Skill wsdiscovery audit log

Audit log

wsdiscovery - 6 audits

Audit version 6

Latest: Medium risk

Jun 28, 2026, 05:18 PM

The static external-command findings are partly true because the skill instructs an agent to run the wsdiscovery command against user-provided hosts. The hardcoded IP addresses are documentation examples, and the weak-cryptography alert at SKILL.md line 3 is a false positive with no matching cryptographic code. This is a legitimate but dual-use network discovery skill and should be published with an authorization warning.

Files scanned: 1
Lines analyzed: 78
Findings: 6
Auditor: codex
Medium-risk issues (2)
Agent-Guided External Scanner Execution
The skill tells the AI agent to run wsdiscovery commands with a user-supplied hostname or IP address. This is expected for the tool, but it can initiate network probing if used without authorization.
Dual-Use Network Discovery Capability
The skill is designed to discover and enumerate WS-Discovery, ONVIF, and IoT devices. This can expose IP addresses, device UUIDs, firmware versions, serial numbers, and service endpoints on networks where the user has access.
Low-risk issues (2)
Hardcoded IP Addresses Are Documentation Examples
The detected IP addresses appear only in example commands. No evidence found that the skill silently contacts those addresses or embeds a fixed external endpoint.
Weak Cryptography Alert Has No Supporting Evidence
The static weak-cryptography alert points to the YAML description line. No evidence found of cryptographic algorithms, hashing functions, or encryption routines in that line.

Detected patterns

Network Command Examples With User-Controlled Targets

Audit version 5

Low risk

Jan 16, 2026, 08:18 PM

Pure prompt-based skill that provides instructions for using the external wsdiscovery CLI tool. No executable code, no network calls, no filesystem access. The static analyzer produced false positives by misinterpreting JSON metadata and markdown documentation as code patterns. All reported findings are false positives from documentation, not actual security risks.

Files scanned: 2
Lines analyzed: 256
Findings: 2
Auditor: claude
No security issues found

Audit version 4

Low risk

Jan 16, 2026, 08:18 PM

Pure prompt-based skill that provides instructions for using the external wsdiscovery CLI tool. No executable code, no network calls, no filesystem access. The static analyzer produced false positives by misinterpreting JSON metadata and markdown documentation as code patterns. All reported findings are false positives from documentation, not actual security risks.

Files scanned: 2
Lines analyzed: 256
Findings: 2
Auditor: claude
No security issues found

Audit version 3

Low risk

Jan 10, 2026, 11:44 AM

Pure prompt-based skill with no executable code. This skill only provides instructions for an AI to help users use the external wsdiscovery command-line tool. No network calls, filesystem access, or code execution are performed by the skill itself. The actual scanning capability depends on the external wsdiscovery binary being installed separately.

Files scanned: 1
Lines analyzed: 78
Findings: 0
Auditor: claude
No security issues found

Audit version 2

Low risk

Jan 10, 2026, 11:44 AM

Pure prompt-based skill with no executable code. This skill only provides instructions for an AI to help users use the external wsdiscovery command-line tool. No network calls, filesystem access, or code execution are performed by the skill itself. The actual scanning capability depends on the external wsdiscovery binary being installed separately.

Files scanned: 1
Lines analyzed: 78
Findings: 0
Auditor: claude
No security issues found

Audit version 1

Low risk

Jan 10, 2026, 11:44 AM

Pure prompt-based skill with no executable code. This skill only provides instructions for an AI to help users use the external wsdiscovery command-line tool. No network calls, filesystem access, or code execution are performed by the skill itself. The actual scanning capability depends on the external wsdiscovery binary being installed separately.

Files scanned: 1
Lines analyzed: 78
Findings: 0
Auditor: claude
No security issues found