
Audit history

observability-monitoring - 6 audits

Audit version 6

Latest: Medium risk

Jun 28, 2026, 10:08 AM

The static critical finding is dismissed: the apparent command execution and weak cryptography hits are Markdown fences, comments, alert durations, imports, and normal configuration reads. The skill is not malicious, but it includes reusable logging and tracing templates that can collect request metadata, error details, and trace attributes, so publication should include a privacy warning.

Files scanned: 6
Lines analyzed: 796
Findings: 10
Auditor: codex

Medium-risk issues (3)
Unredacted Request Metadata Logging
The request logger records query parameters, user agent, and IP address. This is useful for observability, but adopters could accidentally log tokens, personal data, or internal identifiers without redaction.
Telemetry Export May Send Sensitive Trace Attributes
The OpenTelemetry template exports traces to an endpoint selected by environment configuration and records order and payment attributes. This is expected observability behavior, but it can transmit sensitive operational data to a collector.
Health Check Responses Expose Operational Details
The readiness endpoint returns application version, uptime, dependency names, latency, and raw error messages. These details can help operators, but they can also reveal internal system state if exposed publicly.
Low-risk issues (4)
External Command Findings Are Markdown and Comments
The static shell execution matches are Markdown code fences, TypeScript template string examples, template references, or a commented bad logging example. No executable Ruby backtick or shell command path was found in these locations.
Weak Cryptography Findings Are Keyword Collisions
The weak cryptography hits are not cryptographic code. They appear in descriptive text, Prometheus alert expressions, humanized descriptions, imports, and normal control flow comments.
Environment Access Is Configuration Only
The environment variable reads configure log level, service metadata, deployment environment, trace exporter endpoint, and application version. No code reads environment files or sends all environment variables elsewhere.
Hardcoded Network URL Defaults To Local Collector
The only hardcoded URL is the OpenTelemetry trace exporter default for localhost. It is a standard local collector endpoint, not an external exfiltration destination.

Detected patterns

Log Request Data Only After Redaction
Protect Telemetry Export Destinations

Audit version 5

Safe

Jan 16, 2026, 04:53 PM

This skill contains standard observability templates using legitimate libraries (Winston, Prometheus, OpenTelemetry). All static findings are false positives: 'weak cryptographic algorithm' detections are misidentified Prometheus query expressions; 'C2 keywords' and 'system reconnaissance' are legitimate monitoring terms; 'backtick execution' hits in SKILL.md are markdown code delimiters. All network calls are to configurable OTLP endpoints, and all file access is for logging purposes.

Files scanned: 7
Lines analyzed: 1,058
Findings: 3
Auditor: claude

No security issues found.

Audit version 4

Safe

Jan 16, 2026, 04:53 PM

This skill contains standard observability templates using legitimate libraries (Winston, Prometheus, OpenTelemetry). All static findings are false positives: 'weak cryptographic algorithm' detections are misidentified Prometheus query expressions; 'C2 keywords' and 'system reconnaissance' are legitimate monitoring terms; 'backtick execution' hits in SKILL.md are markdown code delimiters. All network calls are to configurable OTLP endpoints, and all file access is for logging purposes.

Files scanned: 7
Lines analyzed: 1,058
Findings: 3
Auditor: claude

No security issues found.

Audit version 3

Safe

Jan 10, 2026, 10:39 AM

This skill contains only documentation and standard observability templates using legitimate libraries (Winston, Prometheus, OpenTelemetry). All network calls are to configurable OTLP endpoints. All file access is to log directories only. No suspicious behavior detected.

Files scanned: 6
Lines analyzed: 560
Findings: 3
Auditor: claude

No security issues found.

Audit version 2

Safe

Jan 10, 2026, 10:39 AM

This skill contains only documentation and standard observability templates using legitimate libraries (Winston, Prometheus, OpenTelemetry). All network calls are to configurable OTLP endpoints. All file access is to log directories only. No suspicious behavior detected.

Files scanned: 6
Lines analyzed: 560
Findings: 3
Auditor: claude

No security issues found.

Audit version 1

Safe

Jan 10, 2026, 10:39 AM

This skill contains only documentation and standard observability templates using legitimate libraries (Winston, Prometheus, OpenTelemetry). All network calls are to configurable OTLP endpoints. All file access is to log directories only. No suspicious behavior detected.

Files scanned: 6
Lines analyzed: 560
Findings: 3
Auditor: claude

No security issues found.