
Audit history

api-jwt-authenticator - 6 audits

Audit version 6

Latest | Low risk

Jun 28, 2026, 03:48 AM

Static analysis flagged Markdown backticks, JWT terminology, and HTTP authentication documentation as suspicious patterns. Review found no executable code, shell invocation, prompt injection, malware behavior, or data exfiltration in SKILL.md. The skill is a conceptual security guide and is safe to publish with low residual risk.

Files scanned: 1
Lines analyzed: 136
Review items: 0
Ignored false positives: 3

Ignored static false positives (3)

These static hits were judged false positives by semantic review, or only matched terms inside schema definitions; they are kept here for transparency but do not affect the quality score.

False Positive: Markdown Formatting Flagged as Shell Execution
The flagged locations use Markdown inline code for an Authorization header and JWT claim names. They do not contain Ruby code, shell execution, command substitution, or user-controlled command construction.
The evidence is plain Markdown documentation. The surrounding text describes token format and claims, not executable Ruby or shell behavior.

False Positive: Weak Cryptography Pattern Not Confirmed
The flagged lines do not specify a weak signing algorithm or unsafe cryptographic implementation. Line 7 is the skill description, and line 128 discusses testing error response formats.
No cryptographic algorithm is named at either location. The skill recommends validating JWT signatures and expiration but does not prescribe insecure crypto.

False Positive: System Reconnaissance Pattern Not Confirmed
The flagged locations describe HTTP status handling, token structure, information disclosure avoidance, and authentication tests. They do not collect host data, enumerate files, or inspect the runtime environment.
The context is API authentication guidance. No commands, filesystem reads, environment probing, or network discovery instructions are present.

No security issues found
Auditor: codex

Audit version 5

Safe

Jan 16, 2026, 03:39 PM

This is a pure documentation skill providing conceptual guidance for implementing JWT authentication in FastAPI APIs. It contains no executable code, no network calls, no filesystem operations, and no external command execution. The static analysis findings are false positives triggered by security-related terminology in documentation (JWT, authorization, tokens, roles) and metadata fields. All 27 static findings are dismissed as keyword-pattern false positives.

Files scanned: 2
Lines analyzed: 314
Review items: 1
Ignored false positives: 0
Auditor: claude

Audit version 4

Safe

Jan 16, 2026, 03:39 PM

This is a pure documentation skill providing conceptual guidance for implementing JWT authentication in FastAPI APIs. It contains no executable code, no network calls, no filesystem operations, and no external command execution. The static analysis findings are false positives triggered by security-related terminology in documentation (JWT, authorization, tokens, roles) and metadata fields. All 27 static findings are dismissed as keyword-pattern false positives.

Files scanned: 2
Lines analyzed: 314
Review items: 1
Ignored false positives: 0
Auditor: claude

Audit version 3

Safe

Jan 10, 2026, 09:48 AM

Pure documentation-based conceptual skill containing only a SKILL.md file. No executable code, no network calls, no filesystem access beyond its own file. The content provides guidance on implementing JWT authentication following security best practices.

Files scanned: 1
Lines analyzed: 136
Review items: 0
Ignored false positives: 0
No security issues found
Auditor: claude

Audit version 2

Safe

Jan 10, 2026, 09:48 AM

Pure documentation-based conceptual skill containing only a SKILL.md file. No executable code, no network calls, no filesystem access beyond its own file. The content provides guidance on implementing JWT authentication following security best practices.

Files scanned: 1
Lines analyzed: 136
Review items: 0
Ignored false positives: 0
No security issues found
Auditor: claude

Audit version 1

Safe

Jan 10, 2026, 09:48 AM

Pure documentation-based conceptual skill containing only a SKILL.md file. No executable code, no network calls, no filesystem access beyond its own file. The content provides guidance on implementing JWT authentication following security best practices.

Files scanned: 1
Lines analyzed: 136
Review items: 0
Ignored false positives: 0
No security issues found
Auditor: claude