監査履歴 - synthese-multi-llm

監査バージョン 5

リスク要因

⚙️ 外部コマンド (2)

scripts/synthese.py:1229-1242 scripts/synthese.py:1299-1320

🌐 ネットワークアクセス (1)

scripts/synthese.py:836-848

📁 ファイルシステムへのアクセス (1)

scripts/synthese.py:708-720

🔑 環境変数 (1)

scripts/backends/anthropic_backend.py:106-108

監査バージョン 4

低リスク

Jan 16, 2026, 03:20 PM

This is a legitimate multi-LLM orchestration tool for text summarization. The static analyzer's 588 findings are overwhelmingly false positives. The 'weak cryptographic algorithm' findings are markdown documentation being misidentified. 'Shell backtick execution' findings are markdown code formatting. 'API/secret keys' findings are proper environment variable access patterns. The critical heuristics are triggered by legitimate subprocess execution for CLI model calls and API interactions with proper credential handling. No evidence of malicious intent, data exfiltration, or harmful patterns found.

22

スキャンされたファイル

9,013

解析された行数

4

検出結果

claude

監査者

セキュリティ問題は見つかりませんでした

リスク要因

⚙️ 外部コマンド (2)

scripts/synthese.py:1229-1242 scripts/synthese.py:1299-1320

🌐 ネットワークアクセス (1)

scripts/synthese.py:836-848

📁 ファイルシステムへのアクセス (1)

scripts/synthese.py:708-720

🔑 環境変数 (1)

scripts/backends/anthropic_backend.py:106-108

監査バージョン 3

低リスク

Jan 10, 2026, 10:15 AM

Legitimate multi-LLM synthesis tool. Capabilities align with stated purpose. Subprocess and network calls are documented and expected for calling external LLM services. Input sanitization and validation present. No malicious patterns detected.

14

スキャンされたファイル

4,642

解析された行数

7

検出結果

claude

監査者

低リスクの問題 (2)

scripts/synthese.py:70

Subprocess execution for LLM calls

The code executes subprocess calls to invoke external CLI commands (claude, gemini, codex). This is a legitimate capability for an LLM orchestration tool. Callers are hardcoded CLI tools, not user-controlled input. Code: `asyncio.create_subprocess_exec(*cmd)` at scripts/synthese.py:70

wrappers/claude_wrapper.sh:40-50

Network calls to external APIs

The code makes HTTP requests to external LLM APIs (Anthropic, Ollama). Endpoints are documented and expected: https://api.anthropic.com/v1/messages and http://localhost:11434/api/generate. Required for core functionality.

リスク要因

⚡ スクリプトを含む (3)

scripts/synthese.py:1-1500 scripts/config.py:1-534 scripts/retry.py:1-611

🌐 ネットワークアクセス (3)

scripts/backends/anthropic_backend.py:1-321 wrappers/claude_wrapper.sh:20-50 wrappers/ollama_wrapper.sh:40-46

📁 ファイルシステムへのアクセス (2)

scripts/config.py:175-177 scripts/synthese.py:634-724

🔑 環境変数 (2)

scripts/backends/anthropic_backend.py:106-108 scripts/backends/cli_backend.py:151-152

⚙️ 外部コマンド (2)

scripts/synthese.py:64-89 scripts/backends/cli_backend.py:127-224

監査バージョン 2

低リスク

Jan 10, 2026, 10:15 AM

Legitimate multi-LLM synthesis tool. Capabilities align with stated purpose. Subprocess and network calls are documented and expected for calling external LLM services. Input sanitization and validation present. No malicious patterns detected.

14

スキャンされたファイル

4,642

解析された行数

7

検出結果

claude

監査者

低リスクの問題 (2)

scripts/synthese.py:70

Subprocess execution for LLM calls

The code executes subprocess calls to invoke external CLI commands (claude, gemini, codex). This is a legitimate capability for an LLM orchestration tool. Callers are hardcoded CLI tools, not user-controlled input. Code: `asyncio.create_subprocess_exec(*cmd)` at scripts/synthese.py:70

wrappers/claude_wrapper.sh:40-50

Network calls to external APIs

The code makes HTTP requests to external LLM APIs (Anthropic, Ollama). Endpoints are documented and expected: https://api.anthropic.com/v1/messages and http://localhost:11434/api/generate. Required for core functionality.

リスク要因

⚡ スクリプトを含む (3)

scripts/synthese.py:1-1500 scripts/config.py:1-534 scripts/retry.py:1-611

🌐 ネットワークアクセス (3)

scripts/backends/anthropic_backend.py:1-321 wrappers/claude_wrapper.sh:20-50 wrappers/ollama_wrapper.sh:40-46

📁 ファイルシステムへのアクセス (2)

scripts/config.py:175-177 scripts/synthese.py:634-724

🔑 環境変数 (2)

scripts/backends/anthropic_backend.py:106-108 scripts/backends/cli_backend.py:151-152

⚙️ 外部コマンド (2)

scripts/synthese.py:64-89 scripts/backends/cli_backend.py:127-224

監査バージョン 1

低リスク

Jan 10, 2026, 10:15 AM

Legitimate multi-LLM synthesis tool. Capabilities align with stated purpose. Subprocess and network calls are documented and expected for calling external LLM services. Input sanitization and validation present. No malicious patterns detected.

14

スキャンされたファイル

4,642

解析された行数

7

検出結果

claude

監査者

低リスクの問題 (2)

scripts/synthese.py:70

Subprocess execution for LLM calls

The code executes subprocess calls to invoke external CLI commands (claude, gemini, codex). This is a legitimate capability for an LLM orchestration tool. Callers are hardcoded CLI tools, not user-controlled input. Code: `asyncio.create_subprocess_exec(*cmd)` at scripts/synthese.py:70

wrappers/claude_wrapper.sh:40-50

Network calls to external APIs

The code makes HTTP requests to external LLM APIs (Anthropic, Ollama). Endpoints are documented and expected: https://api.anthropic.com/v1/messages and http://localhost:11434/api/generate. Required for core functionality.

リスク要因

⚡ スクリプトを含む (3)

scripts/synthese.py:1-1500 scripts/config.py:1-534 scripts/retry.py:1-611

🌐 ネットワークアクセス (3)

scripts/backends/anthropic_backend.py:1-321 wrappers/claude_wrapper.sh:20-50 wrappers/ollama_wrapper.sh:40-46

📁 ファイルシステムへのアクセス (2)

scripts/config.py:175-177 scripts/synthese.py:634-724

🔑 環境変数 (2)

scripts/backends/anthropic_backend.py:106-108 scripts/backends/cli_backend.py:151-152

⚙️ 外部コマンド (2)

scripts/synthese.py:64-89 scripts/backends/cli_backend.py:127-224