Suspicious — Risk Score 40/100
Last scan: 18 hr ago
Receipt Logger
Generate signed, append-only audit logs for agent actions. Solve the "trust without vibes" problem.
SKILL.md declares a 'receipt-logger' CLI tool with HMAC signing and append-only logging, but no implementation script exists in the file tree — only SKILL.md and config.json are present, constituting a severe documentation-to-code mismatch.
Skill Name: Receipt Logger
Duration: 37.7s
Engine: pi
Use with caution
Do not use this skill until the 'receipt-logger' implementation script is provided and verified. The documentation describes functional behavior (shell-based CLI with HMAC signing) that is entirely absent from the package.

Findings (2 items)

Severity | Finding | Location

Severity: High
Finding: Implementation script missing — documented functionality absent (Doc Mismatch)
SKILL.md declares 'receipt-logger' as the main CLI entry point with full functionality (log, list, verify, export commands with HMAC signing), but the file tree contains only SKILL.md and config.json. No shell script, Python script, or any implementation file exists. This is a severe doc-to-code mismatch where the stated capabilities cannot be executed.
Evidence:
    # Receipt Logger
    ...
    receipt-logger log --action "query_weather"
→ Provide the 'receipt-logger' implementation script or remove the documentation claiming its existence. If this is a template/stub, it should be clearly labeled as non-functional.
Location: SKILL.md:1

Severity: Low
Finding: config.json marked as sensitive without justification (Doc Mismatch)
Pre-scan metadata flags config.json as 'sensitive', but the file contains only standard skill metadata (name, slug, version, tags, license). No credentials, tokens, or secrets are present. Either the sensitivity flag is incorrect, or there is hidden content not visible in the scan.
Evidence:
    {"name": "Receipt Logger", "slug": "receipt-logger", "version": "1.0.0", ...}
→ Verify config.json contains no hidden or encoded data. If it only holds metadata, the sensitivity flag should be corrected.
Location: config.json:1
Resource | Declared | Inferred | Status | Evidence
Filesystem | NONE | NONE | | No implementation code present to analyze filesystem access patterns
Shell | NONE | NONE | | SKILL.md references 'receipt-logger' as a shell CLI, but no shell script exists …
Network | NONE | NONE | | No implementation code to analyze network behavior

File Tree

2 files · 2.2 KB · 76 lines
Markdown: 1 file · 63 lines; JSON: 1 file · 13 lines
├─ 🔑 config.json JSON 13L · 410 B
└─ 📝 SKILL.md Markdown 63L · 1.8 KB

Security Positives

✓ No malicious code patterns found (base64, reverse shells, eval calls) — however, there is no code to analyze
✓ No credential harvesting attempts identified
✓ No data exfiltration infrastructure present
✓ No network communication patterns observed
✓ No obfuscation techniques detected
✓ config.json contains no actual secrets despite sensitivity flag