Audit history for skill chart-generator

Audit history

chart-generator - 6 audits

Audit version 6

Latest: Low risk

Jun 29, 2026, 03:18 AM

Static analysis reported many high-risk matches, but review found the command execution, weak cryptography, environment access, and reconnaissance matches are false positives from Markdown fences or ordinary chart text. The only confirmed risk is expected filesystem output behavior for generated chart files, so publication is acceptable with normal file path caution.

Files scanned: 1
Lines analyzed: 844
Review items: 5
False positives ignored: 0

Confirmed security concerns (3)

Command Execution Findings Are Markdown Fence False Positives
The reported Ruby backtick execution locations are Markdown code block delimiters or starts and ends of documentation examples. No shell command execution or Ruby source code was found at these locations.
Every cited location is a Markdown fence or adjacent documentation boundary. The surrounding context contains chart examples, not executable shell or Ruby code.
Environment Access Findings Are Dictionary Lookup False Positives
The reported environment-access locations are calls to config.get in chart configuration dictionaries. No process.env, os.environ, dotenv loading, or secret-reading behavior was found.
The code uses a local config dictionary for chart options. Searches found no environment-variable access primitives in the skill file.
Weak Cryptography and Reconnaissance Findings Are Textual False Positives
The reported blocker locations contain chart descriptions, responsive design guidance, best-practice text, or a grid comment. No cryptographic algorithm, hashing operation, host inspection, or system reconnaissance behavior was found.
The cited lines contain ordinary chart documentation. Additional keyword searches found no cryptography or reconnaissance APIs in SKILL.md.
Capability review items (1)

These are real local capabilities that may be expected for this skill, so they require review but are not counted as confirmed malicious behavior.

Caller-Controlled Chart Output Paths
The skill includes examples that write chart files and create output directories from configurable output values. This is expected for a chart generator, but agents should avoid using untrusted absolute paths or parent-directory traversal values.
The file-writing behavior is explicit and semantically relevant to chart export. It appears legitimate, but path values can come from caller-provided chart configuration.

Risk factors

Detected patterns

Caller-Controlled File Output
Auditor: codex

Audit version 5

Safe

Jan 16, 2026, 11:47 PM

This is a documentation-only skill containing example code snippets for chart generation using legitimate data visualization libraries (matplotlib, seaborn, plotly, chartjs). All static findings are false positives: markdown code block markers were misidentified as shell backticks, normal documentation text triggered false cryptographic/reconnaissance patterns, and no actual network calls or credential access exist. The skill provides templates for creating static and interactive charts.

Files scanned: 2
Lines analyzed: 1,021
Review items: 3
False positives ignored: 0
Auditor: claude

Audit version 4

Safe

Jan 16, 2026, 11:47 PM

This is a documentation-only skill containing example code snippets for chart generation using legitimate data visualization libraries (matplotlib, seaborn, plotly, chartjs). All static findings are false positives: markdown code block markers were misidentified as shell backticks, normal documentation text triggered false cryptographic/reconnaissance patterns, and no actual network calls or credential access exist. The skill provides templates for creating static and interactive charts.

Files scanned: 2
Lines analyzed: 1,021
Review items: 3
False positives ignored: 0
Auditor: claude

Audit version 3

Safe

Jan 10, 2026, 01:07 PM

This is a documentation-only skill containing example code snippets for chart generation. No executable code, network calls, or file system operations are present. The skill provides templates and examples for creating visualizations using popular libraries.

Files scanned: 1
Lines analyzed: 844
Review items: 0
False positives ignored: 0
No security issues found
Auditor: claude

Audit version 2

Safe

Jan 10, 2026, 01:07 PM

This is a documentation-only skill containing example code snippets for chart generation. No executable code, network calls, or file system operations are present. The skill provides templates and examples for creating visualizations using popular libraries.

Files scanned: 1
Lines analyzed: 844
Review items: 0
False positives ignored: 0
No security issues found
Auditor: claude

Audit version 1

Safe

Jan 10, 2026, 01:07 PM

This is a documentation-only skill containing example code snippets for chart generation. No executable code, network calls, or file system operations are present. The skill provides templates and examples for creating visualizations using popular libraries.

Files scanned: 1
Lines analyzed: 844
Review items: 0
False positives ignored: 0
No security issues found
Auditor: claude