
Audit history

bark-notify - 6 audits

Audit version 6

Most recent: Medium risk

Jun 28, 2026, 08:16 PM

AI review did not confirm malicious intent or prompt injection. The critical static heuristic is explained by the skill purpose: it runs a local helper, reads notification configuration, and sends a Bark push request. Publish with a warning because task summaries and the Bark key can leave the local environment.

2 files scanned
202 lines analyzed
11 findings
Audited by: codex

Medium-risk issues (3)
Task Summary Sent to External Push Service
TRUE POSITIVE. The helper builds a notification body from machine name, project name, status, and summary, then posts it to the Bark endpoint. This is the intended feature, but summaries can leak sensitive task details if the caller includes secrets. Confidence: 0.86.
Dry Run Can Print Bark Key
TRUE POSITIVE. The Bark key is embedded in the URL path, and dry-run mode prints the full POST URL. Terminal logs or copied output could expose the notification token. Confidence: 0.93.
Environment Variables Control Notification Credentials and Endpoint
TRUE POSITIVE with legitimate context. The script reads CODEX_MACHINE_NAME, CODEX_BARK_KEY, and CODEX_BARK_BASE_URL from the environment. This is normal configuration, but a changed base URL can redirect notification contents. Confidence: 0.78.
Low-risk issues (3)
Documented Shell Command Invokes Local Helper Script
FALSE POSITIVE for command injection. The Markdown shows a fixed python3 command for the installed helper script with placeholder arguments. I did not find evidence of untrusted input being interpolated into a shell command by the skill code. Confidence: 0.95.
Local Project Metadata Read From AGENTS.md
TRUE POSITIVE with low severity. The helper searches the current directory and parent directories for AGENTS.md and reads it to extract a project name. This is limited filesystem access and does not exfiltrate file contents except the derived project name in the notification body. Confidence: 0.82.
Static Heuristic Findings Mostly Dismissed
FALSE POSITIVE. The weak cryptography detections point to descriptive text, not cryptographic code. The path traversal and hidden-file detections are Markdown examples for ~/.codex and placeholder ellipses, not runtime traversal logic. Confidence: 0.98.

Risk factors

Patterns detected

Task Summary Sent to External Push Service
Dry Run Can Print Bark Key

Audit version 5

Safe

Jan 16, 2026, 08:46 PM

All 42 static findings are false positives. The scanner misinterpreted YAML frontmatter fields as 'weak cryptographic algorithms', bash escaping quotes as 'path traversal sequences', and standard config file paths as 'hidden file' access. This is a legitimate notification utility that reads environment variables for API configuration, reads project metadata from AGENTS.md files, and sends push notifications to the official Bark API (api.day.app). The credential access pattern is explicitly documented and required for the skill's intended function.

3 files scanned
437 lines analyzed
3 findings
Audited by: claude

No security issues found

Risk factors

🔑 Environment variables (1)
📁 Filesystem access (1)
🌐 Network access (1)

Audit version 4

Safe

Jan 16, 2026, 08:46 PM

All 42 static findings are false positives. The scanner misinterpreted YAML frontmatter fields as 'weak cryptographic algorithms', bash escaping quotes as 'path traversal sequences', and standard config file paths as 'hidden file' access. This is a legitimate notification utility that reads environment variables for API configuration, reads project metadata from AGENTS.md files, and sends push notifications to the official Bark API (api.day.app). The credential access pattern is explicitly documented and required for the skill's intended function.

3 files scanned
437 lines analyzed
3 findings
Audited by: claude

No security issues found

Risk factors

🔑 Environment variables (1)
📁 Filesystem access (1)
🌐 Network access (1)

Audit version 3

Low risk

Jan 8, 2026, 05:56 AM

Legitimate notification utility that reads environment variables for API configuration, reads project metadata from AGENTS.md files, and sends push notifications to the official Bark API (api.day.app). No suspicious patterns detected.

2 files scanned
146 lines analyzed
4 findings
Audited by: claude

No security issues found

Risk factors

🔑 Environment variables (1)
📁 Filesystem access (1)
🌐 Network access (1)
⚡ Contains scripts (1)

Audit version 2

Low risk

Jan 8, 2026, 05:56 AM

Legitimate notification utility that reads environment variables for API configuration, reads project metadata from AGENTS.md files, and sends push notifications to the official Bark API (api.day.app). No suspicious patterns detected.

2 files scanned
146 lines analyzed
4 findings
Audited by: claude

No security issues found

Risk factors

🔑 Environment variables (1)
📁 Filesystem access (1)
🌐 Network access (1)
⚡ Contains scripts (1)

Audit version 1

Low risk

Jan 8, 2026, 05:56 AM

Legitimate notification utility that reads environment variables for API configuration, reads project metadata from AGENTS.md files, and sends push notifications to the official Bark API (api.day.app). No suspicious patterns detected.

2 files scanned
146 lines analyzed
4 findings
Audited by: claude

No security issues found

Risk factors

🔑 Environment variables (1)
📁 Filesystem access (1)
🌐 Network access (1)
⚡ Contains scripts (1)