Historial de auditorías - provider-management

Versión de auditoría 6

Más reciente Riesgo medio

Jun 28, 2026, 12:25 PM

Static analysis reported many external command hits, but review shows these are Markdown inline code spans and fenced examples rather than executable scripts. The real risks are semantic: the skill documents command-line handling of API keys and session tokens, and it stores credentials and OAuth tokens under a hidden home-directory path without verifiable encryption.

1

Archivos escaneados

218

Líneas analizadas

7

hallazgos

codex

Auditado por

Problemas de riesgo medio (2)

SKILL.md:64-71 SKILL.md:178-183 SKILL.md:203-207

Sensitive Provider Credentials Are Entered Through Commands

The documented setup flow passes API keys and subscription session tokens through slash-command arguments. This can expose secrets in chat transcripts, logs, command history, telemetry, or shared screenshots depending on the host environment.

SKILL.md:130-137 SKILL.md:156-166

Local Credential And OAuth Token Storage Requires Stronger Guarantees

The skill documents auth.json and tokens.json under a hidden home-directory path and mentions file permissions, but no implementation is present to verify encryption, permission enforcement, token rotation, or safe deletion.

Problemas de riesgo bajo (3)

SKILL.md:23-44 SKILL.md:54-128 SKILL.md:194-215

Static External Command Findings Are Markdown Examples

The repeated Ruby or shell backtick detections come from Markdown inline code spans and fenced bash examples for provider commands, model names, and provider IDs. No standalone script, shell invocation, or dynamic command construction is present in the scanned file.

SKILL.md:3 SKILL.md:15-19 SKILL.md:42 SKILL.md:170-174

Weak Cryptography Detections Are Token And Model Text Matches

The weak cryptography blocker detections are not supported by evidence in the file. The flagged areas contain metadata, auth labels, model names, or credential examples, and no MD5, SHA1, DES, RC4, or custom cryptographic implementation appears in SKILL.md.

SKILL.md:203-207

System Reconnaissance Detection Is Troubleshooting Guidance

The system reconnaissance hit is tied to a troubleshooting sentence about ensuring a session token is valid. No host enumeration, environment discovery, or system information collection is described at the cited location.

Factores de riesgo

⚙️ Comandos externos (7)

SKILL.md:60-71 SKILL.md:78-89 SKILL.md:96-108 SKILL.md:125-127 SKILL.md:156-163 SKILL.md:178-183 SKILL.md:199-207

📁 Acceso al sistema de archivos (1)

SKILL.md:130-137

Patrones detectados

Command-Line Secret HandlingPersistent Token Storage

Versión de auditoría 5

Seguro

Jan 16, 2026, 05:32 PM

This skill contains only documentation files (SKILL.md). No executable code exists. All 71 static findings are false positives triggered by markdown documentation syntax misinterpreted as code patterns.

2

Archivos escaneados

396

Líneas analizadas

2

hallazgos

claude

Auditado por

No se encontraron problemas de seguridad

Factores de riesgo

⚙️ Comandos externos (56)

SKILL.md:24 SKILL.md:24 SKILL.md:24 SKILL.md:24 SKILL.md:24 SKILL.md:28 SKILL.md:28 SKILL.md:28 SKILL.md:28 SKILL.md:28 SKILL.md:28 SKILL.md:32 SKILL.md:32 SKILL.md:32 SKILL.md:32 SKILL.md:36 SKILL.md:36 SKILL.md:40 SKILL.md:40 SKILL.md:41 SKILL.md:41 SKILL.md:42 SKILL.md:42 SKILL.md:43 SKILL.md:44 SKILL.md:56 SKILL.md:60-72 SKILL.md:72-74 SKILL.md:74-78 SKILL.md:78-90 SKILL.md:90-92 SKILL.md:92-96 SKILL.md:96-100 SKILL.md:100-102 SKILL.md:102-106 SKILL.md:106-109 SKILL.md:109-111 SKILL.md:111-115 SKILL.md:115-119 SKILL.md:119-121 SKILL.md:121-125 SKILL.md:125-128 SKILL.md:128-132 SKILL.md:132-138 SKILL.md:138-142 SKILL.md:142-150 SKILL.md:150-156 SKILL.md:156-164 SKILL.md:164-178 SKILL.md:178-185 SKILL.md:185-199 SKILL.md:199-201 SKILL.md:201-206 SKILL.md:206-208 SKILL.md:208-213 SKILL.md:213-215

📁 Acceso al sistema de archivos (2)

SKILL.md:133 SKILL.md:133

Versión de auditoría 4

Seguro

Jan 16, 2026, 05:32 PM

This skill contains only documentation files (SKILL.md). No executable code exists. All 71 static findings are false positives triggered by markdown documentation syntax misinterpreted as code patterns.

2

Archivos escaneados

396

Líneas analizadas

2

hallazgos

claude

Auditado por

No se encontraron problemas de seguridad

Factores de riesgo

⚙️ Comandos externos (56)

SKILL.md:24 SKILL.md:24 SKILL.md:24 SKILL.md:24 SKILL.md:24 SKILL.md:28 SKILL.md:28 SKILL.md:28 SKILL.md:28 SKILL.md:28 SKILL.md:28 SKILL.md:32 SKILL.md:32 SKILL.md:32 SKILL.md:32 SKILL.md:36 SKILL.md:36 SKILL.md:40 SKILL.md:40 SKILL.md:41 SKILL.md:41 SKILL.md:42 SKILL.md:42 SKILL.md:43 SKILL.md:44 SKILL.md:56 SKILL.md:60-72 SKILL.md:72-74 SKILL.md:74-78 SKILL.md:78-90 SKILL.md:90-92 SKILL.md:92-96 SKILL.md:96-100 SKILL.md:100-102 SKILL.md:102-106 SKILL.md:106-109 SKILL.md:109-111 SKILL.md:111-115 SKILL.md:115-119 SKILL.md:119-121 SKILL.md:121-125 SKILL.md:125-128 SKILL.md:128-132 SKILL.md:132-138 SKILL.md:138-142 SKILL.md:142-150 SKILL.md:150-156 SKILL.md:156-164 SKILL.md:164-178 SKILL.md:178-185 SKILL.md:185-199 SKILL.md:199-201 SKILL.md:201-206 SKILL.md:206-208 SKILL.md:208-213 SKILL.md:213-215

📁 Acceso al sistema de archivos (2)

SKILL.md:133 SKILL.md:133

Versión de auditoría 3

Seguro

Jan 10, 2026, 10:41 AM

Pure documentation-only skill. No code execution, no file system access, no network calls. SKILL.md contains only command documentation for a provider management system.

1

Archivos escaneados

218

Líneas analizadas

0

hallazgos

claude

Auditado por

No se encontraron problemas de seguridad

Versión de auditoría 2

Seguro

Jan 10, 2026, 10:41 AM

Pure documentation-only skill. No code execution, no file system access, no network calls. SKILL.md contains only command documentation for a provider management system.

1

Archivos escaneados

218

Líneas analizadas

0

hallazgos

claude

Auditado por

No se encontraron problemas de seguridad

Versión de auditoría 1

Seguro

Jan 10, 2026, 10:41 AM

Pure documentation-only skill. No code execution, no file system access, no network calls. SKILL.md contains only command documentation for a provider management system.

1

Archivos escaneados

218

Líneas analizadas

0

hallazgos

claude

Auditado por

No se encontraron problemas de seguridad