المهارات faceless-explainer سجل التدقيق
📦

سجل التدقيق

faceless-explainer - 2 عمليات التدقيق

إصدار التدقيق 2

الأحدث مخاطر متوسطة

Jun 30, 2026, 02:55 AM

Static analysis reported 1059 issues and a critical heuristic, but review found no prompt injection, credential exfiltration, or malicious intent. Most alerts are markdown backticks, relative documentation paths, color parsing, or RegExp.exec false positives. Confirmed risks are legitimate HyperFrames workflow privileges: local scripts, project filesystem writes, an environment-controlled audio engine override, and generated HTML that loads GSAP from a CDN.

17
الملفات التي تم فحصها
3,233
الأسطر التي تم تحليلها
12
النتائج
codex
تم تدقيقه بواسطة
مشكلات متوسطة المخاطر (3)
scripts/audio.mjs:23scripts/audio.mjs:71scripts/audio.mjs:85
Local Subprocess Invocation for Audio Pipeline
The audio adapter imports child_process and uses spawnSync to run a Node-based shared media audio engine. This is expected for narration, BGM, and SFX generation, and arguments are passed as an array without shell interpolation. It still creates a local command execution surface when users run the workflow, especially because HF_MEDIA_ENGINE can override the engine path.
scripts/build-frame.mjs:147scripts/build-frame.mjs:260scripts/audio.mjs:155scripts/captions.mjs:165scripts/captions.mjs:178scripts/assemble-index.mjs:348
Project Filesystem Modification by Workflow Scripts
Several scripts write generated project artifacts such as frame.md, caption HTML, caption metadata, audio metadata, and index.html. This is necessary for HyperFrames rendering, but users should run it only in the intended video project directory because the scripts accept project paths from CLI arguments.
scripts/assemble-index.mjs:323scripts/captions.mjs:452
Generated HTML Loads External GSAP CDN Script
The generated index and fallback captions HTML include GSAP from jsDelivr. This is a normal rendering dependency, but it introduces a runtime network and supply-chain dependency unless the environment pins or vendors the asset.
مشكلات منخفضة المخاطر (4)
SKILL.md:32SKILL.md:92references/story-design.md:215
Markdown Backtick Command Alerts Are False Positives
Many external command alerts come from markdown code formatting and workflow instructions, not hidden Ruby backtick execution. The cited lines describe commands users may run as part of the HyperFrames workflow.
scripts/lib/storyboard.mjs:107scripts/lib/tokens.mjs:27scripts/transitions.mjs:76
Regex exec Alerts Are False Positives
The script findings labeled as Python exec or process exec are RegExp.exec calls used for parsing headings, colors, and transition HTML. These do not execute code.
SKILL.md:191SKILL.md:192references/story-design.md:5
Path Traversal Alerts Are Documentation Relative Paths
Several path traversal alerts refer to documentation links such as ../hyperframes-core and ../hyperframes-animation. These are intended skill reference paths, not code that reads arbitrary parent directories.
scripts/lib/tokens.mjs:27scripts/lib/tokens.mjs:107references/visual-design.md:58
Weak Cryptography Alerts Are Color and Design Vocabulary
The weak cryptography alerts are caused by terms such as hex colors, chroma, blur, and visual design language. I did not find hashing, encryption, or cryptographic verification code in the reviewed context.

عوامل الخطر

⚙️ الأوامر الخارجية (6)
scripts/audio.mjs:23 scripts/audio.mjs:85 SKILL.md:32 SKILL.md:92 SKILL.md:109 SKILL.md:151
📁 الوصول إلى نظام الملفات (9)
scripts/build-frame.mjs:27-28 scripts/build-frame.mjs:147 scripts/build-frame.mjs:260 scripts/audio.mjs:70 scripts/audio.mjs:155 scripts/captions.mjs:165 scripts/captions.mjs:178 scripts/captions.mjs:202 scripts/assemble-index.mjs:348
🔑 متغيرات البيئة (1)
scripts/audio.mjs:71
🌐 الوصول إلى الشبكة (2)
scripts/assemble-index.mjs:323 scripts/captions.mjs:452
⚡ يحتوي على سكربتات (5)
scripts/build-frame.mjs:1 scripts/audio.mjs:1 scripts/captions.mjs:1 scripts/transitions.mjs:1 scripts/assemble-index.mjs:1

الأنماط المكتشفة

child_process.spawnSync UsageEnvironment-Controlled Engine PathHardcoded External Script URL

إصدار التدقيق 1

مخاطر متوسطة

Jun 27, 2026, 09:04 AM

Static analysis reported 1059 issues and a critical heuristic, but review found no prompt injection, credential exfiltration, or malicious intent. Most alerts are markdown backticks, relative documentation paths, color parsing, or RegExp.exec false positives. Confirmed risks are legitimate HyperFrames workflow privileges: local scripts, project filesystem writes, an environment-controlled audio engine override, and generated HTML that loads GSAP from a CDN.

17
الملفات التي تم فحصها
3,233
الأسطر التي تم تحليلها
12
النتائج
codex
تم تدقيقه بواسطة
مشكلات متوسطة المخاطر (3)
scripts/audio.mjs:23scripts/audio.mjs:71scripts/audio.mjs:85
Local Subprocess Invocation for Audio Pipeline
The audio adapter imports child_process and uses spawnSync to run a Node-based shared media audio engine. This is expected for narration, BGM, and SFX generation, and arguments are passed as an array without shell interpolation. It still creates a local command execution surface when users run the workflow, especially because HF_MEDIA_ENGINE can override the engine path.
scripts/build-frame.mjs:147scripts/build-frame.mjs:260scripts/audio.mjs:155scripts/captions.mjs:165scripts/captions.mjs:178scripts/assemble-index.mjs:348
Project Filesystem Modification by Workflow Scripts
Several scripts write generated project artifacts such as frame.md, caption HTML, caption metadata, audio metadata, and index.html. This is necessary for HyperFrames rendering, but users should run it only in the intended video project directory because the scripts accept project paths from CLI arguments.
scripts/assemble-index.mjs:323scripts/captions.mjs:452
Generated HTML Loads External GSAP CDN Script
The generated index and fallback captions HTML include GSAP from jsDelivr. This is a normal rendering dependency, but it introduces a runtime network and supply-chain dependency unless the environment pins or vendors the asset.
مشكلات منخفضة المخاطر (4)
SKILL.md:32SKILL.md:92references/story-design.md:215
Markdown Backtick Command Alerts Are False Positives
Many external command alerts come from markdown code formatting and workflow instructions, not hidden Ruby backtick execution. The cited lines describe commands users may run as part of the HyperFrames workflow.
scripts/lib/storyboard.mjs:107scripts/lib/tokens.mjs:27scripts/transitions.mjs:76
Regex exec Alerts Are False Positives
The script findings labeled as Python exec or process exec are RegExp.exec calls used for parsing headings, colors, and transition HTML. These do not execute code.
SKILL.md:191SKILL.md:192references/story-design.md:5
Path Traversal Alerts Are Documentation Relative Paths
Several path traversal alerts refer to documentation links such as ../hyperframes-core and ../hyperframes-animation. These are intended skill reference paths, not code that reads arbitrary parent directories.
scripts/lib/tokens.mjs:27scripts/lib/tokens.mjs:107references/visual-design.md:58
Weak Cryptography Alerts Are Color and Design Vocabulary
The weak cryptography alerts are caused by terms such as hex colors, chroma, blur, and visual design language. I did not find hashing, encryption, or cryptographic verification code in the reviewed context.

عوامل الخطر

⚙️ الأوامر الخارجية (6)
scripts/audio.mjs:23 scripts/audio.mjs:85 SKILL.md:32 SKILL.md:92 SKILL.md:109 SKILL.md:151
📁 الوصول إلى نظام الملفات (9)
scripts/build-frame.mjs:27-28 scripts/build-frame.mjs:147 scripts/build-frame.mjs:260 scripts/audio.mjs:70 scripts/audio.mjs:155 scripts/captions.mjs:165 scripts/captions.mjs:178 scripts/captions.mjs:202 scripts/assemble-index.mjs:348
🔑 متغيرات البيئة (1)
scripts/audio.mjs:71
🌐 الوصول إلى الشبكة (2)
scripts/assemble-index.mjs:323 scripts/captions.mjs:452
⚡ يحتوي على سكربتات (5)
scripts/build-frame.mjs:1 scripts/audio.mjs:1 scripts/captions.mjs:1 scripts/transitions.mjs:1 scripts/assemble-index.mjs:1

الأنماط المكتشفة

child_process.spawnSync UsageEnvironment-Controlled Engine PathHardcoded External Script URL
← العودة إلى المهارة