Trusted — Risk Score 8/100
Last scan: 1 day ago
skill-factory
Autonomous skill creation agent that analyzes requests and delivers production-ready skills
Skill-factory is a legitimate autonomous skill creation agent that uses documented shell scripts for installing dependencies and creating skills, with no malicious indicators found.
Skill Name: skill-factory
Duration: 34.1s
Engine: pi
Safe to install
This skill is safe to use. Standard security hygiene applies: verify external dependencies before installation and review skill outputs before deploying to production.

Findings 1 items

Severity: Low
Finding: Unpinned Python dependencies (Supply Chain)
Location: scripts/install-skill-seekers.sh:50
The install-skill-seekers.sh script uses 'pip install -r requirements.txt' without version pinning, which could lead to unexpected behavior if dependencies are updated.
pip3 install -r requirements.txt
→ Consider pinning dependency versions: pip3 install -r requirements.txt --require-hashes, or use pip-tools for reproducible builds.
Resource | Declared | Inferred | Status | Evidence
Shell | WRITE | WRITE | ✓ Aligned | SKILL.md line 196: scripts/install-skill-seekers.sh, SKILL.md line 397: scripts/…
Filesystem | WRITE | WRITE | ✓ Aligned | SKILL.md line 147: 'Create skill directory structure', 'Generate .zip for easy u…
Network | READ | READ | ✓ Aligned | SKILL.md line 56: 'git clone https://github.com/yusufkaraaslan/Skill_Seekers', l…
8 findings
Severity | Finding | URL | Location
Medium | External URL | https://www.apache.org/licenses/ | LICENSE.txt:3
Medium | External URL | https://console.anthropic.com/settings/keys | references/quickstart.md:9
Medium | External URL | https://react.dev | references/request-analysis.md:250
Medium | External URL | https://vuejs.org | references/skill-seekers-integration.md:193
Medium | External URL | https://docs.djangoproject.com | references/skill-seekers-integration.md:194
Medium | External URL | https://fastapi.tiangolo.com | references/skill-seekers-integration.md:195
Medium | External URL | https://docs.rs/[crate | references/skill-seekers-integration.md:196
Medium | External URL | https://docs.rs/ | references/skill-seekers-integration.md:257

File Tree

13 files · 133.4 KB · 4311 lines
Markdown 9f · 3797L Python 1f · 220L Text 1f · 162L Shell 2f · 132L
├─ 📁 references
│ ├─ 📝 anthropic-best-practices.md Markdown 187L · 5.0 KB
│ ├─ 📝 best-practices.md Markdown 1055L · 37.1 KB
│ ├─ 📝 obra-tdd-methodology.md Markdown 278L · 7.4 KB
│ ├─ 📝 overview.md Markdown 269L · 14.0 KB
│ ├─ 📝 quality-loops.md Markdown 379L · 9.9 KB
│ ├─ 📝 quickstart.md Markdown 513L · 13.0 KB
│ ├─ 📝 request-analysis.md Markdown 326L · 8.4 KB
│ └─ 📝 skill-seekers-integration.md Markdown 389L · 8.2 KB
├─ 📁 scripts
│ ├─ 🔧 check-skill-seekers.sh Shell 29L · 781 B
│ ├─ 🔧 install-skill-seekers.sh Shell 103L · 3.0 KB
│ └─ 🐍 quality-check.py Python 220L · 5.8 KB
├─ 📄 LICENSE.txt Text 162L · 8.9 KB
└─ 📝 SKILL.md Markdown 401L · 11.8 KB

Dependencies 2 items

Package | Version | Source | Known Vulns | Notes
Skill_Seekers | latest | git clone | No | External repo, verify integrity manually
cli.doc_scraper | unpinned | requirements.txt | No | Part of Skill_Seekers package

Security Positives

✓ All shell operations are fully documented in SKILL.md Dependencies section
✓ No credential harvesting or environment variable iteration for secrets
✓ No obfuscation techniques (base64, eval) detected
✓ No sensitive file access (no ~/.ssh, ~/.aws, .env access)
✓ No C2 communication or data exfiltration patterns
✓ No persistence mechanisms (no cron, startup hooks, backdoors)
✓ Uses legitimate open-source tools (Skill_Seekers, obra TDD)
✓ Script behavior matches documentation exactly
✓ Quality checker is a pure analysis tool with no side effects