
Audit history

ai-visual-accuracy-check - 6 audits

Audit version 6

Latest - Medium risk

Jun 28, 2026, 04:03 AM

The static analyzer's Ruby backtick, weak cryptography, and system reconnaissance findings are false positives caused by Markdown code fences, filenames, and ordinary prose. The skill still has medium operational risk because its intended workflow reads local HTML and image files, renders screenshots with a headless browser, and sends visual content to Claude for analysis.

Files scanned: 1
Lines analyzed: 385
Review items: 8
False positives ignored: 0

Confirmed security concerns (2)

Low
Weak Cryptography Findings Are Textual False Positives
The weak cryptography detections correspond to the word AI and descriptive visual reasoning text, not cryptographic algorithms or hashing code. No evidence found of MD5, SHA-1, DES, or similar weak cryptographic usage.
The cited lines contain natural-language descriptions of AI visual reasoning. They do not contain cryptographic APIs, algorithms, or security-sensitive hashing behavior.
Low
System Reconnaissance Findings Are Documentation False Positives
The scanner flagged ordinary validation and comparison prose as reconnaissance. No evidence found of OS discovery, environment probing, host enumeration, or network scanning instructions.
The referenced lines discuss retrying invalid AI output and the flexibility of visual comparison. They do not instruct system inspection or reconnaissance.
Capability review items (3)

These are real local capabilities that may be expected for this skill, so they require review but are not counted as confirmed malicious behavior.

Medium
Third-Party AI Visual Analysis Sends Document Images
The workflow instructs the assistant to attach the original PDF PNG and rendered HTML screenshot to Claude for comparison. This is legitimate for the skill, but it may expose sensitive document pages to an external AI service if users provide confidential PDFs.
The documented process explicitly sends both images to Claude for multimodal comparison. The behavior is intentional, but it creates a clear data-sharing risk.
Medium
Local File Rendering and Report Output
The skill reads local HTML and PDF page image files, renders HTML through a headless browser, and saves a report under an output directory. This is expected behavior, but users should scope input and output paths to the project workspace.
The file reads, browser rendering step, and report path are directly documented. No malicious path traversal or secret collection is shown.
Low
Static Ruby Backtick Findings Are Markdown False Positives
The external command detections point to Markdown inline code, fenced code blocks, examples, diagrams, and file paths. I did not find Ruby code, shell backtick execution, or user-controlled command construction in the reviewed file.
The suspicious syntax occurs in Markdown documentation and JSON or bash examples, not executable Ruby. There is no script file or dynamic command invocation in the skill package.

Risk factors

🌐 Network access (2)
📁 File system access (3)
⚙️ External commands (2)

Detected patterns

Headless Browser Automation
Audited by: codex

Audit version 5

Safe

Jan 16, 2026, 02:35 PM

Pure prompt-based skill with no executable code. All 37 static findings are false positives: markdown backtick formatting was misidentified as shell execution, documentation references as file access, and API image attachment as malicious upload. This is a legitimate visual accuracy validation tool that sends images to the Claude API for comparison.

Files scanned: 2
Lines analyzed: 565
Review items: 1
False positives ignored: 0
Audited by: claude

Audit version 4

Safe

Jan 16, 2026, 02:35 PM

Pure prompt-based skill with no executable code. All 37 static findings are false positives: markdown backtick formatting was misidentified as shell execution, documentation references as file access, and API image attachment as malicious upload. This is a legitimate visual accuracy validation tool that sends images to the Claude API for comparison.

Files scanned: 2
Lines analyzed: 565
Review items: 1
False positives ignored: 0
Audited by: claude

Audit version 3

Safe

Jan 10, 2026, 09:53 AM

Pure prompt-based skill with no executable code. All described behaviors (image comparison, Claude API calls, file operations) are legitimate for visual accuracy validation. No obfuscation, no suspicious patterns, no credential theft or exfiltration.

Files scanned: 1
Lines analyzed: 385
Review items: 0
False positives ignored: 0
No security issues found
Audited by: claude

Audit version 2

Safe

Jan 10, 2026, 09:53 AM

Pure prompt-based skill with no executable code. All described behaviors (image comparison, Claude API calls, file operations) are legitimate for visual accuracy validation. No obfuscation, no suspicious patterns, no credential theft or exfiltration.

Files scanned: 1
Lines analyzed: 385
Review items: 0
False positives ignored: 0
No security issues found
Audited by: claude

Audit version 1

Safe

Jan 10, 2026, 09:53 AM

Pure prompt-based skill with no executable code. All described behaviors (image comparison, Claude API calls, file operations) are legitimate for visual accuracy validation. No obfuscation, no suspicious patterns, no credential theft or exfiltration.

Files scanned: 1
Lines analyzed: 385
Review items: 0
False positives ignored: 0
No security issues found
Audited by: claude