Suspicious — Risk Score 42/100
Last scan: 17 hr ago
complianceradar-ai-monitor
Monitor regulatory changes across SEC, FDA, FINRA, and GDPR with AI impact assessment
Documentation-only skill with no implementation code but exhibits suspicious branding ('empire-skills') and placeholder API keys that could be mistaken for real configuration.
Skill Name: complianceradar-ai-monitor
Duration: 42.5s
Engine: pi
Use with caution
Verify the 'empire-skills' repository is legitimate before use. The SKILL.md describes behavior but contains no executable code - confirm the actual implementation exists in a trusted source before relying on this skill.

Findings 4 items

Severity · Finding · Category

Medium · Suspicious 'empire-skills' branding · Doc Mismatch
The homepage references 'github.com/ncreighton/empire-skills'. The term 'empire' in security contexts often references post-exploitation frameworks. This branding choice is unusual for a compliance monitoring tool and warrants verification.
Evidence: homepage: https://github.com/ncreighton/empire-skills
→ Verify this repository is legitimate. Cross-reference with official sources before trusting this skill.
Location: SKILL.md:4

Medium · Placeholder API keys in example configuration · Doc Mismatch
Lines 116, 119, and 132 contain API key placeholders (e.g., 'your-sec-api-key') in a format that resembles real configuration. While clearly intended as examples, users may copy-paste these as actual credentials.
Evidence: export SEC_API_KEY="your-sec-api-key"
→ Use clearly marked placeholder syntax like '<YOUR_SEC_API_KEY>' or 'INSERT_YOUR_KEY_HERE' to prevent accidental credential misconfiguration.
Location: SKILL.md:116

Medium · Unverifiable security claims · Doc Mismatch
The documentation makes security claims ('API keys never logged or transmitted to third parties') without any implementation code to verify. This is a classic doc-to-code mismatch: the behavior cannot be audited.
Evidence: API keys are stored in environment variables only; never logged or transmitted to third parties
→ Since no code exists, these claims cannot be verified. Request or verify actual implementation code before trusting security guarantees.
Location: SKILL.md:249

Low · No implementation code present · Supply Chain
This SKILL.md describes capabilities but contains zero executable code, scripts, or implementation files. The skill cannot function as documented.
Evidence: Documentation describes monitoring, notifications, and policy generation but no actual code exists
→ Confirm the actual implementation exists in the referenced repository before use. This may be an incomplete or placeholder skill.
Location: SKILL.md:1
Resource | Declared | Inferred | Status | Evidence
Filesystem | NONE | NONE |  | No file operations present - documentation only
Network | READ | NONE | ✓ Aligned | _meta declares curl/jq binaries but no implementation code exists to verify netw…
Shell | NONE | NONE |  | No shell execution code present
Environment | READ | NONE | ✓ Aligned | _meta declares env vars but no code reads them - can't verify actual usage
9 findings (3 High)

🔑 High · API Key · Suspected hard-coded credential
API_KEY="your-sec-api-key"
SKILL.md:116

🔑 High · API Key · Suspected hard-coded credential
API_KEY="your-fda-api-key"
SKILL.md:119

🔑 High · API Key · Suspected hard-coded credential
API_KEY="your-google-api-key"
SKILL.md:132

🔗 Medium · External URL
https://www.sec.gov/cgi-bin/browse-edgar
SKILL.md:115

🔗 Medium · External URL
https://open.fda.gov/
SKILL.md:118

🔗 Medium · External URL
https://hooks.slack.com/services/YOUR/WEBHOOK/URL
SKILL.md:125

🔗 Medium · External URL
https://www.sec.gov/cgi-bin/browse-edgar.
SKILL.md:314

🔗 Medium · External URL
https://api.fda.gov/status.json
SKILL.md:320

📧 Info · Email · Email address
[email protected]
SKILL.md:384

File Tree

1 file · 15.4 KB · 387 lines
Markdown: 1 file · 387 lines
└─ 📝 SKILL.md Markdown 387L · 15.4 KB

Security Positives

✓ No executable code present - cannot perform malicious actions without additional implementation
✓ No base64-encoded payloads or obfuscated commands detected
✓ No credential exfiltration mechanisms present
✓ No network requests to suspicious IPs or domains
✓ No sensitive path access patterns detected