Security Decision Report

lowcode-platform-development

SKILL.md declares executable scripts and shell operations that do not exist in the package - this is a doc-to-code mismatch where documentation describes potentially dangerous capabilities (PowerShell execution, npm/maven builds) without any actual implementation.

Install decision: priority review · Source: manual upload · Scan time: 2026/4/4
Files 5
IOCs 0
Over-privilege items 0
Findings 3

Why this conclusion was reached

0/4 dimensions triggered
Pass
Declared vs. actual capabilities

Declared resources and inferred capabilities are broadly consistent.

Pass
Hidden execution and outbound connections

No obvious high-risk outbound-connection or execution signals at present.

Pass
Attack chain and high-risk findings

No clear malicious path is formed.

Needs review
Dependencies and supply-chain hygiene

No complete dependency information is available; the supply-chain judgment should remain provisional.

How the risk score was raised

Missing implementation files +15

SKILL.md references scripts/generate_project.ps1 but hasScripts: false in pre-scan

Doc-to-code mismatch +15

Describes shell execution (npm install, mvn package) without any executable code present

Placeholder templates only +5

Template directories contain README.md files only, no actual scaffold code

Key evidence

Medium · Documentation deception

Declared PowerShell script missing

SKILL.md references 'scripts/generate_project.ps1' as the execution mechanism but this file does not exist in the package. Pre-scan confirms hasScripts: false.

SKILL.md:26
Remove script reference or provide the actual implementation file
Medium · Documentation deception

Template files are placeholders only

Both template directories (vue-template, spring-boot-template) contain only README.md files stating 'files are omitted for brevity'. No actual scaffold code exists.

assets/vue-template/README.md:1
Provide actual template files or indicate this is a documentation-only skill
Low · Documentation deception

Shell execution described but not implemented

SKILL.md describes running 'npm install' and 'mvn package' commands, implying shell:WRITE capability, but no script exists to perform these operations.

SKILL.md:32
If shell execution is intended, provide the implementation; otherwise update docs

Declared capabilities vs. actual capabilities

File system: Pass
Declared NONE
Inferred NONE
No implementation files exist to verify file operations
Command execution: Pass
Declared NONE
Inferred NONE
SKILL.md:31 mentions scripts/generate_project.ps1 but file does not exist
Network access: Pass
Declared NONE
Inferred NONE
No network access observed

Suspicious artifacts and outbound connections

No obvious IOCs were extracted.

Dependencies and supply chain

No structured dependency alerts.

File composition

5 files · 114 lines
Markdown 4 files · 96 lines
YAML 1 file · 18 lines
Files needing attention · 2
SKILL.md Markdown · 41 lines
Declared PowerShell script missing · Shell execution described but not implemented
assets/vue-template/README.md Markdown · 9 lines
Template files are placeholders only
Other files · architecture.md · README.md · docker-compose.yml

Security highlights

No actual malicious code present in the package
No credential harvesting or exfiltration mechanisms
No obfuscated or base64-encoded payloads
No suspicious network requests or C2 indicators
No sensitive path access observed (no ~/.ssh, ~/.aws, .env access)
No reverse shell or RCE payloads