История аудитов - working-on-ancplua-plugins

Версия аудита 6

Последняя Средний риск

Jun 28, 2026, 08:43 AM

Static analysis flagged many high-risk patterns, but review found they are markdown documentation examples rather than executable code. The remaining risk is that the skill asks agents to run local validation, permission, search, and log-inspection commands, so use should stay within a trusted repository.

4

Просканировано файлов

394

Проанализировано строк

8

находки

codex

Проверено

Проблемы среднего риска (2)

SKILL.md:44-57 references/instrumentation.md:76-81 references/testing.md:53-66 references/testing.md:73-78

Agent-Run Shell Command Guidance

The skill contains shell command examples for validation, marketplace sync, JSON checks, path searches, and permission changes. These commands are legitimate repository workflows, but an agent could affect local files if used outside a trusted checkout.

references/conventions.md:26-28 references/conventions.md:42-56 references/testing.md:62-66 references/testing.md:90-95

Local Filesystem and Log Inspection Guidance

The skill describes plugin directories, hidden configuration directories, executable script permissions, and Claude Code log locations. This is normal debugging guidance, but logs can contain sensitive local context.

Проблемы низкого риска (3)

SKILL.md:35-38 references/conventions.md:3 references/conventions.md:92 references/instrumentation.md:31-33

Hardcoded Documentation URLs Are Benign

The hardcoded URLs point to official Claude Code documentation, Conventional Commits documentation, and the source repository. They are references and manifest examples, not network calls or data exfiltration.

SKILL.md:25-29 references/conventions.md:44-48 references/instrumentation.md:24-35 references/testing.md:84-85

Weak Crypto Matches Are Markdown False Positives

The weak-cryptography detections map to markdown filenames, table rows, version examples, or skill references. No hashing API, cipher selection, credential handling, or cryptographic implementation was found in the reviewed files.

SKILL.md:18-21 references/conventions.md:81-85 references/testing.md:100-105

Ruby Backtick Matches Are Markdown Formatting

Most external-command detections are caused by inline code ticks and fenced examples in markdown. The package does not include Ruby files or executable scripts that use shell backtick execution.

Факторы риска

⚙️ Внешние команды (7)

SKILL.md:44-57 references/instrumentation.md:9-16 references/instrumentation.md:76-81 references/testing.md:7-9 references/testing.md:53-66 references/testing.md:73-78 references/testing.md:90-95

🌐 Доступ к сети (8)

SKILL.md:35-38 references/conventions.md:3 references/conventions.md:40 references/conventions.md:63 references/conventions.md:92 references/instrumentation.md:3 references/instrumentation.md:31-33 references/instrumentation.md:68

📁 Доступ к файловой системе (4)

references/conventions.md:26-28 references/conventions.md:42-56 references/testing.md:62-66 references/testing.md:90-95

Обнаруженные паттерны

Manual Local Command Execution Examples

Версия аудита 5

Безопасно

Jan 16, 2026, 04:32 PM

This is a documentation-only skill. The static analyzer flagged markdown code formatting (backticks) and documentation links as security issues. All 162 findings are false positives. This skill provides conventions, validation commands, and debugging steps in markdown only. No executable code, file system access, network calls, or environment variable access occurs.

5

Просканировано файлов

594

Проанализировано строк

3

находки

claude

Проверено

Проблем безопасности не найдено

Факторы риска

⚙️ Внешние команды (114)

🌐 Доступ к сети (12)

references/conventions.md:3 references/conventions.md:40 references/conventions.md:63 references/conventions.md:92 references/instrumentation.md:3 references/instrumentation.md:31 references/instrumentation.md:33 references/instrumentation.md:68 SKILL.md:35 SKILL.md:36 SKILL.md:37 SKILL.md:38

📁 Доступ к файловой системе (4)

references/instrumentation.md:14 references/instrumentation.md:20 references/testing.md:95 references/testing.md:95

Версия аудита 4

Безопасно

Jan 16, 2026, 04:32 PM

This is a documentation-only skill. The static analyzer flagged markdown code formatting (backticks) and documentation links as security issues. All 162 findings are false positives. This skill provides conventions, validation commands, and debugging steps in markdown only. No executable code, file system access, network calls, or environment variable access occurs.

5

Просканировано файлов

594

Проанализировано строк

3

находки

claude

Проверено

Проблем безопасности не найдено

Факторы риска

⚙️ Внешние команды (114)

🌐 Доступ к сети (12)

references/conventions.md:3 references/conventions.md:40 references/conventions.md:63 references/conventions.md:92 references/instrumentation.md:3 references/instrumentation.md:31 references/instrumentation.md:33 references/instrumentation.md:68 SKILL.md:35 SKILL.md:36 SKILL.md:37 SKILL.md:38

📁 Доступ к файловой системе (4)

references/instrumentation.md:14 references/instrumentation.md:20 references/testing.md:95 references/testing.md:95

Версия аудита 3

Безопасно

Jan 10, 2026, 09:56 AM

Documentation-only skill with no code execution, file system access, network calls, or environment variable access. Contains markdown files providing guidelines and conventions for plugin development.

4

Просканировано файлов

380

Проанализировано строк

0

находки

claude

Проверено

Проблем безопасности не найдено

Версия аудита 2

Безопасно

Jan 10, 2026, 09:56 AM

Documentation-only skill with no code execution, file system access, network calls, or environment variable access. Contains markdown files providing guidelines and conventions for plugin development.

4

Просканировано файлов

380

Проанализировано строк

0

находки

claude

Проверено

Проблем безопасности не найдено

Версия аудита 1

Безопасно

Jan 10, 2026, 09:56 AM

Documentation-only skill with no code execution, file system access, network calls, or environment variable access. Contains markdown files providing guidelines and conventions for plugin development.

4

Просканировано файлов

380

Проанализировано строк

0

находки

claude

Проверено

Проблем безопасности не найдено