
Audit history

git-protocol - 7 audits

Audit version 7

Most recent - Low risk

Jun 28, 2026, 04:39 AM

Static analysis reported external command, network, weak cryptography, and reconnaissance patterns in SKILL.md. Review found these are Markdown and Rust implementation examples, not executable skill scripts or malicious behavior. The Git HTTP receive-pack example is legitimate, but any implementation of it should add authentication, input size limits, and repository path validation.

Files scanned: 1
Lines analyzed: 290
Review items: 3
False positives ignored: 3

Confirmed security concerns (1)

Low
Git HTTP Handler Examples Require Production Controls
The network finding is a Git smart HTTP server example that parses request bodies and can update references. It includes a permission check, but implementers should also add request body limits, repository path validation, and packfile validation before accepting pushes.
The code describes HTTP upload-pack and receive-pack handlers, so the network-facing behavior in the example is real. It is not active code in the skill, and it does include an explicit permission check.
Static false positives ignored (3)

These static matches were dismissed by semantic review or matched schema-only tokens, so they are shown for transparency but do not drive the quality score.

Low
Static Command Execution Findings Are Markdown Examples
The external command findings point to inline crate names and Rust fenced code blocks in the documentation. No evidence was found of shell execution, subprocess invocation, or install-time scripts.
The cited lines are Markdown list items or Rust code fences. The file contains no shell syntax or command execution API at these locations.
Low
Weak Cryptography Finding Not Confirmed
The static weak cryptography finding points to the skill description. The only concrete cryptographic primitive shown is Ed25519 signature verification, which is not a weak algorithm.
Line 3 is descriptive metadata and does not specify a weak primitive. The implementation example later references Ed25519 verification.
Low
Repository Access Findings Are Git Object Operations
The reconnaissance findings refer to repository object, commit, packfile, and reference operations. No evidence was found of host enumeration, credential discovery, or system reconnaissance.
The cited calls operate on Git repository data using gitoxide APIs. They do not inspect the host system or collect environment details.
Audited by: codex

Audit version 6

Low risk

Jan 21, 2026, 04:44 PM

All static findings are false positives. Ed25519 is strong, modern cryptography (misclassified as weak). The backticks are Markdown code fences, not shell execution. The Git protocol operations are legitimate repository functionality. No malicious patterns were detected.

Files scanned: 2
Lines analyzed: 705
Review items: 1
False positives ignored: 0

Risk factors

File system access (2)
Audited by: claude

Audit version 5

Medium risk - Audit incomplete

Jan 16, 2026, 03:26 PM

AI analysis failed after multiple attempts - MANUAL REVIEW REQUIRED before publishing. This skill cannot be auto-published until reviewed by a human.

Manual review required

This audit did not complete successfully. The quality score is capped until a successful audit is available.

Files scanned: 2
Lines analyzed: 469
Review items: 3
False positives ignored: 0

Patterns detected

Weak cryptographic algorithm
System reconnaissance
Ruby/shell backtick execution
HTTP client library
Audited by: claude

Audit version 4

Medium risk - Audit incomplete

Jan 16, 2026, 03:26 PM

AI analysis failed after multiple attempts - MANUAL REVIEW REQUIRED before publishing. This skill cannot be auto-published until reviewed by a human.

Manual review required

This audit did not complete successfully. The quality score is capped until a successful audit is available.

Files scanned: 2
Lines analyzed: 469
Review items: 3
False positives ignored: 0

Patterns detected

Weak cryptographic algorithm
System reconnaissance
Ruby/shell backtick execution
HTTP client library
Audited by: claude

Audit version 3

Safe

Jan 10, 2026, 09:46 AM

Pure documentation skill containing markdown guidance and Rust code examples. No executable code, scripts, network calls, or file system access. All content is informational patterns for Git protocol implementation.

Files scanned: 1
Lines analyzed: 290
Review items: 0
False positives ignored: 0
No security issues found
Audited by: claude

Audit version 2

Safe

Jan 10, 2026, 09:46 AM

Pure documentation skill containing markdown guidance and Rust code examples. No executable code, scripts, network calls, or file system access. All content is informational patterns for Git protocol implementation.

Files scanned: 1
Lines analyzed: 290
Review items: 0
False positives ignored: 0
No security issues found
Audited by: claude

Audit version 1

Safe

Jan 10, 2026, 09:46 AM

Pure documentation skill containing markdown guidance and Rust code examples. No executable code, scripts, network calls, or file system access. All content is informational patterns for Git protocol implementation.

Files scanned: 1
Lines analyzed: 290
Review items: 0
False positives ignored: 0
No security issues found
Audited by: claude