История аудитов - managing-workflow

Версия аудита 6

Последняя Средний риск

Jun 28, 2026, 05:15 PM

The static report overstates risk because many high alerts are false positives from Markdown examples, relative imports, and template placeholders. The real risk is moderate: the skill intentionally runs local Node scripts and those scripts can read, write, or move files based on command arguments without strict path validation.

8

Просканировано файлов

917

Проанализировано строк

8

результаты

codex

Аудитор:

Проблемы среднего риска (2)

scripts/update-status.js:7-19 scripts/log-activity.js:7-69 scripts/archive-feature.js:8-75

Unrestricted Local File Modification Utilities

The helper scripts accept file paths or feature identifiers from command arguments and then read, write, or move files. This supports the intended .spec workflow, but missing path confinement could let a bad invocation modify files outside the expected workflow area.

SKILL.md:24-29 SKILL.md:80-87 SKILL.md:96-106 SKILL.md:340-351 SKILL.md:395-397

Bash-Based Workflow Execution

The skill instructs the assistant to run local Node scripts through Bash for context loading, validation, status updates, logging, and archiving. This is legitimate for the workflow, but publication should warn users that the skill requires local command execution permissions.

Проблемы низкого риска (2)

scripts/context-loader.js:10-14

Environment Variable Used for Project Directory Selection

The context loader reads CLAUDE_PROJECT_DIR and otherwise falls back to the current directory. I found no evidence that environment values are sent over the network or used to collect secrets, but a manipulated value could redirect workflow inspection.

scripts/archive-feature.js:5 scripts/context-loader.js:5-6 scripts/validate-phase.js:5-6 SKILL.md:56-73

Static High-Risk Pattern Alerts Are Mostly False Positives

The reported weak cryptography and path traversal alerts mostly map to Markdown placeholders, status text, and relative imports to shared utilities. I found no evidence of cryptographic operations, obfuscation, network exfiltration, or prompt injection attempts in the reviewed files.

Факторы риска

⚡ Содержит скрипты (5)

scripts/archive-feature.js:1 scripts/context-loader.js:1 scripts/log-activity.js:1 scripts/update-status.js:1 scripts/validate-phase.js:1

⚙️ Внешние команды (5)

SKILL.md:24-29 SKILL.md:80-87 SKILL.md:96-106 SKILL.md:340-351 SKILL.md:395-397

📁 Доступ к файловой системе (8)

scripts/archive-feature.js:21-25 scripts/archive-feature.js:45-63 scripts/archive-feature.js:70-75 scripts/log-activity.js:20-28 scripts/log-activity.js:69 scripts/update-status.js:15-19 scripts/validate-phase.js:39 scripts/validate-phase.js:56

🔑 Переменные окружения (1)

scripts/context-loader.js:10

Обнаруженные паттерны

Command Argument Paths Used in File WritesFeature Identifier Used in Archive Path Construction

Версия аудита 5

Безопасно

Jan 16, 2026, 07:21 PM

This is a legitimate workflow management skill for specification-driven development. All code operates locally within the project .spec directory. No network access, no credential handling, and no external command execution beyond controlled Node.js script invocations. Behavior matches stated purpose.

9

Просканировано файлов

1,207

Проанализировано строк

3

результаты

claude

Аудитор:

Проблем безопасности не найдено

Факторы риска

⚡ Содержит скрипты (5)

scripts/archive-feature.js:1-84 scripts/context-loader.js:1-51 scripts/log-activity.js:1-79 scripts/update-status.js:1-28 scripts/validate-phase.js:1-78

📁 Доступ к файловой системе (3)

scripts/archive-feature.js:15-18 scripts/update-status.js:14-19 scripts/log-activity.js:27-69

🔑 Переменные окружения (1)

scripts/context-loader.js:10

Версия аудита 4

Безопасно

Jan 16, 2026, 07:21 PM

This is a legitimate workflow management skill for specification-driven development. All code operates locally within the project .spec directory. No network access, no credential handling, and no external command execution beyond controlled Node.js script invocations. Behavior matches stated purpose.

9

Просканировано файлов

1,207

Проанализировано строк

3

результаты

claude

Аудитор:

Проблем безопасности не найдено

Факторы риска

⚡ Содержит скрипты (5)

scripts/archive-feature.js:1-84 scripts/context-loader.js:1-51 scripts/log-activity.js:1-79 scripts/update-status.js:1-28 scripts/validate-phase.js:1-78

📁 Доступ к файловой системе (3)

scripts/archive-feature.js:15-18 scripts/update-status.js:14-19 scripts/log-activity.js:27-69

🔑 Переменные окружения (1)

scripts/context-loader.js:10

Версия аудита 3

Безопасно

Jan 10, 2026, 11:39 AM

This is a legitimate workflow management skill for specification-driven development. All code operates locally within the project .spec directory. No network access, no credential handling, and no external command execution beyond controlled Node.js script invocations. Behavior matches stated purpose.

8

Просканировано файлов

892

Проанализировано строк

3

результаты

claude

Аудитор:

Проблем безопасности не найдено

Факторы риска

⚡ Содержит скрипты (5)

scripts/archive-feature.js:1-84 scripts/log-activity.js:1-79 scripts/context-loader.js:1-51 scripts/validate-phase.js:1-78 scripts/update-status.js:1-28

📁 Доступ к файловой системе (3)

scripts/archive-feature.js:15-18 scripts/update-status.js:14-19 scripts/log-activity.js:27-69

🔑 Переменные окружения (1)

scripts/context-loader.js:10

Версия аудита 2

Безопасно

Jan 10, 2026, 11:39 AM

This is a legitimate workflow management skill for specification-driven development. All code operates locally within the project .spec directory. No network access, no credential handling, and no external command execution beyond controlled Node.js script invocations. Behavior matches stated purpose.

8

Просканировано файлов

892

Проанализировано строк

3

результаты

claude

Аудитор:

Проблем безопасности не найдено

Факторы риска

⚡ Содержит скрипты (5)

scripts/archive-feature.js:1-84 scripts/log-activity.js:1-79 scripts/context-loader.js:1-51 scripts/validate-phase.js:1-78 scripts/update-status.js:1-28

📁 Доступ к файловой системе (3)

scripts/archive-feature.js:15-18 scripts/update-status.js:14-19 scripts/log-activity.js:27-69

🔑 Переменные окружения (1)

scripts/context-loader.js:10

Версия аудита 1

Безопасно

Jan 10, 2026, 11:39 AM

This is a legitimate workflow management skill for specification-driven development. All code operates locally within the project .spec directory. No network access, no credential handling, and no external command execution beyond controlled Node.js script invocations. Behavior matches stated purpose.

8

Просканировано файлов

892

Проанализировано строк

3

результаты

claude

Аудитор:

Проблем безопасности не найдено

Факторы риска

⚡ Содержит скрипты (5)

scripts/archive-feature.js:1-84 scripts/log-activity.js:1-79 scripts/context-loader.js:1-51 scripts/validate-phase.js:1-78 scripts/update-status.js:1-28

📁 Доступ к файловой системе (3)

scripts/archive-feature.js:15-18 scripts/update-status.js:14-19 scripts/log-activity.js:27-69

🔑 Переменные окружения (1)

scripts/context-loader.js:10