
Audit history

database-schema-designer - 6 audits

Audit version 6

Latest - Low risk

Jun 28, 2026, 09:45 AM

Static analysis reported weak cryptography, system reconnaissance, and Ruby backtick execution patterns. Manual review found these are false positives from database terminology, SQL metadata queries, and Markdown fenced examples rather than executable behavior. One low-severity content issue remains because a negative Python example uses SQL string interpolation without calling out injection risk.

Files scanned: 3
Lines analyzed: 1,031
Review items: 4
False positives ignored: 0

Confirmed security concerns (4)

False Positive: Weak Cryptography Detections Are Database Terms
Verdict: FALSE_POSITIVE. The flagged weak cryptography patterns occur in documentation about schema design, index types, and template metadata. They do not implement MD5, SHA1, DES, or any cryptographic operation.
The reviewed lines are prose, headings, or SQL comments about database schema design. No cryptographic API, hash function implementation, or password handling code is present.
False Positive: Backtick Execution Detections Are Markdown Fences
Verdict: FALSE_POSITIVE. The flagged Ruby or shell backtick detections correspond to Markdown code block delimiters around SQL, JSON, JavaScript, and Python examples. The skill has no script file or instruction that executes shell commands.
The matched areas are fenced documentation examples, not runtime code. No command shell, Ruby evaluation, subprocess call, or user-controlled command construction was found.
False Positive: Reconnaissance Detections Are SQL Review Queries
Verdict: FALSE_POSITIVE. The flagged reconnaissance patterns are database inspection guidance such as EXPLAIN and INFORMATION_SCHEMA checks. These are normal schema validation queries and do not inspect the host system.
The context is database query analysis and migration validation. There is no filesystem, network, host inventory, or credential discovery behavior.
Negative Example Uses SQL String Interpolation
Verdict: LOW_RISK_CONTENT_ISSUE. A Python example marked as bad demonstrates an N+1 query using an f-string inside a SQL query. Because the example is explicitly labeled bad, this is not malicious, but it could be clearer that interpolation also creates SQL injection risk.
The unsafe interpolation is visible in a negative example, so legitimate teaching context is clear. The risk is limited to possible user misunderstanding if the snippet is copied without the surrounding warning.

Detected patterns

SQL String Interpolation Appears In A Negative Example
Audited by: codex

Audit version 5

Safe

Jan 16, 2026, 04:29 PM

This is a documentation-only skill containing SQL templates, database design checklists, and schema patterns. The static analyzer flagged 202 issues but ALL are false positives caused by the scanner misidentifying SQL keywords (FLOAT, DECIMAL) as 'weak cryptographic algorithms' and database terminology (EXPLAIN, INFORMATION_SCHEMA) as 'system reconnaissance'. No executable code, network access, or filesystem operations exist in this skill.

Files scanned: 4
Lines analyzed: 1,235
Review items: 0
False positives ignored: 0
No security issues found
Audited by: claude

Audit version 4

Safe

Jan 16, 2026, 04:29 PM

This is a documentation-only skill containing SQL templates, database design checklists, and schema patterns. The static analyzer flagged 202 issues but ALL are false positives caused by the scanner misidentifying SQL keywords (FLOAT, DECIMAL) as 'weak cryptographic algorithms' and database terminology (EXPLAIN, INFORMATION_SCHEMA) as 'system reconnaissance'. No executable code, network access, or filesystem operations exist in this skill.

Files scanned: 4
Lines analyzed: 1,235
Review items: 0
False positives ignored: 0
No security issues found
Audited by: claude

Audit version 3

Safe

Jan 10, 2026, 10:32 AM

This is a prompt-based knowledge skill containing only documentation, SQL templates, and checklists for database schema design. No executable code, no network access, no filesystem access beyond reading its own files.

Files scanned: 3
Lines analyzed: 1,024
Review items: 0
False positives ignored: 0
No security issues found
Audited by: claude

Audit version 2

Safe

Jan 10, 2026, 10:32 AM

This is a prompt-based knowledge skill containing only documentation, SQL templates, and checklists for database schema design. No executable code, no network access, no filesystem access beyond reading its own files.

Files scanned: 3
Lines analyzed: 1,024
Review items: 0
False positives ignored: 0
No security issues found
Audited by: claude

Audit version 1

Safe

Jan 10, 2026, 10:32 AM

This is a prompt-based knowledge skill containing only documentation, SQL templates, and checklists for database schema design. No executable code, no network access, no filesystem access beyond reading its own files.

Files scanned: 3
Lines analyzed: 1,024
Review items: 0
False positives ignored: 0
No security issues found
Audited by: claude