt":19,"module":20,"category":27,"packages":33},"27fa7634-7546-45cf-a822-2706d7daf51b","mock-hunter","Audit a live web page in five phases (catalog, click, trace, classify, report) to identify mock data, hardcoded values, LLM-generated metrics, and broken endpoints. Outputs a Markdown report with a REAL\u002FMOCK\u002FLLM\u002FHARDCODED\u002FBROKEN\u002FUNKNOWN verdict for each visible value.","cat_coding_backend","mod_coding","sickn33,coding","---\nname: mock-hunter\ndescription: \"Audit a live web page in five phases (catalog, click, trace, classify, report) to identify mock data, hardcoded values, LLM-generated metrics, and broken endpoints. Outputs a markdown report with REAL\u002FMOCK\u002FLLM\u002FHARDCODED\u002FBROKEN\u002FUNKNOWN verdicts per visible value.\"\ncategory: testing\nrisk: critical\nsource: community\nsource_repo: CodeShuX\u002Fmockhunter\nsource_type: community\ndate_added: \"2026-05-07\"\nauthor: CodeShuX\ntags: [testing, qa, playwright, mock-detection, web-audit, ai-testing, vibe-coding, claude-code]\ntools: [claude]\nlicense: \"MIT\"\nlicense_source: \"https:\u002F\u002Fgithub.com\u002FCodeShuX\u002Fmockhunter\u002Fblob\u002Fmain\u002FLICENSE\"\nplugin:\n  targets:\n    codex: blocked\n    claude: blocked\n---\n\n# MockHunter — Live Page Reality Check\n\n## Overview\n\nMockHunter is a Claude Code skill that audits a live web page and tells you, for every visible value, whether it is real, mocked, LLM-generated, hardcoded, broken, or unknown. It is built for vibe-coded apps (Lovable, Bolt, v0, Replit, AI Studio, Cursor Composer) where the UI may look complete but the data layer often is not. 
It uses Playwright MCP to drive a real browser, then traces each visible value through the network and DOM to its source.\n\nThis skill adapts the upstream `CodeShuX\u002Fmockhunter` project (community source).\n\nBecause this workflow drives a real browser against live pages, treat it as an interactive audit tool, not a plugin-safe read-only helper. Default to observation-only until the user confirms the target is theirs, identifies a safe test account or environment, and explicitly approves any click, submit, or authenticated action that can mutate state.\n\n## When to Use This Skill\n\n- Use when auditing an AI-generated UI to find out which values are actually wired up\n- Use when reviewing a contractor or teammate's deliverable before sign-off\n- Use before showing a vibe-coded MVP to a customer or investor\n- Use when a dashboard \"looks too clean\" — every metric uniformly round, all timestamps clustered, no variance — and you suspect seeded data\n\n## How It Works\n\n### Phase 1: Setup & Smart Questions\n\n1. Greet the user, ask for the target URL\n2. Auto-detect the stack from the URL (`*.lovable.app`, `*.bolt.new`, `*.v0.app`, `*.replit.app`, `aistudio.google.com`, otherwise Custom)\n3. Ask 3-5 targeted questions: auth mode (public \u002F localhost \u002F form \u002F skip), DB access (optional), suspicions, page goal\n4. Confirm the audit plan, ownership\u002Fpermission, target environment, and allowed action classes before proceeding\n\n### Phase 2: Navigate & Catalog\n\n1. `browser_navigate` to the target URL\n2. Handle auth per chosen mode (form-login: fill fields, click submit)\n3. Wait for network idle (max 10s)\n4. Take full-page screenshot, capture accessibility snapshot\n5. Inventory every: heading, button, link, input, card, badge, stat, table cell, empty state, image\n6. Capture initial console errors and network requests\n\n### Phase 3: Test Interactivity\n\n1. 
For every tab: click only after the user has approved navigation-style interactions, then snapshot, scroll to bottom, re-catalog\n2. For every button: click only user-approved, allowlisted controls that are clearly non-destructive by role, accessible name, nearby text, icon, URL\u002Faction target, and expected network side effect; skip destructive or ambiguous controls rather than relying on a label regex alone\n3. For every form: identify required fields and prefer empty-submit validation; submit throwaway data only when the user explicitly approved the exact form, target environment, and test account\n4. Record per-element behavior\n\n### Phase 4: Trace Provenance\n\nFor every visible value, run this decision tree:\n\n```\nDid any network request return this value?\n├── YES — found in a response:\n│   ├── Status 4xx\u002F5xx → BROKEN\n│   ├── Endpoint matches \u002Fai|openai|generate|llm|chat → LLM\n│   ├── Response shape matches mock library (faker, MSW, mockoon) → MOCK\n│   ├── Uniformity flags trigger → MOCK or LLM (review)\n│   ├── DB connection provided?\n│   │   ├── Run read-only SELECT, value matches DB row → REAL\n│   │   └── Value not in DB → MOCK\n│   └── No DB → UNKNOWN (best-guess)\n└── NO — value not in any network response:\n    ├── String literal in DOM source → HARDCODED\n    ├── Computed from Math.random \u002F Date.now \u002F faker → MOCK\n    └── Cannot determine → UNKNOWN\n```\n\nUniformity heuristics flag suspicious data:\n- All numeric values identical across rows\n- All percentages round (50%, 75%, 90%)\n- All timestamps cluster within a single minute\n- \u003C 3 unique values across 10+ rows\n\n### Phase 5: Report\n\nGenerate `mockhunter-report.md` with:\n- Summary table (verdict counts)\n- Findings per section\u002Ftab (element \u002F value \u002F verdict \u002F source \u002F severity \u002F action)\n- Console errors and network failures\n- NO-OP buttons\n- Suspicious patterns\n- Smart follow-up questions for the user\n\n## 
Examples\n\n### Example 1: Auditing a Lovable admin dashboard\n\n```\nUser: \u002Fmockhunter audit https:\u002F\u002Fmy-app.lovable.app\u002Fadmin\nSkill: [Phase 1] Stack detected: Lovable. Auth: skip. DB: no.\n       [Phase 2] Catalog: 6 stat cards, 4 verification queues, 8 activity items.\n       [Phase 3] Search box: NO-OP (zero network requests). Activity link → 404.\n       [Phase 4] Bundle 2.7 MB. Zero \u002Fapi\u002F, zero supabase, zero axios.\n                 \"$42,850\" → string literal in JSX → HARDCODED.\n                 \"+12% vs last month\" → string literal → HARDCODED.\n       [Phase 5] Verdict: 23 HARDCODED, 1 BROKEN, 1 NO-OP, 0 REAL.\n                 Report written to .\u002Fmockhunter-report.md\n```\n\n### Example 2: Public marketing site (mostly real)\n\n```\nUser: \u002Fmockhunter audit https:\u002F\u002Fexample-saas.com\nSkill: ...\n       [Phase 5] Verdict: 8 REAL, 18 HARDCODED (intentional marketing copy),\n                 0 MOCK, 0 BROKEN, 2 UNKNOWN.\n                 No console errors, no broken endpoints.\n```\n\n## Best Practices\n\n- ✅ Provide DB access when available — lifts UNKNOWN verdicts to REAL or MOCK\n- ✅ Use a dedicated test account for form-login auth\n- ✅ Run cold-start tests (zero data) — many vibe-coded apps fail there\n- ✅ Tell the skill if specific sections are intentionally AI-generated, so it doesn't false-flag them\n- ❌ Don't run active interaction on apps you don't own without permission — live clicks and form submissions can mutate state\n- ❌ Don't trust a destructive-button exclusion list by itself — localized labels, icons, aria text, and backend routes can hide mutating actions\n- ❌ Don't trust the audit if the page failed to load — check console first\n\n## Limitations\n\n- Single-page audit per run — no multi-page crawl in v0.1.0\n- Form-login only for auth — no OAuth, magic-link, or 2FA in v0.1.0\n- Caps at ~30 most-prominent buttons per page\n- Markdown report only — no JSON output yet\n- DB verification 
supports any DB reachable via shell command (psql, mysql, mongosh, wrangler, supabase REST), but not Firestore directly\n\n## Security & Safety Notes\n\n- The skill runs read-only DB SELECTs only, never INSERT\u002FUPDATE\u002FDELETE\n- Skips destructive-looking, ambiguous, icon-only, localized, or external-write controls unless the user has explicitly allowlisted the exact control and environment\n- Never submits forms that look like payment, account deletion, external write operations, account changes, invites, publishing, deployment, messaging, or money movement\n- Uses placeholder credentials (`mockhunter@example.com`) for any throwaway form tests, never the user's real credentials\n- All Playwright actions happen in a controlled MCP browser context — no headless escalation\n","","imported","https:\u002F\u002Fgithub.com\u002Fsickn33\u002Fantigravity-awesome-skills","user_system_seed","SkillOPIC",true,212,1902,"2026-05-16 13:29:14",{"id":8,"name":21,"slug":22,"icon":23,"description":24,"sort":25,"createdAt":26},"Programming & Development","coding","mdi-code-braces","Code generation, debugging, and review to improve development efficiency",2,"2026-05-16 12:53:40",{"id":7,"name":28,"slug":29,"icon":30,"description":31,"moduleId":8,"sort":25,"skillCount":32,"createdAt":26},"Backend Development","backend","mdi-server","APIs, databases, and server-side architecture",296,[34],{"id":35,"skillId":4,"version":36,"fileName":37,"fileSize":38,"filePath":39,"fileHash":40,"manifest":41,"createdAt":19},"56c6df1d-211b-4f31-9b3c-60df6ed63c85","1.0.0","mock-hunter.zip",3738,"uploads\u002Fskills\u002F27fa7634-7546-45cf-a822-2706d7daf51b\u002Fmock-hunter.zip","b3a05cab287e21fcfa404549a264506c95ab953ab6be75a7a0014454a966d1ab","[{\"path\":\"SKILL.md\",\"isDirectory\":false,\"size\":7678}]",{"code":43,"message":44,"data":45},200,"success",{"items":46,"stats":47,"page":50},[],{"averageRating":48,"totalRatings":48,"ratingCounts":49},0,[48,48,48,48,48],{"limit":51,"offset":48,"hasMore":52,"nextOffset":51,"ratedOnly":16},15,false]