firebase-firestore

Name: firebase-firestore
Author: firebase

Baixo Risco ⚙️ Comandos externos🌐 Acesso à rede

Sets up, manages, and executes queries against Cloud Firestore database instances. Activates when listing or creating Firestore databases, configuring security rules, designing data models, writing client SDK queries, or checking indexes.

Suporta: Claude Codex Code(CC)

⚠️ 68 Ruim

Baixar o ZIP da skill

Upload no Claude

Vá em Configurações → Capacidades → Skills → Upload skill

Ative e comece a usar

Testar

"test.default"

Resultado esperado:

Auditoria de Segurança

Baixo Risco

v1 • 5/25/2026

Static analysis flagged 737 potential issues with a computed risk score of 100/100, but all findings are false positives from documentation code examples. The 615 external_commands detections are markdown code fences (```bash) and inline backticks in reference docs showing Firebase CLI commands like 'npx firebase-tools'. The 9 network detections are legitimate Firebase documentation URLs and placeholder project endpoints. Weak crypto, system reconnaissance, and certificate/key file detections all appear in security rules teaching examples and setup instructions. One critical heuristic finding combining code execution + network + credential patterns is expected in Firebase documentation that teaches CLI usage, API endpoints, and service account setup. The skill's inherent behaviors (instructing users to run Firebase CLI commands, referencing Firebase URLs) are core to its purpose as a Firestore setup and management guide. No malicious intent, no prompt injection, no data exfiltration patterns found.

Arquivos analisados

3,190

Linhas analisadas

achados

Total de auditorias

Problemas de Baixo Risco (2)

SKILL.md:19-20 SKILL.md:38-42 references/enterprise/provisioning.md:24-30

Shell command execution instructions

The skill instructs the AI to run shell commands via npx firebase-tools for database provisioning, listing, and creation. These commands (firestore:databases:list, firestore:databases:create, firestore:locations) are legitimate Firebase CLI operations inherent to the skill's purpose. No user input is interpolated into command arguments. Risk is low and expected for a Firebase management skill.

references/standard/android_sdk_usage.md:21 references/enterprise/security_rules.md:141

Reference URLs in documentation

Documentation contains hardcoded URLs to Firebase services (firebase.google.com, firebaseio.com) and placeholder project URLs. These are legitimate references for users to look up Firebase BoM versions, API documentation, and project endpoints. No data is sent to these URLs by the skill itself.