
Audit history

security-checklist - 6 audits

Audit version 6

Medium risk (latest)

Jun 28, 2026, 10:30 AM

Static analysis flagged many dangerous patterns, but review shows they are mostly documentation examples, defensive test payloads, and checklist items. No malicious intent or prompt injection was found. The skill still carries medium operational risk because it instructs agents to run local scanners, write scan reports, and handle secret-scan results.

Files scanned: 2
Lines analyzed: 1,270
Findings: 11
Audited by: codex
Medium-risk issues (3)
Local Security Tool Execution Guidance
TRUE POSITIVE for operational risk. The skill instructs agents to run npm audit, pip-audit, Semgrep, Bandit, TruffleHog, Trivy, and related shell commands. These are legitimate defensive tools, but they execute local commands, can create report files, and may contact package or vulnerability services.
Project-Mutating Dependency Fix Command
TRUE POSITIVE for change risk. The skill includes npm audit fix as a recommended mitigation command. This command can modify dependency lockfiles or installed packages, so it should require user approval in managed workflows.
Secret Scan Output Handling
TRUE POSITIVE for sensitive-data handling risk. The skill teaches agents to run secret scanners and save results, which may contain secret types or sensitive repository evidence. It does not direct exfiltration, but outputs should be treated as confidential.
Low-risk issues (3)
Dangerous Payloads Used as Defensive Test Examples
FALSE POSITIVE for malicious behavior. SQL injection strings, command substitution strings, internal IP addresses, and metadata endpoint URLs appear as security test cases and SSRF checklist items. They are not executed by the skill files.
Unsafe Code Patterns Presented as Anti-Patterns
FALSE POSITIVE for direct exploit code. eval, exec, shell=True, weak hashing, and vulnerable request examples are presented as bad examples with safer alternatives or mitigation guidance. The documentation warns users to avoid these patterns.
Sensitive Keyword Matches Without Credential Access
FALSE POSITIVE for credential theft. SECRET_KEY, environment variable guidance, private key mentions, and cookie SameSite text are part of secure configuration examples or checklist language. No evidence found of reading real secrets or sending them to a remote endpoint.

Detected patterns

Shell Commands in Documentation
Network and SSRF Test Targets

Audit version 5

Safe

Jan 16, 2026, 05:07 PM

This skill is a pure markdown knowledge base containing only security documentation and educational code examples. No executable code, network calls, filesystem access, or external commands are present. All static findings (194 patterns) are false positives triggered by educational examples showing both vulnerable and secure coding patterns for documentation purposes.

Files scanned: 3
Lines analyzed: 1,462
Findings: 3
Audited by: claude
No security issues found

Audit version 4

Safe

Jan 16, 2026, 05:07 PM

This skill is a pure markdown knowledge base containing only security documentation and educational code examples. No executable code, network calls, filesystem access, or external commands are present. All static findings (194 patterns) are false positives triggered by educational examples showing both vulnerable and secure coding patterns for documentation purposes.

Files scanned: 3
Lines analyzed: 1,462
Findings: 3
Audited by: claude
No security issues found

Audit version 3

Safe

Jan 10, 2026, 10:51 AM

This skill is a pure markdown knowledge base. It contains only documentation and security guidance examples. No executable code, scripts, network calls, filesystem access, or external commands are present. The skill is a read-only reference for AI agents to understand security best practices.

Files scanned: 2
Lines analyzed: 1,270
Findings: 0
Audited by: claude
No security issues found

Audit version 2

Safe

Jan 10, 2026, 10:51 AM

This skill is a pure markdown knowledge base. It contains only documentation and security guidance examples. No executable code, scripts, network calls, filesystem access, or external commands are present. The skill is a read-only reference for AI agents to understand security best practices.

Files scanned: 2
Lines analyzed: 1,270
Findings: 0
Audited by: claude
No security issues found

Audit version 1

Safe

Jan 10, 2026, 10:51 AM

This skill is a pure markdown knowledge base. It contains only documentation and security guidance examples. No executable code, scripts, network calls, filesystem access, or external commands are present. The skill is a read-only reference for AI agents to understand security best practices.

Files scanned: 2
Lines analyzed: 1,270
Findings: 0
Audited by: claude
No security issues found