Audit History

blocklet-updater - 6 audits

Audit version 6

Latest · Medium risk

Jun 28, 2026, 10:23 AM

The static Ruby backtick and weak cryptography findings are false positives from markdown prose, inline code, and fenced command examples. The skill has a real medium-risk behavior because it instructs the agent to run blocklet and pnpm commands, including dependency installation and project build scripts, inside the user workspace.

Files scanned: 3
Lines analyzed: 183
Findings: 3
Auditor: codex

Medium-risk issues (1)
Project-Controlled Commands During Release Workflow
The workflow directs the agent to run blocklet version, pnpm install, pnpm run build, blocklet meta, and blocklet bundle. This is legitimate release automation, but pnpm install and the project's build script can execute code supplied by the current project and its dependencies (install-time lifecycle hooks and the build command itself), so the workflow should be run only in repositories the user already trusts.

Low-risk issues (1)
Static Command and Crypto Alerts Are Markdown False Positives
The analyzer reported Ruby backtick execution and weak cryptography indicators, but the referenced files are markdown documentation, front matter, inline command names, and fenced shell examples. No Ruby code, cryptographic operation, obfuscation, or malware intent was found in these files.

Detected patterns

Shell Command Execution Required by Workflow
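The medium-risk finding above comes down to one question a user should answer before letting the agent run the release steps: what code will `pnpm install` and `pnpm run build` actually execute in this checkout? The following preflight script is an added example, not part of the blocklet-updater skill or of pnpm; it walks the project's package.json and every package.json under node_modules (including pnpm's nested .pnpm layout) and reports the install-time hooks and the build command that would run. The sample project it builds in a temporary directory, with a dependency named native-addon that declares install hooks, is constructed for the demonstration and does not correspond to any real package.

```python
"""Preflight for the blocklet release workflow: list the commands that `pnpm install`
and `pnpm run build` would execute from the project and its installed dependencies.
Added example; not part of the blocklet-updater skill or of pnpm itself."""
import json
import tempfile
from pathlib import Path

# Hooks that package managers run automatically during install. The project's
# own "build" script is reported separately because `pnpm run build` invokes it.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")


def read_package(pkg_json: Path) -> dict:
    """Parse a package.json; unreadable or malformed files count as empty."""
    try:
        data = json.loads(pkg_json.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return {}
    return data if isinstance(data, dict) else {}


def install_hooks(pkg: dict) -> dict:
    """Return {hook: command} for the install-time hooks one package declares."""
    scripts = pkg.get("scripts") or {}
    return {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}


def audit_project(root: Path) -> dict:
    """Report every command that install/build would run for the project at `root`."""
    root_pkg = read_package(root / "package.json")
    report = {
        "project_hooks": install_hooks(root_pkg),
        "build": (root_pkg.get("scripts") or {}).get("build"),
        "dependency_hooks": {},
    }
    node_modules = root / "node_modules"
    if node_modules.is_dir():
        # rglob covers the flat layout and pnpm's node_modules/.pnpm/<id>/node_modules/<name>.
        for pkg_json in node_modules.rglob("package.json"):
            pkg = read_package(pkg_json)
            hooks = install_hooks(pkg)
            if hooks:
                name = pkg.get("name") or pkg_json.parent.name
                report["dependency_hooks"][name] = hooks
    return report


def write_sample_project(root: Path) -> None:
    """Constructed sample tree (hypothetical packages, not a real project)."""
    packages = {
        "package.json": {
            "name": "demo-blocklet",
            "scripts": {"build": "vite build", "prepare": "husky install"},
        },
        "node_modules/safe-lib/package.json": {
            "name": "safe-lib",
            "scripts": {"test": "jest"},  # no install-time hooks
        },
        "node_modules/native-addon/package.json": {
            "name": "native-addon",
            "scripts": {"install": "node-gyp rebuild", "postinstall": "node ./setup.js"},
        },
    }
    for rel, content in packages.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(json.dumps(content), encoding="utf-8")


def format_report(report: dict) -> list:
    """Render the report as lines a user can read before approving the workflow."""
    lines = [f"project build script: {report['build']!r}"]
    for hook, cmd in report["project_hooks"].items():
        lines.append(f"project hook {hook}: {cmd}")
    for name, hooks in sorted(report["dependency_hooks"].items()):
        for hook, cmd in hooks.items():
            lines.append(f"dependency {name} hook {hook}: {cmd}")
    return lines


def demo() -> dict:
    """Build the constructed sample project and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_sample_project(root)
        return audit_project(root)


if __name__ == "__main__":
    for line in format_report(demo()):
        print(line)
```

The output makes the trust decision concrete: the project's `prepare` hook and `build` script run with the user's privileges no matter what, and any dependency hooks listed will run on install unless they are suppressed. Two real pnpm controls apply here: `pnpm install --ignore-scripts` skips all lifecycle hooks for that run, and from pnpm 10 onward dependency lifecycle scripts are not executed at all unless the package is allow-listed under `pnpm.onlyBuiltDependencies` in package.json. Neither control covers `pnpm run build`, so the repository itself still has to be trusted before the agent is allowed to proceed.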

Audit version 5

Safe

Jan 16, 2026, 04:15 PM

This is a documentation-only skill containing workflow guidance for blocklet releases. It contains no executable code, scripts, or network calls. The static findings are false positives: the detected command patterns are bash examples in documentation, not shell execution; the cryptographic algorithm warnings are pattern matches in JSON metadata; the network detection is a source URL in metadata. The skill only guides the AI to run standard blocklet CLI commands in user projects.

Files scanned: 4
Lines analyzed: 371
Findings: 1
Auditor: claude
No security issues found

Audit version 4

Safe

Jan 16, 2026, 04:15 PM

This is a documentation-only skill containing workflow guidance for blocklet releases. It contains no executable code, scripts, or network calls. The static findings are false positives: the detected command patterns are bash examples in documentation, not shell execution; the cryptographic algorithm warnings are pattern matches in JSON metadata; the network detection is a source URL in metadata. The skill only guides the AI to run standard blocklet CLI commands in user projects.

Files scanned: 4
Lines analyzed: 371
Findings: 1
Auditor: claude
No security issues found

Audit version 3

Safe

Jan 10, 2026, 10:23 AM

This is a prompt-based skill containing only documentation files. It contains no executable code, scripts, or network calls. The skill provides workflow guidance for the AI to execute standard blocklet CLI commands in the user's project directory.

Files scanned: 3
Lines analyzed: 161
Findings: 0
Auditor: claude
No security issues found

Audit version 2

Safe

Jan 10, 2026, 10:23 AM

This is a prompt-based skill containing only documentation files. It contains no executable code, scripts, or network calls. The skill provides workflow guidance for the AI to execute standard blocklet CLI commands in the user's project directory.

Files scanned: 3
Lines analyzed: 161
Findings: 0
Auditor: claude
No security issues found

Audit version 1

Safe

Jan 10, 2026, 10:23 AM

This is a prompt-based skill containing only documentation files. It contains no executable code, scripts, or network calls. The skill provides workflow guidance for the AI to execute standard blocklet CLI commands in the user's project directory.

Files scanned: 3
Lines analyzed: 161
Findings: 0
Auditor: claude
No security issues found