Audit history

webapp-sqlmap - 6 audits

Audit version 6

Latest: High risk

Jun 28, 2026, 06:35 AM

The static findings are mixed: generic reference templates create many false positives, but the main skill contains confirmed dual-use offensive sqlmap guidance. The skill is not deceptive and includes authorization warnings, but it provides explicit workflows for data extraction, file access, OS shells, WAF evasion, and Tor use, so it should not be published without strict marketplace controls.

Files scanned: 5
Lines analyzed: 1,984
Findings: 12
Auditor: codex

High-risk issues (3)

Dual-use SQL injection exploitation workflow
The main skill goes beyond detection and instructs users on database enumeration, table dumping, credential extraction, server file reads, file writes, and OS shell access. These are legitimate in authorized tests but can directly enable unauthorized compromise.
WAF bypass and anonymity guidance
The skill teaches tamper scripts, random user agents, proxy use, Tor checks, method changes, and randomized delays. These techniques can support authorized testing, but they also lower barriers for evasion during unauthorized attacks.
Unsafe pipe-to-shell installer pattern in CI template
The CI template includes a curl-to-shell installation pattern. If copied into a workflow, this executes remote code from the network during CI and creates supply-chain risk.
Medium-risk issues (2)
Operational execution examples require strong scope controls
Many static external-command and network findings come from sqlmap command examples against example domains. The commands are not executed by the skill itself, but they are actionable instructions for invasive network testing.
Credential and environment examples are mostly benign templates
The scanner flagged environment variables, token names, and secret examples in rule and CI templates. These are mostly demonstrative security-scanning examples, but they can normalize copying placeholder secrets or broad token access if used carelessly.
Low-risk issues (2)
Static script and crypto hits in references are false positives
The document.write, innerHTML, MD5, SHA1, and API key patterns in the reference files are vulnerable-code examples used to teach detection and remediation. No evidence found that they are executable skill logic or hidden malicious behavior.
Prompt injection search found no evidence
No evidence found in the analyzed files for override instructions, fake system messages, pre-approval claims, or instructions to skip security review.

Detected patterns

sqlmap table and credential dumping
sqlmap server file read and file write
sqlmap OS shell and SQL shell options
WAF bypass and Tor options
Remote script execution in CI template

Audit version 5

High risk

Jan 16, 2026, 04:26 PM

This skill wraps sqlmap, a legitimate open-source penetration testing tool. Static findings (273 patterns) are TRUE POSITIVES for security-relevant operations but represent intentional functionality for authorized security testing. The skill includes explicit authorization requirements and ethical use guidelines. SQL injection testing can be destructive to databases and requires strict authorization controls.

Files scanned: 6
Lines analyzed: 2,195
Findings: 4
Auditor: claude
No security issues were found

Risk factors

⚙️ External commands (1)
🌐 Network access (1)
📁 File system access (1)
🔑 Environment variables (1)

Audit version 4

High risk

Jan 16, 2026, 04:26 PM

This skill wraps sqlmap, a legitimate open-source penetration testing tool. Static findings (273 patterns) are TRUE POSITIVES for security-relevant operations but represent intentional functionality for authorized security testing. The skill includes explicit authorization requirements and ethical use guidelines. SQL injection testing can be destructive to databases and requires strict authorization controls.

Files scanned: 6
Lines analyzed: 2,195
Findings: 4
Auditor: claude
No security issues were found

Risk factors

⚙️ External commands (1)
🌐 Network access (1)
📁 File system access (1)
🔑 Environment variables (1)

Audit version 3

Safe

Jan 10, 2026, 11:07 AM

Pure documentation skill containing no executable code. Provides SQLMap usage guidance, workflow checklists, and CI/CD security templates. All content focuses on authorized penetration testing with explicit authorization requirements. No scripts, network calls, file system access, or command execution capabilities present.

Files scanned: 5
Lines analyzed: 1,059
Findings: 0
Auditor: claude
No security issues were found

Audit version 2

Safe

Jan 10, 2026, 11:07 AM

Pure documentation skill containing no executable code. Provides SQLMap usage guidance, workflow checklists, and CI/CD security templates. All content focuses on authorized penetration testing with explicit authorization requirements. No scripts, network calls, file system access, or command execution capabilities present.

Files scanned: 5
Lines analyzed: 1,059
Findings: 0
Auditor: claude
No security issues were found

Audit version 1

Safe

Jan 10, 2026, 11:07 AM

Pure documentation skill containing no executable code. Provides SQLMap usage guidance, workflow checklists, and CI/CD security templates. All content focuses on authorized penetration testing with explicit authorization requirements. No scripts, network calls, file system access, or command execution capabilities present.

Files scanned: 5
Lines analyzed: 1,059
Findings: 0
Auditor: claude
No security issues were found