Trusted: risk score 0/100
Last scanned: 19 hours ago
workflow-runner
Orchestrate small development workflows: parse requirements, spawn two persistent subagents (coding and testing), loop until tests pass, and produce local git commits.
The skill is a proof-of-concept workflow orchestrator with no malicious behavior. All shell and file operations are declared in SKILL.md; there is no credential theft, data exfiltration, obfuscation, or hidden functionality.
Skill name: workflow-runner
Analysis time: 35.7s
Engine: pi
OK to install
Skill is safe to use. The execSync usage in orchestrator.js is documented as part of spawning subagents. No action required.
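| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | WRITE | WRITE | ✓ Consistent | SKILL.md declares results/ writes; orchestrator.js creates results/ dir; scripts… |
| Command execution | WRITE | WRITE | ✓ Consistent | orchestrator.js:12 uses execSync; scripts/ create and execute local scripts |
| Network access | NONE | NONE | | No network calls found in any script |
| Environment variables | NONE | NONE | | No env iteration for secrets |
| Skill invocation | READ | READ | ✓ Consistent | session-store.js reads/writes workflow session state |
| Clipboard | NONE | NONE | | Not accessed anywhere |
| Browser | NONE | NONE | | Not accessed anywhere |
| Database | NONE | NONE | | No database access |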

Directory structure

9 files · 7.2 KB · 214 lines
Shell 4f · 75L JavaScript 2f · 68L Markdown 1f · 45L JSON 1f · 20L Text 1f · 6L
├─ 📁 examples
│ └─ 📄 sample_spec.txt Text 6L · 234 B
├─ 📁 scripts
│ ├─ 🔧 coding_worker.sh Shell 24L · 743 B
│ ├─ 📜 orchestrator.js JavaScript 52L · 1.9 KB
│ ├─ 🔧 reporter.sh Shell 8L · 292 B
│ ├─ 📜 session-store.js JavaScript 16L · 566 B
│ ├─ 🔧 spawn_worker.sh Shell 20L · 436 B
│ └─ 🔧 testing_worker.sh Shell 23L · 667 B
├─ 📋 session-store.json JSON 20L · 532 B
└─ 📝 SKILL.md Markdown 45L · 1.9 KB

Security highlights

✓ No credential harvesting — no iteration of os.environ or reading of ~/.ssh, ~/.aws, .env
✓ No network exfiltration — no curl, wget, or outbound POSTs
✓ No obfuscation — no base64, atob, or hidden instructions
✓ Doc-to-code alignment — all capabilities declared in SKILL.md match implementation
✓ No remote script execution — scripts are local file-based operations
✓ No supply-chain risk — no dependencies declared (vanilla Node.js + bash)
✓ Git commits are local-only (no push) as declared
✓ All file writes scoped to results/ and /tmp working directories
✓ Testing worker executes only its own locally-produced artifact, not arbitrary code
✓ Placeholders clearly labeled as proof-of-concept with comments