Scan Report
15/100
Gerrit Action Skill
Query Gerrit resources and apply actions to matching changes through the Gerrit API
A legitimate Gerrit code review management tool with documented behavior; minor concern around unpinned pip installation but no malicious indicators detected.
Safe to install
Consider pinning gerritaction version in SKILL.md (e.g., pip install gerritaction==1.0.0) to mitigate supply chain risks. Otherwise safe to use.
Findings (1 item)
| Severity | Finding | Location |
|---|---|---|
| Low | Unpinned package dependency Supply Chain | SKILL.md:52 |
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | — | No file read/write operations detected |
| Network | READ | READ | ✓ Aligned | Only configured Gerrit API access documented |
| Shell | WRITE | WRITE | ✓ Aligned | pip install and gerritaction CLI documented in SKILL.md |
| Environment | NONE | NONE | — | No environment variable access detected |
| Skill Invoke | NONE | NONE | — | Standard worker invocation pattern |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser access |
| Database | NONE | NONE | — | No direct database access |
1 finding
| Severity | Finding | Location |
|---|---|---|
| Medium | External URL: http://127.0.0.1/ | SKILL.md:28 |
File Tree
2 files · 4.3 KB · 162 lines (Markdown: 1 file, 152 lines; YAML: 1 file, 10 lines)
├─ config.yml (YAML)
└─ SKILL.md (Markdown)
Dependencies (1 item)
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| gerritaction | * | pip | No | Version not pinned in SKILL.md |
Security Positives
✓ No credential harvesting from environment variables
✓ No filesystem write operations beyond output files
✓ No obfuscation or encoded payloads detected
✓ No hidden functionality beyond documented features
✓ Credentials in config.yml are placeholder/example values only
✓ All shell commands explicitly documented in SKILL.md
✓ No network requests to undeclared external endpoints
✓ No sensitive path access (no ~/.ssh, ~/.aws, .env access)