
Audit History

rust-development - 6 audits

Audit version 6

Latest · Low risk

Jun 28, 2026, 03:44 AM

Static analysis reported many command, network, sensitive-file, weak-crypto, reconnaissance, and heuristic issues. Review found these are Markdown examples, Rust identifiers, Cargo metadata, and legitimate development guidance, with no evidence of malicious intent or prompt injection.

Files scanned: 1
Lines analyzed: 172
Review items: 6
Ignored false positives: 0

Confirmed security issues (1)

False Positive Sensitive and Cryptography Matches
The reported certificate/key and weak-cryptography findings map to Rust project text, Ed25519 signing examples, and Cargo description fields. Ed25519 is a modern signature algorithm, and no private key files or weak cryptographic algorithm usage were found.
The relevant lines contain prose and an Ed25519 API example. I did not find evidence of certificate files, hardcoded secrets, DES, MD5, SHA1, or similar weak crypto use.
Capability review items (3)

These are real local capabilities that may be expected behavior for this skill, so they require review, but they are not scored as confirmed malicious behavior.

Development Command Examples
The static command findings are from a fenced Bash example that recommends cargo fmt and cargo clippy before commits. These are normal Rust developer commands, but agents should still run them only in the user's intended repository.
The commands are visible Markdown examples for formatting and linting. No dynamic input, shell metacharacter abuse, or hidden execution instruction was found.
Repository URL in Cargo Metadata
The network finding is a Cargo.toml repository field that points to the source project. It is metadata, not an instruction to send data or make an unauthorized network request.
The URL appears inside a Cargo.toml example as a repository value. There is no fetch, upload, webhook, credential transfer, or runtime network operation.
False Positive Reconnaissance and Heuristic Combination
The system reconnaissance and dangerous-combination findings are not supported by semantic context. The file contains Rust best practices, dependency examples, and module patterns, with no credential access or exfiltration flow.
The suspicious combination is explained by Markdown code examples plus a repository URL. No environment access, secret collection, command obfuscation, or data exfiltration was present.

Risk factors

External commands (1)
Network access (1)
Auditor: codex

Audit version 5

Safe

Jan 16, 2026, 03:33 PM

Pure documentation skill containing Rust best practices and code examples. No executable code, scripts, network calls, filesystem access, or command execution. The static findings are false positives - code examples (Ed25519, Tokio), markdown code blocks, and GitHub URLs in metadata were misidentified as security issues.

Files scanned: 2
Lines analyzed: 350
Review items: 2
Ignored false positives: 0
Auditor: claude

Audit version 4

Safe

Jan 16, 2026, 03:33 PM

Pure documentation skill containing Rust best practices and code examples. No executable code, scripts, network calls, filesystem access, or command execution. The static findings are false positives - code examples (Ed25519, Tokio), markdown code blocks, and GitHub URLs in metadata were misidentified as security issues.

Files scanned: 2
Lines analyzed: 350
Review items: 2
Ignored false positives: 0
Auditor: claude

Audit version 3

Safe

Jan 10, 2026, 09:54 AM

Pure prompt-based skill containing only documentation and code examples. No executable code, scripts, network calls, filesystem access, or command execution. Contains only Rust best practices and patterns for the Guts project.

Files scanned: 1
Lines analyzed: 172
Review items: 0
Ignored false positives: 0
No security issues found
Auditor: claude

Audit version 2

Safe

Jan 10, 2026, 09:54 AM

Pure prompt-based skill containing only documentation and code examples. No executable code, scripts, network calls, filesystem access, or command execution. Contains only Rust best practices and patterns for the Guts project.

Files scanned: 1
Lines analyzed: 172
Review items: 0
Ignored false positives: 0
No security issues found
Auditor: claude

Audit version 1

Safe

Jan 10, 2026, 09:54 AM

Pure prompt-based skill containing only documentation and code examples. No executable code, scripts, network calls, filesystem access, or command execution. Contains only Rust best practices and patterns for the Guts project.

Files scanned: 1
Lines analyzed: 172
Review items: 0
Ignored false positives: 0
No security issues found
Auditor: claude