Audit History

fastapi-app - 6 audits

Audit version 6

Latest - Low Risk

Jan 21, 2026, 04:50 PM

All static findings are false positives. The skill provides legitimate FastAPI development guidance. Pattern detections (C2 keywords, weak crypto, command execution) are misidentifications of standard code examples and documentation URLs in the SKILL.md file.

Files analyzed: 2
Lines analyzed: 1,766
Findings: 3
Audited by: claude

Low Risk Issues (1)
Documentation references detected as patterns
Static scanner flagged documentation URLs (fastapi.tiangolo.com, docs.pydantic.dev) as network targets. These are legitimate documentation references in the SKILL.md References section.

Risk factors

File system access (1)
Contains scripts (1)

Audit version 5

Medium Risk

Jan 16, 2026, 05:55 PM

AI analysis failed after multiple attempts - MANUAL REVIEW REQUIRED before publishing. This skill cannot be auto-published until reviewed by a human.

Files analyzed: 2
Lines analyzed: 879
Findings: 4
Audited by: claude

No security issues found

Detected patterns

Ruby/shell backtick execution
Hardcoded URL
Hidden file access
Python getenv function
getenv function call
Generic API/secret keys
C2 keywords
Weak cryptographic algorithm
Hardcoded IP address
Database connection strings
Environment file access
System reconnaissance
Network reconnaissance
[HEURISTIC] DANGEROUS COMBINATION: Code execution + Network + Credential access
[HEURISTIC] SUSPICIOUS COMBINATION: Filesystem + Credentials + Network

Audit version 4

Medium Risk

Jan 16, 2026, 05:55 PM

AI analysis failed after multiple attempts - MANUAL REVIEW REQUIRED before publishing. This skill cannot be auto-published until reviewed by a human.

Files analyzed: 2
Lines analyzed: 879
Findings: 4
Audited by: claude

No security issues found

Detected patterns

Ruby/shell backtick execution
Hardcoded URL
Hidden file access
Python getenv function
getenv function call
Generic API/secret keys
C2 keywords
Weak cryptographic algorithm
Hardcoded IP address
Database connection strings
Environment file access
System reconnaissance
Network reconnaissance
[HEURISTIC] DANGEROUS COMBINATION: Code execution + Network + Credential access
[HEURISTIC] SUSPICIOUS COMBINATION: Filesystem + Credentials + Network

Audit version 3

Low Risk

Jan 10, 2026, 11:07 AM

This is a documentation/prompt skill containing code examples for legitimate FastAPI backend development. The skill provides guidance on app setup, routing, database connections, and authentication patterns. No executable code or direct system access. Minor security concern identified with default JWT secret fallback.

Files analyzed: 1
Lines analyzed: 671
Findings: 2
Audited by: claude

Low Risk Issues (1)
Default JWT secret fallback
The auth dependency example provides a default secret key if JWT_SECRET_KEY is not set: `SECRET_KEY = os.getenv("JWT_SECRET_KEY", "your-secret-key")`. While this is a common pattern in examples, it creates a weak default that developers might overlook. Attackers could exploit this if developers deploy without setting a proper secret. The code correctly recommends environment variable configuration elsewhere (lines 623-645).

Risk factors

Environment variables (2)

Audit version 2

Low Risk

Jan 10, 2026, 11:07 AM

This is a documentation/prompt skill containing code examples for legitimate FastAPI backend development. The skill provides guidance on app setup, routing, database connections, and authentication patterns. No executable code or direct system access. Minor security concern identified with default JWT secret fallback.

Files analyzed: 1
Lines analyzed: 671
Findings: 2
Audited by: claude

Low Risk Issues (1)
Default JWT secret fallback
The auth dependency example provides a default secret key if JWT_SECRET_KEY is not set: `SECRET_KEY = os.getenv("JWT_SECRET_KEY", "your-secret-key")`. While this is a common pattern in examples, it creates a weak default that developers might overlook. Attackers could exploit this if developers deploy without setting a proper secret. The code correctly recommends environment variable configuration elsewhere (lines 623-645).

Risk factors

Environment variables (2)

Audit version 1

Low Risk

Jan 10, 2026, 11:07 AM

This is a documentation/prompt skill containing code examples for legitimate FastAPI backend development. The skill provides guidance on app setup, routing, database connections, and authentication patterns. No executable code or direct system access. Minor security concern identified with default JWT secret fallback.

Files analyzed: 1
Lines analyzed: 671
Findings: 2
Audited by: claude

Low Risk Issues (1)
Default JWT secret fallback
The auth dependency example provides a default secret key if JWT_SECRET_KEY is not set: `SECRET_KEY = os.getenv("JWT_SECRET_KEY", "your-secret-key")`. While this is a common pattern in examples, it creates a weak default that developers might overlook. Attackers could exploit this if developers deploy without setting a proper secret. The code correctly recommends environment variable configuration elsewhere (lines 623-645).

Risk factors

Environment variables (2)