Audit History

extend-signal-schema - 6 audits

Audit version 6

Latest Safe

Jun 28, 2026, 06:01 AM

Static analysis reported many high-risk patterns, but review found they are false positives caused by Markdown inline code, documentation examples, and ordinary words such as "description". The skill is a procedural guide for schema changes and contains no executable script, no prompt injection attempt, no credential handling, and no data exfiltration behavior.

Files scanned: 1
Lines analyzed: 376
Findings: 3
Audited by: codex

Low Risk Issues (3)
False Positive: Markdown Backtick Text Flagged as Command Execution
Static analysis flagged many inline Markdown backtick spans as Ruby or shell backtick execution. These lines document filenames, schema fields, and example commands inside SKILL.md; they are not executable code and do not create command injection risk.
False Positive: Weak Cryptography Pattern From Plain Text
Static analysis flagged weak cryptography at lines containing prose such as frontmatter description and summary text. No hash, cipher, encryption library, or cryptographic operation appears in the reviewed SKILL.md context.
False Positive: Reconnaissance Terms Are Repository Guidance
Static analysis flagged system and network reconnaissance patterns, but the cited lines instruct the user to read governance files, inspect target schemas, avoid nondeterminism, or avoid external APIs. The skill does not collect host, network, or environment information.

Audit version 5

Safe

Jan 16, 2026, 03:04 PM

All 109 static findings are false positives from pattern matching against documentation and metadata files. The skill contains no executable code, only markdown documentation (SKILL.md) and JSON metadata (). All detected patterns are backtick-wrapped code examples in documentation or JSON string values describing the skill's functionality.

Files scanned: 2
Lines analyzed: 558
Findings: 1
Audited by: claude

No security issues found

Audit version 4

Safe

Jan 16, 2026, 03:04 PM

All 109 static findings are false positives from pattern matching against documentation and metadata files. The skill contains no executable code, only markdown documentation (SKILL.md) and JSON metadata (). All detected patterns are backtick-wrapped code examples in documentation or JSON string values describing the skill's functionality.

Files scanned: 2
Lines analyzed: 558
Findings: 1
Audited by: claude

No security issues found

Audit version 3

Safe

Jan 10, 2026, 09:42 AM

Pure prompt-based skill consisting only of documentation. No executable code, scripts, network calls, filesystem access, or command execution. The skill provides guidelines for schema extension with explicit safety boundaries and hard prohibitions against dangerous operations.

Files scanned: 1
Lines analyzed: 376
Findings: 0
Audited by: claude

No security issues found

Audit version 2

Safe

Jan 10, 2026, 09:42 AM

Pure prompt-based skill consisting only of documentation. No executable code, scripts, network calls, filesystem access, or command execution. The skill provides guidelines for schema extension with explicit safety boundaries and hard prohibitions against dangerous operations.

Files scanned: 1
Lines analyzed: 376
Findings: 0
Audited by: claude

No security issues found

Audit version 1

Safe

Jan 10, 2026, 09:42 AM

Pure prompt-based skill consisting only of documentation. No executable code, scripts, network calls, filesystem access, or command execution. The skill provides guidelines for schema extension with explicit safety boundaries and hard prohibitions against dangerous operations.

Files scanned: 1
Lines analyzed: 376
Findings: 0
Audited by: claude

No security issues found