Security Decision Report

Memory Pruner

The skill declares shell runtime and references a memory-pruner script that does not exist, constituting a documentation mismatch with no functional code present.

Install decision first · Source: manual upload · Scan time: 2026/4/5
Files 2
IOC 0
Privilege overreach items 0
Findings 2

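Why this conclusion was reached

0/4 dimensions triggered
Pass
Declared vs. actual capabilities

Declared resources and inferred capabilities are largely consistent.

Pass
Hidden execution and outbound connections

There are currently no obvious high-risk outbound-connection or execution signals.

Pass
Attack chain and high-severity findings

No clear malicious path was formed.

Review
Dependency and supply-chain hygiene

Complete dependency information is not available, so the supply-chain judgment needs to remain flexible.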

How the risk score was raised

Documentation mismatch +25

SKILL.md declares 'memory-pruner' CLI script and 'memory/' directory that do not exist in the file tree

Undeclared runtime requirements +10

config.json declares runtime: 'shell' suggesting shell:WRITE permissions, but no scripts are present to review

Most critical evidence

Medium · Documentation deception

Referenced implementation files are missing

SKILL.md references 'memory-pruner' as the main CLI script and 'memory/' as the working directory, but these files do not exist in the package. The pre-scan confirms hasScripts: false.

SKILL.md:58
Do not trust this skill. Request actual implementation code before any evaluation.
Low · Documentation deception

Entry point declared but not present

config.json specifies 'entry': 'memory-pruner' with runtime: 'shell', indicating a shell script entry point that is absent from the package.

config.json:12
Verify the package contents match the declared structure before use.

Declared vs. actual capabilities

File system · Pass
Declared NONE
Inferred WRITE
config.json declares runtime: shell but no scripts exist to verify
Command execution · Pass
Declared WRITE
Inferred UNKNOWN
config.json declares runtime: shell but memory-pruner script is missing

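Suspicious artifacts and outbound connections

No obvious IOCs were extracted.

Dependencies and supply chain

No structured dependency alerts.

File composition

2 files · 86 lines
Markdown 1 file · 73 lines
JSON 1 file · 13 lines
Files needing attention · 2
config.json JSON · 13 lines
Entry point declared but not present
SKILL.md Markdown · 73 lines
Referenced implementation files are missing

Security highlights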

No malicious code present in the package
No obfuscation, base64-encoded strings, or anti-analysis patterns detected
No credential harvesting or environment variable access attempted
No network requests or external IP communications
No suspicious IOCs (indicators of compromise) in the pre-scan