Low Risk — Risk Score 20/100
Last scan: 1 day ago
calibre-catalog-read
Read-only Calibre catalog lookup and one-book analysis workflow over a running Content server
Legitimate Calibre catalog read skill with minor documentation inconsistencies; no malicious behavior detected.
Skill Name: calibre-catalog-read
Duration: 44.4s
Engine: pi
Safe to install
Consider clarifying in SKILL.md that the analysis pipeline writes to Calibre comments. Passing the password on the command line is acceptable given the tooling context.

Findings 2 items

Severity Finding Location
Low
Metadata write not clearly declared as exception to read-only claim Doc Mismatch
SKILL.md repeatedly states 'read-only for catalog lookup + analysis workflow' and 'Never for... metadata edits'. However, run_analysis_pipeline.py (lines 178-191) calls 'calibredb set_metadata' to write the analysis HTML to the Calibre comments field. This is intentional functionality, but it conflicts with the read-only framing.
run(["calibredb", "--with-library", ns.with_library, *auth, "set_metadata", str(ns.book_id), "--field", f"comments:{merged_comments}"])
→ Add explicit note in SKILL.md that the analysis pipeline applies HTML comments to Calibre metadata as part of the workflow.
scripts/run_analysis_pipeline.py:178
Low
Password passed on command line Credential Theft
CALIBRE_PASSWORD is passed as --password argument to calibredb subprocess. This exposes the credential in process listings and shell history.
if (auth.password) cmd.push('--password', auth.password);
→ Acceptable for a CLI tooling context. If stricter security is needed, use environment variable passing or credential prompting.
scripts/calibredb_read.mjs:195
Resource Declared Inferred Status Evidence
Shell WRITE WRITE ✓ Aligned SKILL.md metadata declares bin dependencies; scripts use subprocess for calibred…
Filesystem WRITE WRITE ✓ Aligned SKILL.md declares localWrites to state/*; scripts write runs.json, sqlite DB, an…
Network READ READ ✓ Aligned HTTP requests to Calibre Content Server for catalog operations; no arbitrary net…
Environment READ READ ✓ Aligned Reads CALIBRE_PASSWORD, CALIBRE_USERNAME, CALIBRE_WITH_LIBRARY; no exfiltration …
2 findings
Medium External URL
http://192.168.11.20:8080/#Calibreライブラリ
README.md:52
Medium External URL
https://json-schema.org/draft/2020-12/schema
references/subagent-analysis.schema.json:2

File Tree

11 files · 68.1 KB · 1890 lines
JavaScript 4f · 948L Markdown 3f · 477L Python 2f · 404L JSON 2f · 61L
├─ 📁 references
│ ├─ 📝 subagent-analysis.prompt.md Markdown 63L · 1.9 KB
│ ├─ 📋 subagent-analysis.schema.json JSON 42L · 1.4 KB
│ └─ 📋 subagent-input.schema.json JSON 19L · 575 B
├─ 📁 scripts
│ ├─ 🐍 analysis_db.py Python 97L · 4.1 KB
│ ├─ 📜 calibredb_read.mjs JavaScript 393L · 12.3 KB
│ ├─ 📜 handle_completion.mjs JavaScript 393L · 12.4 KB
│ ├─ 📜 prepare_subagent_input.mjs JavaScript 67L · 2.1 KB
│ ├─ 🐍 run_analysis_pipeline.py Python 307L · 11.8 KB
│ └─ 📜 run_state.mjs JavaScript 95L · 3.0 KB
├─ 📝 README.md Markdown 140L · 5.6 KB
└─ 📝 SKILL.md Markdown 274L · 13.0 KB

Security Positives

✓ Subagent architecture cleanly separates heavy analysis from main agent - reduces risk of prompt injection
✓ State management with runs.json prevents duplicate processing and race conditions
✓ Input validation on book_id and analysis JSON paths before processing
✓ No external network connections except to configured Calibre server
✓ No base64/encoded execution, no reverse shell patterns, no credential exfiltration
✓ Clean separation between read-only catalog operations (calibredb_read.mjs) and analysis workflow (run_analysis_pipeline.py)
✓ Uses hash-based deduplication to avoid re-analysis of unchanged files
✓ Subagent prompt template includes strict read contract preventing unauthorized tool usage