中文 EN

Scan Report

Scan New Files

Trusted — Risk Score 0/100
Last scan:17 hr ago Rescan
0 /100
workflow-runner
Orchestrate small development workflows: parse requirements, spawn two persistent subagents (coding and testing), loop until tests pass, and produce local git commits.
The skill is a proof-of-concept workflow orchestrator with no malicious behavior. All shell and file operations are declared in SKILL.md, there is no credential theft, data exfiltration, obfuscation, or hidden functionality.
Skill Nameworkflow-runner
Duration35.7s
Enginepi
Safe to install
Skill is safe to use. The execSync usage in orchestrator.js is documented as part of spawning subagents. No action required.
ResourceDeclaredInferredStatusEvidence
Filesystem WRITE WRITE ✓ Aligned SKILL.md declares results/ writes; orchestrator.js creates results/ dir; scripts…
Shell WRITE WRITE ✓ Aligned orchestrator.js:12 uses execSync; scripts/ create and execute local scripts
Network NONE NONE No network calls found in any script
Environment NONE NONE No env iteration for secrets
Skill Invoke READ READ ✓ Aligned session-store.js reads/writes workflow session state
Clipboard NONE NONE Not accessed anywhere
Browser NONE NONE Not accessed anywhere
Database NONE NONE No database access

File Tree

9 files · 7.2 KB · 214 lines
Shell 4f · 75L JavaScript 2f · 68L Markdown 1f · 45L JSON 1f · 20L Text 1f · 6L
├─ 📁 examples
│ └─ 📄 sample_spec.txt Text 6L · 234 B
├─ 📁 scripts
│ ├─ 🔧 coding_worker.sh Shell 24L · 743 B
│ ├─ 📜 orchestrator.js JavaScript 52L · 1.9 KB
│ ├─ 🔧 reporter.sh Shell 8L · 292 B
│ ├─ 📜 session-store.js JavaScript 16L · 566 B
│ ├─ 🔧 spawn_worker.sh Shell 20L · 436 B
│ └─ 🔧 testing_worker.sh Shell 23L · 667 B
├─ 📋 session-store.json JSON 20L · 532 B
└─ 📝 SKILL.md Markdown 45L · 1.9 KB

Security Positives

✓ No credential harvesting — no iteration of os.environ or reading of ~/.ssh, ~/.aws, .env
✓ No network exfiltration — no curl, wget, or outbound POSTs
✓ No obfuscation — no base64, atob, or hidden instructions
✓ Doc-to-code alignment — all capabilities declared in SKILL.md match implementation
✓ No remote script execution — scripts are local file-based operations
✓ No supply-chain risk — no dependencies declared (vanilla Node.js + bash)
✓ Git commits are local-only (no push) as declared
✓ All file writes scoped to results/ and /tmp working directories
✓ Testing worker executes only its own locally-produced artifact, not arbitrary code
✓ Placeholders clearly labeled as proof-of-concept with comments