Low Risk — Risk Score 12/100
Last scan: 1 day ago
skill-safety-auditor
Perform comprehensive security audits on skills to identify vulnerabilities, unsafe patterns, and compliance issues
This is a legitimate security audit tool that performs static analysis via grep-based pattern matching; no malicious functionality was found. The two 'critical' findings in the included audit report are false positives: the tool detects its own defensive regex patterns as hardcoded secrets.
Skill Name: skill-safety-auditor
Duration: 47.6s
Engine: pi
Safe to install
No action needed. The skill performs documented static security analysis on target skills using pattern matching. The flagged 'secrets' are the tool's own detection patterns (e.g., "password.*=.*'"), which are false positives, a known limitation of signature-based scanners. Consider improving the self-skip logic to prevent false positives when auditing the tool itself.

Findings 2 items

Severity: Info
Finding: False positive secrets detection (Doc Mismatch)
Location: scripts/audit-skill.sh:137
The included audit report (data/AUDIT-20260313-001.json) flags 2 'critical' findings, but these are false positives. The tool's defensive regex patterns (e.g., 'password.*=.*['"]') in the PATTERNS array match the scanner's own detection signatures.
Evidence: password.*=.*['\"][^'\"]+['\"]
→ This is a known limitation of signature-based scanners. The self-skip check on line 145 partially addresses this but misses cases where the patterns sit on different lines from the skip logic.

Severity: Info
Finding: quick-scan.sh lacks self-skip check (Doc Mismatch)
Location: scripts/quick-scan.sh:36
The quick-scan.sh script does not have a self-skip check like audit-skill.sh, causing it to report its own detection patterns as secrets when scanning itself.
Evidence: grep -rn -E "api[_-]?key.*=.*['\"]|password.*=.*['\"]...
→ Add exclusion logic similar to audit-skill.sh to skip the scanner's own files.
Resource | Declared | Inferred | Status | Evidence
Filesystem | READ | READ | ✓ Aligned | Reads target skill files for scanning (grep -rn)

File Tree

7 files · 21.2 KB · 775 lines
Shell: 4 files · 476 lines · Markdown: 2 files · 280 lines · JSON: 1 file · 19 lines
├─ 📁 data
│ └─ 📋 AUDIT-20260313-001.json JSON 19L · 1016 B
├─ 📁 scripts
│ ├─ 🔧 audit-skill.sh Shell 281L · 8.7 KB
│ ├─ 🔧 list-audits.sh Shell 79L · 2.0 KB
│ ├─ 🔧 quick-scan.sh Shell 66L · 1.7 KB
│ └─ 🔧 test.sh Shell 50L · 1.2 KB
├─ 📝 README.md Markdown 46L · 1.2 KB
└─ 📝 SKILL.md Markdown 234L · 5.4 KB

Security Positives

✓ No credential harvesting or exfiltration detected
✓ No reverse shells, C2, or data theft mechanisms
✓ No base64-encoded payloads or obfuscation
✓ No malicious network connections
✓ No supply chain attacks or unpinned dependencies
✓ Documentation accurately describes tool capabilities
✓ Capability declarations match actual behavior
✓ Appropriate use of shell:WRITE for security scanning (documented and necessary)