スキル skill-name 監査履歴
📦

監査履歴

skill-name - 6 監査

監査バージョン 6

最新 高リスク

Jun 28, 2026, 06:29 AM

Static analysis found many command, network, secret, filesystem, and script patterns. Most are false positives from security training examples and rule templates, but the CI asset contains a real remote installer piped directly into a shell. No confirmed malicious intent or prompt injection was found, but the unsafe CI pattern and unfinished template quality make this unsuitable for publication without remediation.

5
スキャンされたファイル
1,677
解析された行数
10
検出結果
codex
監査者

高リスクの問題 (1)

assets/ci-config-template.yml:240
Remote Installer Piped to Shell
The CI template downloads a third-party installer over the network and executes it directly with a shell. This is a true positive because users copying the template would run unauthenticated remote code in CI unless they replace this pattern with a pinned, verified installation method.
中リスクの問題 (2)
assets/ci-config-template.yml:134assets/ci-config-template.yml:164assets/ci-config-template.yml:250assets/ci-config-template.yml:323
Executable CI Template Requires Trust Review
The CI asset is designed to run security scanners, parse reports, read generated files, and post pull request comments. These actions are legitimate for DevSecOps, but they should be reviewed before publication because they combine external commands, filesystem reads, network-based actions, and GitHub token access.
SKILL.md:3-11SKILL.md:13-16SKILL.md:133-151
Unfinished Generic Skill Template
The primary skill file still contains placeholders for name, maintainer, category, patterns, troubleshooting, and examples. This is not a direct exploit, but it increases operational risk because users may copy incomplete security guidance into production workflows.
低リスクの問題 (2)
assets/rule-template.yaml:128-165assets/rule-template.yaml:268-299references/EXAMPLE.md:135-162references/EXAMPLE.md:235-279references/WORKFLOW_CHECKLIST.md:177-195
Security Example Snippets Trigger Static Patterns
The hardcoded secrets, weak crypto, XSS, C2, malware, and reconnaissance hits are mostly examples inside security rule or reference documentation. They demonstrate vulnerable and fixed patterns rather than executing those patterns as part of the skill.
assets/rule-template.yaml:43-45assets/rule-template.yaml:191-193SKILL.md:155-157
Reference Links Are Documentation URLs
Most hardcoded URL findings point to OWASP, CWE, example.com, or security documentation references. These are expected documentation links and do not show data exfiltration.

リスク要因

⚙️ 外部コマンド (5)
assets/ci-config-template.yml:134 assets/ci-config-template.yml:250 assets/ci-config-template.yml:291 references/WORKFLOW_CHECKLIST.md:74 SKILL.md:75
🌐 ネットワークアクセス (3)
assets/ci-config-template.yml:240 assets/rule-template.yaml:43-45 SKILL.md:155-157
📁 ファイルシステムへのアクセス (1)
assets/ci-config-template.yml:323
🔑 環境変数 (3)
assets/ci-config-template.yml:164 assets/rule-template.yaml:147-148 references/EXAMPLE.md:423-425
⚡ スクリプトを含む (1)
references/EXAMPLE.md:137-138

検出されたパターン

Pipe to Shell in Reusable CI Asset

監査バージョン 5

安全

Jan 16, 2026, 04:24 PM

This is a documentation and template directory containing no executable code. All 161 static findings are in template files (YAML schemas, markdown documentation, CI/CD configurations) used for creating security skills. The findings are false positives triggered by example code snippets demonstrating anti-patterns for educational purposes. All security patterns detected (Gitleaks, Trivy, Semgrep, shell commands) are legitimate defensive security tooling patterns.

6
スキャンされたファイル
1,886
解析された行数
3
検出結果
claude
監査者
セキュリティ問題は見つかりませんでした

リスク要因

⚙️ 外部コマンド (1)
assets/ci-config-template.yml:54-92
🌐 ネットワークアクセス (1)
assets/ci-config-template.yml:237-244
🔑 環境変数 (1)
assets/ci-config-template.yml:163-164

監査バージョン 4

安全

Jan 16, 2026, 04:24 PM

This is a documentation and template directory containing no executable code. All 161 static findings are in template files (YAML schemas, markdown documentation, CI/CD configurations) used for creating security skills. The findings are false positives triggered by example code snippets demonstrating anti-patterns for educational purposes. All security patterns detected (Gitleaks, Trivy, Semgrep, shell commands) are legitimate defensive security tooling patterns.

6
スキャンされたファイル
1,886
解析された行数
3
検出結果
claude
監査者
セキュリティ問題は見つかりませんでした

リスク要因

⚙️ 外部コマンド (1)
assets/ci-config-template.yml:54-92
🌐 ネットワークアクセス (1)
assets/ci-config-template.yml:237-244
🔑 環境変数 (1)
assets/ci-config-template.yml:163-164

監査バージョン 3

安全

Jan 10, 2026, 11:04 AM

This is a documentation template directory containing no executable code. Files are markdown documentation, YAML schemas, and CI/CD configuration templates designed for creating new security skills. All content serves defensive security education purposes.

6
スキャンされたファイル
1,672
解析された行数
0
検出結果
claude
監査者
セキュリティ問題は見つかりませんでした

監査バージョン 2

安全

Jan 10, 2026, 11:04 AM

This is a documentation template directory containing no executable code. Files are markdown documentation, YAML schemas, and CI/CD configuration templates designed for creating new security skills. All content serves defensive security education purposes.

6
スキャンされたファイル
1,672
解析された行数
0
検出結果
claude
監査者
セキュリティ問題は見つかりませんでした

監査バージョン 1

安全

Jan 10, 2026, 11:04 AM

This is a documentation template directory containing no executable code. Files are markdown documentation, YAML schemas, and CI/CD configuration templates designed for creating new security skills. All content serves defensive security education purposes.

6
スキャンされたファイル
1,672
解析された行数
0
検出結果
claude
監査者
セキュリティ問題は見つかりませんでした
← スキルに戻る