Audit history

spec-kit-claude-code-workflow - 6 audits

Audit version 6

Latest · Safe

Jun 28, 2026, 03:57 AM

Static analysis reported six possible issues, but all reviewed locations are prose in SKILL.md. No executable code, network activity, system reconnaissance, weak cryptography use, data exfiltration, or prompt injection attempt was found.

Files scanned: 1
Lines analyzed: 184
Items reviewed: 3
False positives ignored: 0

Confirmed security issues (3)

False Positive: Weak Cryptography Pattern
The static hits occur in descriptive workflow text, not in cryptographic code. Line 7 describes the skill, and line 45 discusses folder-specific rule overrides.
The referenced lines contain natural-language documentation only. I found no algorithm names, crypto libraries, key handling, or encryption implementation.
False Positive: System Reconnaissance Pattern
The static hits refer to rapid prototyping and rapid specification changes. They do not instruct collection of host, user, process, or environment information.
Both locations are workflow guidance sentences. I found no command usage, filesystem probing, environment access, or inventory collection.
False Positive: Network Reconnaissance Pattern
The static hits discuss feedback mechanisms and workflow monitoring. They do not contain network scanning, connection testing, or external endpoint access.
The relevant text is conceptual process guidance. I found no URLs, sockets, port scans, ping commands, or network libraries.
Auditor: codex

Audit version 5

Safe

Jan 16, 2026, 03:50 PM

Pure documentation skill containing only YAML frontmatter and markdown guidance for development workflow. No executable code, scripts, network calls, filesystem access, or command execution capabilities. All 15 static findings are false positives from pattern-matching on benign documentation text.

Files scanned: 2
Lines analyzed: 361
Items reviewed: 0
False positives ignored: 0
No security issues found
Auditor: claude

Audit version 4

Safe

Jan 16, 2026, 03:50 PM

Pure documentation skill containing only YAML frontmatter and markdown guidance for development workflow. No executable code, scripts, network calls, filesystem access, or command execution capabilities. All 15 static findings are false positives from pattern-matching on benign documentation text.

Files scanned: 2
Lines analyzed: 361
Items reviewed: 0
False positives ignored: 0
No security issues found
Auditor: claude

Audit version 3

Safe

Jan 10, 2026, 09:51 AM

Pure documentation skill with no executable code. Contains only YAML frontmatter and markdown guidance for development workflow. No scripts, network calls, filesystem access, or command execution capabilities.

Files scanned: 1
Lines analyzed: 184
Items reviewed: 0
False positives ignored: 0
No security issues found
Auditor: claude

Audit version 2

Safe

Jan 10, 2026, 09:51 AM

Pure documentation skill with no executable code. Contains only YAML frontmatter and markdown guidance for development workflow. No scripts, network calls, filesystem access, or command execution capabilities.

Files scanned: 1
Lines analyzed: 184
Items reviewed: 0
False positives ignored: 0
No security issues found
Auditor: claude

Audit version 1

Safe

Jan 10, 2026, 09:51 AM

Pure documentation skill with no executable code. Contains only YAML frontmatter and markdown guidance for development workflow. No scripts, network calls, filesystem access, or command execution capabilities.

Files scanned: 1
Lines analyzed: 184
Items reviewed: 0
False positives ignored: 0
No security issues found
Auditor: claude