技能 security-guardian 審計紀錄
📦

審計紀錄

security-guardian - 6 審計

審計版本 6

最新 中風險

Jun 28, 2026, 03:16 PM

Static analysis detected many dangerous command, network, filesystem, script, and secret patterns. Manual review found these are primarily security-training examples and audit checklists, not executable code or hidden exfiltration. The skill is publishable with a medium dual-use warning because it documents exploit payloads and sensitive target examples.

26
已掃描檔案
7,813
分析行數
10
發現
codex
審計單位
中風險問題 (2)
vulnerabilities/command-injection.md:28-33vulnerabilities/path-traversal.md:14-16vulnerabilities/ssrf.md:46-54vulnerabilities/xxe.md:16vulnerabilities/xss.md:52-56
Dual-use exploit reference content
The skill includes concrete examples of command injection, path traversal, SSRF metadata access, XXE file disclosure, and XSS sink patterns. These are presented as vulnerability examples and audit targets, but they can also help users construct tests or payloads.
SKILL.md:4SKILL.md:186-189
Bash tool permission in a security audit skill
The skill declares Bash as an allowed tool while also instructing users to search vulnerability patterns. This is expected for code auditing, but command execution should remain limited to local inspection commands and user-approved project analysis.
低風險問題 (3)
vulnerabilities/command-injection.md:26-34api-security/rate-limiting.md:22-26authentication/jwt-security.md:13-19
Static command execution findings are documentation examples
Most external command findings are code snippets or pattern lists used to teach auditors what vulnerable code looks like. I did not find evidence that the skill itself executes these snippets.
vulnerabilities/path-traversal.md:266-286secrets-management/secrets-detection.md:230-237secrets-management/secrets-detection.md:296-300
Sensitive file and credential strings are audit targets
Sensitive paths, credential filenames, and placeholder API key strings appear in checklists and training examples. They describe what to detect or exclude, not files being read by the skill.
vulnerabilities/path-traversal.md:278vulnerabilities/xxe.md:294
No prompt injection attempt found
Targeted review found no instructions claiming special authority, telling the evaluator to ignore prior instructions, or asking to skip security analysis. Administrator appears only inside a Windows path example.

風險因素

⚙️ 外部命令 (3)
vulnerabilities/command-injection.md:28-33 vulnerabilities/command-injection.md:63-64 SKILL.md:188-189
🌐 網路存取 (3)
vulnerabilities/ssrf.md:46-54 vulnerabilities/ssrf.md:295-297 vulnerabilities/xxe.md:299-300
⚡ 包含腳本 (3)
vulnerabilities/command-injection.md:39-43 vulnerabilities/xss.md:52-56 checklists/owasp-top-10.md:29
📁 檔案系統存取 (3)
vulnerabilities/path-traversal.md:14-16 vulnerabilities/path-traversal.md:266-286 input-validation/file-upload-security.md:32
🔑 環境變數 (1)
secrets-management/secrets-detection.md:300

偵測到的模式

Dynamic code execution patternsCommand injection payload examplesSensitive path traversal targetsCloud metadata endpoint examples

審計版本 5

安全

Jan 16, 2026, 07:37 PM

This skill is purely security documentation and guidance. All 1546 static findings are FALSE POSITIVES because they come from markdown documentation files containing examples of vulnerable code patterns for educational purposes. The skill provides read-only analysis tools (Read, Grep, Glob, Bash) to help developers identify and fix security issues.

27
已掃描檔案
8,194
分析行數
4
發現
claude
審計單位
未發現安全問題

風險因素

⚙️ 外部命令 (2)
vulnerabilities/command-injection.md:26-34 api-security/cors-configuration.md:13-25
🌐 網路存取 (2)
vulnerabilities/ssrf.md:43-55 checklists/owasp-top-10.md:101-117
⚡ 包含腳本 (2)
vulnerabilities/command-injection.md:17-43 vulnerabilities/xss.md:52-56
📁 檔案系統存取 (2)
vulnerabilities/path-traversal.md:14-25 vulnerabilities/xxe.md:16-42

審計版本 4

安全

Jan 16, 2026, 07:37 PM

This skill is purely security documentation and guidance. All 1546 static findings are FALSE POSITIVES because they come from markdown documentation files containing examples of vulnerable code patterns for educational purposes. The skill provides read-only analysis tools (Read, Grep, Glob, Bash) to help developers identify and fix security issues.

27
已掃描檔案
8,194
分析行數
4
發現
claude
審計單位
未發現安全問題

風險因素

⚙️ 外部命令 (2)
vulnerabilities/command-injection.md:26-34 api-security/cors-configuration.md:13-25
🌐 網路存取 (2)
vulnerabilities/ssrf.md:43-55 checklists/owasp-top-10.md:101-117
⚡ 包含腳本 (2)
vulnerabilities/command-injection.md:17-43 vulnerabilities/xss.md:52-56
📁 檔案系統存取 (2)
vulnerabilities/path-traversal.md:14-25 vulnerabilities/xxe.md:16-42

審計版本 3

安全

Jan 10, 2026, 11:28 AM

Pure prompt-based skill containing only markdown documentation about security best practices. No executable code, no scripts, no network operations, no data collection. Provides educational guidance on OWASP Top 10, authentication, authorization, cryptography, and vulnerability detection.

28
已掃描檔案
8,500
分析行數
0
發現
claude
審計單位
未發現安全問題

審計版本 2

安全

Jan 10, 2026, 11:28 AM

Pure prompt-based skill containing only markdown documentation about security best practices. No executable code, no scripts, no network operations, no data collection. Provides educational guidance on OWASP Top 10, authentication, authorization, cryptography, and vulnerability detection.

28
已掃描檔案
8,500
分析行數
0
發現
claude
審計單位
未發現安全問題

審計版本 1

安全

Jan 10, 2026, 11:28 AM

Pure prompt-based skill containing only markdown documentation about security best practices. No executable code, no scripts, no network operations, no data collection. Provides educational guidance on OWASP Top 10, authentication, authorization, cryptography, and vulnerability detection.

28
已掃描檔案
8,500
分析行數
0
發現
claude
審計單位
未發現安全問題
← 回到技能