
Audit history

firebase-development-validate - 4 audits

Audit version 4

Latest: Low risk

Jun 27, 2026, 03:33 PM

Static analysis flagged many Markdown backtick spans and command examples as external command execution. Review found no executable scripts, prompt injection, network exfiltration, or malicious intent; the examples are project validation checks for Firebase code. The skill is safe to publish; the residual risk is rated low rather than none because the skill may lead an agent to run local grep, npm, and build commands in a user project.

Files scanned: 1
Lines analyzed: 199
Review items: 6
False positives ignored: 0

Confirmed security concerns (2)

Low
Weak Cryptography Detections Are Textual False Positives
The static weak-cryptography findings at lines 3, 103, and 128 are not cryptographic code. They occur in descriptive text, a TypeScript ABOUTME comment example, and an HTTP status code checklist item.
The referenced lines do not contain hash functions, encryption calls, or security-sensitive algorithm choices. The scanner appears to have matched incidental text patterns.
Low
System Reconnaissance Finding Is Firebase Configuration Review
The static system reconnaissance finding at line 152 is a false positive. The line asks reviewers to confirm Firebase rewrites reference valid functions, which is normal deployment configuration validation.
The context is a Firebase hosting checklist, not host enumeration or system discovery. No command gathers machine, network, or account inventory.
Capability review items (2)

These are real local capabilities that may be expected for this skill, so they require review but are not counted as confirmed malicious behavior.

Low
Markdown Command Examples Require User Project Context
The static external command findings are false positives for executable code. Lines 107-120 and 141-143 show example grep, npm test, npm audit, build, and test commands for validating a Firebase project. These are legitimate review steps, but agents should run them only in the user's intended repository.
The detected lines are inside Markdown code blocks or checklist text, not executable skill code. The commands are standard local validation commands with no network destination or credential handling beyond normal package audit behavior.
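The triage this finding describes, locating each flagged command in its Markdown context and separating local validation commands from anything that reaches the network, can be scripted. The following helper is an added example written for this page, not code from the skill or from the audit tooling; the sample skill text it scans is constructed in the style of a validation checklist, and the allowlist of local commands and the network patterns are assumptions chosen to mirror the finding above.

```python
"""
Triage helper for "external command" static-analysis hits in a Markdown skill.

For every command-like span it records where the text sits (fenced block,
checklist item, inline code) and what it does (local validation, a bare
identifier such as a file path, or a network/pipe-to-shell pattern).
"""
import re

# Assumed allowlist of local validation commands, mirroring the audit finding.
LOCAL_VALIDATION = ("grep", "npm test", "npm audit", "npm run build", "npm run test")
# Assumed patterns that would make a command example worth a closer look.
NETWORK_PATTERNS = re.compile(r"\b(curl|wget|nc|ncat|ssh|scp)\b|https?://|\|\s*(sh|bash)\b")

FENCE = re.compile(r"^\s*(`{3}|~{3})")              # ``` or ~~~ fence
CHECKLIST = re.compile(r"^\s*[-*]\s+\[[ xX]\]\s+(.*)$")
INLINE_CODE = re.compile(r"`([^`]+)`")

def extract_commands(markdown: str):
    """Return (line_no, context, text) for each command-like span.

    context is 'fence', 'checklist' or 'inline'. Prose without backticks is
    skipped: it cannot be executed as written.
    """
    found = []
    in_fence = False
    for line_no, line in enumerate(markdown.splitlines(), start=1):
        if FENCE.match(line):
            in_fence = not in_fence
            continue
        if in_fence:
            stripped = line.strip()
            if stripped and not stripped.startswith("#"):
                found.append((line_no, "fence", stripped))
            continue
        m = CHECKLIST.match(line)
        if m:
            for span in INLINE_CODE.findall(m.group(1)):
                found.append((line_no, "checklist", span))
            continue
        for span in INLINE_CODE.findall(line):
            found.append((line_no, "inline", span))
    return found

def classify(text: str) -> str:
    """Classify one backtick span or fenced line."""
    if NETWORK_PATTERNS.search(text):
        return "network"
    if " " not in text:
        return "identifier"            # a path or name, not a command
    if any(text.startswith(p) for p in LOCAL_VALIDATION):
        return "local-validation"
    return "review"

def triage(markdown: str):
    """Full report: (line_no, context, text, classification)."""
    return [(n, ctx, t, classify(t)) for n, ctx, t in extract_commands(markdown)]

# Constructed sample in the style of a validation skill (uses ~~~ fences,
# which Markdown also accepts); this is not the real SKILL.md.
SAMPLE_SKILL = """\
# Validate a Firebase project

Run the checks from the project root:

~~~bash
grep -rn "firebase.initializeApp" src/
npm test
npm audit --audit-level=high
npm run build
~~~

- [ ] Confirm `firebase.json` rewrites reference functions that exist in `functions/src/index.ts`
- [ ] Confirm `.env` files are listed in `.gitignore`
"""

if __name__ == "__main__":
    for line_no, ctx, text, verdict in triage(SAMPLE_SKILL):
        print(f"line {line_no:3d} {ctx:9s} {verdict:16s} {text}")
```

Run on the constructed sample, every fenced line classifies as local validation and every checklist span as a bare identifier, which is the shape of the false positives the finding describes; a `curl ... | sh` line in a fence would come back as `network` and deserve a real review.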
Low
Environment File Reference Is a Security Checklist Item
The static sensitive-file finding at line 136 is a false positive for secret access. The text says to confirm .env files are in .gitignore, which is defensive guidance rather than an instruction to read or exfiltrate environment files.
Line 136 only references .env files as part of a security review checklist. No code reads file contents, prints secrets, or transmits environment data.
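The checklist item behind this finding, confirming that `.env` files are covered by `.gitignore`, is the kind of check an agent following the skill would perform. The block below is an added example written for this page, not the skill's own code; it implements a simplified `.gitignore` matcher (basename matching for unanchored patterns, root-relative matching for patterns containing a slash, `dir/` rules, `!` negation, last match wins) and reports which of an assumed set of env file paths would still be committed. The two `.gitignore` contents are constructed samples. In a real repository `git check-ignore -v .env` is the authoritative answer; this matcher is for reviewing a file outside a checkout and lets `*` cross `/`, which git does not.

```python
"""
Check that .env files are covered by a .gitignore (simplified matcher).
"""
import fnmatch

def _parse_gitignore(text):
    """Yield (negate, dir_only, anchored, pattern) for each effective rule."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        negate = line.startswith("!")
        if negate:
            line = line[1:]
        dir_only = line.endswith("/")
        line = line.rstrip("/")
        anchored = "/" in line          # a slash anywhere makes it root-relative
        line = line.lstrip("/")
        rules.append((negate, dir_only, anchored, line))
    return rules

def _matches(rule, path):
    negate, dir_only, anchored, pat = rule
    parts = path.split("/")
    if dir_only:
        # "dir/" ignores everything below a matching directory
        dirs = parts[:-1]
        if anchored:
            return any(fnmatch.fnmatchcase("/".join(dirs[:i + 1]), pat) for i in range(len(dirs)))
        return any(fnmatch.fnmatchcase(d, pat) for d in dirs)
    if anchored:
        # root-relative: the path itself or one of its parent directories must match
        prefixes = ["/".join(parts[:i + 1]) for i in range(len(parts))]
        return any(fnmatch.fnmatchcase(p, pat) for p in prefixes)
    # no slash: match the basename at any depth
    return fnmatch.fnmatchcase(parts[-1], pat)

def is_ignored(gitignore_text, path):
    """Last matching rule wins, as in git; a '!' rule re-includes the path."""
    ignored = False
    for rule in _parse_gitignore(gitignore_text):
        if _matches(rule, path):
            ignored = not rule[0]
    return ignored

# Assumed set of env files a Firebase project with a functions/ directory may hold.
ENV_FILES = [".env", ".env.local", ".env.production", "functions/.env", "functions/.env.local"]

def check_env_ignored(gitignore_text, env_files=ENV_FILES):
    """Return the env files NOT covered; an empty list means the checklist item passes."""
    return [p for p in env_files if not is_ignored(gitignore_text, p)]

# Constructed samples, not taken from any real repository.
GOOD_GITIGNORE = """\
# dependencies
node_modules/
# secrets
.env
.env.*
!.env.example
"""

WEAK_GITIGNORE = """\
node_modules/
/.env
"""

if __name__ == "__main__":
    print("good:", check_env_ignored(GOOD_GITIGNORE) or "all env files ignored")
    print("weak:", check_env_ignored(WEAK_GITIGNORE) or "all env files ignored")
```

The weak sample shows the usual slip: an anchored `/.env` covers only the root file, so `.env.local` and `functions/.env` would still be committed, while the unanchored `.env` plus `.env.*` with a `!.env.example` carve-out covers every variant at any depth and keeps the template file tracked.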

Risk factors

External commands (4)
Environment variables (1)
Auditor: codex

Audit version 3

Safe

Jan 16, 2026, 01:46 PM

This is a pure prompt-based documentation skill with no executable code. The static scanner flagged Markdown backtick syntax (for file paths, skill references, and example commands) as shell execution patterns - these are false positives. No network access, file system modifications, or actual command execution capabilities exist. The skill only provides validation guidance for Claude to follow when reviewing Firebase projects.

Files scanned: 2
Lines analyzed: 380
Review items: 1
False positives ignored: 0
Auditor: claude

Audit version 2

Safe

Jan 16, 2026, 01:46 PM

This is a pure prompt-based documentation skill with no executable code. The static scanner flagged Markdown backtick syntax (for file paths, skill references, and example commands) as shell execution patterns - these are false positives. No network access, file system modifications, or actual command execution capabilities exist. The skill only provides validation guidance for Claude to follow when reviewing Firebase projects.

Files scanned: 2
Lines analyzed: 380
Review items: 1
False positives ignored: 0
Auditor: claude

Audit version 1

Safe

Jan 10, 2026, 09:21 AM

This is a pure prompt-based skill with no executable code. It contains only markdown instructions for validating Firebase projects. No network access, file system modifications, or command execution capabilities.

Files scanned: 1
Lines analyzed: 199
Review items: 0
False positives ignored: 0
No security issues found
Auditor: claude