Trusted — Risk Score 5/100
Last scan: 2 days ago
csv-documentation-generator
Generate Computerized System Validation (CSV) documentation for pharmaceutical and medical device industries
A legitimate GxP compliance documentation generator with no malicious behavior detected. All subprocess usage is for documented purposes (pip install, git operations) and all capabilities are properly declared in SKILL.md.
Skill Name: csv-documentation-generator
Duration: 57.5s
Engine: pi
Safe to install
This skill is safe to use. The only minor concern is the missing post-commit hook file referenced in install.sh, which should be created to avoid installation failures.

Findings 3 items

Severity Finding Location
Low
Missing post-commit hook file
The install.sh script references scripts/git-hooks/post-commit but this file doesn't exist in the file tree, which will cause installation failures
HOOK_SOURCE="$SCRIPT_DIR/git-hooks/post-commit"
→ Create the post-commit hook file or update install.sh to not require it
scripts/git-hooks/install.sh:11
Info
Unpinned dependency versions
requirements.txt uses >= version constraints instead of exact versions. While not a security risk, this may lead to inconsistent behavior.
python-docx>=1.1.0
→ Consider pinning exact versions for reproducibility
requirements.txt:1
Info
venv auto-creation in skill directory
The skill automatically creates a .venv directory in the skill root on first run to install dependencies
venv.create(skill_root / ".venv", with_pip=True)
→ This is documented in SKILL.md but may be unexpected. Consider using a system-wide installation instead.
scripts/generate.py:58
Resource Declared Inferred Status Evidence
Filesystem WRITE WRITE ✓ Aligned SKILL.md:requiredTools declares 'write'
Shell WRITE WRITE ✓ Aligned SKILL.md:requiredTools declares 'exec'; scripts/generate.py:78 uses subprocess f…
Environment READ READ ✓ Aligned scripts/agent.py:52 reads environment variables for agent detection
Network NONE NONE No network requests found
5 findings
Medium External URL
https://semver.org/
CHANGELOG.md:321
Medium External URL
https://img.shields.io/badge/version-1.6.4-blue.svg
README.md:3
Medium External URL
https://img.shields.io/badge/GAMP-5%20Second%20Edition-green.svg
README.md:4
Medium External URL
https://img.shields.io/badge/21%20CFR%20Part%2011-Compliant-orange.svg
README.md:5
Medium External URL
https://img.shields.io/badge/status-beta-yellow.svg
README.md:6

File Tree

58 files · 486.5 KB · 14584 lines
Python 26f · 7998L Markdown 24f · 5916L JSON 4f · 365L YAML 2f · 216L Shell 1f · 85L Text 1f · 4L
├─ 📁 references
│ ├─ 📝 21cfr-part11.md Markdown 122L · 3.3 KB
│ ├─ 📝 annex-11.md Markdown 87L · 2.0 KB
│ ├─ 📝 data-integrity.md Markdown 169L · 3.9 KB
│ └─ 📝 gamp-5.md Markdown 147L · 4.7 KB
├─ 📁 scripts
│ ├─ 📁 audit
│ │ ├─ 🐍 __init__.py Python 5L · 134 B
│ │ └─ 🐍 log.py Python 240L · 7.7 KB
│ ├─ 📁 fill
│ │ ├─ 🐍 __init__.py Python 5L · 116 B
│ │ └─ 🐍 filler.py Python 235L · 8.9 KB
│ ├─ 📁 git-hooks
│ │ └─ 🔧 install.sh Shell 85L · 2.2 KB
│ ├─ 📁 requirements
│ │ ├─ 🐍 __init__.py Python 5L · 160 B
│ │ ├─ 🐍 linker.py Python 216L · 7.7 KB
│ │ ├─ 🐍 parser.py Python 657L · 20.4 KB
│ │ ├─ 🐍 risk_analyzer.py Python 470L · 15.9 KB
│ │ └─ 🐍 versioning.py Python 223L · 6.5 KB
│ ├─ 📁 tests
│ │ ├─ 🐍 __init__.py Python 5L · 149 B
│ │ ├─ 🐍 parser.py Python 344L · 11.5 KB
│ │ ├─ 🐍 test_bidirectional_sync.py Python 190L · 6.1 KB
│ │ ├─ 🐍 test_compliance_checker.py Python 234L · 7.8 KB
│ │ ├─ 🐍 test_core.py Python 290L · 8.8 KB
│ │ ├─ 🐍 test_git_hooks.py Python 122L · 3.5 KB
│ │ └─ 🐍 test_versioning.py Python 246L · 7.7 KB
│ ├─ 🐍 __init__.py Python 3L · 65 B
│ ├─ 🐍 agent.py Python 137L · 4.0 KB
│ ├─ 🐍 cli.py Python 593L · 19.3 KB
│ ├─ 🐍 compliance_checker.py Python 311L · 9.9 KB
│ ├─ 🐍 config.py Python 164L · 5.6 KB
│ ├─ 🐍 excel_generator.py Python 325L · 11.6 KB
│ ├─ 🐍 generate.py Python 1928L · 61.5 KB
│ ├─ 🐍 standards_reader.py Python 332L · 11.6 KB
│ ├─ 🐍 template_loader.py Python 155L · 5.3 KB
│ └─ 🐍 word_generator.py Python 563L · 20.7 KB
├─ 📁 standards
│ └─ 📋 code-annotations.json JSON 141L · 6.7 KB
├─ 📁 templates
│ ├─ 📁 ci
│ │ ├─ 📋 github-actions.yml YAML 124L · 3.3 KB
│ │ └─ 📋 gitlab-ci.yml YAML 92L · 2.1 KB
│ ├─ 📁 examples
│ │ ├─ 📝 fs-example.md Markdown 138L · 5.5 KB
│ │ ├─ 📝 iq-example.md Markdown 86L · 3.2 KB
│ │ ├─ 📝 ra-example.md Markdown 82L · 3.0 KB
│ │ └─ 📝 urs-example.md Markdown 136L · 8.3 KB
│ ├─ 📝 fs.md Markdown 198L · 5.7 KB
│ ├─ 📝 iq.md Markdown 148L · 4.9 KB
│ ├─ 📝 oq.md Markdown 281L · 16.4 KB
│ ├─ 📝 pq.md Markdown 328L · 11.3 KB
│ ├─ 📝 ra.md Markdown 220L · 7.1 KB
│ ├─ 📝 ts.md Markdown 255L · 7.1 KB
│ ├─ 📝 urs.md Markdown 215L · 7.7 KB
│ ├─ 📝 vp.md Markdown 159L · 5.1 KB
│ └─ 📝 vsr.md Markdown 275L · 8.1 KB
├─ 📋 .csv-docs-config.json JSON 72L · 1.6 KB
├─ 📋 audit-log.json JSON 63L · 1.4 KB
├─ 📝 CHANGELOG_en.md Markdown 308L · 12.1 KB
├─ 📝 CHANGELOG.md Markdown 324L · 11.9 KB
├─ 📝 prompts.md Markdown 381L · 11.7 KB
├─ 📝 README_en.md Markdown 446L · 14.9 KB
├─ 📝 README.md Markdown 393L · 13.2 KB
├─ 📋 requirements.json JSON 89L · 2.4 KB
├─ 📄 requirements.txt Text 4L · 72 B
├─ 📝 SKILL.md Markdown 838L · 27.2 KB
└─ 📝 STANDARDS.md Markdown 180L · 5.8 KB

Dependencies 4 items

Package Version Source Known Vulns Notes
python-docx >=1.1.0 pip No Version not pinned
openpyxl >=3.1.0 pip No Version not pinned
jinja2 >=3.1.0 pip No Version not pinned
python-dateutil >=2.8.0 pip No Version not pinned

Security Positives

✓ All subprocess usage is for legitimate documented purposes (pip install, git operations)
✓ No credential harvesting or environment variable iteration for sensitive keys
✓ No network exfiltration or external IP communication
✓ No base64/encoded commands or eval patterns
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No hidden functionality not declared in documentation
✓ Clean audit logging of all operations
✓ Comprehensive requirements parsing and compliance checking
✓ Agent detection uses only environment variables (CSV_DOCS_MODE) - no process scanning