Compétences writing-skills Historique des audits
📝

Historique des audits

writing-skills - 5 audits

Version de l’audit 5

Dernier Sûr

Jan 17, 2026, 08:06 AM

All 525 static findings are false positives. The skill is legitimate documentation for creating AI skills using TDD principles. External command patterns in markdown files are documentation code examples. Weak crypto patterns show what NOT to do. C2 keywords are legitimate references. render-graphs.js is a benign utility for rendering graphviz diagrams.

8
Fichiers analysés
3,155
Lignes analysées
3
résultats
claude
Audité par
Aucun problème de sécurité trouvé

Facteurs de risque

⚙️ Commandes externes (2)
SKILL.md:12 anthropic-best-practices.md:32
📁 Accès au système de fichiers (1)
render-graphs.js:16
🌐 Accès réseau (1)
skill-report.json:6

Version de l’audit 4

Sûr

Jan 17, 2026, 08:06 AM

All 525 static findings are false positives. The skill is legitimate documentation for creating AI skills using TDD principles. External command patterns in markdown files are documentation code examples. Weak crypto patterns show what NOT to do. C2 keywords are legitimate references. render-graphs.js is a benign utility for rendering graphviz diagrams.

8
Fichiers analysés
3,155
Lignes analysées
3
résultats
claude
Audité par
Aucun problème de sécurité trouvé

Facteurs de risque

⚙️ Commandes externes (2)
SKILL.md:12 anthropic-best-practices.md:32
📁 Accès au système de fichiers (1)
render-graphs.js:16
🌐 Accès réseau (1)
skill-report.json:6

Version de l’audit 3

Sûr

Jan 14, 2026, 12:16 AM

This is a legitimate documentation framework for creating AI skills using Test-Driven Development principles. The static analysis flagged numerous false positives from code examples and documentation that mention security-sensitive patterns. All external command references are in documentation/examples, not executable code.

7
Fichiers analysés
2,911
Lignes analysées
2
résultats
claude
Audité par
Aucun problème de sécurité trouvé

Facteurs de risque

⚙️ Commandes externes (1)
render-graphs.js:18
📁 Accès au système de fichiers (1)
render-graphs.js:16

Version de l’audit 2

Risque faible

Jan 6, 2026, 07:41 AM

Documentation and methodology skill for creating AI skills using TDD. Contains one utility script (render-graphs.js) that renders GraphViz diagrams to SVG. All file access is limited to the skill's own directory or user-specified skill directories. No network access, no credential access, no data exfiltration. The only external command executed is the graphviz 'dot' command which is explicitly required and documented.

7
Fichiers analysés
2,421
Lignes analysées
5
résultats
claude
Audité par
Problèmes à risque faible (2)
render-graphs.js:72-76
External command execution in render-graphs.js
The render-graphs.js script uses execSync to execute the 'dot' command from GraphViz. The command is constructed as a literal string 'dot -Tsvg' on line 72, not using any user input, making it safe. This is the expected functionality for a diagram rendering tool.
render-graphs.js:101-108
Filesystem access in render-graphs.js
The script reads and writes files using fs.readFileSync and fs.writeFileSync. Access is limited to the specified skill directory and its 'diagrams' subdirectory. The skill directory path is resolved using path.resolve on user-provided input, but only creates directories and writes files within the target skill directory, limiting scope.

Facteurs de risque

⚡ Contient des scripts (1)
render-graphs.js:1-169
📁 Accès au système de fichiers (6)
render-graphs.js:16-18 render-graphs.js:105-108 render-graphs.js:120 render-graphs.js:131-133 render-graphs.js:141 render-graphs.js:156-157
⚙️ Commandes externes (3)
render-graphs.js:18 render-graphs.js:72-76 render-graphs.js:112

Version de l’audit 1

Risque faible

Jan 6, 2026, 07:41 AM

Documentation and methodology skill for creating AI skills using TDD. Contains one utility script (render-graphs.js) that renders GraphViz diagrams to SVG. All file access is limited to the skill's own directory or user-specified skill directories. No network access, no credential access, no data exfiltration. The only external command executed is the graphviz 'dot' command which is explicitly required and documented.

7
Fichiers analysés
2,421
Lignes analysées
5
résultats
claude
Audité par
Problèmes à risque faible (2)
render-graphs.js:72-76
External command execution in render-graphs.js
The render-graphs.js script uses execSync to execute the 'dot' command from GraphViz. The command is constructed as a literal string 'dot -Tsvg' on line 72, not using any user input, making it safe. This is the expected functionality for a diagram rendering tool.
render-graphs.js:101-108
Filesystem access in render-graphs.js
The script reads and writes files using fs.readFileSync and fs.writeFileSync. Access is limited to the specified skill directory and its 'diagrams' subdirectory. The skill directory path is resolved using path.resolve on user-provided input, but only creates directories and writes files within the target skill directory, limiting scope.

Facteurs de risque

⚡ Contient des scripts (1)
render-graphs.js:1-169
📁 Accès au système de fichiers (6)
render-graphs.js:16-18 render-graphs.js:105-108 render-graphs.js:120 render-graphs.js:131-133 render-graphs.js:141 render-graphs.js:156-157
⚙️ Commandes externes (3)
render-graphs.js:18 render-graphs.js:72-76 render-graphs.js:112
← Retour au skill