Trusted — Risk Score 5/100
Last scan: 19 hr ago
skill-creator
Create new skills, modify and improve existing skills, and measure skill performance
The skill-creator is a legitimate meta-skill for creating and improving AI agent skills. All functionality (subprocess usage, file operations, subagent spawning) is properly documented and aligned with the skill's purpose.
Skill Name: skill-creator
Duration: 50.8s
Engine: pi
Safe to install
No action required. This is a safe, well-documented skill for skill development.

Findings 2 items

| Severity | Finding | Location |
|---|---|---|
| Info | Unversioned Python dependencies (Supply Chain). quick_validate.py imports yaml without version constraints. No known vulnerabilities in the functions used. Evidence: `import yaml`. → Optional: pin to specific version if dependencies are added later | scripts/quick_validate.py:3 |
| Info | Broad documentation scope (Doc Mismatch). SKILL.md is extensive (485 lines) covering multiple workflows. All functionality is properly declared. Evidence: SKILL.md covers skill creation, testing, evaluation, improvement, and description optimization. → No action needed - documentation is comprehensive | SKILL.md:1 |

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ | ✓ Aligned | SKILL.md declares file reading; scripts read/write workspace directories |
| Shell | WRITE | WRITE | ✓ Aligned | subprocess used for claude -p CLI invocations, documented as required tool |
| Network | NONE | READ | ✓ Aligned | viewer.html fetches cdn.sheetjs.com for Excel rendering (legitimate library) |
| Skill Invoke | WRITE | WRITE | ✓ Aligned | Spawns subagents for eval runs, documented in SKILL.md |

3 findings
Medium External URL
http://www.apache.org/licenses/
LICENSE.txt:4
Medium External URL
http://www.apache.org/licenses/LICENSE-2.0
LICENSE.txt:196
Medium External URL
https://cdn.sheetjs.com/xlsx-0.20.3/package/dist/xlsx.full.min.js
eval-viewer/viewer.html:10

File Tree

24 files · 263.0 KB · 6954 lines
Python 11f · 2926L Markdown 9f · 2300L HTML 2f · 1471L Text 1f · 201L JSON 1f · 56L
├─ 📁 .codebuddy
│ └─ 📁 memory
│   └─ 📝 2026-03-18.md Markdown 17L · 899 B
├─ 📁 agents
│ ├─ 📝 analyzer.md Markdown 274L · 10.1 KB
│ ├─ 📝 comparator.md Markdown 202L · 7.1 KB
│ └─ 📝 grader.md Markdown 223L · 8.8 KB
├─ 📁 assets
│ └─ 📄 eval_review.html HTML 146L · 6.9 KB
├─ 📁 daily-menu
│ ├─ 📁 evals
│ │ └─ 📋 evals.json JSON 56L · 1.8 KB
│ ├─ 📁 references
│ │ ├─ 📝 ingredients.md Markdown 147L · 8.4 KB
│ │ └─ 📝 recipes.md Markdown 389L · 12.5 KB
│ ├─ 📁 scripts
│ │ └─ 🐍 generate_menu.py Python 558L · 15.8 KB
│ └─ 📝 SKILL.md Markdown 133L · 3.8 KB
├─ 📁 eval-viewer
│ ├─ 🐍 generate_review.py Python 471L · 16.0 KB
│ └─ 📄 viewer.html HTML 1325L · 43.9 KB
├─ 📁 references
│ └─ 📝 schemas.md Markdown 430L · 11.8 KB
├─ 📁 scripts
│ ├─ 🐍 __init__.py Python 0 B
│ ├─ 🐍 aggregate_benchmark.py Python 401L · 14.0 KB
│ ├─ 🐍 generate_report.py Python 326L · 12.5 KB
│ ├─ 🐍 improve_description.py Python 247L · 10.9 KB
│ ├─ 🐍 package_skill.py Python 136L · 4.1 KB
│ ├─ 🐍 quick_validate.py Python 102L · 3.9 KB
│ ├─ 🐍 run_eval.py Python 310L · 11.2 KB
│ ├─ 🐍 run_loop.py Python 328L · 13.3 KB
│ └─ 🐍 utils.py Python 47L · 1.6 KB
├─ 📄 LICENSE.txt Text 201L · 11.1 KB
└─ 📝 SKILL.md Markdown 485L · 32.4 KB

Dependencies 2 items

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| yaml | unspecified | pip | No | Used for YAML frontmatter parsing in quick_validate.py; no vulnerable code paths |
| sheetjs | 0.20.3 | CDN | No | Legitimate Excel/CSV library loaded from cdn.sheetjs.com |

Security Positives

✓ No credential harvesting or sensitive file access (no ~/.ssh, ~/.aws, .env access)
✓ No data exfiltration - all network activity is localhost for web server
✓ No obfuscation - all code is clear and readable Python
✓ No base64-encoded payloads or eval() patterns
✓ No reverse shell or C2 communication patterns
✓ No curl|bash or wget|sh remote script execution
✓ Temporary command files are properly cleaned up after eval runs
✓ Subprocess usage (claude -p) is documented and necessary for skill functionality
✓ Uses standard library concurrent.futures for parallelization (safe)
✓ External URLs are legitimate: SheetJS for Excel rendering, Apache license