Audit History

allaymc-plugin-dev - 6 audits

Audit version 6

Latest: Low Risk

Jun 28, 2026, 09:19 AM

Static analysis reported many high-risk patterns, but manual review found they come from LGPL license prose, Markdown code formatting, and legitimate git or Gradle workflow examples. No prompt injection, credential access, data exfiltration, obfuscated code, or malicious network behavior was found in LICENSE, README.md, or SKILL.md. The skill is low risk because it can guide users or agents to run standard development commands and read local reference paths.

Files scanned: 3
Lines analyzed: 647
Findings: 6
Audited by: codex
Low Risk Issues (4)
Static License Text Matches Are False Positives
Verdict: FALSE_POSITIVE. The reported weak cryptography and reconnaissance hits in LICENSE are standard LGPL prose. The cited lines contain license language about software freedom, libraries, source copies, offers, and operating systems, not executable code or cryptographic APIs.
Markdown Backticks Flagged as Shell Execution
Verdict: FALSE_POSITIVE with a low operational caution. README.md and SKILL.md use Markdown backticks and fenced bash examples for installation, updates, and AllayGradle build tasks. These are transparent developer commands, not hidden Ruby backtick execution or command injection.
Path References Are Documentation, Not Traversal
Verdict: FALSE_POSITIVE with a low operational caution. README.md references installation directories, including a Codex skills path, and SKILL.md references template and API paths under references. The ellipsis in a Java source path is explanatory shorthand, not a traversal directive outside the project.
Skill Metadata Keyword Matches Are False Positives
Verdict: FALSE_POSITIVE. Static hits in SKILL.md around the description, Gradle metadata, lifecycle heading, and API mismatch troubleshooting are ordinary AllayMC plugin guidance. They do not show weak cryptography, network reconnaissance, or system reconnaissance intent.

Audit version 5

Safe

Jan 16, 2026, 03:04 PM

This is a prompt-only documentation skill containing guidance for AllayMC plugin development. No executable code, scripts, network operations, or file system access beyond the skill's own directory. Static findings are false positives triggered by markdown documentation patterns (backticks in code blocks) and LGPL-2.1 license legal text. The skill reads reference materials via user-initialized git submodules.

Files scanned: 4
Lines analyzed: 858
Findings: 2
Audited by: claude
No security issues found

Audit version 4

Safe

Jan 16, 2026, 03:04 PM

This is a prompt-only documentation skill containing guidance for AllayMC plugin development. No executable code, scripts, network operations, or file system access beyond the skill's own directory. Static findings are false positives triggered by markdown documentation patterns (backticks in code blocks) and LGPL-2.1 license legal text. The skill reads reference materials via user-initialized git submodules.

Files scanned: 4
Lines analyzed: 858
Findings: 2
Audited by: claude
No security issues found

Audit version 3

Safe

Jan 10, 2026, 10:15 AM

This is a prompt-only skill containing documentation and guidance for AllayMC plugin development. No executable code, scripts, network operations, or file system access beyond the skill's own directory. References external git submodules that are initialized by the user.

Files scanned: 4
Lines analyzed: 653
Findings: 0
Audited by: claude
No security issues found

Audit version 2

Safe

Jan 10, 2026, 10:15 AM

This is a prompt-only skill containing documentation and guidance for AllayMC plugin development. No executable code, scripts, network operations, or file system access beyond the skill's own directory. References external git submodules that are initialized by the user.

Files scanned: 4
Lines analyzed: 653
Findings: 0
Audited by: claude
No security issues found

Audit version 1

Safe

Jan 10, 2026, 10:15 AM

This is a prompt-only skill containing documentation and guidance for AllayMC plugin development. No executable code, scripts, network operations, or file system access beyond the skill's own directory. References external git submodules that are initialized by the user.

Files scanned: 4
Lines analyzed: 653
Findings: 0
Audited by: claude
No security issues found