Skill webapp-nikto audit history

Audit history

webapp-nikto - 6 audits

Audit version 6

Latest: High risk

Jun 28, 2026, 06:32 AM

Static analysis found many command, network, script, environment, and filesystem patterns. Most are false positives from documentation templates or expected Nikto usage, but the skill contains confirmed dual-use scanning guidance, IDS/WAF evasion examples, and a CI template that pipes a remote installer into a shell. No evidence found of prompt injection, credential exfiltration, or malicious payloads, so this is not blocked as malware.

Files scanned: 5
Lines analyzed: 1,962
Findings: 13
Auditor: codex

High-risk issues (2)

IDS and WAF Evasion Guidance
The skill gives explicit Nikto evasion and WAF-blocking workarounds. Even with authorization warnings, this materially increases dual-use risk because it helps bypass detection during web scanning.
Remote Installer Piped to Shell in CI Template
The CI template demonstrates downloading a remote shell installer and piping it directly to bash. This is a supply-chain risk if copied because remote content executes inside CI without pinning or verification.
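The fix for the piped-installer pattern is to download to a file, compare its digest against a value pinned in the pipeline definition, and only then execute it. The following shell function is an added example written for this audit page; it is not code from the webapp-nikto skill or its CI template. The function names, the `demo_pinned_install` helper and the constructed installer script are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the webapp-nikto skill): execute a downloaded
# installer only when its SHA-256 matches a digest pinned in the pipeline.

sha256_of() {
  # Portable SHA-256: coreutils sha256sum on Linux, shasum on macOS.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# run_pinned_installer FILE EXPECTED_SHA256
# Runs FILE with bash and returns its status only when the digest matches;
# otherwise returns 1 without executing anything.
run_pinned_installer() {
  local file="$1" expected="$2" actual
  actual="$(sha256_of "$file")"
  if [ "$actual" != "$expected" ]; then
    echo "refusing to run $file: sha256 $actual does not match pinned $expected" >&2
    return 1
  fi
  bash "$file"
}

# fetch_and_run URL EXPECTED_SHA256
# The CI replacement for `curl ... | bash`: download to a temporary file,
# verify, then run. Not exercised offline; shown for the pipeline use case.
fetch_and_run() {
  local url="$1" expected="$2" tmp
  tmp="$(mktemp)" || return 1
  curl -fsSL -o "$tmp" "$url" || { rm -f "$tmp"; return 1; }
  run_pinned_installer "$tmp" "$expected"
  local rc=$?
  rm -f "$tmp"
  return $rc
}

# demo_pinned_install: offline demonstration with a constructed installer.
# Prints "verified" if the pinned digest ran the script and a tampered
# digest was refused; returns 1 otherwise.
demo_pinned_install() {
  local dir script pinned
  dir="$(mktemp -d)" || return 1
  script="$dir/installer.sh"
  # Constructed installer: it only drops a marker file when executed.
  printf 'touch "%s/marker"\n' "$dir" > "$script"
  pinned="$(sha256_of "$script")"
  run_pinned_installer "$script" "$pinned" || return 1
  [ -f "$dir/marker" ] || return 1
  rm -f "$dir/marker"
  # A digest that does not match must not execute the script.
  if run_pinned_installer "$script" "deadbeef" 2>/dev/null; then return 1; fi
  [ ! -f "$dir/marker" ] || return 1
  rm -rf "$dir"
  echo verified
}
```

In a pipeline, `fetch_and_run "$INSTALLER_URL" "$INSTALLER_SHA256"` replaces `curl ... | bash`, with the digest committed alongside the workflow so a changed upstream file fails the job instead of running. Pin the URL to a tagged release as well; a moving "latest" URL defeats the purpose of the digest.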
Medium-risk issues (3)
Authorized Web Vulnerability Scanning Can Affect Targets
The skill is built around running Nikto against web servers. It warns users to get written permission and notes traffic, alerting, log volume, and possible production impact.
Inline Credentials in Authenticated Scan Examples
Authenticated scanning examples place usernames, passwords, and cookies directly in command lines. These are placeholders, but copied patterns can leak credentials through shell history, logs, or process listings.
Bulk Scanning Workflow Increases Blast Radius
The skill shows multi-host and bulk scan workflows. This is useful for authorized assessment, but it can create high traffic or scan unintended systems if scope controls are weak.
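The two findings above (inline credentials and weak scope controls in bulk scans) share one remedy: a wrapper that keeps authentication material out of the command text and refuses any host not on an explicit scope list. The shell below is an added example written for this audit page, not code from the webapp-nikto skill; the file layout, the hostnames and the `NIKTO_DRY_RUN` switch are assumptions for illustration. Nikto's `-h`, `-id` and `-o` options are real; everything else is the wrapper's own.

```shell
#!/usr/bin/env bash
# Added example (not from the webapp-nikto skill): a multi-host Nikto wrapper
# that reads credentials from a mode-0600 file and enforces a scope allowlist.

# load_auth_file FILE -> prints the first line of FILE ("user:pass").
# Fails unless the file is mode 600 or 400, so a world-readable copy of the
# credential is caught before it is used.
load_auth_file() {
  local file="$1" mode
  [ -f "$file" ] || { echo "auth file $file missing" >&2; return 1; }
  mode="$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")"
  case "$mode" in
    600|400) ;;
    *) echo "auth file $file has mode $mode; expected 600" >&2; return 1 ;;
  esac
  head -n 1 "$file"
}

# in_scope HOST SCOPE_FILE -> 0 only if HOST matches a full line exactly.
in_scope() {
  grep -qxF -- "$1" "$2"
}

# filter_targets TARGET_FILE SCOPE_FILE -> prints in-scope targets on stdout,
# reports skipped ones on stderr, returns 1 if anything was dropped.
filter_targets() {
  local targets="$1" scope="$2" host dropped=0
  while IFS= read -r host; do
    [ -z "$host" ] && continue
    if in_scope "$host" "$scope"; then
      printf '%s\n' "$host"
    else
      echo "out of scope, skipping: $host" >&2
      dropped=1
    fi
  done < "$targets"
  return $dropped
}

# scan_targets TARGET_FILE SCOPE_FILE AUTH_FILE OUTDIR
# Runs one Nikto scan per in-scope host. With NIKTO_DRY_RUN=1 (assumed
# switch) it prints a redacted command instead, so it can run without a
# scanner or a target present.
scan_targets() {
  local targets="$1" scope="$2" auth="$3" outdir="$4" cred host
  cred="$(load_auth_file "$auth")" || return 1
  mkdir -p "$outdir" || return 1
  filter_targets "$targets" "$scope" | while IFS= read -r host; do
    if [ "${NIKTO_DRY_RUN:-0}" = "1" ]; then
      printf 'nikto -h %s -id <redacted> -o %s/%s.txt\n' "$host" "$outdir" "$host"
    else
      nikto -h "$host" -id "$cred" -o "$outdir/$host.txt"
    fi
  done
}
```

Reading the credential from a file keeps it out of shell history and out of any command line that gets pasted into tickets or reports. It does not hide it from the local process listing while `nikto` runs, so use a dedicated scanning account on a host you control rather than a shared jump box. The scope file is the written authorization expressed as data: a target that is not on it is skipped and logged, which is the behaviour you want when a stale host list is reused.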
Low-risk issues (3)
Environment Token Access Is Limited to Security Tool Configuration
The GitHub token and API key references are used in CI or secure-code examples. No evidence found that the skill exfiltrates secrets or instructs users to reveal tokens.
Vulnerable Code Snippets Are Pedagogical Examples
Static hits for XSS, weak cryptography, hardcoded secrets, and injection occur inside rule templates or reference examples that show vulnerable and fixed patterns for education.
Local File Reads Are for Generated Report Comments
The Node.js filesystem access in the CI template reads a locally generated markdown report before creating a pull request comment. No evidence found of arbitrary file reads.

Detected patterns

Nikto Evasion Flags
Remote Script Execution in Pipeline
Inline Authentication Material in Shell Commands

Audit version 5

Low risk

Jan 16, 2026, 04:25 PM

Documentation-only skill providing guidance for the Nikto open-source web server scanner. All code examples are shell commands for the external Nikto tool which users install and run separately. Contains no executable scripts. Includes explicit authorization requirements and ethical usage guidelines. The static findings (external commands, network URLs, security vocabulary) are expected documentation content for a vulnerability scanning skill, not malicious patterns.

Files scanned: 6
Lines analyzed: 2,216
Findings: 4
Auditor: claude
Low-risk issues (1)
Documentation describes security scanning capabilities
The skill documentation includes examples of Nikto scanning commands that interact with external web servers. These are documented usage instructions for a legitimate open-source security tool. Includes explicit authorization requirements and ethical usage guidelines.

Risk factors

⚙️ External commands (1)
🌐 Network access (1)
🔑 Environment variables (1)

Audit version 4

Low risk

Jan 16, 2026, 04:25 PM

Documentation-only skill providing guidance for the Nikto open-source web server scanner. All code examples are shell commands for the external Nikto tool which users install and run separately. Contains no executable scripts. Includes explicit authorization requirements and ethical usage guidelines. The static findings (external commands, network URLs, security vocabulary) are expected documentation content for a vulnerability scanning skill, not malicious patterns.

Files scanned: 6
Lines analyzed: 2,216
Findings: 4
Auditor: claude
Low-risk issues (1)
Documentation describes security scanning capabilities
The skill documentation includes examples of Nikto scanning commands that interact with external web servers. These are documented usage instructions for a legitimate open-source security tool. Includes explicit authorization requirements and ethical usage guidelines.

Risk factors

⚙️ External commands (1)
🌐 Network access (1)
🔑 Environment variables (1)

Audit version 3

Low risk

Jan 10, 2026, 11:06 AM

Documentation-only skill providing guidance for the Nikto web server scanner. Contains no executable scripts. All code examples are for the external Nikto tool which users install separately. The skill includes explicit authorization requirements and ethical usage guidelines.

Files scanned: 5
Lines analyzed: 1,957
Findings: 3
Auditor: claude
Low-risk issues (1)
Documentation describes network scanning capabilities
The SKILL.md documentation includes extensive examples of Nikto scanning commands that interact with external web servers. These are documented usage instructions for the Nikto tool, not executable code. An attacker could theoretically use this documentation to learn scanning techniques, but the documentation explicitly requires authorization before use.

Risk factors

🌐 Network access (1)
⚙️ External commands (1)

Audit version 2

Low risk

Jan 10, 2026, 11:06 AM

Documentation-only skill providing guidance for the Nikto web server scanner. Contains no executable scripts. All code examples are for the external Nikto tool which users install separately. The skill includes explicit authorization requirements and ethical usage guidelines.

Files scanned: 5
Lines analyzed: 1,957
Findings: 3
Auditor: claude
Low-risk issues (1)
Documentation describes network scanning capabilities
The SKILL.md documentation includes extensive examples of Nikto scanning commands that interact with external web servers. These are documented usage instructions for the Nikto tool, not executable code. An attacker could theoretically use this documentation to learn scanning techniques, but the documentation explicitly requires authorization before use.

Risk factors

🌐 Network access (1)
⚙️ External commands (1)

Audit version 1

Low risk

Jan 10, 2026, 11:06 AM

Documentation-only skill providing guidance for the Nikto web server scanner. Contains no executable scripts. All code examples are for the external Nikto tool which users install separately. The skill includes explicit authorization requirements and ethical usage guidelines.

Files scanned: 5
Lines analyzed: 1,957
Findings: 3
Auditor: claude
Low-risk issues (1)
Documentation describes network scanning capabilities
The SKILL.md documentation includes extensive examples of Nikto scanning commands that interact with external web servers. These are documented usage instructions for the Nikto tool, not executable code. An attacker could theoretically use this documentation to learn scanning techniques, but the documentation explicitly requires authorization before use.

Risk factors

🌐 Network access (1)
⚙️ External commands (1)