Low risk: risk score 20/100
Last scan: 20 hours ago
docx-trackchanges-and-comments
Word document (.docx) processing, with support for revision mode (Track Changes) and comment operations
A legitimate Word document processing skill with no malicious behavior; minor issue is an over-broad shell:WRITE declaration in allowed-tools that doesn't match actual usage.
Skill name: docx-trackchanges-and-comments
Analysis time: 31.7s
Engine: pi
Verdict: can be installed
Narrow the allowed-tools declaration: remove shell:WRITE since the Python script uses no subprocess, and pin the python-docx dependency to a specific version for supply-chain safety.

Security findings: 2

Severity: Low
Finding: Shell:WRITE declared but never used (category: documentation deception)
Location: SKILL.md:1
SKILL.md maps Bash → shell:WRITE in its allowed-tools section, but the Python implementation (scripts/track_changes.py) contains no subprocess, os.system, Popen, or any other shell invocation. The bash examples in SKILL.md are purely documentation; no Bash tool is actually called by the skill.
Evidence: allowed-tools mapping: Bash→shell:WRITE
→ Remove shell:WRITE from allowed-tools since the skill only uses python-docx for file I/O. If shell tools are needed for edge cases (e.g., zip/unzip CLI), declare them with a specific scoped use-case in SKILL.md.

Severity: Low
Finding: python-docx dependency not pinned to a version (category: supply chain)
Location: scripts/track_changes.py:9
The script imports 'from docx import Document' and 'from docx.oxml import OxmlElement', but there is no requirements.txt, pyproject.toml, or Pipfile specifying a version. The latest python-docx release includes CVE fixes.
Evidence: from docx import Document
→ Add a requirements.txt pinning python-docx to an exact version (e.g., python-docx==1.1.2) to prevent supply-chain surprises from automatic upgrades.
Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | WRITE | WRITE | ✓ consistent | scripts/track_changes.py:135 — shutil.copy(input_file, output_file); lines 140-1…
Command execution | WRITE | NONE | ✓ consistent | scripts/track_changes.py — no subprocess, no os.system, no Popen anywhere in the…

Directory structure

2 files · 10.1 KB · 396 lines
Python: 1 file · 201 lines; Markdown: 1 file · 195 lines
├─ 📁 scripts
│ └─ 🐍 track_changes.py Python 201L · 5.3 KB
└─ 📝 SKILL.md Markdown 195L · 4.8 KB

Dependency analysis: 1 item

Package | Version | Source | Known vulnerabilities | Notes
python-docx | * | import | (none reported) | No version pinned; no requirements.txt or pyproject.toml found

Security highlights

✓ No network requests (no urllib, requests, httpx, socket calls)
✓ No credential or environment variable access
✓ No base64, eval, or obfuscation
✓ No sensitive file/path access (~/.ssh, ~/.aws, .env)
✓ No data exfiltration or C2 communication
✓ No reverse shell, no subprocess abuse
✓ Clean OOXML manipulation using the python-docx library API
✓ No hidden instructions in comments or documentation