Scan Report
5/100
environment-doc-author
Verify real local environment facts and create environment baseline JSON/policy documents
This is a legitimate environment detection and documentation skill with no malicious behavior. All functionality is declared, necessary, and properly scoped.
Safe to install
This skill is safe to use. No security concerns identified.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Shell | WRITE | WRITE | ✓ Aligned | spawnSync/subprocess.run used for version probes only |
| Filesystem | READ\|WRITE | READ\|WRITE | ✓ Aligned | Reads baselines, writes JSON/Markdown outputs |
| Environment | READ | READ | ✓ Aligned | Reads dev-tool env vars (JAVA_HOME, PATH) for detection only |
| Network | NONE | READ | ✓ Aligned | Probe-file allows local service checks only |
| Skill Invoke | NONE | NONE | — | No skill chaining observed |
File Tree
7 files · 139.7 KB · 3945 lines
JavaScript 2f · 1832L
Python 2f · 1643L
Markdown 3f · 470L
├─ references
│  ├─ document-contracts.md (Markdown)
│  └─ probe-file.md (Markdown)
├─ scripts
│  ├─ detect_environment.js (JavaScript)
│  ├─ detect_environment.py (Python)
│  ├─ render_environment_docs.js (JavaScript)
│  └─ render_environment_docs.py (Python)
└─ SKILL.md (Markdown)
Security Positives
✓ All shell commands are version probes (git --version, java -version) - no arbitrary execution
✓ Environment variable reading is limited to dev-tool paths (JAVA_HOME, PATH) - no credential harvesting
✓ No sensitive path access (~/.ssh, ~/.aws, .env files) observed
✓ No obfuscation, base64 payloads, or eval() patterns
✓ No external IP connections or C2 communication
✓ Code is clean and well-structured - no hidden functionality
✓ SKILL.md accurately describes all capabilities and behavior
✓ No supply chain risks - only uses standard library (Node.js os/fs/path, Python subprocess)