中文 EN

Scan Report

Scan New Files

Low Risk — Risk Score 5/100
Last scan:18 hr ago Rescan
5 /100
skill-creator
Guide for creating effective skills. This skill should be used when users want to create a new skill (or update an existing skill) that extends Claude's capabilities with specialized knowledge, workflows, or tool integrations.
This is a legitimate skill-creation meta-skill providing guidance and utilities for creating AI skills. The scripts perform standard operations (directory creation, YAML validation, zip packaging) using only Python standard library with no security concerns.
Skill Nameskill-creator
Duration32.7s
Enginepi
Safe to install
Skill is safe to use. Consider adding an `allowed-tools` declaration in SKILL.md frontmatter to document expected filesystem access patterns for the bundled scripts.

Findings 1 items

Severity Finding Location
Low
Missing allowed-tools declaration Doc Mismatch
The SKILL.md frontmatter lacks an allowed-tools field to document the filesystem access required by bundled scripts. While not a security risk, declaring this would improve transparency.
---
→ Add allowed-tools field if specific tool permissions are required
 SKILL.md:1
ResourceDeclaredInferredStatusEvidence
Filesystem NONE WRITE ✓ Aligned scripts/init_skill.py:96 - mkdir(parents=True) and write_text()
Filesystem NONE READ ✓ Aligned scripts/package_skill.py:28 - rglob('*') for zip creation
2 findings
🔗
Medium External URL 外部 URL
http://www.apache.org/licenses/
LICENSE.txt:4
🔗
Medium External URL 外部 URL
http://www.apache.org/licenses/LICENSE-2.0
LICENSE.txt:196

File Tree

8 files · 48.5 KB · 1178 lines
Python 3f · 507L Markdown 3f · 465L Text 1f · 201L JSON 1f · 5L
├─ 📁 references
│ ├─ 📝 output-patterns.md Markdown 82L · 1.8 KB
│ └─ 📝 workflows.md Markdown 27L · 818 B
├─ 📁 scripts
│ ├─ 🐍 init_skill.py Python 303L · 10.6 KB
│ ├─ 🐍 package_skill.py Python 110L · 3.2 KB
│ └─ 🐍 quick_validate.py Python 94L · 3.4 KB
├─ 📋 _meta.json JSON 5L · 132 B
├─ 📄 LICENSE.txt Text 201L · 11.1 KB
└─ 📝 SKILL.md Markdown 356L · 17.4 KB

Security Positives

✓ Uses only Python standard library (no external dependencies)
✓ No credential theft, API key harvesting, or environment variable access
✓ No base64 encoding, obfuscation, or eval() patterns
✓ No network requests or data exfiltration
✓ No shell execution (subprocess/os.system)
✓ No sensitive path access (~/.ssh, ~/.aws, .env)
✓ No remote script execution (curl|bash, wget|sh)
✓ No persistence mechanisms or backdoors
✓ YAML validation uses safe yaml.safe_load()