
Audit history

bases - 7 audits

Audit version 7

Most recent: Medium risk

Jun 28, 2026, 10:21 AM

Static command and network findings are mostly true positives in documentation examples that call a local Obsidian RPC service with curl and process results with jq. The weak cryptographic algorithm finding is a false positive from the RPC description, and no prompt injection or malicious exfiltration intent was found.

Files scanned: 1
Lines analyzed: 65
Findings: 7
Audited by: codex
Medium-risk issues (2)
Local RPC Commands Can Read Obsidian Vault Data
TRUE POSITIVE: The skill documents curl commands that query a local Obsidian Bases Query RPC endpoint. This is legitimate for the skill purpose, but it can expose structured note metadata and frontmatter to the AI session when a user runs the commands.
Shell Pipeline Examples Require User Review
TRUE POSITIVE: The skill includes jq command examples for extracting fields from RPC responses. The examples are simple and fixed, but agents should not run shell commands against private vault data without user consent.
Low-risk issues (3)
Loopback Network Endpoint Is Expected
FALSE POSITIVE FOR EXTERNAL NETWORK RISK: The hardcoded URL and IP address point to 127.0.0.1 for a local Obsidian plugin. No evidence found of outbound third-party exfiltration.
Weak Cryptography Finding Is Not Supported
FALSE POSITIVE: The line describes RPC usage and does not reference a weak hash, cipher, or cryptographic operation. No evidence found of cryptographic code.
Plugin Installation Link Requires Source Trust
TRUE POSITIVE LOW RISK: The skill links to a GitHub repository for installation through BRAT. This is normal for Obsidian community plugins, but users should review the plugin before installing it.

Patterns detected

Documented curl POST Requests
Localhost RPC Endpoint

Audit version 6

Low risk

Jan 21, 2026, 04:19 PM

Static analysis flagged pattern matches for crypto and external commands. Evaluation confirms these are false positives: crypto findings misidentify RPC documentation; command findings are curl examples in docs, not executing code. All network access is to localhost (127.0.0.1:27125) for the Obsidian plugin, a safe local RPC endpoint.

Files scanned: 2
Lines analyzed: 442
Findings: 5
Audited by: claude

High-risk issues (1)

False positive: Weak cryptographic algorithm flagged
Static scanner misidentified RPC documentation examples as cryptographic code. The skill contains no cryptographic operations - only local RPC calls to the Obsidian plugin.
Low-risk issues (2)
False positive: External command execution
Static scanner flagged curl examples in documentation as command execution. These are inline documentation examples, not executing code. The skill is a read-only documentation skill with no runtime command execution.
False positive: Hardcoded URLs and IP addresses
Static scanner flagged localhost URLs for the Obsidian plugin RPC endpoint. These are safe local network references (127.0.0.1:27125) used by the Obsidian Bases Query plugin. No external network access or security risk.

Audit version 5

Medium risk

Jan 16, 2026, 05:14 PM

AI analysis failed after multiple attempts - MANUAL REVIEW REQUIRED before publishing. This skill cannot be auto-published until reviewed by a human.

Files scanned: 2
Lines analyzed: 240
Findings: 2
Audited by: claude
No security issues found

Patterns detected

Hardcoded URL
Hardcoded IP address
Weak cryptographic algorithm
Ruby/shell backtick execution

Audit version 4

Medium risk

Jan 16, 2026, 05:14 PM

AI analysis failed after multiple attempts - MANUAL REVIEW REQUIRED before publishing. This skill cannot be auto-published until reviewed by a human.

Files scanned: 2
Lines analyzed: 240
Findings: 2
Audited by: claude
No security issues found

Patterns detected

Hardcoded URL
Hardcoded IP address
Weak cryptographic algorithm
Ruby/shell backtick execution

Audit version 3

Safe

Jan 10, 2026, 10:22 AM

This skill is a pure documentation file (SKILL.md) with no executable code. It describes how to query Obsidian Bases via a local RPC endpoint (127.0.0.1:27125) which only communicates with the local Obsidian application. No network calls to external servers, no file system access beyond its own directory, and no code execution capabilities.

Files scanned: 1
Lines analyzed: 65
Findings: 0
Audited by: claude
No security issues found

Audit version 2

Safe

Jan 10, 2026, 10:22 AM

This skill is a pure documentation file (SKILL.md) with no executable code. It describes how to query Obsidian Bases via a local RPC endpoint (127.0.0.1:27125) which only communicates with the local Obsidian application. No network calls to external servers, no file system access beyond its own directory, and no code execution capabilities.

Files scanned: 1
Lines analyzed: 65
Findings: 0
Audited by: claude
No security issues found

Audit version 1

Safe

Jan 10, 2026, 10:22 AM

This skill is a pure documentation file (SKILL.md) with no executable code. It describes how to query Obsidian Bases via a local RPC endpoint (127.0.0.1:27125) which only communicates with the local Obsidian application. No network calls to external servers, no file system access beyond its own directory, and no code execution capabilities.

Files scanned: 1
Lines analyzed: 65
Findings: 0
Audited by: claude
No security issues found