中文 EN

Scan Report

Scan New Files

Low Risk — Risk Score 20/100
Last scan:20 hr ago Rescan
20 /100
conference-schedule-optimizer
Conference schedule optimization tool for scientific/medical conferences
Conference scheduling tool with declared shell permissions not actually used in code - mismatch between docs and implementation but no malicious behavior detected.
Skill Nameconference-schedule-optimizer
Duration37.0s
Enginepi
Safe to install
This skill is safe to use. Consider pinning allowed-tools to only Read and Write since no shell commands are executed in the actual implementation.

Findings 2 items

Severity Finding Location
Low
Shell permission declared but never used Doc Mismatch
SKILL.md declares 'Bash' in allowed-tools implying shell:WRITE capability, but the actual Python implementation in scripts/main.py contains zero subprocess, os.system, or shell execution calls. The code is a pure scheduling algorithm using only stdlib json and argparse.
allowed-tools: "Read Write Bash Edit"
→ Remove 'Bash' from allowed-tools since no shell commands are executed. Use only Read and Write if file output is needed.
 SKILL.md:1
Low
No dependency documentation Supply Chain
The skill relies solely on Python standard library (argparse, json, datetime) but does not document this. While this is a positive security trait (no external dependencies), it should be explicitly noted.
import argparse, import json, from datetime import datetime
→ Document that the skill uses only stdlib, reducing supply chain risk.
 scripts/main.py:1
ResourceDeclaredInferredStatusEvidence
Filesystem READ READ ✓ Aligned scripts/main.py:42 - open(schedule_file)
Filesystem WRITE READ ✓ Aligned SKILL.md declares Write but code only writes to --output path with json.dump
Shell WRITE NONE ✗ Violation SKILL.md declares 'Bash' but scripts/main.py contains no subprocess, os.system, …
Network NONE NONE No network requests in code
Environment NONE NONE No os.environ access
Skill Invoke NONE NONE No skill invocation patterns

File Tree

3 files · 10.5 KB · 364 lines
Markdown 1f · 220L Python 1f · 133L JSON 1f · 11L
├─ 📁 scripts
│ └─ 🐍 main.py Python 133L · 4.1 KB
├─ 📝 SKILL.md Markdown 220L · 6.0 KB
└─ 📋 tile.json JSON 11L · 345 B

Security Positives

✓ No network requests or external communications detected
✓ No credential or sensitive data access patterns
✓ No obfuscation techniques (base64, eval, or dynamic code execution)
✓ No file system abuse beyond reading/writing user-specified schedule files
✓ Uses only Python standard library - no external dependencies means no supply chain risk
✓ Clean, straightforward scheduling algorithm with no suspicious logic
✓ No hidden functionality or shadow operations
✓ MIT license provides transparency
✓ No credential harvesting or environment variable enumeration