📊

監査履歴

libreoffice-calc - 2 監査

監査バージョン 2

最新低リスク

Mar 19, 2026, 03:59 PM

Static analysis flagged 197 patterns across 13 files. After evaluation, all high-severity findings are false positives: cryptographic warnings misidentified UNO connection code, 'system reconnaissance' flagged exception class definitions, and 'dynamic imports' were standard Python import statements. Shell command patterns exist only in markdown documentation. The single confirmed external command (subprocess.Popen launching LibreOffice) uses hardcoded arguments with no user input injection risk. Temp file usage follows Python best practices with proper cleanup. Skill is safe for publication with minor documentation recommended.

スキャンされたファイル

2,642

解析された行数

検出結果

claude

監査者

低リスクの問題 (2)

scripts/uno_bridge.py:140-155

Subprocess Launch of External Application

LibreOffice soffice binary launched via subprocess.Popen. Arguments are hardcoded with no user input injection vectors. Process is properly terminated and temp directories cleaned up in finally block.

scripts/uno_bridge.py:136-137

Temporary Directory Creation

Creates temporary directories for LibreOffice profile isolation using tempfile.mkdtemp. Directories are cleaned up in finally block with shutil.rmtree.

リスク要因

⚙️ 外部コマンド (1)

scripts/uno_bridge.py:140-155

📁 ファイルシステムへのアクセス (2)

scripts/uno_bridge.py:136-137 scripts/uno_bridge.py:189

🔑 環境変数 (1)

scripts/uno_bridge.py:69-71

監査バージョン 1

安全

Mar 10, 2026, 07:13 AM

All 88 static findings are false positives. The skill provides legitimate LibreOffice Calc automation via UNO API. Subprocess calls only launch LibreOffice with hardcoded arguments for spreadsheet operations. No cryptographic functions, no malicious code, no user input injection vectors.

スキャンされたファイル

1,601

解析された行数

検出結果

claude

監査者

高リスクの問題 (5)

scripts/calc/cells.py:64-65 scripts/calc/cells.py:112-113 scripts/calc/charts.py:57-58 scripts/calc/core.py:25-26 scripts/calc/core.py:39 scripts/calc/core.py:51-52 scripts/calc/find_replace.py:32-33 scripts/calc/find_replace.py:45 scripts/calc/find_replace.py:57 scripts/calc/formatting.py:49-50 scripts/calc/named_ranges.py:29-30 scripts/calc/named_ranges.py:74-75 scripts/calc/ranges.py:26-27 scripts/calc/ranges.py:72-73 scripts/calc/recalc.py:15-16 scripts/calc/sheets.py:23-24 scripts/calc/sheets.py:46-47 scripts/calc/sheets.py:75-76 scripts/calc/sheets.py:95-96 scripts/calc/snapshot.py:95-98 scripts/calc/validation.py:102-103 scripts/uno_bridge.py:67-74 scripts/uno_bridge.py:131-134 SKILL.md:3

Misidentified Weak Cryptographic Algorithms

47 'weak cryptographic algorithm' findings are false positives. The static scanner misidentified LibreOffice UNO API patterns (uno.createUnoStruct, storeToURL, etc.) as cryptographic functions. No cryptographic operations exist in this code.

scripts/uno_bridge.py:25 scripts/uno_bridge.py:100

Misidentified External Command Execution

Subprocess calls are legitimate LibreOffice automation. The subprocess.run finds the LibreOffice binary and subprocess.Popen launches it headlessly - both with hardcoded arguments only.

SKILL.md:9 SKILL.md:14-26 SKILL.md:30-32 SKILL.md:36-41 SKILL.md:44-70 SKILL.md:70-80 SKILL.md:80-83 SKILL.md:83-91 SKILL.md:91-94 SKILL.md:94-99 SKILL.md:109-111

Misidentified Shell Execution in Documentation

Backtick characters in SKILL.md are markdown code fences for documentation, not shell execution.

SKILL.md:87

Misidentified Temp Directory Access

The /tmp directory access is for the legitimate snapshot feature that exports chart areas as PNG images.

scripts/calc/exceptions.py:15

Misidentified System Reconnaissance

The 'InvalidCellReferenceError' is a standard Python custom exception, not system reconnaissance.

← スキルに戻る