Skill docs-validator audit history

Audit history

docs-validator - 6 audits

Audit version 6

Latest: Medium risk

Jun 28, 2026, 07:00 PM

Static analysis found many shell, network, filesystem, and weak-crypto patterns in SKILL.md. Manual review shows the weak-crypto, path traversal, reconnaissance, and hardcoded URL matches are false positives from prose or sample report text. The remaining risk is legitimate but elevated because the skill instructs agents to run shell documentation scans, inspect workspace files, optionally test external URLs, and write reports.

Files scanned: 1
Lines analyzed: 519
Findings: 9
Auditor: codex

Medium-risk issues (2)
Agent-Directed Shell Documentation Scans
The skill includes Bash workflows that use find, ls, grep, shell variables, and loops to inspect documentation and source directories. This is legitimate for documentation validation, but it gives the agent command execution paths over the workspace and should be reviewed before use on sensitive repositories.
Optional External URL Validation
The skill directs the agent to check whether external documentation links are accessible. This can create outbound network traffic to URLs found in a repository, but the reviewed file does not instruct sending secrets or contacting a suspicious collection endpoint.
Low-risk issues (4)
Weak Cryptography Static Matches Are False Positives
The high-severity weak cryptography matches occur in documentation prose, checklist text, or sample report content. No cryptographic API, password hashing, cipher selection, or implementation code is present in SKILL.md.
Path Traversal Match Is a Relative Link Example
The path traversal match is part of a suggested fix for a broken Markdown link. It shows a relative documentation path and is not used for file access or command execution.
Hardcoded URL Matches Are Sample Report Data
The hardcoded URLs appear in an example broken-link report that shows an old URL and a replacement URL. They are not configured endpoints and do not receive repository data or credentials.
System Reconnaissance Match Is Documentation Inventory
The reconnaissance-related match is part of documentation link and file-reference validation. The skill asks for inventory of documentation paths, not host fingerprinting or system discovery.

Detected patterns

Shell Commands in Skill Instructions
Outbound Link Checking Workflow

Audit version 5

Safe

Jan 16, 2026, 08:15 PM

This is a pure prompt-based skill with no executable code. The SKILL.md file contains only documentation validation guidelines and example prompts for an AI assistant. All 65 static findings are false positives: cryptographic algorithm detections are misidentified hash identifiers, external_commands are illustrative bash examples with hardcoded paths, and network/filesystem detections are benign markdown content.

Files scanned: 2
Lines analyzed: 698
Findings: 3
Auditor: claude

No security issues found

Audit version 4

Safe

Jan 16, 2026, 08:15 PM

This is a pure prompt-based skill with no executable code. The SKILL.md file contains only documentation validation guidelines and example prompts for an AI assistant. All 65 static findings are false positives: cryptographic algorithm detections are misidentified hash identifiers, external_commands are illustrative bash examples with hardcoded paths, and network/filesystem detections are benign markdown content.

Files scanned: 2
Lines analyzed: 698
Findings: 3
Auditor: claude

No security issues found

Audit version 3

Safe

Jan 10, 2026, 11:48 AM

This is a pure prompt-based skill with no executable code. The SKILL.md file contains only documentation validation guidelines and example prompts for an AI assistant. No network calls, file writes, or command executions are performed by the skill itself.

Files scanned: 1
Lines analyzed: 519
Findings: 0
Auditor: claude

No security issues found

Audit version 2

Safe

Jan 10, 2026, 11:48 AM

This is a pure prompt-based skill with no executable code. The SKILL.md file contains only documentation validation guidelines and example prompts for an AI assistant. No network calls, file writes, or command executions are performed by the skill itself.

Files scanned: 1
Lines analyzed: 519
Findings: 0
Auditor: claude

No security issues found

Audit version 1

Safe

Jan 10, 2026, 11:48 AM

This is a pure prompt-based skill with no executable code. The SKILL.md file contains only documentation validation guidelines and example prompts for an AI assistant. No network calls, file writes, or command executions are performed by the skill itself.

Files scanned: 1
Lines analyzed: 519
Findings: 0
Auditor: claude

No security issues found