スキル pytm 監査履歴
📦

監査履歴

pytm - 6 監査

監査バージョン 6

最新 中リスク

Jun 28, 2026, 05:55 AM

Static analysis reported many command, network, credential, C2, and weak-crypto patterns, but review shows most are markdown examples, security taxonomy terms, or reference links. No prompt injection or malicious intent was found in SKILL.md. The remaining risk is legitimate guidance that includes package installation and sudo commands, so publication should include a command-execution warning.

1
スキャンされたファイル
575
解析済み行数
6
検出結果
codex
監査者
中リスクの問題 (1)
Privileged Package Installation Guidance
The skill includes package installation commands, including sudo apt-get for graphviz in CI and troubleshooting examples. This is legitimate setup guidance, but users should review privileged package manager commands before running them.
低リスクの問題 (3)
Markdown Code Fences Misclassified as Command Execution
Many static external-command findings are caused by fenced markdown examples and inline command text. They document pytm usage and do not execute automatically when the skill is loaded.
Reference URLs Misclassified as Network Behavior
The hardcoded URLs are reference links to pytm, OWASP, Microsoft STRIDE, MITRE ATT&CK, and NIST material. No evidence found that the skill sends data to these URLs.
Security Terms Misclassified as Sensitive or Malicious Content
Static hits for Windows SAM, C2, and weak cryptography are false positives from security framework names and example threat descriptions. OWASP SAMM and SOC2 are compliance references, not credential access or command-and-control behavior.

検出されたパターン

Copy-Paste Shell Commands in Documentation

監査バージョン 5

安全

Jan 16, 2026, 03:54 PM

Pure documentation skill containing only YAML frontmatter and markdown documentation teaching threat modeling concepts with the pytm library. No executable code, scripts, network calls, filesystem access, environment variable reads, or command execution capabilities are present. All static findings are false positives triggered by documentation patterns, not actual security risks.

2
スキャンされたファイル
758
解析済み行数
2
検出結果
claude
監査者
セキュリティ問題は見つかりませんでした

監査バージョン 4

安全

Jan 16, 2026, 03:54 PM

Pure documentation skill containing only YAML frontmatter and markdown documentation teaching threat modeling concepts with the pytm library. No executable code, scripts, network calls, filesystem access, environment variable reads, or command execution capabilities are present. All static findings are false positives triggered by documentation patterns, not actual security risks.

2
スキャンされたファイル
758
解析済み行数
2
検出結果
claude
監査者
セキュリティ問題は見つかりませんでした

監査バージョン 3

安全

Jan 10, 2026, 10:52 AM

Pure documentation skill containing no executable code. Only contains YAML frontmatter and markdown documentation teaching threat modeling concepts with the pytm library. No scripts, network calls, filesystem access, environment variable reads, or command execution capabilities present.

1
スキャンされたファイル
575
解析済み行数
0
検出結果
claude
監査者
セキュリティ問題は見つかりませんでした

監査バージョン 2

安全

Jan 10, 2026, 10:52 AM

Pure documentation skill containing no executable code. Only contains YAML frontmatter and markdown documentation teaching threat modeling concepts with the pytm library. No scripts, network calls, filesystem access, environment variable reads, or command execution capabilities present.

1
スキャンされたファイル
575
解析済み行数
0
検出結果
claude
監査者
セキュリティ問題は見つかりませんでした

監査バージョン 1

安全

Jan 10, 2026, 10:52 AM

Pure documentation skill containing no executable code. Only contains YAML frontmatter and markdown documentation teaching threat modeling concepts with the pytm library. No scripts, network calls, filesystem access, environment variable reads, or command execution capabilities present.

1
スキャンされたファイル
575
解析済み行数
0
検出結果
claude
監査者
セキュリティ問題は見つかりませんでした