Audit History

market-research-reports - 5 audits

Audit version 5

Latest · Low Risk

Jan 17, 2026, 01:28 AM

Legitimate market research skill. Static findings are false positives triggered by documentation patterns: LaTeX formatting commands (\samp), markdown code backticks, and relative file paths. The only actual code finding is subprocess.run() for internal visualization scripts, properly secured with list form (no shell injection risk). No network access, credential handling, or sensitive file operations.

Files scanned: 9
Lines analyzed: 6,704
Findings: 3
Audited by: claude

High Risk Issues (1)

Subprocess execution for visual generation
Python subprocess.run() call to internal visualization scripts. Properly secured with list form, no shell=True, hardcoded arguments, pathlib paths, 120s timeout. Calls only sibling scripts in skills directory.
Audit version 4

Low Risk

Jan 17, 2026, 01:28 AM

Legitimate market research skill. Static findings are false positives triggered by documentation patterns: LaTeX formatting commands (\samp), markdown code backticks, and relative file paths. The only actual code finding is subprocess.run() for internal visualization scripts, properly secured with list form (no shell injection risk). No network access, credential handling, or sensitive file operations.

Files scanned: 9
Lines analyzed: 6,704
Findings: 3
Audited by: claude

High Risk Issues (1)

Subprocess execution for visual generation
Python subprocess.run() call to internal visualization scripts. Properly secured with list form, no shell=True, hardcoded arguments, pathlib paths, 120s timeout. Calls only sibling scripts in skills directory.
Audit version 3

Low Risk

Jan 7, 2026, 12:38 AM

This is a legitimate market research skill with minimal risk. The Python script uses controlled subprocess calls to internal visualization scripts. No network access, no sensitive file access, no credential handling.

Files scanned: 8
Lines analyzed: 3,899
Findings: 3
Audited by: claude

Low Risk Issues (1)
Subprocess execution for visual generation
The script uses subprocess.run() to invoke sibling visualization scripts. This is intentional and controlled: subprocess calls use list form (no shell injection risk), paths are constructed with pathlib, and only internal skill scripts are called.
Audit version 2

Low Risk

Jan 7, 2026, 12:38 AM

This is a legitimate market research skill with minimal risk. The Python script uses controlled subprocess calls to internal visualization scripts. No network access, no sensitive file access, no credential handling.

Files scanned: 8
Lines analyzed: 3,899
Findings: 3
Audited by: claude

Low Risk Issues (1)
Subprocess execution for visual generation
The script uses subprocess.run() to invoke sibling visualization scripts. This is intentional and controlled: subprocess calls use list form (no shell injection risk), paths are constructed with pathlib, and only internal skill scripts are called.
Audit version 1

Low Risk

Jan 7, 2026, 12:38 AM

This is a legitimate market research skill with minimal risk. The Python script uses controlled subprocess calls to internal visualization scripts. No network access, no sensitive file access, no credential handling.

Files scanned: 8
Lines analyzed: 3,899
Findings: 3
Audited by: claude

Low Risk Issues (1)
Subprocess execution for visual generation
The script uses subprocess.run() to invoke sibling visualization scripts. This is intentional and controlled: subprocess calls use list form (no shell injection risk), paths are constructed with pathlib, and only internal skill scripts are called.