
Audit history

tech-stack-evaluator - 4 audits

Audit version 4

Latest: Low risk

Jun 28, 2026, 09:09 AM

The static analyzer reported a critical heuristic, but review found no command execution, network client usage, secret harvesting, obfuscation, or prompt injection attempt. Most high and medium matches are false positives from markdown examples, security terminology, URL parsing, and technology evaluation vocabulary. Residual risk is low: the skill contains Python scripts, checks one non-secret environment variable, and can write a report to a caller-provided filename.

Files scanned: 15
Lines analyzed: 5,083
Findings: 8
Verified by: codex
Low-risk issues (5)
Static Critical Heuristic Dismissed
The scanner combined markdown backticks, documentation URLs, and an API key placeholder into a critical heuristic. Review found no subprocess, eval, exec, network client, credential read, or exfiltration behavior in the Python modules.
Security Terminology Misclassified as Dangerous Keywords
C2, weak cryptography, and certificate/key alerts are triggered by normal technology evaluation language such as compliance standards, encryption readiness, and scoring terms. No evidence found of malware control logic or cryptographic implementation.
Markdown Command Blocks Misclassified as Shell Execution
External command alerts are caused by markdown fences and example prompts in documentation. These examples are not executable code paths and no Python shell execution APIs were found.
Non-Secret Environment Context Check
report_generator.py reads CLAUDE_DESKTOP to choose desktop or CLI report formatting. This is environment access, but it does not read API keys, tokens, passwords, or other secrets.
User-Directed Report File Write
The report export helper writes generated markdown to the filename supplied by the caller. This is expected functionality, but callers should avoid untrusted or sensitive output paths.

Risk factors

⚡ Contains scripts (3)
📁 File system access (1)
🔑 Environment variables (1)

Audit version 3

Safe

Jan 16, 2026, 02:58 PM

All 219 static findings are false positives. The scanner detected benign documentation patterns including security terminology, code block formatting, and technology names. No actual code execution, network requests, or credential access exists. Uses Python standard library only.

Files scanned: 16
Lines analyzed: 5,387
Findings: 3
Verified by: claude
No security issues found

Risk factors

⚡ Contains scripts (3)
📁 File system access (1)
🔑 Environment variables (1)

Audit version 2

Safe

Jan 16, 2026, 02:58 PM

All 219 static findings are false positives. The scanner detected benign documentation patterns including security terminology, code block formatting, and technology names. No actual code execution, network requests, or credential access exists. Uses Python standard library only.

Files scanned: 16
Lines analyzed: 5,387
Findings: 3
Verified by: claude
No security issues found

Risk factors

⚡ Contains scripts (3)
📁 File system access (1)
🔑 Environment variables (1)

Audit version 1

Safe

Jan 15, 2026, 12:01 PM

All 190 static findings are false positives. The skill is a legitimate technology evaluation tool. Flags were triggered by security/compliance documentation keywords, bash command examples in markdown, and URL references - not malicious code patterns.

Files scanned: 14
Lines analyzed: 4,847
Findings: 2
Verified by: claude
No security issues found

Risk factors

📁 File system access (1)
🔑 Environment variables (1)