中文 EN

扫描报告

扫描新文件

可信 — 风险评分 8/100
上次扫描:1 天前 重新扫描
8 /100
skill-factory
Autonomous skill creation agent that analyzes requests and delivers production-ready skills
Skill-factory is a legitimate autonomous skill creation agent that uses documented shell scripts for installing dependencies and creating skills, with no malicious indicators found.
技能名称skill-factory
分析耗时34.1s
引擎pi
可以安装
This skill is safe to use. Standard security hygiene applies: verify external dependencies before installation and review skill outputs before deploying to production.

安全发现 1 项

严重性 安全发现 位置
低危
Unpinned Python dependencies 供应链
The install-skill-seekers.sh script uses 'pip install -r requirements.txt' without version pinning, which could lead to unexpected behavior if dependencies are updated
pip3 install -r requirements.txt
→ Consider pinning dependency versions: pip3 install -r requirements.txt --require-hashes or use pip-tools for reproducible builds
 scripts/install-skill-seekers.sh:50
资源类型声明权限推断权限状态证据
命令执行 WRITE WRITE ✓ 一致 SKILL.md line 196: scripts/install-skill-seekers.sh, SKILL.md line 397: scripts/…
文件系统 WRITE WRITE ✓ 一致 SKILL.md line 147: 'Create skill directory structure', 'Generate .zip for easy u…
网络访问 READ READ ✓ 一致 SKILL.md line 56: 'git clone https://github.com/yusufkaraaslan/Skill_Seekers', l…
8 项发现
🔗
中危 外部 URL 外部 URL
https://www.apache.org/licenses/
LICENSE.txt:3
🔗
中危 外部 URL 外部 URL
https://console.anthropic.com/settings/keys
references/quickstart.md:9
🔗
中危 外部 URL 外部 URL
https://react.dev
references/request-analysis.md:250
🔗
中危 外部 URL 外部 URL
https://vuejs.org
references/skill-seekers-integration.md:193
🔗
中危 外部 URL 外部 URL
https://docs.djangoproject.com
references/skill-seekers-integration.md:194
🔗
中危 外部 URL 外部 URL
https://fastapi.tiangolo.com
references/skill-seekers-integration.md:195
🔗
中危 外部 URL 外部 URL
https://docs.rs/[crate
references/skill-seekers-integration.md:196
🔗
中危 外部 URL 外部 URL
https://docs.rs/
references/skill-seekers-integration.md:257

目录结构

13 文件 · 133.4 KB · 4311 行
Markdown 9f · 3797L Python 1f · 220L Text 1f · 162L Shell 2f · 132L
├─ 📁 references
│ ├─ 📝 anthropic-best-practices.md Markdown 187L · 5.0 KB
│ ├─ 📝 best-practices.md Markdown 1055L · 37.1 KB
│ ├─ 📝 obra-tdd-methodology.md Markdown 278L · 7.4 KB
│ ├─ 📝 overview.md Markdown 269L · 14.0 KB
│ ├─ 📝 quality-loops.md Markdown 379L · 9.9 KB
│ ├─ 📝 quickstart.md Markdown 513L · 13.0 KB
│ ├─ 📝 request-analysis.md Markdown 326L · 8.4 KB
│ └─ 📝 skill-seekers-integration.md Markdown 389L · 8.2 KB
├─ 📁 scripts
│ ├─ 🔧 check-skill-seekers.sh Shell 29L · 781 B
│ ├─ 🔧 install-skill-seekers.sh Shell 103L · 3.0 KB
│ └─ 🐍 quality-check.py Python 220L · 5.8 KB
├─ 📄 LICENSE.txt Text 162L · 8.9 KB
└─ 📝 SKILL.md Markdown 401L · 11.8 KB

依赖分析 2 项

包名版本来源已知漏洞备注
Skill_Seekers latest git clone External repo, verify integrity manually
cli.doc_scraper unpinned requirements.txt Part of Skill_Seekers package

安全亮点

✓ All shell operations are fully documented in SKILL.md Dependencies section
✓ No credential harvesting or environment variable iteration for secrets
✓ No obfuscation techniques (base64, eval) detected
✓ No sensitive file access (no ~/.ssh, ~/.aws, .env access)
✓ No C2 communication or data exfiltration patterns
✓ No persistence mechanisms (no cron, startup hooks, backdoors)
✓ Uses legitimate open-source tools (Skill_Seekers, obra TDD)
✓ Script behavior matches documentation exactly
✓ Quality checker is a pure analysis tool with no side effects