Scan Report
15 /100
Gerrit Action Skill
Query Gerrit resources and apply actions to matching changes through the Gerrit API
A legitimate Gerrit code review management tool with documented behavior; minor concern around unpinned pip installation but no malicious indicators detected.
Safe to install
Consider pinning gerritaction version in SKILL.md (e.g., pip install gerritaction==1.0.0) to mitigate supply chain risks. Otherwise safe to use.
Security findings: 1
| Severity | Finding | Location |
|---|---|---|
| Low | Unpinned package dependency (supply chain) | SKILL.md:52 |
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | NONE | NONE | — | No file read/write operations detected |
| Network access | READ | READ | ✓ Consistent | Only configured Gerrit API access documented |
| Command execution | WRITE | WRITE | ✓ Consistent | pip install and gerritaction CLI documented in SKILL.md |
| Environment variables | NONE | NONE | — | No environment variable access detected |
| Skill invocation | NONE | NONE | — | Standard worker invocation pattern |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser access |
| Database | NONE | NONE | — | No direct database access |
Findings: 1
| Severity | Category | Finding | Location |
|---|---|---|---|
| Medium | External URL | http://127.0.0.1/ | SKILL.md:28 |
Directory structure
2 files · 4.3 KB · 162 lines (Markdown: 1 file, 152 lines; YAML: 1 file, 10 lines)
├─ config.yml (YAML)
└─ SKILL.md (Markdown)
Dependency analysis: 1 item
| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| gerritaction | * | pip | No | Version not pinned in SKILL.md |
Security highlights
✓ No credential harvesting from environment variables
✓ No filesystem write operations beyond output files
✓ No obfuscation or encoded payloads detected
✓ No hidden functionality beyond documented features
✓ Credentials in config.yml are placeholder/example values only
✓ All shell commands explicitly documented in SKILL.md
✓ No network requests to undeclared external endpoints
✓ No sensitive path access (no ~/.ssh, ~/.aws, .env access)