Scan Report
5/100
wip-readme-format
Reformat any repo's README to follow the WIP Computer standard. Agent-first, human-readable.
The wip-readme-format skill is a straightforward README reformatting tool with no security issues. All behavior is declared, file operations are limited to the target repo, and there is no network access, credential harvesting, or obfuscation.
Safe to install
This skill is safe to use. No action required.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ+WRITE | READ+WRITE | ✓ Aligned | SKILL.md: reads package.json, SKILL.md, README.md, LICENSE; writes README-init-*… |
| Network | NONE | NONE | — | No network calls in format.mjs |
| Shell | NONE | READ | ✓ Aligned | format.mjs:294 - execSync('git status --porcelain') is not declared in SKILL.md;… |
| Environment | NONE | NONE | — | No environment variable access |
| Skill Invoke | NONE | NONE | — | No skill invocation |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser access |
| Database | NONE | NONE | — | No database access |
2 findings
| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://img.shields.io/badge/interface-$ | format.mjs:82 |
| Medium | External URL | https://img.shields.io/badge/Universal_Interface_Spec-black?style=flat&color=black | format.mjs:506 |
File Tree
4 files · 24.4 KB · 745 lines
JavaScript 1f · 597L
Markdown 2f · 133L
JSON 1f · 15L
├─ format.mjs (JavaScript)
├─ package.json (JSON)
├─ README.md (Markdown)
└─ SKILL.md (Markdown)
Dependencies 1 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| node built-ins only | N/A | node:fs, node:path, node:url, node:child_process | No | No external npm dependencies in package.json; all imports are Node.js built-in modules |
Security Positives
✓ All file operations are scoped to the target repo path provided as an argument
✓ No network requests or external IP communication
✓ No credential, key, or token harvesting of any kind
✓ No obfuscation (base64, eval, atob) or anti-analysis techniques
✓ Backup of original README.md and TECHNICAL.md to ai/_trash/ before overwriting provides a safety net
✓ DEPLOY mode gates on git status check (untracked files must be reviewed before deploy)
✓ All operations are read-focused (parse existing README, extract features, reassemble) — minimal blast radius
✓ Imported dependency detect.mjs is not actually invoked in this file (dynamic import but never awaited/called)
✓ No supply chain risk: only node built-in modules used (fs, path, url, child_process for safety check)