Skill wp-block-themes audit log

Audit log

wp-block-themes - 7 audits

Audit version 7

Latest: low risk

Jun 28, 2026, 11:44 AM

Static analysis reported many high-risk patterns, but review found no malicious intent, no prompt injection, and no confirmed weak cryptography. Most command and crypto matches are Markdown backticks around WordPress terms, file paths, or documentation links. The only real concern is a local Node.js helper that reads the current repository to detect block theme folders.

Files scanned: 8
Lines analyzed: 409
Findings: 8
Auditor: codex

Low-risk issues (4)
Local Repository Filesystem Enumeration
The helper script walks the current working directory, reads theme.json files, and prints a report that includes the repository root. This is legitimate for theme detection, but it exposes local paths in command output and should only be run in intended project directories.
Markdown Backtick False Positives
Many external command detections are false positives. The flagged backticks surround WordPress file names, folders, and theme.json keys in Markdown, not executable Ruby or shell code.
Documentation URL False Positives
The network findings are hardcoded links to WordPress documentation and plugin pages. No file performs fetch, HTTP requests, package installation, or data upload.
Weak Cryptography False Positives
The high-severity weak cryptography detections appear to match the text theme.json and URLs containing json. No hashing, encryption, password handling, or cryptographic API use was found.

Audit version 6

Low risk

Jan 16, 2026, 05:50 PM

This skill provides documentation and guidance for WordPress block theme development. The only executable script (detect_block_themes.mjs) safely reads theme.json files using bounded filesystem operations with no network access or command execution. All 92 static findings are false positives: markdown backticks are misinterpreted as shell execution, documentation URLs as network calls, and JSON content hashes as C2 indicators.

Files scanned: 9
Lines analyzed: 659
Findings: 2
Auditor: claude

Medium-risk issues (1)
Filesystem Read Operations for Theme Detection
Node.js fs operations for reading theme.json files

Risk factors

📁 Filesystem access (1)

Audit version 5

Low risk

Jan 16, 2026, 05:50 PM

This skill provides documentation and guidance for WordPress block theme development. The only executable script (detect_block_themes.mjs) safely reads theme.json files using bounded filesystem operations with no network access or command execution. All 92 static findings are false positives: markdown backticks are misinterpreted as shell execution, documentation URLs as network calls, and JSON content hashes as C2 indicators.

Files scanned: 9
Lines analyzed: 659
Findings: 2
Auditor: claude

Medium-risk issues (1)
Filesystem Read Operations for Theme Detection
Node.js fs operations for reading theme.json files

Risk factors

📁 Filesystem access (1)

Audit version 4

Low risk

Jan 16, 2026, 05:50 PM

This skill provides documentation and guidance for WordPress block theme development. The only executable script (detect_block_themes.mjs) safely reads theme.json files using bounded filesystem operations with no network access or command execution. All 92 static findings are false positives: markdown backticks are misinterpreted as shell execution, documentation URLs as network calls, and JSON content hashes as C2 indicators.

Files scanned: 9
Lines analyzed: 659
Findings: 2
Auditor: claude

Medium-risk issues (1)
Node.js fs operations for reading theme.json files

Risk factors

📁 Filesystem access (1)

Audit version 3

Low risk

Jan 10, 2026, 10:42 AM

This skill provides guidance and tooling for WordPress block theme development. The included script (detect_block_themes.mjs) safely scans repositories for theme.json files with bounded filesystem access and no network or command execution capabilities. All behavior matches the stated purpose.

Files scanned: 8
Lines analyzed: 304
Findings: 2
Auditor: claude

No security issues found

Risk factors

Audit version 2

Low risk

Jan 10, 2026, 10:42 AM

This skill provides guidance and tooling for WordPress block theme development. The included script (detect_block_themes.mjs) safely scans repositories for theme.json files with bounded filesystem access and no network or command execution capabilities. All behavior matches the stated purpose.

Files scanned: 8
Lines analyzed: 304
Findings: 2
Auditor: claude

No security issues found

Risk factors

Audit version 1

Low risk

Jan 10, 2026, 10:42 AM

This skill provides guidance and tooling for WordPress block theme development. The included script (detect_block_themes.mjs) safely scans repositories for theme.json files with bounded filesystem access and no network or command execution capabilities. All behavior matches the stated purpose.

Files scanned: 8
Lines analyzed: 304
Findings: 2
Auditor: claude

No security issues found

Risk factors