Skill "maintenance" audit records

Audit records

maintenance - 6 audits

Audit version 6

Latest: Medium risk

Jun 28, 2026, 08:07 PM

Static analysis reported many command-execution, filesystem, weak-crypto, and entropy findings. Review found no malicious payload, network access, credential handling, or prompt-injection text, but the skill intentionally allows Bash and file editing for project cleanup, so it should publish with a medium-risk warning.

Files scanned: 2
Lines analyzed: 341
Findings: 6
Auditor: codex
Medium-risk issues (2)

Bash-Enabled File Maintenance Workflow
The skill declares Bash as an allowed tool and instructs the agent to read the auto-cleanup guidance before acting. The referenced guidance includes shell commands that inspect project files and create archive directories. This is legitimate for cleanup work, but it can alter local project state if used without review.

Project File Modification and Archiving
The skill is designed to move old tasks, split session logs, create archive directories, and make backups. These actions are expected for maintenance, but accidental data movement or deletion could occur if the agent applies the guidance too broadly.

Low-risk issues (2)

Static Weak-Crypto and Entropy Alerts Are False Positives
The high weak-cryptographic-algorithm and entropy alerts point to front matter and Japanese prose, including references to Markdown files. No evidence was found of cryptographic code, encoded payloads, binary blobs, or malware-like obfuscation.

Device File Access Alert Is Benign stderr Redirection
The filesystem alert on /dev/null appears in a date-parsing fallback that redirects errors. It does not read sensitive device files or persist data.

Detected patterns

External Shell Command Examples
Filesystem Cleanup Instructions

Audit version 5

Low risk

Jan 16, 2026, 07:53 PM

All 60 static findings are FALSE POSITIVES. The flagged code exists in documentation files (auto-cleanup/doc.md), not executable code. Bash command examples use hardcoded strings with no user input. The YAML frontmatter '---' was misidentified as weak cryptography. This is a benign file cleanup utility for managing Plans.md, session-log.md, and CLAUDE.md.

Files scanned: 3
Lines analyzed: 592
Findings: 3
Auditor: claude
No security issues found

Audit version 4

Low risk

Jan 16, 2026, 07:53 PM

All 60 static findings are FALSE POSITIVES. The flagged code exists in documentation files (auto-cleanup/doc.md), not executable code. Bash command examples use hardcoded strings with no user input. The YAML frontmatter '---' was misidentified as weak cryptography. This is a benign file cleanup utility for managing Plans.md, session-log.md, and CLAUDE.md.

Files scanned: 3
Lines analyzed: 592
Findings: 3
Auditor: claude
No security issues found

Audit version 3

Low risk

Jan 10, 2026, 12:14 PM

This is a file cleanup utility skill with minimal risk. It uses bash scripts for standard file operations (read, write, move) on project documentation files. No network access, no credential exposure, and no persistence mechanisms detected. The skill operates within its documented scope of cleaning Plans.md, session-log.md, and CLAUDE.md files.

Files scanned: 2
Lines analyzed: 293
Findings: 3
Auditor: claude
No security issues found

Audit version 2

Low risk

Jan 10, 2026, 12:14 PM

This is a file cleanup utility skill with minimal risk. It uses bash scripts for standard file operations (read, write, move) on project documentation files. No network access, no credential exposure, and no persistence mechanisms detected. The skill operates within its documented scope of cleaning Plans.md, session-log.md, and CLAUDE.md files.

Files scanned: 2
Lines analyzed: 293
Findings: 3
Auditor: claude
No security issues found

Audit version 1

Low risk

Jan 10, 2026, 12:14 PM

This is a file cleanup utility skill with minimal risk. It uses bash scripts for standard file operations (read, write, move) on project documentation files. No network access, no credential exposure, and no persistence mechanisms detected. The skill operates within its documented scope of cleaning Plans.md, session-log.md, and CLAUDE.md files.

Files scanned: 2
Lines analyzed: 293
Findings: 3
Auditor: claude
No security issues found