Security Decision Report

Receipt Logger

SKILL.md declares a 'receipt-logger' CLI tool with HMAC signing and append-only logging, but no implementation script exists in the file tree — only SKILL.md and config.json are present, constituting a severe documentation-to-code mismatch.

Install decision: Priority · Source: manual upload · Scan time: 2026/4/5
Files 2
IOCs 0
Privilege overreach items 0
Findings 2
Most direct threat evidence
High risk · Documentation deception
Implementation script missing — documented functionality absent

SKILL.md declares 'receipt-logger' as the main CLI entry point with full functionality (log, list, verify, export commands with HMAC signing), but the file tree contains only SKILL.md and config.json. No shell script, Python script, or any implementation file exists. This is a severe doc-to-code mismatch where the stated capabilities cannot be executed.

SKILL.md:1

Why this conclusion was reached

1 of 4 dimensions triggered
Pass
Declared vs. actual capabilities

Declared resources are broadly consistent with the inferred capabilities.

Pass
Hidden execution and outbound connections

No obvious high-risk outbound connection or execution signals at present.

Block
Attack chain and high-risk findings

The report contains 0 attack-chain steps and 1 high or critical finding.

Review
Dependency and supply-chain hygiene

No complete dependency information is available; the supply-chain judgment must remain tentative.

How the risk score was raised

Missing implementation (doc-to-code mismatch) +25

SKILL.md declares 'receipt-logger' as the entry point with full CLI functionality, but no such script exists in the file tree — only documentation and config metadata are present

False capability declaration +15

Skill claims 'Zero external dependencies — Pure shell + JSON' with HMAC-based cryptographic signing, but no code exists to verify or execute these claims

Key evidence

High risk · Documentation deception

Implementation script missing — documented functionality absent

SKILL.md declares 'receipt-logger' as the main CLI entry point with full functionality (log, list, verify, export commands with HMAC signing), but the file tree contains only SKILL.md and config.json. No shell script, Python script, or any implementation file exists. This is a severe doc-to-code mismatch where the stated capabilities cannot be executed.

SKILL.md:1
Provide the 'receipt-logger' implementation script or remove the documentation claiming its existence. If this is a template/stub, it should be clearly labeled as non-functional.

Low risk · Documentation deception

Config.json marked as sensitive without justification

Pre-scan metadata flags config.json as 'sensitive', but the file contains only standard skill metadata (name, slug, version, tags, license). No credentials, tokens, or secrets are present. Either the sensitivity flag is incorrect, or there is hidden content not visible in the scan.

config.json:1
Verify config.json contains no hidden or encoded data. If it only holds metadata, the sensitivity flag should be corrected.

Declared capabilities vs. actual capabilities

Filesystem · Pass
  Declared: NONE
  Inferred: NONE
  No implementation code present to analyze filesystem access patterns
Command execution · Pass
  Declared: NONE
  Inferred: NONE
  SKILL.md references 'receipt-logger' as a shell CLI, but no shell script exists in the package
Network access · Pass
  Declared: NONE
  Inferred: NONE
  No implementation code to analyze network behavior

Suspicious artifacts and outbound connections

No obvious IOCs were extracted.

Dependencies and supply chain

No structured dependency alerts.

File composition

2 files · 76 lines
Markdown: 1 file · 63 lines
JSON: 1 file · 13 lines
Files needing attention · 2
config.json  JSON · 13 lines
Config.json marked as sensitive without justification
SKILL.md  Markdown · 63 lines
Implementation script missing — documented functionality absent

Security highlights

No malicious code patterns found (base64, reverse shells, eval calls) — however, there is no code to analyze
No credential harvesting attempts identified
No data exfiltration infrastructure present
No network communication patterns observed
No obfuscation techniques detected
config.json contains no actual secrets despite sensitivity flag