
Audit history

generate-sparkle-appcast - 6 audits

Audit version 6

Latest: Medium risk

Jun 28, 2026, 07:48 PM

Static analysis found many command, filesystem, network, environment, and sensitive-key patterns. Review confirms the script is a plausible release automation tool, but it handles a Sparkle private signing key and writes temporary key material, so publication should include a clear security warning.

Files scanned: 2
Lines analyzed: 521
Findings: 10
Auditor: codex

Medium-risk issues (2)
Private Sparkle Signing Key Handling
The script requires a Sparkle private key, reads it into a shell variable, passes the base64 seed to Python as a process argument, and writes DER and PEM key material in a temporary directory before signing the zip. This is legitimate for appcast generation, but it exposes sensitive signing material to local process inspection and temporary storage risks.
Release Automation Executes Local Commands
The script runs python3, git, openssl, wc, date, cp, mkdir, mktemp, and rm to inspect the build zip, derive release notes, sign the archive, and write appcast files. Arguments are mostly quoted and Python subprocess calls do not use a shell, but running this skill still grants broad local command and filesystem effects.
Low-risk issues (3)
Hardcoded URLs Are Publication Targets
The GitHub and Mos URLs are used to build appcast download links, release notes links, and XML namespace metadata. I did not find evidence that the script performs outbound network requests or exfiltrates data to those URLs.
Markdown Backticks Misclassified As Shell Execution
Many SKILL.md findings are Markdown command examples and file paths inside backticks. They document expected usage and outputs rather than executable code in the skill file itself.
Weak Cryptography Flags Are False Positives
The weak cryptography findings point at XML description text and appcast fields, while the actual signature flow uses Ed25519 through OpenSSL. I did not find evidence of MD5, SHA1, DES, RC4, or another weak algorithm in the reviewed script.

Detected patterns

Sensitive Key Material In Temporary Files
Generated Release Files Written Into Build And Docs
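
The key-handling finding above describes the seed being passed to Python as a process argument and written out as DER and PEM in a temporary directory before OpenSSL signs the zip. The Python below is an added example, not the audited script and not Sparkle's own tooling: it shows the in-process alternative, where the seed arrives through an environment variable or stdin, the Ed25519 signature and the enclosure length are computed in memory, and nothing touches disk. It assumes the private key is a base64-encoded 32-byte Ed25519 seed (the page does not describe Sparkle's export format), uses SPARKLE_PRIVATE_KEY as a hypothetical variable name, and implements Ed25519 per RFC 8032 in pure Python only so the example runs offline with the standard library; a real pipeline would call OpenSSL or the cryptography package with the same key handling.

```python
"""Sign a Sparkle enclosure in-process, so the seed is never in argv or on disk.
Added example, not the audited script. Ed25519 follows RFC 8032 in pure Python so
this runs on the standard library alone; a real pipeline would call OpenSSL or the
`cryptography` package with the same key handling. Assumed: the key is a base64
32-byte Ed25519 seed, and SPARKLE_PRIVATE_KEY is a hypothetical variable name.
"""
import base64
import hashlib
import os
import sys

Q = 2**255 - 19                                      # field prime
L = 2**252 + 27742317777372353535851937790883648493  # group order
D = (-121665 * pow(121666, Q - 2, Q)) % Q            # curve constant d
I = pow(2, (Q - 1) // 4, Q)                          # sqrt(-1) mod Q


def _inv(x):
    return pow(x, Q - 2, Q)


def _xrecover(y):  # even x with (x, y) on the curve
    xx = (y * y - 1) * _inv(D * y * y + 1)
    x = pow(xx, (Q + 3) // 8, Q)
    if (x * x - xx) % Q:
        x = (x * I) % Q
    return Q - x if x % 2 else x


B = (_xrecover((4 * _inv(5)) % Q), (4 * _inv(5)) % Q)  # base point


def _add(P, R):
    (x1, y1), (x2, y2) = P, R
    t = D * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * _inv(1 + t) % Q,
            (y1 * y2 + x1 * x2) * _inv(1 - t) % Q)


def _mul(P, e):
    R = (0, 1)                                       # identity element
    while e:
        if e & 1:
            R = _add(R, P)
        P, e = _add(P, P), e >> 1
    return R


def _enc(P):
    return (P[1] | ((P[0] & 1) << 255)).to_bytes(32, "little")


def _dec(s):
    y = int.from_bytes(s, "little") & ((1 << 255) - 1)
    x = _xrecover(y)
    x = Q - x if (x & 1) != (s[31] >> 7) else x
    if (-x * x + y * y - 1 - D * x * x * y * y) % Q:
        raise ValueError("point not on curve")
    return (x, y)


def _scalar(seed):                                   # clamped scalar, nonce prefix
    h = hashlib.sha512(seed).digest()
    return int.from_bytes(h[:32], "little") & ((1 << 254) - 8) | (1 << 254), h[32:]


def public_key(seed):
    return _enc(_mul(B, _scalar(seed)[0]))


def sign(seed, message):
    a, prefix = _scalar(seed)
    pk = public_key(seed)
    r = int.from_bytes(hashlib.sha512(prefix + message).digest(), "little") % L
    R = _enc(_mul(B, r))
    k = int.from_bytes(hashlib.sha512(R + pk + message).digest(), "little")
    return R + ((r + k * a) % L).to_bytes(32, "little")


def verify(pk, message, sig):
    S = int.from_bytes(sig[32:], "little")
    if len(pk) != 32 or len(sig) != 64 or S >= L:
        return False
    try:
        R, A = _dec(sig[:32]), _dec(pk)
    except ValueError:
        return False
    k = int.from_bytes(hashlib.sha512(sig[:32] + pk + message).digest(), "little")
    return _mul(B, S) == _add(R, _mul(A, k))


def load_seed(env=os.environ, stream=sys.stdin):
    """Base64 seed from the environment or stdin, never from sys.argv (ps shows it)."""
    b64 = env.get("SPARKLE_PRIVATE_KEY") or stream.readline().strip()
    seed = base64.b64decode(b64, validate=True)
    if len(seed) != 32:
        raise ValueError("expected a 32-byte Ed25519 seed")
    return seed


def enclosure_attrs(seed, archive):                  # the <enclosure> attributes Sparkle checks
    return {"sparkle:edSignature": base64.b64encode(sign(seed, archive)).decode(),
            "length": str(len(archive))}


def verify_enclosure(pk, archive, attrs):            # client side: length, then signature
    return (attrs["length"] == str(len(archive))
            and verify(pk, archive, base64.b64decode(attrs["sparkle:edSignature"])))


if __name__ == "__main__":
    seed = load_seed() if "SPARKLE_PRIVATE_KEY" in os.environ else os.urandom(32)  # demo key
    print(enclosure_attrs(seed, b"PK\x03\x04" + b"constructed archive body " * 40))
```

An environment variable is still readable by other processes running as the same user, so piping the seed on stdin from a secret store is the stricter option; what both avoid is the argv exposure and the on-disk DER/PEM copies the audit flagged. The verification half mirrors what the updater checks against the enclosure, so the same file can confirm an appcast entry before it is published.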

Audit version 5

Low risk

Jan 16, 2026, 07:41 PM

Legitimate macOS release automation tool for generating Sparkle appcast files. All static findings are false positives stemming from the scanner's inability to distinguish between legitimate release tooling and malicious patterns. The script operates only within project build/docs directories, uses standard tooling (git, python3, openssl) for release signing, and handles Ed25519 private keys appropriately for Sparkle update signing.

Files scanned: 3
Lines analyzed: 767
Findings: 5
Auditor: claude

No security issues found

Audit version 4

Low risk

Jan 16, 2026, 07:41 PM

Legitimate macOS release automation tool for generating Sparkle appcast files. All static findings are false positives stemming from the scanner's inability to distinguish between legitimate release tooling and malicious patterns. The script operates only within project build/docs directories, uses standard tooling (git, python3, openssl) for release signing, and handles Ed25519 private keys appropriately for Sparkle update signing.

Files scanned: 3
Lines analyzed: 767
Findings: 5
Auditor: claude

No security issues found

Audit version 3

Low risk

Jan 10, 2026, 11:56 AM

Standard release automation script for generating Sparkle appcast files. Operates only within project build/docs directories. Uses python3, openssl, and git commands appropriate for release signing and git history processing.

Files scanned: 2
Lines analyzed: 524
Findings: 4
Auditor: claude

No security issues found

Audit version 2

Low risk

Jan 10, 2026, 11:56 AM

Standard release automation script for generating Sparkle appcast files. Operates only within project build/docs directories. Uses python3, openssl, and git commands appropriate for release signing and git history processing.

Files scanned: 2
Lines analyzed: 524
Findings: 4
Auditor: claude

No security issues found

Audit version 1

Low risk

Jan 10, 2026, 11:56 AM

Standard release automation script for generating Sparkle appcast files. Operates only within project build/docs directories. Uses python3, openssl, and git commands appropriate for release signing and git history processing.

Files scanned: 2
Lines analyzed: 524
Findings: 4
Auditor: claude

No security issues found