📦

سجل التدقيق

frontend-dev - 2 عمليات التدقيق

إصدار التدقيق 2

الأحدث مخاطر متوسطة

May 27, 2026, 06:26 PM

AI analysis failed after multiple attempts - MANUAL REVIEW REQUIRED before publishing. This skill cannot be auto-published until reviewed by a human.

الملفات التي تم فحصها

6,382

الأسطر التي تم تحليلها

النتائج

claude

تم تدقيقه بواسطة

لا توجد مشكلات أمنية

عوامل الخطر

🌐 الوصول إلى الشبكة (73)

⚙️ الأوامر الخارجية (841)

🔑 متغيرات البيئة (51)

📁 الوصول إلى نظام الملفات (16)

references/minimax-cli-reference.md:82 references/minimax-cli-reference.md:114 references/minimax-cli-reference.md:131 references/minimax-music-guide.md:29 references/minimax-tts-guide.md:37 scripts/minimax_image.py:88 scripts/minimax_image.py:80 scripts/minimax_image.py:119 scripts/minimax_image.py:97 scripts/minimax_music.py:141 scripts/minimax_music.py:148 scripts/minimax_music.py:127 scripts/minimax_tts.py:120 scripts/minimax_tts.py:105 scripts/minimax_video.py:131 scripts/minimax_video.py:130

⚡ يحتوي على سكربتات (1)

templates/generator_template.js:133

الأنماط المكتشفة

Hardcoded URLWeak cryptographic algorithmSystem reconnaissanceRuby/shell backtick executionsudo privilege escalationGeneric API/secret keysHidden file accessPython file write/appendArray join empty stringPython HTTP librariesPython os file operationsPython getenv functiongetenv function callPython base64 decodePython exec() functionProcess execWindows SAM database[HEURISTIC] Very high entropy string (5.95 bits) - likely encoded/encrypted payload[HEURISTIC] DANGEROUS COMBINATION: Code execution + Network + Credential access[HEURISTIC] DANGEROUS COMBINATION: Network + Credentials + Evasion techniques[HEURISTIC] SUSPICIOUS COMBINATION: Filesystem + Credentials + Network

إصدار التدقيق 1

مخاطر منخفضة

Apr 16, 2026, 06:14 AM

Static analysis flagged 1176 patterns with a risk score of 100/100, but evaluation confirms these are overwhelmingly false positives. High-severity 'weak cryptographic algorithm' findings in canvas-fonts/*.txt files are font Open Font License texts, not crypto code. 'Ruby/shell backtick execution' findings in markdown reference files are backtick-enclosed code examples in documentation. 'Windows SAM database' finding at templates/viewer.html:508 is the word 'CUSTOMIZE' containing the substring 'SAM'. regex.exec() in generator_template.js:133 is a standard JavaScript hex color parser. The skill is a legitimate frontend development tool with MiniMax API client scripts that properly use environment variables for API key management. Low risk after review.

الملفات التي تم فحصها

6,379

الأسطر التي تم تحليلها

النتائج

claude

تم تدقيقه بواسطة

مشكلات متوسطة المخاطر (2)

scripts/minimax_image.py:20 scripts/minimax_music.py:21 scripts/minimax_tts.py:21 scripts/minimax_video.py:21

API key stored in module-level variable

MINIMAX_API_KEY is read from environment at module import time and stored in a module-level variable. While this is standard practice for API clients, the key persists in memory for the process lifetime.

scripts/minimax_image.py:80-119 scripts/minimax_music.py:141-148 scripts/minimax_tts.py:120 scripts/minimax_video.py:130-131

File write operations for generated media

Scripts write generated media (images, video, audio) to local filesystem. This is expected behavior for a media generation tool. File paths are user-controlled via command line arguments.

مشكلات منخفضة المخاطر (6)

canvas-fonts/ArsenalSC-OFL.txt:1-94 canvas-fonts/BigShoulders-OFL.txt:1-94 canvas-fonts/Boldonse-OFL.txt:1-94

False positive: Weak cryptographic algorithm in font license files

Static scanner flagged 'weak cryptographic algorithm' in canvas-fonts/*-OFL.txt files. These are Open Font License text files for bundled fonts, containing no code. Pattern matching triggered on license boilerplate text.

references/minimax-cli-reference.md:1-128 SKILL.md:30-446

False positive: Shell backtick execution in markdown documentation

Static scanner flagged 'Ruby/shell backtick execution' in markdown reference files. These are backtick-enclosed code examples and CLI command documentation, not actual shell execution. The files are reference guides for users.

templates/viewer.html:508

False positive: Windows SAM database reference

Scanner flagged 'Windows SAM database' at templates/viewer.html:508. The actual text is '// PARTICLE SYSTEM - CUSTOMIZE FOR YOUR ALGORITHM'. The substring 'SAM' within 'CUSTOMIZE' triggered a false regex match.

templates/generator_template.js:133

False positive: Python exec() function

Scanner flagged 'Python exec() function' at templates/generator_template.js:133. The actual code is '/^#?([a-f\d]{2})([a-f\d]{2})([a-f\d]{2})$/i.exec(hex)', which is a standard JavaScript regex method for parsing hex color strings.

canvas-fonts/JetBrainsMono-OFL.txt:81 canvas-fonts/WorkSans-OFL.txt:81

False positive: System reconnaissance in font license files

Scanner flagged 'system reconnaissance' patterns in OFL license files. These contain URLs to font directories and repository links as part of standard Open Font License attribution requirements.

canvas-fonts/JetBrainsMono-OFL.txt:1-5 canvas-fonts/WorkSans-OFL.txt:1-5

False positive: Hardcoded URLs in font license files

Scanner flagged 'hardcoded URL' in canvas-fonts/*.txt license files. These are standard Open Font License repository and directory URLs, not actual network requests or data exfiltration.

عوامل الخطر

🌐 الوصول إلى الشبكة (70)

⚙️ الأوامر الخارجية (841)

🔑 متغيرات البيئة (51)

📁 الوصول إلى نظام الملفات (16)

⚡ يحتوي على سكربتات (1)

templates/generator_template.js:133

← العودة إلى المهارة