Audit history

pitchcraft - 2 audits

Audit version 2

Latest - Medium risk

Jun 30, 2026, 08:24 AM

Static analysis reported many high and critical patterns, but review found most are false positives from markdown examples, documentation URLs, license text, and Chinese-language files. The confirmed risk is the npm postinstall installer, which writes skill files into AI agent configuration directories and uses environment-controlled install scope. No malicious intent, data exfiltration, or prompt injection attempt was found.

Files scanned: 10
Lines analyzed: 1,471
Review items: 11
False positives ignored: 0

Confirmed security concerns (3)

Medium
Npm Postinstall Modifies AI Agent Skill Directories
The package declares a postinstall script and the installer creates directories and copies SKILL.md into Claude, Cursor, or Codex skill locations. This appears intended for installation, but it changes AI agent configuration automatically during package install and should be disclosed to users.
The installer behavior is directly present in package.json and scripts/install.js. It is legitimate installation behavior, but automatic writes to agent configuration are security-relevant.
Low
Weak Crypto and Entropy Alerts Are False Positives
The weak cryptographic algorithm alerts match words in markdown, package metadata, or the Apache license, not cryptographic operations. The high-entropy alerts are consistent with Simplified Chinese text files rather than encoded payloads.
The referenced files are text documentation or metadata, and no encryption, hashing, packing, or decode routine was found. Chinese-language text explains the entropy heuristic.
Low
No Prompt Injection Attempt Found
A targeted review found no text claiming system authority, pre-approval, review bypass, or instructions to ignore the marketplace audit. No evidence found for prompt injection in the reviewed files.
The reviewed instruction files define the skill workflow and do not contain audit-bypass language. The confidence is high for the inspected files, with residual risk limited to unreviewed semantic nuance.
Capability review items (3)

These are real local capabilities that may be expected for this skill, so they require review but are not counted as confirmed malicious behavior.

Medium
Environment-Controlled Install Target
The installer uses npm and process environment values to decide whether to install globally or in the current project. No credential exfiltration was found, but environment-controlled paths increase the chance of unexpected writes during automated installs.
The code reads environment variables and uses them in installation flow. The variables are normal npm or control variables, so the risk is operational rather than malicious.
Low
Markdown Command Blocks Are Documentation Examples
Many external command findings are shell, PowerShell, or template snippets inside markdown installation guides and briefing templates. They are not hidden execution paths in the skill runtime, although users could copy or run the installer examples manually.
The suspicious patterns appear inside fenced markdown examples or prose. I found no evidence that these snippets execute automatically from the markdown files.
Low
Hardcoded URLs Are Metadata and Documentation Links
The network findings point to the Apache license URL, repository metadata, badge images, and documentation links. No code path was found that sends local data or secrets to those URLs.
The URLs are visible documentation or package metadata references. No request code or data-transfer logic was present in the reviewed executable script.

Detected patterns

Npm Postinstall Modifies AI Agent Skill Directories
Audited by: codex

Audit version 1

Low risk

Jun 2, 2026, 11:35 PM

PitchCraft is a writing/framework skill. Its only executable artifact is scripts/install.js, a transparent postinstall file copier that uses fs.mkdirSync and fs.copyFileSync to place SKILL.md into the standard agent skill directories under the user's home or project root. No network calls, no credential reads, no obfuscation, no eval. The static analyzer's 255 findings are dominated by false positives: markdown backticks flagged as Ruby/shell execution, Apache-2.0 license text flagged as 'weak cryptographic algorithm' (e.g. 'WITHOUT WARRANTIES'), the project's own GitHub URLs flagged as 'hardcoded URLs', Chinese UTF-8 text flagged as high-entropy binary content, and standard ~ paths flagged as 'hidden file access'. The install script is a legitimate npm postinstall pattern. No confirmed malicious behavior.

Files scanned: 15
Lines analyzed: 2,247
Review items: 13
False positives ignored: 0

Confirmed security concerns (3)

Low
Static analyzer flagged markdown backticks as shell backtick execution
The scanner reported 'Ruby/shell backtick execution' on every markdown file because of inline code spans like `SKILL.md` and code blocks fenced with triple backticks. These are markdown syntax, not shell substitution. No shell evaluation occurs.
Low
Static analyzer flagged license and JSON text as weak cryptographic algorithm
The scanner reported 'Weak cryptographic algorithm' on lines containing the words 'Source', 'WITHOUT WARRANTIES', 'Source form', etc. inside LICENSE, plugin.json, package.json, and SKILL.md. There is no cryptographic code anywhere in the repository. These are false positives from the Apache-2.0 license text and from JSON metadata fields.
Low
High file entropy on Chinese-language files is a UTF-8 false positive
The scanner flagged SKILL.zh-CN.md, README.zh-CN.md, and prompts/universal.zh-CN.md as high-entropy binary/encrypted content. CJK characters are multi-byte UTF-8, which inflates Shannon entropy. The files are plain markdown, verified by reading.
Capability review items (5)

These are real local capabilities that may be expected for this skill, so they require review but are not counted as confirmed malicious behavior.

Medium
Postinstall script writes to user home directory
scripts/install.js runs automatically on `npm install` and copies SKILL.md into the user's home directory (e.g. ~/.claude/skills/pitchcraft/, ~/.cursor/skills/pitchcraft/) or the project root, depending on scope. The script is transparent in its actions (no network, no exec, no eval), and a `PITCHCRAFT_SKIP_INSTALL=1` escape hatch is provided. This is a normal npm postinstall pattern for agent skills, but users should know the install behavior runs on package install.
Medium
Install script reads npm environment variables
scripts/install.js reads process.env.npm_config_prefix, process.env.npm_config_global, process.env.INIT_CWD, and process.env.PITCHCRAFT_SKIP_INSTALL to decide install scope. This is standard npm postinstall behavior; no secrets are read or exfiltrated. The script never calls network APIs and never writes these values anywhere outside the local filesystem.
Low
Hardcoded URLs are all references to the project's own repository
Hardcoded URL findings in .claude-plugin/plugin.json, package.json, LICENSE, and README files all point to https://github.com/moshuying/pitchcraft or the author profile. These are documentation metadata, not external network calls. The install.js script performs no network requests.
Low
PowerShell installation helper included in commands/pitchcraft.md
The command file ships both bash and PowerShell installation snippets for cross-platform support. The PowerShell block only creates a directory and copies SKILL.md into the standard Claude skills path. It is a manual user-invoked install helper, not auto-executed code.
Low
DANGEROUS COMBINATION heuristic: filesystem + env + network is normal for an installer
The combined heuristic fired because the install script touches env vars, the filesystem, and references URLs in metadata. The script itself performs no network requests; the URLs are static metadata. The combination is the standard npm postinstall pattern, not malicious behavior.

Detected patterns

Postinstall writes skill files into user home
Path traversal pattern in install.js uses fixed __dirname
Audited by: claude