
Audit history

pnpm - 2 audits

Audit version 2

Most recent: Medium risk

Jun 28, 2026, 09:08 AM

Static analysis found many command, network, filesystem, script, and sensitive-file patterns. Manual review found these are Markdown guidance and examples for pnpm, CI, configuration, hooks, and migration rather than hidden executable skill code. The skill is publishable with a medium warning because following the guidance can install packages, run lifecycle scripts, edit dependency configuration, read .npmrc files, or publish packages.

15 files scanned
2,918 lines analyzed
11 findings
Audited by codex

Medium-risk issues (3)
Package Manager Command Guidance Can Mutate Projects
The static command findings are true string matches in Markdown documentation, not hidden executable code. They still carry operational risk because the guidance includes install, test, build, patch, publish, and removal commands that can change dependencies, execute lifecycle scripts, delete generated directories, or publish artifacts if run without review.
Sensitive npm Configuration Handling Requires Care
The skill tells agents to check .npmrc and documents registry token configuration. This is legitimate pnpm guidance, but .npmrc files can contain private registry tokens, so agents should avoid copying token values into prompts, logs, or generated output.
pnpm Hooks and Lifecycle Script Controls Affect Executed Code
The references describe .pnpmfile.cjs hooks, package scripts, and build-script controls. These are normal pnpm features, but they influence JavaScript code that runs during resolution or installation and should be reviewed in untrusted repositories.
Low-risk issues (3)
Hardcoded URL Findings Are Documentation References
The network findings are mostly registry examples and source reference URLs in Markdown. They do not show unauthorized requests or data exfiltration by the skill itself.
Weak Cryptography Matches Lack Semantic Evidence
The scanner reported weak cryptographic algorithm blockers at many Markdown lines, but manual review found pnpm documentation, dependency names, version pins, and examples rather than cryptographic code. No evidence found of MD5, SHA1, insecure cipher use, or custom crypto implementation in the reviewed files.
No Prompt Injection Evidence Found
Manual review and targeted search did not find instructions that attempted to override the evaluator, claim pre-approval, skip analysis, or impersonate system messages.

Detected patterns

Documentation Includes High-Impact pnpm Commands
Documentation References Token-Bearing Configuration Files

Audit version 1

Low risk

Jan 30, 2026, 08:50 AM

All static findings are false positives. The skill consists of markdown documentation files that describe pnpm package manager usage. Shell command syntax in documentation (backticks, $() substitution) is a standard markdown pattern for documenting CLI tools, not executable code. No actual code execution, credential access, or network calls are present in this documentation-only skill.

15 files scanned
2,918 lines analyzed
9 findings
Audited by claude

High-risk issues (3)

Documentation Shell Command Syntax
Markdown documentation contains shell command syntax patterns (backticks, $() substitution) used to document pnpm CLI usage. These are standard documentation patterns for CLI tools, not actual code execution.
Heuristic False Positive: Dangerous Combination
Static analyzer flagged 'Code execution + Network + Credential access' combination. This is a false positive - the skill contains only documentation files with no executable code, no network calls, and no credential handling.
Heuristic False Positive: Filesystem + Credentials
Static analyzer flagged 'Filesystem + Credentials + Network' combination. This is a false positive - documentation references to config files are informational, not actual file operations.
Low-risk issues (1)
Documentation URL References
Documentation contains hardcoded URLs to external resources (pnpm documentation, package registries). This is standard practice for documentation.

Risk factors