Suspicious — Risk Score 45/100
Last scan: 17 hr ago
Self-Audit
Audit your own tool usage. Discover which calls are necessary vs reflexive.
Skill declares a 'self-audit' CLI script and 'audit/' directory that do not exist; undeclared sensitive config.json with LLM tool permissions is present but not documented.
Skill Name: Self-Audit
Duration: 35.9s
Engine: pi
Use with caution
Do not use. The skill has no implementation files despite SKILL.md declaring a main CLI script. The undeclared config.json with system prompts and tool permissions should be removed or documented.

Findings 3 items

Severity Finding Location
Medium
Declared entry point does not exist (Doc Mismatch)
SKILL.md lists 'self-audit' as the 'Main CLI script' but no such file exists in the package. This is a significant doc-to-code mismatch.
- `self-audit` — Main CLI script
→ Either implement the declared script or remove the reference from documentation.
SKILL.md:66
Medium
Undeclared sensitive configuration file (Doc Mismatch)
config.json contains LLM system prompts and tool permission mappings but is not mentioned anywhere in SKILL.md. This file includes allowed-tools definitions (Bash, Read, Write, WebFetch) which map to resource permissions.
{"role":"system","content":"You are a helpful coding assistant...","tools":{"Bash":{...},"Read":{...},"Write":{...}}}
→ Document all configuration files in SKILL.md or remove unnecessary sensitive files.
config.json:1
Low
Declared storage directory does not exist (Doc Mismatch)
SKILL.md mentions an 'audit/' directory for audit log storage that does not exist.
- `audit/` — Audit log storage (created on first run)
→ Either implement the directory creation or remove the reference from documentation.
SKILL.md:67
Resource     Declared  Inferred  Status  Evidence
Filesystem   NONE      NONE              No scripts exist to infer capabilities
Network      NONE      NONE              No network code exists
Shell        NONE      NONE              No shell scripts exist
Environment  NONE      NONE              No env access code exists

File Tree

2 files · 2.4 KB · 88 lines
Markdown 1f · 75L JSON 1f · 13L
├─ 🔑 config.json JSON 13L · 387 B
└─ 📝 SKILL.md Markdown 75L · 2.0 KB

Security Positives

✓ No executable malicious code present in the package
✓ No credential harvesting or exfiltration mechanisms
✓ No network communication code detected
✓ No obfuscated or base64-encoded payloads