
Audit history

quality-reviewer - 6 audits

Audit version 6

Latest: Medium risk

Jun 28, 2026, 10:15 AM

Static external-command and weak-cryptography alerts are mostly false positives from Markdown fences, inline code formatting, and words such as description. The skill is still medium risk because it grants wildcard tool access, asks the agent to inspect project files, and requires web research.

Files scanned: 1
Lines analyzed: 158
Findings: 8
Audited by: codex
Medium-risk issues (2)
Wildcard Tool Permission
The skill declares allowed-tools as '*' on line 4. This is not malicious by itself, but it gives the agent broad execution, filesystem, and network capability for a community skill.
Project Inspection and Web Research Workflow
The workflow asks the agent to list project context files and search or fetch current documentation. This is legitimate for the skill purpose, but it can expose local project structure or send dependency information to external services.
Low-risk issues (3)
False Positive: Markdown Backticks
Static analysis reported Ruby or shell backtick execution, but the cited locations are Markdown fences, inline file names, and output examples. No evidence found of executable Ruby backticks or command substitution.
False Positive: Weak Cryptography
Static analysis reported weak cryptography on lines 3 and 77. These lines contain descriptive text, not cryptographic algorithms, hash functions, ciphers, or security-sensitive operations.
False Positive: System Reconnaissance
Static analysis reported system reconnaissance on line 119. That line asks whether library recommendations changed recently and does not request host, network, account, or system discovery.

Risk factors

External commands (1)
Filesystem access (1)
Network access (2)

Detected patterns

Broad Tool Access

Audit version 5

Safe

Jan 16, 2026, 04:02 PM

All 20 static findings are FALSE_POSITIVES. The scanner misclassified documentation syntax (markdown code blocks, backticks, URL fields) as executable code patterns. This is a pure prompt-based skill containing only markdown documentation. The 'ls' commands are example instructions, not executed code. No actual cryptographic algorithms, external commands, or network calls exist in this skill file.

Files scanned: 2
Lines analyzed: 334
Findings: 1
Audited by: claude
No security issues found

Audit version 4

Safe

Jan 16, 2026, 04:02 PM

All 20 static findings are FALSE_POSITIVES. The scanner misclassified documentation syntax (markdown code blocks, backticks, URL fields) as executable code patterns. This is a pure prompt-based skill containing only markdown documentation. The 'ls' commands are example instructions, not executed code. No actual cryptographic algorithms, external commands, or network calls exist in this skill file.

Files scanned: 2
Lines analyzed: 334
Findings: 1
Audited by: claude
No security issues found

Audit version 3

Safe

Jan 10, 2026, 10:22 AM

Prompt-based skill containing only markdown documentation for AI code review guidance. No executable code, scripts, or network calls. Operates as a system prompt instructing the AI to perform file reading and web research - appropriate for the stated purpose.

Files scanned: 1
Lines analyzed: 158
Findings: 0
Audited by: claude
No security issues found

Audit version 2

Safe

Jan 10, 2026, 10:22 AM

Prompt-based skill containing only markdown documentation for AI code review guidance. No executable code, scripts, or network calls. Operates as a system prompt instructing the AI to perform file reading and web research - appropriate for the stated purpose.

Files scanned: 1
Lines analyzed: 158
Findings: 0
Audited by: claude
No security issues found

Audit version 1

Safe

Jan 10, 2026, 10:22 AM

Prompt-based skill containing only markdown documentation for AI code review guidance. No executable code, scripts, or network calls. Operates as a system prompt instructing the AI to perform file reading and web research - appropriate for the stated purpose.

Files scanned: 1
Lines analyzed: 158
Findings: 0
Audited by: claude
No security issues found