Skill Trust Decision

wip-readme-format

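The README formatting tool has a documentation-behavior mismatch: it declares filesystem permission as NONE but actually performs WRITE operations, and it dynamically imports the child_process module to run git commands that check file status.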

Install decision first Source: ClawHub Scanned: Apr 6, 2026
Files 4
Artifacts 2
Violations 2
Findings 4
Most direct threat evidence

Why this conclusion was reached

1/4 dimensions flagged
Block
Declared vs actual capability

2 undeclared or violating capabilities were inferred.

Review
Hidden execution and egress

2 lower-risk artifacts were extracted and still need context.

Pass
Attack chain and severe findings

There is no explicit malicious chain in the report.

Pass
Dependencies and supply chain hygiene

Dependencies are present but no obvious high-risk issue stands out.

What drove the risk score up

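Undeclared filesystem write +20

SKILL.md declares filesystem:NONE, but the code calls writeFileSync to write README-init-*.md and README.md

Dynamic import of child_process +15

format.mjs:322 uses await import('node:child_process') as a dynamic import; shell execution capability is not declared

git command execution +10

execSync runs git status --porcelain to check file status, which is an implicit shell operation

Supply chain dependency +5

Imports detectInterfaces/detectToolbox from wip-universal-installer/detect.mjs; source not declared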

Most important evidence

Medium Priv Escalation

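Undeclared filesystem write permission

SKILL.md declares filesystem as NONE, but format.mjs calls writeFileSync to write README-init-*.md, README.md and TECHNICAL.md, and also calls mkdirSync to create the ai/_trash directory and unlinkSync to delete temporary files.

format.mjs:310
Declare Write permission in the capabilities or allowed-tools of SKILL.md, and state that the tool generates and modifies README files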
Medium Obfuscation

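Dynamic import of the child_process module

Line 322 of format.mjs uses await import('node:child_process') to import the module dynamically, and in DEPLOY mode runs the git status command to check file status. The dynamic import may be intended to evade static analysis.

format.mjs:322
Use a static import declaration, or reimplement the git check logic with native Node.js APIs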
Low Supply Chain

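Source of external dependency module not declared

format.mjs imports the detectInterfaces and detectToolbox functions from ../wip-universal-installer/detect.mjs. The module's functionality and security are not described in SKILL.md.

format.mjs:27
Declare this dependency in requires.dependencies of SKILL.md, or describe its purpose and the trustworthiness of its source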
Low Doc Mismatch

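shields.io external URL references

The code generates shields.io badge URLs for the README, which contain external links. The pre-scan flagged this as medium risk.

format.mjs:82
Confirm that these URLs are only used to generate static links, not active requests. The current implementation only generates URLs and makes no HTTP requests; the risk is acceptable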

Declared capability vs actual capability

Filesystem Block
Declared NONE
Inferred WRITE
format.mjs:310 writeFileSync writes README-init-*.md, format.mjs:370 writeFileSync writes README.md
Shell Block
Declared NONE
Inferred READ
format.mjs:322 await import('node:child_process'), format.mjs:334 execSync('git status')
Network Pass
Declared NONE
Inferred READ
Only generates shields.io badge URLs; no actual HTTP requests
Skill Invoke Pass
Declared NONE
Inferred NONE
Imports the external module detectInterfaces, but only uses it to detect interface types

Suspicious artifacts and egress

Medium External URL
https://img.shields.io/badge/interface-$

format.mjs:82

Medium External URL
https://img.shields.io/badge/Universal_Interface_Spec-black?style=flat&color=black

format.mjs:506

Dependencies and supply chain

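Package | Version | Source | Known vuln | Notes
wip-universal-installer/detect.mjs | unknown | local sibling module | No | Internal dependency; sourced from the tools directory of the same repository
node:fs | bundled | node built-in | No | Node.js standard library, used for file reading and writing
node:path | bundled | node built-in | No | Node.js standard library, used for path handling
node:child_process | bundled | node built-in | No | Dynamically imported, used to run the git status command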

File composition

4 files · 745 lines
JavaScript 1 file · 597 lines
Markdown 2 files · 133 lines
JSON 1 file · 15 lines
Files of concern · 1
format.mjs JavaScript · 597 lines
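Undeclared filesystem write permission · Dynamic import of the child_process module · Source of external dependency module not declared · shields.io external URL references · https://img.shields.io/badge/interface-$ · https://img.shields.io/badge/Universal_Interface_Spec-black?style=flat&color=black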
Other files · SKILL.md · README.md · package.json

Security positives

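The code structure is clear; the main functionality is pure text processing and file generation
Includes dry-run and --check modes, allowing preview and verification without actually writing
DEPLOY mode has a safety check: it blocks direct deployment of unreviewed init files
Automatically backs up old files to the ai/_trash/ directory to prevent data loss
No credential reading, no data exfiltration, no active network requests
Few dependencies (mainly the Node.js standard library), so the attack surface is small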