技能 genesis 審計紀錄
📦

審計紀錄

genesis - 7 審計

審計版本 7

最新 中風險

Jun 28, 2026, 03:41 PM

Static analysis reported many high-risk patterns, but manual review found most were false positives from markdown examples, CSS color tokens, Go checksum data, fixed build paths, and SQLModel session.exec calls. The skill is still medium risk because it guides agents to copy files, run package managers and dev servers, read environment configuration, and generate networked backend templates. Publish with a warning to review commands and dependencies before execution.

75
已掃描檔案
6,346
分析行數
10
發現
codex
審計單位
中風險問題 (3)
SKILL.md:59-62SKILL.md:87-90SKILL.md:113-118SKILL.md:148-154
Project Initialization Runs Shell Commands
The skill instructs agents to copy template directories, edit files with sed, install dependencies, and start development servers. These are legitimate scaffolding actions, but user-supplied project names and target directories should be validated before command execution.
templates/backend-python/app/config.py:24-35templates/backend-python/local-run.sh:3-7templates/backend-go/internal/config/config.go:112-118
Template Reads Environment and Database Secrets
The Python and Go backend templates load database settings from environment files or environment variables, including database passwords. This is normal backend configuration, but generated projects must avoid logging or committing these secrets.
templates/backend-python/app/main.py:60-66
Permissive CORS in FastAPI Template
The FastAPI template allows all origins, methods, and headers while also allowing credentials. This can be unsafe if copied into production without narrowing allowed origins.
低風險問題 (2)
references/backend-python.md:143-149templates/backend-python/app/db/session.py:48-54references/taro-miniapp.md:89-92templates/miniapp/src/app.css:3-6templates/backend-go/go.sum:1-8
Most Static Findings Are Benign Template or Documentation Patterns
Several flagged patterns are false positives: SQLModel session.exec is not Python exec, Taro path.resolve uses a fixed source path, CSS hexadecimal color values are not cryptographic algorithms, and Go checksum entries are expected dependency metadata.
templates/backend-go/cmd/api/main.go:68-70
Hardcoded Local Development URLs
The Go template logs localhost service and health-check URLs. These are local development endpoints, not evidence of data exfiltration.

風險因素

⚙️ 外部命令 (7)
SKILL.md:59-62 SKILL.md:87-90 SKILL.md:113-118 SKILL.md:148-154 templates/backend-python/local-run.sh:1-7 templates/backend-go/magefile.go:26-29 templates/backend-go/magefile.go:56-62
🌐 網路存取 (3)
templates/backend-go/cmd/api/main.go:68-70 templates/backend-python/app/main.py:60-66 references/taro-miniapp.md:113
📁 檔案系統存取 (5)
SKILL.md:59-60 SKILL.md:87-88 SKILL.md:113-114 SKILL.md:148-149 templates/miniapp/config/index.js:53-56
⚡ 包含腳本 (4)
templates/backend-go/magefile.go:26-29 templates/backend-go/magefile.go:35-50 templates/backend-python/local-run.sh:1-7 templates/miniapp/config/index.js:17-18
🔑 環境變數 (5)
templates/backend-python/app/config.py:34-35 templates/backend-python/local-run.sh:3-7 templates/backend-go/internal/config/config.go:30-34 templates/backend-go/internal/config/config.go:112-118 templates/miniapp/config/index.js:110-115

偵測到的模式

External Command WorkflowEnvironment File Loading

審計版本 6

低風險

Jan 16, 2026, 06:46 PM

Legitimate project scaffolding skill with standard development tools. Shell commands and script execution are directly related to project initialization purpose. No credential theft, network exfiltration, or obfuscation patterns detected. Static findings are false positives from pattern matching limitations on documentation and configuration files.

76
已掃描檔案
7,058
分析行數
4
發現
claude
審計單位
低風險問題 (1)
README.md:29references/backend-go.md:24
Hardcoded URL references in documentation
Hardcoded URL references in documentation

風險因素

⚙️ 外部命令 (4)
SKILL.md:59-63 SKILL.md:87-91 SKILL.md:148-155 README.md:28-30
⚡ 包含腳本 (1)
templates/backend-python/local-run.sh:1-7
🌐 網路存取 (2)
README.md:29 references/backend-go.md:24

審計版本 5

低風險

Jan 16, 2026, 06:46 PM

Legitimate project scaffolding skill with standard development tools. Shell commands and script execution are directly related to project initialization purpose. No credential theft, network exfiltration, or obfuscation patterns detected. Static findings are false positives from pattern matching limitations on documentation and configuration files.

76
已掃描檔案
7,058
分析行數
4
發現
claude
審計單位
低風險問題 (1)
README.md:29references/backend-go.md:24
Hardcoded URL references in documentation
Hardcoded URL references in documentation

風險因素

⚙️ 外部命令 (4)
SKILL.md:59-63 SKILL.md:87-91 SKILL.md:148-155 README.md:28-30
⚡ 包含腳本 (1)
templates/backend-python/local-run.sh:1-7
🌐 網路存取 (2)
README.md:29 references/backend-go.md:24

審計版本 4

低風險

Jan 16, 2026, 06:46 PM

Legitimate project scaffolding skill with standard development tools. Shell commands and script execution are directly related to project initialization purpose. No credential theft, network exfiltration, or obfuscation patterns detected. Static findings are false positives from pattern matching limitations on documentation and configuration files.

76
已掃描檔案
7,058
分析行數
4
發現
claude
審計單位
低風險問題 (1)
undefined:undefinedundefined:undefined
Hardcoded URL references in documentation

風險因素

⚙️ 外部命令 (4)
SKILL.md:59-63 SKILL.md:87-91 SKILL.md:148-155 README.md:28-30
⚡ 包含腳本 (1)
templates/backend-python/local-run.sh:1-7
🌐 網路存取 (2)
README.md:29 references/backend-go.md:24

審計版本 3

低風險

Jan 10, 2026, 11:10 AM

Legitimate project scaffolding skill with standard development tools. Shell scripts and command execution are directly related to project initialization purpose. No credential theft, network exfiltration, or obfuscation patterns detected.

100
已掃描檔案
30,341
分析行數
2
發現
claude
審計單位
未發現安全問題

風險因素

⚡ 包含腳本 (1)
templates/backend-python/local-run.sh:1-7
⚙️ 外部命令 (4)
SKILL.md:59-63 SKILL.md:87-91 SKILL.md:114-119 SKILL.md:148-155

審計版本 2

低風險

Jan 10, 2026, 11:10 AM

Legitimate project scaffolding skill with standard development tools. Shell scripts and command execution are directly related to project initialization purpose. No credential theft, network exfiltration, or obfuscation patterns detected.

100
已掃描檔案
30,341
分析行數
2
發現
claude
審計單位
未發現安全問題

風險因素

⚡ 包含腳本 (1)
templates/backend-python/local-run.sh:1-7
⚙️ 外部命令 (4)
SKILL.md:59-63 SKILL.md:87-91 SKILL.md:114-119 SKILL.md:148-155

審計版本 1

低風險

Jan 10, 2026, 11:10 AM

Legitimate project scaffolding skill with standard development tools. Shell scripts and command execution are directly related to project initialization purpose. No credential theft, network exfiltration, or obfuscation patterns detected.

100
已掃描檔案
30,341
分析行數
2
發現
claude
審計單位
未發現安全問題

風險因素

⚡ 包含腳本 (1)
templates/backend-python/local-run.sh:1-7
⚙️ 外部命令 (4)
SKILL.md:59-63 SKILL.md:87-91 SKILL.md:114-119 SKILL.md:148-155
← 回到技能