
Audit history

ai-native-development - 6 audits

Audit version 6

Latest: Medium risk

Jun 28, 2026, 10:29 AM

Static analysis reported many high-risk patterns, but most are false positives from Markdown code fences, template strings, API documentation links, and normal SDK environment-variable configuration. No prompt injection attempt, malicious exfiltration, or hidden command execution intent was found. The main residual risk is unsafe copy-paste sample code, especially an eval-based calculator tool and broad autonomous-agent tool templates.

Files scanned: 10
Lines analyzed: 4,519
Findings: 12
Audited by: codex

Medium-risk issues (3)
Unsafe eval-based calculator example
The agent workflow reference defines a calculator tool that returns eval(expression). This is dangerous if copied into an agent because model-controlled or user-controlled input could execute arbitrary JavaScript. The surrounding context is educational reference material, so this is not evidence of malicious intent. Verdict: TRUE_POSITIVE for unsafe sample code. confidence: 0.94. confidence_reasoning: Direct eval() is present in a tool handler, and the semantic context shows the expression comes from tool input. Risk is reduced because it is documentation, not hidden runtime code.
Autonomous tool templates need authorization gates
The agent workflow template demonstrates web search, database query, and email tools that can be selected by an LLM-driven loop. The sample implementations are placeholders, but production use would need authorization, confirmation for side effects, allowlists, and argument validation. Verdict: NEEDS_REVIEW for safe integration controls. confidence: 0.78. confidence_reasoning: The template explicitly exposes side-effect-capable tools to an autonomous agent loop, but the functions are demonstrative placeholders rather than active malicious actions.
RAG context is inserted into prompts without explicit untrusted-context guard
The RAG template and chatbot example place retrieved document text and user messages directly into model messages. The system prompt restricts answers to context, but it does not explicitly instruct the model to treat retrieved content as untrusted and ignore instructions inside documents. Verdict: NEEDS_REVIEW for prompt-injection resilience. confidence: 0.70. confidence_reasoning: The pattern is common and legitimate, but the sampled code lacks a clear document-instruction isolation rule, which is a known risk for RAG systems.
Low-risk issues (4)
Markdown code fences misclassified as shell execution
Most external command findings are false positives caused by Markdown code fences and TypeScript template literals. The reviewed locations are documentation examples, not Ruby backtick execution or shell command invocation. Verdict: FALSE_POSITIVE. confidence: 0.93. confidence_reasoning: Line-number review shows code fences and template strings, and no child_process, exec, spawn, or shell invocation evidence was found in the sampled files.
Environment-variable access is standard SDK configuration
The env_access and secret findings reference SDK initialization with API keys from process.env. I found no evidence that these values are logged, written to files, or sent to unauthorized endpoints. Verdict: FALSE_POSITIVE for credential theft, with normal secret-handling caution. confidence: 0.88. confidence_reasoning: The cited lines pass environment variables to OpenAI, Pinecone, Anthropic, or observability SDK clients, which is expected configuration behavior.
Path traversal and weak-crypto scanner hits are contextual false positives
The path traversal hits are relative documentation imports or cross-skill references, and the weak-cryptography hits align with ordinary AI terminology such as embeddings, models, similarity metrics, and checklist headings. No evidence found of file reads, crypto implementation, or traversal against user-supplied paths. Verdict: FALSE_POSITIVE. confidence: 0.86. confidence_reasoning: Reviewed locations show imports, reference links, and checklist text rather than filesystem access or cryptographic code.
Hardcoded URLs are documentation and local service examples
The network findings include vendor documentation links, localhost vector database endpoints, and an example weather API call. These are not covert destinations or exfiltration endpoints, but production code should encode URL parameters and use configured endpoints. Verdict: FALSE_POSITIVE for malicious networking. confidence: 0.84. confidence_reasoning: The URLs are visible examples tied to the skill topic, and no secret material is sent to them in the reviewed context.

Detected patterns

Dynamic JavaScript evaluation in tool handler
Model-selected tools can perform side effects

Audit version 5

Low risk

Jan 16, 2026, 04:18 PM

This skill is educational/reference content for AI-native development patterns. Static scanner flagged 401 patterns, but all are FALSE POSITIVES. The flagged patterns (eval, process.env, backticks, grep commands) are legitimate documentation and template code for building AI agents. No malicious intent, data exfiltration, or unauthorized credential access found.

Files scanned: 11
Lines analyzed: 4,783
Findings: 3
Audited by: claude

No security issues found

Risk factors

Audit version 4

Low risk

Jan 16, 2026, 04:18 PM

This skill is educational/reference content for AI-native development patterns. Static scanner flagged 401 patterns, but all are FALSE POSITIVES. The flagged patterns (eval, process.env, backticks, grep commands) are legitimate documentation and template code for building AI agents. No malicious intent, data exfiltration, or unauthorized credential access found.

Files scanned: 11
Lines analyzed: 4,783
Findings: 3
Audited by: claude

No security issues found

Risk factors

Audit version 3

Safe

Jan 10, 2026, 10:25 AM

This skill is a pure knowledge module containing only documentation and TypeScript code templates for building AI applications. No executable scripts, no network behavior beyond documented API patterns, no filesystem access outside the skill directory, and no suspicious capabilities detected. Safe for marketplace publication.

Files scanned: 10
Lines analyzed: 5,589
Findings: 1
Audited by: claude

Low-risk issues (1)
eval() usage in calculator tool example
The agentic-workflows.md reference contains a calculator tool example using eval(expression) at lines 88-89. While this is documentation code (not executable), using eval() with unvalidated user input creates code injection risk. Recommended: use a math expression parser library instead.

Audit version 2

Safe

Jan 10, 2026, 10:25 AM

This skill is a pure knowledge module containing only documentation and TypeScript code templates for building AI applications. No executable scripts, no network behavior beyond documented API patterns, no filesystem access outside the skill directory, and no suspicious capabilities detected. Safe for marketplace publication.

Files scanned: 10
Lines analyzed: 5,589
Findings: 1
Audited by: claude

Low-risk issues (1)
eval() usage in calculator tool example
The agentic-workflows.md reference contains a calculator tool example using eval(expression) at lines 88-89. While this is documentation code (not executable), using eval() with unvalidated user input creates code injection risk. Recommended: use a math expression parser library instead.

Audit version 1

Safe

Jan 10, 2026, 10:25 AM

This skill is a pure knowledge module containing only documentation and TypeScript code templates for building AI applications. No executable scripts, no network behavior beyond documented API patterns, no filesystem access outside the skill directory, and no suspicious capabilities detected. Safe for marketplace publication.

Files scanned: 10
Lines analyzed: 5,589
Findings: 1
Audited by: claude

Low-risk issues (1)
eval() usage in calculator tool example
The agentic-workflows.md reference contains a calculator tool example using eval(expression) at lines 88-89. While this is documentation code (not executable), using eval() with unvalidated user input creates code injection risk. Recommended: use a math expression parser library instead.