Skill dast-ffuf audit history

Audit History

dast-ffuf - 6 audits

Audit version 6

Latest: Medium risk

Jun 28, 2026, 05:19 AM

Static analysis reported many command, network, environment, script, and filesystem patterns, but review shows most are documentation examples or security-rule templates. The skill is still medium risk because it provides real ffuf network fuzzing and credential-fuzzing workflows that require authorization and rate limits. No prompt injection or confirmed malicious intent was found.

Files scanned: 5
Lines analyzed: 1,996
Findings: 12
Auditor: codex
Medium-risk issues (3)
Dual-use Web Fuzzing Commands
The skill documents real ffuf workflows for directory discovery, parameter fuzzing, virtual host discovery, and CI testing. This is appropriate for authorized DAST work, but the same commands can be misused for reconnaissance against unauthorized targets.
Authentication Endpoint Credential Fuzzing Guidance
The skill includes examples for fuzzing usernames and passwords against login endpoints. This is legitimate in a scoped test, but it is sensitive because it can resemble credential stuffing or brute-force activity if used without permission.
Pipe-to-Shell Installer in CI Template
The CI template installs tfsec by piping a remote script directly into bash. This is a real supply-chain risk if copied as-is because remote script content is executed without pinning or verification.
Low-risk issues (4)
Static Hits Are Mostly Documentation Examples
Many external command and URL findings are expected markdown examples for installing ffuf and running authorized web fuzzing. They are not hidden automation and do not execute when the skill is loaded.
Security Rule Template Contains Vulnerable Examples
The rule template includes sample vulnerable code for hardcoded secrets, XSS, and weak cryptography so security rules can detect those patterns. These examples are educational content rather than active malicious behavior.
Environment Token Use Is GitHub Action Configuration
The GitHub token reference is used by the Gitleaks action in a CI template. This is normal GitHub Actions configuration, not evidence of credential exfiltration.
XSS and API Key Examples Are Remediation Documentation
The example document shows unsafe DOM operations and environment-based API key handling as part of security education. These snippets are not loaded by an application runtime in this skill.

Detected patterns

- Remote Script Piped to Bash
- Network Fuzzing Against User-Supplied Targets
- Credential Fuzzing Workflow

Audit version 5

Safe

Jan 16, 2026, 03:32 PM

Documentation-only skill providing guidance for ffuf, a legitimate open-source DAST tool. All static findings are in markdown files and YAML templates showing example commands. No executable code, network operations, or credential access present in the skill itself. Heuristic alerts trigger on expected DAST tool patterns (command execution, network requests, credential handling), which are legitimate functionality for web fuzzing.

Files scanned: 6
Lines analyzed: 2,214
Findings: 4
Auditor: claude
No security issues found

Risk factors

⚙️ External commands (2)
🌐 Network access (2)
🔑 Environment variables (1)
⚡ Contains scripts (1)

Audit version 4

Safe

Jan 16, 2026, 03:32 PM

Documentation-only skill providing guidance for ffuf, a legitimate open-source DAST tool. All static findings are in markdown files and YAML templates showing example commands. No executable code, network operations, or credential access present in the skill itself. Heuristic alerts trigger on expected DAST tool patterns (command execution, network requests, credential handling), which are legitimate functionality for web fuzzing.

Files scanned: 6
Lines analyzed: 2,214
Findings: 4
Auditor: claude
No security issues found

Risk factors

⚙️ External commands (2)
🌐 Network access (2)
🔑 Environment variables (1)
⚡ Contains scripts (1)

Audit version 3

Safe

Jan 10, 2026, 10:24 AM

Documentation-only skill containing no executable code. Provides guidance for using the legitimate open-source ffuf security tool. All files are template documentation with defensive security patterns. No network operations, file system access, or code execution paths present.

Files scanned: 5
Lines analyzed: 1,896
Findings: 0
Auditor: claude
No security issues found

Audit version 2

Safe

Jan 10, 2026, 10:24 AM

Documentation-only skill containing no executable code. Provides guidance for using the legitimate open-source ffuf security tool. All files are template documentation with defensive security patterns. No network operations, file system access, or code execution paths present.

Files scanned: 5
Lines analyzed: 1,896
Findings: 0
Auditor: claude
No security issues found

Audit version 1

Safe

Jan 10, 2026, 10:24 AM

Documentation-only skill containing no executable code. Provides guidance for using the legitimate open-source ffuf security tool. All files are template documentation with defensive security patterns. No network operations, file system access, or code execution paths present.

Files scanned: 5
Lines analyzed: 1,896
Findings: 0
Auditor: claude
No security issues found