
Audit log

picocom - 6 audits

Audit version 6

Latest, High risk

Jun 28, 2026, 05:10 PM

Static analysis found many command, filesystem, network, and credential-access patterns. Many are expected for an IoT UART testing skill, but the documentation also includes persistence, backdoor user creation, reverse shells, privileged file access, and firmware exfiltration examples. No prompt injection attempt was found, so this is high-risk dual-use content rather than confirmed hidden malware.

Files scanned: 4
Lines analyzed: 2,611
Findings: 12
Audited by: codex

High-risk issues (4)

Offensive Persistence and Backdoor Guidance
The skill instructs users to add SSH keys under root, create UID 0 backdoor accounts, and add startup backdoors. This is dangerous outside a tightly authorized lab or assessment scope.
Credential and Privileged File Access Guidance
The documentation directs users to read password databases, sudoers files, and password-bearing configuration files. This can expose credentials and privilege paths on target devices.
User-Controlled Shell Execution in Helper Script
serial_helper.py accepts a trigger command from the CLI and runs it with shell=True during monitor mode. This enables arbitrary local command execution by the agent or user invoking the helper.
Firmware Extraction and Network Transfer Instructions
The skill shows how to dump raw flash partitions and send the resulting root filesystem over the network. This can expose firmware, secrets, and proprietary code from a device.
Medium-risk issues (2)
Sensitive Session Logging to Temporary Paths
The skill defaults to logging serial commands and responses under /tmp, and the observer guide notes logs may contain passwords, keys, tokens, and device identifiers.
Restricted Shell Escape and Privilege Escalation Examples
The examples include shell escapes through editors, pagers, scripting languages, and SUID binaries. These are dual-use techniques that can bypass intended access controls.
Low-risk issues (2)
Expected Serial Device Access
Many /dev/ttyUSB and /dev/ttyACM alerts are expected because the skill is designed for serial console access. These are not suspicious by themselves.
Weak Cryptography Static Alerts Appear Unconfirmed
The scanner reported weak cryptography keywords, but review found no cryptographic implementation or downgrade logic in the cited high-level description and helper header.

Detected patterns

subprocess.run with shell=True
Backdoor Account Creation
Reverse Shell Persistence
Sensitive File Enumeration

Audit version 5

Medium risk

Jan 16, 2026, 08:12 PM

Legitimate IoT security testing tool. The static analysis flagged 664 patterns but these are FALSE POSITIVES - documentation of standard pentesting commands to run on TARGET DEVICES, not malicious host behavior. The only actual code (serial_helper.py) has one controlled subprocess feature for trigger scripts with 30-second timeout. Authorization requirements are documented. Safe for marketplace.

Files scanned: 5
Lines analyzed: 2,863
Findings: 5
Audited by: claude

Medium-risk issues (1)
Controlled subprocess execution in monitor mode
The serial_helper.py script can execute external trigger scripts via subprocess.run with shell=True (lines 593-618). This is a documented feature for pentesting workflows where users trigger external events while monitoring UART output. The capability is user-controlled via --trigger-script argument, has a 30-second timeout limit, and requires explicit invocation.
Low-risk issues (1)
File operations for logging
The script opens log files for writing session data and reads script files for batch command execution. Standard file operations for a serial communication tool. Log files can contain sensitive session data.

Audit version 4

Medium risk

Jan 16, 2026, 08:12 PM

Legitimate IoT security testing tool. The static analysis flagged 664 patterns but these are FALSE POSITIVES - documentation of standard pentesting commands to run on TARGET DEVICES, not malicious host behavior. The only actual code (serial_helper.py) has one controlled subprocess feature for trigger scripts with 30-second timeout. Authorization requirements are documented. Safe for marketplace.

Files scanned: 5
Lines analyzed: 2,863
Findings: 5
Audited by: claude

Medium-risk issues (1)
Controlled subprocess execution in monitor mode
The serial_helper.py script can execute external trigger scripts via subprocess.run with shell=True (lines 593-618). This is a documented feature for pentesting workflows where users trigger external events while monitoring UART output. The capability is user-controlled via --trigger-script argument, has a 30-second timeout limit, and requires explicit invocation.
Low-risk issues (1)
File operations for logging
The script opens log files for writing session data and reads script files for batch command execution. Standard file operations for a serial communication tool. Log files can contain sensitive session data.

Audit version 3

Medium risk

Jan 10, 2026, 11:40 AM

Legitimate IoT security testing tool with documented external command execution capability for trigger scripts in monitor mode. The subprocess execution is user-controlled, timeout-limited, and intended for legitimate security testing workflows. No network calls or credential theft patterns detected.

Files scanned: 4
Lines analyzed: 2,611
Findings: 4
Audited by: claude

Medium-risk issues (1)
Subprocess execution in monitor mode
The serial_helper.py script can execute external trigger scripts via subprocess.run with shell=True (lines 593-598). This is a documented feature for pentesting workflows where users trigger external events (like API calls) while monitoring UART output. The capability is user-controlled via --trigger-script argument, has a 30-second timeout limit, and requires explicit invocation. While this could theoretically be misused, it is an intentional design for legitimate security testing scenarios.
Low-risk issues (1)
File operations for logging
The script opens log files for writing session data (line 103) and reads script files for batch command execution (lines 819-820). These are standard file operations for a serial communication tool. Log files are created with user-specified paths and can contain sensitive session data including commands and device responses.

Risk factors

Audit version 2

Medium risk

Jan 10, 2026, 11:40 AM

Legitimate IoT security testing tool with documented external command execution capability for trigger scripts in monitor mode. The subprocess execution is user-controlled, timeout-limited, and intended for legitimate security testing workflows. No network calls or credential theft patterns detected.

Files scanned: 4
Lines analyzed: 2,611
Findings: 4
Audited by: claude

Medium-risk issues (1)
Subprocess execution in monitor mode
The serial_helper.py script can execute external trigger scripts via subprocess.run with shell=True (lines 593-598). This is a documented feature for pentesting workflows where users trigger external events (like API calls) while monitoring UART output. The capability is user-controlled via --trigger-script argument, has a 30-second timeout limit, and requires explicit invocation. While this could theoretically be misused, it is an intentional design for legitimate security testing scenarios.
Low-risk issues (1)
File operations for logging
The script opens log files for writing session data (line 103) and reads script files for batch command execution (lines 819-820). These are standard file operations for a serial communication tool. Log files are created with user-specified paths and can contain sensitive session data including commands and device responses.

Risk factors

Audit version 1

Medium risk

Jan 10, 2026, 11:40 AM

Legitimate IoT security testing tool with documented external command execution capability for trigger scripts in monitor mode. The subprocess execution is user-controlled, timeout-limited, and intended for legitimate security testing workflows. No network calls or credential theft patterns detected.

Files scanned: 4
Lines analyzed: 2,611
Findings: 4
Audited by: claude

Medium-risk issues (1)
Subprocess execution in monitor mode
The serial_helper.py script can execute external trigger scripts via subprocess.run with shell=True (lines 593-598). This is a documented feature for pentesting workflows where users trigger external events (like API calls) while monitoring UART output. The capability is user-controlled via --trigger-script argument, has a 30-second timeout limit, and requires explicit invocation. While this could theoretically be misused, it is an intentional design for legitimate security testing scenarios.
Low-risk issues (1)
File operations for logging
The script opens log files for writing session data (line 103) and reads script files for batch command execution (lines 819-820). These are standard file operations for a serial communication tool. Log files are created with user-specified paths and can contain sensitive session data including commands and device responses.

Risk factors