Trusted (risk score 5/100)
Last scanned: 2 days ago
csv-documentation-generator
Generate Computerized System Validation (CSV) documentation for pharmaceutical and medical device industries
A legitimate GxP compliance documentation generator with no malicious behavior detected. All subprocess usage is for documented purposes (pip install, git operations) and all capabilities are properly declared in SKILL.md.
Skill name: csv-documentation-generator
Analysis time: 57.5s
Engine: pi
Verdict: can be installed
This skill is safe to use. The only minor concern is that install.sh references a post-commit hook file that is not shipped with the skill; create the file (or drop the reference) to avoid installation failures.

Security findings (3)

Low: Missing post-commit hook file
install.sh references scripts/git-hooks/post-commit, but that file does not exist in the file tree, so the hook installation step fails.
Evidence: HOOK_SOURCE="$SCRIPT_DIR/git-hooks/post-commit"
→ Create the post-commit hook file, or change install.sh so it does not require it. Whatever ends up in .git/hooks/post-commit runs on every commit, so review the hook's contents before installing it.
Location: scripts/git-hooks/install.sh:11
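A guarded installer for the hook, as an added example (not code from the csv-documentation-generator project or its install.sh): it validates the hook source at script_dir/git-hooks/post-commit before copying anything, which turns the silent failure from this finding into an explicit error. The path layout follows the finding; the function names, the HookInstallError class, the refusal to follow symlinks and the refuse-to-overwrite rule are this example's own choices.

```python
"""Guarded git-hook install (added example; not the project's install.sh)."""
from __future__ import annotations

import shutil
import stat
import sys
from pathlib import Path


class HookInstallError(RuntimeError):
    """Raised when the hook cannot be installed safely; the caller aborts instead of half-installing."""


def resolve_hook_source(script_dir: Path, hook_name: str = "post-commit") -> Path:
    """Validate <script_dir>/git-hooks/<hook_name> before anything is copied.

    This is the check the finding asks for: an absent source is reported as a
    clear error instead of failing later inside a cp/ln line. A hook runs on
    every commit, so a symlink (which could point anywhere) is refused too.
    """
    source = script_dir / "git-hooks" / hook_name
    if source.is_symlink():
        raise HookInstallError(f"hook source is a symlink, refusing to install it: {source}")
    if not source.exists():
        raise HookInstallError(f"hook source missing: {source}")
    if not source.is_file():
        raise HookInstallError(f"hook source is not a regular file: {source}")
    return source


def install_hook(repo_root: Path, script_dir: Path, hook_name: str = "post-commit",
                 force: bool = False) -> Path:
    """Copy the validated hook into <repo_root>/.git/hooks and mark it executable.

    The hook is copied rather than symlinked so the repository keeps the exact
    reviewed bytes, and an existing hook (possibly another tool's) is only
    replaced when force=True.
    """
    source = resolve_hook_source(script_dir, hook_name)
    hooks_dir = repo_root / ".git" / "hooks"
    if not hooks_dir.is_dir():
        raise HookInstallError(f"{repo_root} is not a git work tree (no {hooks_dir})")
    target = hooks_dir / hook_name
    if target.exists() and not force:
        raise HookInstallError(f"{target} already exists; pass force=True to replace it")
    shutil.copyfile(source, target)
    target.chmod(target.stat().st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    return target


if __name__ == "__main__":
    # Usage mirrors install.sh: run from the repository root, with this file
    # living next to the git-hooks/ directory (assumed layout).
    try:
        installed = install_hook(Path.cwd(), Path(__file__).resolve().parent)
    except HookInstallError as exc:
        sys.exit(f"install aborted: {exc}")
    print(f"installed {installed}")
```

Run from the repository root the script either installs the hook or exits non-zero with the reason, so a missing scripts/git-hooks/post-commit shows up as "hook source missing" rather than as a partially executed installer.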
Info: Unpinned dependency versions
requirements.txt uses >= lower bounds rather than exact versions. This is not a vulnerability in itself, but installs are not reproducible and any newer upstream release is pulled in automatically at install time.
Evidence: python-docx>=1.1.0
→ Pin exact versions (and hashes, where the installer supports them) for reproducibility.
Location: requirements.txt:1
Info: venv auto-creation in the skill directory
On first run the skill creates a .venv directory under the skill root and installs its dependencies into it.
Evidence: venv.create(skill_root / ".venv", with_pip=True)
→ This is documented in SKILL.md, but a first run that writes to the skill directory and invokes pip may be unexpected. Consider a system-wide (or user-managed) installation instead.
Location: scripts/generate.py:58
Resource | Declared | Inferred | Status | Evidence
Filesystem | WRITE | WRITE | ✓ consistent | SKILL.md: requiredTools declares 'write'
Command execution | WRITE | WRITE | ✓ consistent | SKILL.md: requiredTools declares 'exec'; scripts/generate.py:78 uses subprocess f…
Environment variables | READ | READ | ✓ consistent | scripts/agent.py:52 reads environment variables for agent detection
Network access | NONE | NONE | | No network requests found
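How a declared-versus-inferred check like the table above can be derived from the sources, as an added example that is not the scanner's code: it parses Python files with the standard ast module, infers which of four capabilities (write, exec, env, network) each file exercises, and compares that with the set the skill declares. The capability names, the detection heuristics and the sample source (constructed to resemble the report's venv-bootstrap and env-detection findings) are assumptions of this example; the declared set is passed in directly rather than parsed from SKILL.md, whose requiredTools format is not shown on this page.

```python
"""Declared-vs-inferred capability check (added example, not the scanner's code)."""
from __future__ import annotations

import ast
from pathlib import Path
from typing import Dict, Set

CAPABILITIES = ("write", "exec", "env", "network")

# Heuristics (this example's assumptions): importing these modules, or calling
# these functions/methods, implies the named capability.
NETWORK_MODULES = {"socket", "urllib", "http", "requests", "httpx", "ftplib", "smtplib"}
EXEC_MODULES = {"subprocess", "pty"}
EXEC_CALLS = {"os.system", "os.popen", "os.execv", "os.execvp", "os.spawnl"}
ENV_CALLS = {"os.getenv", "os.putenv", "os.environ.get"}
WRITE_CALLS = {"shutil.copyfile", "shutil.copy", "shutil.move", "os.remove", "os.makedirs"}
WRITE_METHODS = {"write_text", "write_bytes", "mkdir", "touch", "unlink", "rename", "rmtree"}


def _dotted(node: ast.AST) -> str:
    """Render a call target such as `os.environ.get` as a dotted string ('' if not a plain name chain)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def _opens_for_writing(call: ast.Call) -> bool:
    """open(path, 'w'/'a'/'x'/'r+', ...) or open(..., mode='wb') counts as a write."""
    mode = None
    if len(call.args) >= 2 and isinstance(call.args[1], ast.Constant):
        mode = call.args[1].value
    for kw in call.keywords:
        if kw.arg == "mode" and isinstance(kw.value, ast.Constant):
            mode = kw.value.value
    return isinstance(mode, str) and any(c in mode for c in "wax+")


def infer_capabilities(source: str) -> Set[str]:
    """Infer the capability set exercised by one Python module."""
    caps: Set[str] = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            if isinstance(node, ast.Import):
                roots = {a.name.split(".")[0] for a in node.names}
                names: Set[str] = set()
            else:
                roots = {(node.module or "").split(".")[0]}
                names = {a.name for a in node.names}
            if roots & NETWORK_MODULES:
                caps.add("network")
            if roots & EXEC_MODULES:
                caps.add("exec")
            if roots == {"os"} and names & {"environ", "getenv", "putenv"}:
                caps.add("env")
            if roots == {"os"} and names & {"system", "popen", "execv", "execvp"}:
                caps.add("exec")
        elif isinstance(node, ast.Call):
            target = _dotted(node.func)
            method = node.func.attr if isinstance(node.func, ast.Attribute) else target
            if target.startswith("subprocess.") or target in EXEC_CALLS:
                caps.add("exec")
            if target in ENV_CALLS:
                caps.add("env")
            if target in WRITE_CALLS or method in WRITE_METHODS:
                caps.add("write")
            if target == "open" and _opens_for_writing(node):
                caps.add("write")
        elif isinstance(node, ast.Attribute) and _dotted(node) == "os.environ":
            caps.add("env")
    return caps


def compare(declared: Set[str], inferred: Set[str]) -> Dict[str, str]:
    """Per capability: 'consistent', 'undeclared' (used, not declared), 'unused' (declared, not used) or 'none'."""
    status = {}
    for cap in CAPABILITIES:
        if cap in inferred and cap in declared:
            status[cap] = "consistent"
        elif cap in inferred:
            status[cap] = "undeclared"       # the case that matters: hidden capability
        elif cap in declared:
            status[cap] = "unused"
        else:
            status[cap] = "none"
    return status


def scan_tree(root: Path) -> Set[str]:
    """Union of inferred capabilities over every .py file under root."""
    caps: Set[str] = set()
    for path in root.rglob("*.py"):
        caps |= infer_capabilities(path.read_text(encoding="utf-8"))
    return caps


# Constructed sample resembling the report's venv bootstrap and agent detection.
SAMPLE_SOURCE = '''
import os
import subprocess
from pathlib import Path

def bootstrap(skill_root: Path) -> str:
    mode = os.environ.get("CSV_DOCS_MODE", "")
    pip = skill_root / ".venv" / "bin" / "pip"
    subprocess.run([str(pip), "install", "-r", "requirements.txt"], check=True)
    with open(skill_root / "audit-log.json", "w") as fh:
        fh.write("[]")
    return mode
'''

# Same module with an undeclared network import spliced in, for the mismatch case.
SAMPLE_WITH_NETWORK = "import requests\n" + SAMPLE_SOURCE

if __name__ == "__main__":
    declared = {"write", "exec", "env"}   # what the report says SKILL.md declares
    for cap, status in compare(declared, infer_capabilities(SAMPLE_SOURCE)).items():
        print(f"{cap:8} {status}")
```

The heuristics are deliberately import- and call-based, so they are cheap and explainable, but they are not a sandbox: dynamic imports, getattr tricks or code built at runtime are exactly what the "no base64/encoded commands or eval patterns" highlight below is checking for separately.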
External URLs (5 findings)

Severity | Type | URL | Location
Medium | External URL | https://semver.org/ | CHANGELOG.md:321
Medium | External URL | https://img.shields.io/badge/version-1.6.4-blue.svg | README.md:3
Medium | External URL | https://img.shields.io/badge/GAMP-5%20Second%20Edition-green.svg | README.md:4
Medium | External URL | https://img.shields.io/badge/21%20CFR%20Part%2011-Compliant-orange.svg | README.md:5
Medium | External URL | https://img.shields.io/badge/status-beta-yellow.svg | README.md:6

All five URLs sit in documentation (README.md badge images and a CHANGELOG.md link to semver.org), not in the scripts, which is consistent with the capability table's finding of no network access by the code.

Directory structure

58 files · 486.5 KB · 14584 lines
Python 26 files · 7998 lines; Markdown 24 files · 5916 lines; JSON 4 files · 365 lines; YAML 2 files · 216 lines; Shell 1 file · 85 lines; Text 1 file · 4 lines
├─ 📁 references
│ ├─ 📝 21cfr-part11.md Markdown 122L · 3.3 KB
│ ├─ 📝 annex-11.md Markdown 87L · 2.0 KB
│ ├─ 📝 data-integrity.md Markdown 169L · 3.9 KB
│ └─ 📝 gamp-5.md Markdown 147L · 4.7 KB
├─ 📁 scripts
│ ├─ 📁 audit
│ │ ├─ 🐍 __init__.py Python 5L · 134 B
│ │ └─ 🐍 log.py Python 240L · 7.7 KB
│ ├─ 📁 fill
│ │ ├─ 🐍 __init__.py Python 5L · 116 B
│ │ └─ 🐍 filler.py Python 235L · 8.9 KB
│ ├─ 📁 git-hooks
│ │ └─ 🔧 install.sh Shell 85L · 2.2 KB
│ ├─ 📁 requirements
│ │ ├─ 🐍 __init__.py Python 5L · 160 B
│ │ ├─ 🐍 linker.py Python 216L · 7.7 KB
│ │ ├─ 🐍 parser.py Python 657L · 20.4 KB
│ │ ├─ 🐍 risk_analyzer.py Python 470L · 15.9 KB
│ │ └─ 🐍 versioning.py Python 223L · 6.5 KB
│ ├─ 📁 tests
│ │ ├─ 🐍 __init__.py Python 5L · 149 B
│ │ ├─ 🐍 parser.py Python 344L · 11.5 KB
│ │ ├─ 🐍 test_bidirectional_sync.py Python 190L · 6.1 KB
│ │ ├─ 🐍 test_compliance_checker.py Python 234L · 7.8 KB
│ │ ├─ 🐍 test_core.py Python 290L · 8.8 KB
│ │ ├─ 🐍 test_git_hooks.py Python 122L · 3.5 KB
│ │ └─ 🐍 test_versioning.py Python 246L · 7.7 KB
│ ├─ 🐍 __init__.py Python 3L · 65 B
│ ├─ 🐍 agent.py Python 137L · 4.0 KB
│ ├─ 🐍 cli.py Python 593L · 19.3 KB
│ ├─ 🐍 compliance_checker.py Python 311L · 9.9 KB
│ ├─ 🐍 config.py Python 164L · 5.6 KB
│ ├─ 🐍 excel_generator.py Python 325L · 11.6 KB
│ ├─ 🐍 generate.py Python 1928L · 61.5 KB
│ ├─ 🐍 standards_reader.py Python 332L · 11.6 KB
│ ├─ 🐍 template_loader.py Python 155L · 5.3 KB
│ └─ 🐍 word_generator.py Python 563L · 20.7 KB
├─ 📁 standards
│ └─ 📋 code-annotations.json JSON 141L · 6.7 KB
├─ 📁 templates
│ ├─ 📁 ci
│ │ ├─ 📋 github-actions.yml YAML 124L · 3.3 KB
│ │ └─ 📋 gitlab-ci.yml YAML 92L · 2.1 KB
│ ├─ 📁 examples
│ │ ├─ 📝 fs-example.md Markdown 138L · 5.5 KB
│ │ ├─ 📝 iq-example.md Markdown 86L · 3.2 KB
│ │ ├─ 📝 ra-example.md Markdown 82L · 3.0 KB
│ │ └─ 📝 urs-example.md Markdown 136L · 8.3 KB
│ ├─ 📝 fs.md Markdown 198L · 5.7 KB
│ ├─ 📝 iq.md Markdown 148L · 4.9 KB
│ ├─ 📝 oq.md Markdown 281L · 16.4 KB
│ ├─ 📝 pq.md Markdown 328L · 11.3 KB
│ ├─ 📝 ra.md Markdown 220L · 7.1 KB
│ ├─ 📝 ts.md Markdown 255L · 7.1 KB
│ ├─ 📝 urs.md Markdown 215L · 7.7 KB
│ ├─ 📝 vp.md Markdown 159L · 5.1 KB
│ └─ 📝 vsr.md Markdown 275L · 8.1 KB
├─ 📋 .csv-docs-config.json JSON 72L · 1.6 KB
├─ 📋 audit-log.json JSON 63L · 1.4 KB
├─ 📝 CHANGELOG_en.md Markdown 308L · 12.1 KB
├─ 📝 CHANGELOG.md Markdown 324L · 11.9 KB
├─ 📝 prompts.md Markdown 381L · 11.7 KB
├─ 📝 README_en.md Markdown 446L · 14.9 KB
├─ 📝 README.md Markdown 393L · 13.2 KB
├─ 📋 requirements.json JSON 89L · 2.4 KB
├─ 📄 requirements.txt Text 4L · 72 B
├─ 📝 SKILL.md Markdown 838L · 27.2 KB
└─ 📝 STANDARDS.md Markdown 180L · 5.8 KB

Dependency analysis (4)

Package | Version | Source | Known vulnerabilities | Notes
python-docx | >=1.1.0 | pip | none reported | Version not pinned
openpyxl | >=3.1.0 | pip | none reported | Version not pinned
jinja2 | >=3.1.0 | pip | none reported | Version not pinned
python-dateutil | >=2.8.0 | pip | none reported | Version not pinned
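A pin audit for requirements.txt that serves both this dependency table and the "Unpinned dependency versions" finding above, as an added example that is not part of the project or the scanner: it classifies each requirement line by how tightly it is pinned (exact pin with hash, exact pin, version range, direct URL, unconstrained) and lists the ones below a chosen bar, so a CI job can fail on them. The sample input is the four lines from the table; the hash-pinned line is a constructed illustration with a placeholder digest, not jinja2's real hash. The parser covers plain requirement lines with backslash continuations, comments, environment markers and --hash options, not the full PEP 508 grammar.

```python
"""Pin audit for requirements.txt (added example; not the scanner's code)."""
from __future__ import annotations

import re
from typing import List, NamedTuple

# Constructed sample: the four lines from the report's dependency table.
SAMPLE_REQUIREMENTS = """\
python-docx>=1.1.0
openpyxl>=3.1.0
jinja2>=3.1.0
python-dateutil>=2.8.0
"""

# What a hash-pinned line looks like. The digest is a placeholder, not jinja2's real hash.
HARDENED_EXAMPLE = """\
jinja2==3.1.4 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

# Higher is tighter; 'url' and 'range' both leave the installed bytes to the resolver.
LEVELS = {"exact+hash": 2, "exact": 1, "range": 0, "url": 0, "unconstrained": 0}


class Requirement(NamedTuple):
    name: str
    specifier: str
    level: str      # one of LEVELS
    line: str


_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*)$")
_EXACT_RE = re.compile(r"^==\s*[A-Za-z0-9.+!]+$")   # ==1.2.3; excludes ==1.2.* and ==1,<2


def logical_lines(text: str) -> List[str]:
    """Join backslash continuations; drop comments, blanks and option lines (-r, --index-url ...)."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()
        if line.lstrip().startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip() and not buf.lstrip().startswith("-"):
            out.append(buf.strip())
        buf = ""
    if buf.strip() and not buf.lstrip().startswith("-"):
        out.append(buf.strip())
    return out


def classify(line: str) -> Requirement:
    """Decide how tightly one logical requirement line pins its package."""
    m = _NAME_RE.match(line)
    if not m:
        raise ValueError(f"unparseable requirement: {line!r}")
    name, _extras, rest = m.groups()
    has_hash = "--hash=" in rest
    spec = rest.split("--hash=", 1)[0]       # per-requirement options trail the specifier
    spec = spec.split(";", 1)[0].strip()      # drop environment markers
    if not spec:
        level = "unconstrained"
    elif spec.startswith("@"):
        level = "url"                         # direct reference; pin via the URL's own commit/hash
    elif _EXACT_RE.match(spec):
        level = "exact+hash" if has_hash else "exact"
    else:
        level = "range"
    return Requirement(name.lower(), spec, level, line)


def audit(text: str, minimum: str = "exact") -> List[Requirement]:
    """Return the requirements pinned less tightly than `minimum` ('exact' or 'exact+hash')."""
    need = LEVELS[minimum]
    return [r for r in map(classify, logical_lines(text)) if LEVELS[r.level] < need]


if __name__ == "__main__":
    for req in audit(SAMPLE_REQUIREMENTS, minimum="exact+hash"):
        print(f"{req.name:18} {req.level:13} {req.line}")
```

Run against the table's four lines every entry is reported as "range"; the hash-pinned form passes even the strictest bar, and a bare `jinja2==3.1.4` passes "exact" but is still flagged when the bar is "exact+hash".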

Security highlights

✓ All subprocess usage is for legitimate documented purposes (pip install, git operations)
✓ No credential harvesting or environment variable iteration for sensitive keys
✓ No network exfiltration or external IP communication
✓ No base64/encoded commands or eval patterns
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No hidden functionality not declared in documentation
✓ Clean audit logging of all operations
✓ Comprehensive requirements parsing and compliance checking
✓ Agent detection uses only environment variables (CSV_DOCS_MODE) - no process scanning