📊

審計歷史

libreoffice-impress - 2 審計

審計版本 2

風險因素

⚙️ 外部命令 (2)

scripts/impress/snapshot.py:147 scripts/uno_bridge.py:140

⚡ 包含腳本 (5)

scripts/impress/__init__.py:4-9 scripts/impress/patch.py:10-16 scripts/impress/session.py:13-38 scripts/impress/snapshot.py:9-13 scripts/impress/targets.py:9-18

📁 檔案系統存取 (4)

scripts/impress/snapshot.py:5 scripts/impress/snapshot.py:73 scripts/uno_bridge.py:136 scripts/uno_bridge.py:189

審計版本 1

低風險

Mar 10, 2026, 07:16 AM

Static analysis detected 91 high-severity patterns flagged as 'Weak cryptographic algorithm' MD5 markers and 70 'external_commands' patterns in SKILL.md documentation examples. After evaluation, all findings are false positives: MD5 markers are documentation formatting (SKILL.md:3,17-21,68), not cryptographic operations, and shell backticks are documentation examples showing proper CLI usage. The skill uses legitimate subprocess calls to LibreOffice with hardcoded arguments (scripts/uno_bridge.py:25,100, scripts/impress/snapshot.py:147) for document automation. Dynamic imports are for optional dependencies (content.py:7, core.py:5, slides.py:5, snapshot.py:9). Tempfile usage is properly scoped (snapshot.py:5,73). No evidence of malicious intent or security vulnerabilities.

已掃描檔案

2,434

分析行數

發現項

claude

審計者

高風險問題 (7)

SKILL.md:3 SKILL.md:17-21 SKILL.md:68

Misidentified MD5 Pattern in Documentation

Static scanner flagged MD5 as 'weak cryptographic algorithm' in SKILL.md. Evaluation shows these are NOT cryptographic operations - the 'MD5' strings appear in document filter names (line 14: 'Impress MS PowerPoint 2007 XML') and in example paths/format strings. No actual MD5 hashing is performed.

scripts/impress/charts.py:62-65 scripts/impress/charts.py:144-147 scripts/impress/content.py:36-37 scripts/impress/content.py:64-65 scripts/impress/content.py:122-125 scripts/impress/content.py:186-189 scripts/impress/content.py:256-259 scripts/impress/core.py:27-28 scripts/impress/core.py:37-43 scripts/impress/core.py:52-53 scripts/impress/core.py:67 scripts/impress/core.py:83-84 scripts/impress/find_replace.py:16-42 scripts/impress/formatting.py:49-102 scripts/impress/master.py:23-146 scripts/impress/media.py:115-118 scripts/impress/notes.py:24-74 scripts/impress/slides.py:48-241 scripts/impress/tables.py:42-150 scripts/uno_bridge.py:67-134

Misidentified Weak Crypto in Python Files

Static scanner flagged MD5/CLSID values as 'weak cryptographic algorithms' in Python source files. These are actually LibreOffice chart CLSID identifiers (charts.py:62,65,144,147) and filter constants (content.py:36-37,64-65,122-125,186-189,256-259), not cryptographic operations.

scripts/impress/content.py:7-11 scripts/impress/core.py:5-8 scripts/impress/slides.py:5-9 scripts/impress/snapshot.py:9-13

Dynamic Import Statements

Static scanner flagged dynamic import() as 'script' risk. These are legitimate lazy-loading patterns for optional UNO libraries that may not be installed until LibreOffice runtime is available.

scripts/uno_bridge.py:25 scripts/uno_bridge.py:100 scripts/impress/snapshot.py:147

Subprocess Calls for LibreOffice

Static scanner flagged subprocess calls. These are legitimate invocations of the LibreOffice CLI (soffice) with hardcoded arguments for document automation - no user input injection risk.

SKILL.md:9-62 SKILL.md:100-139

Shell Backtick Examples in Documentation

Static scanner flagged backticks in SKILL.md as 'Ruby/shell backtick execution'. These are documentation examples showing CLI command syntax, not actual code execution in the skill.

scripts/impress/charts.py:55 scripts/impress/content.py:249 scripts/impress/slides.py:41

Sensitive File References

Static scanner flagged certificate/key file references. These are actually file paths to user presentations and media files, not cryptographic keys or certificates.

scripts/impress/snapshot.py:5 scripts/impress/snapshot.py:73 SKILL.md:110

Temp File Operations

Static scanner flagged temp file creation. These are properly scoped temporary directory operations (tempfile.TemporaryDirectory context manager) used for slide snapshot export.

風險因素

⚡ 包含腳本 (4)

scripts/impress/content.py:7-11 scripts/impress/core.py:5-8 scripts/impress/slides.py:5-9 scripts/impress/snapshot.py:9-13

⚙️ 外部命令 (70)

scripts/impress/snapshot.py:147 scripts/uno_bridge.py:25 scripts/uno_bridge.py:100 SKILL.md:9 SKILL.md:14 SKILL.md:15 SKILL.md:16 SKILL.md:17 SKILL.md:18 SKILL.md:19 SKILL.md:20 SKILL.md:21 SKILL.md:22 SKILL.md:23 SKILL.md:24 SKILL.md:25 SKILL.md:26 SKILL.md:27 SKILL.md:28 SKILL.md:29 SKILL.md:30 SKILL.md:31 SKILL.md:32 SKILL.md:33 SKILL.md:34 SKILL.md:35 SKILL.md:36 SKILL.md:37 SKILL.md:38 SKILL.md:39 SKILL.md:40 SKILL.md:41 SKILL.md:42 SKILL.md:43 SKILL.md:47 SKILL.md:48 SKILL.md:49 SKILL.md:49 SKILL.md:54 SKILL.md:54 SKILL.md:54 SKILL.md:54 SKILL.md:55 SKILL.md:55 SKILL.md:56 SKILL.md:56 SKILL.md:56 SKILL.md:56 SKILL.md:56 SKILL.md:57 SKILL.md:57 SKILL.md:57 SKILL.md:57 SKILL.md:58 SKILL.md:59 SKILL.md:62-100 SKILL.md:100-104 SKILL.md:104-107 SKILL.md:107-112 SKILL.md:112-115 SKILL.md:115-116 SKILL.md:116-117 SKILL.md:117-118 SKILL.md:118 SKILL.md:118-128 SKILL.md:128-130 SKILL.md:130-137 SKILL.md:137 SKILL.md:137-139 SKILL.md:139

📁 檔案系統存取 (3)

scripts/impress/snapshot.py:5 scripts/impress/snapshot.py:73 SKILL.md:110

← 返回技能