Trusted: risk score 5/100
Last scan: 21 hours ago
skill-creator
Create new skills, modify and improve existing skills, and measure skill performance
The skill-creator is a legitimate meta-skill for creating and improving AI agent skills. All functionality (subprocess usage, file operations, subagent spawning) is properly documented and aligned with the skill's purpose.
Skill name: skill-creator
Analysis time: 50.8s
Engine: pi
Verdict: can be installed
No action required. This is a safe, well-documented skill for skill development.

Security findings (2)

Severity | Finding | Location

Info
Unversioned Python dependencies (category: Supply chain)
quick_validate.py imports yaml without version constraints. No known vulnerabilities in the functions used.
Evidence: import yaml
→ Optional: pin to a specific version if dependencies are added later
Location: scripts/quick_validate.py:3

Info
Broad documentation scope (category: Documentation deception)
SKILL.md is extensive (485 lines) covering multiple workflows. All functionality is properly declared.
Evidence: SKILL.md covers skill creation, testing, evaluation, improvement, and description optimization
→ No action needed; documentation is comprehensive
Location: SKILL.md:1
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | READ | READ | ✓ Consistent | SKILL.md declares file reading; scripts read/write workspace directories
Command execution | WRITE | WRITE | ✓ Consistent | subprocess used for claude -p CLI invocations, documented as required tool
Network access | NONE | READ | ✓ Consistent | viewer.html fetches cdn.sheetjs.com for Excel rendering (legitimate library)
Skill invocation | WRITE | WRITE | ✓ Consistent | Spawns subagents for eval runs, documented in SKILL.md
External URLs (3 findings)

Severity | Type | URL | Location
Medium | External URL | http://www.apache.org/licenses/ | LICENSE.txt:4
Medium | External URL | http://www.apache.org/licenses/LICENSE-2.0 | LICENSE.txt:196
Medium | External URL | https://cdn.sheetjs.com/xlsx-0.20.3/package/dist/xlsx.full.min.js | eval-viewer/viewer.html:10

Directory structure

24 files · 263.0 KB · 6954 lines
Python 11 files · 2926 lines | Markdown 9 files · 2300 lines | HTML 2 files · 1471 lines | Text 1 file · 201 lines | JSON 1 file · 56 lines
├─ 📁 .codebuddy
│ └─ 📁 memory
│ └─ 📝 2026-03-18.md Markdown 17L · 899 B
├─ 📁 agents
│ ├─ 📝 analyzer.md Markdown 274L · 10.1 KB
│ ├─ 📝 comparator.md Markdown 202L · 7.1 KB
│ └─ 📝 grader.md Markdown 223L · 8.8 KB
├─ 📁 assets
│ └─ 📄 eval_review.html HTML 146L · 6.9 KB
├─ 📁 daily-menu
│ ├─ 📁 evals
│ │ └─ 📋 evals.json JSON 56L · 1.8 KB
│ ├─ 📁 references
│ │ ├─ 📝 ingredients.md Markdown 147L · 8.4 KB
│ │ └─ 📝 recipes.md Markdown 389L · 12.5 KB
│ ├─ 📁 scripts
│ │ └─ 🐍 generate_menu.py Python 558L · 15.8 KB
│ └─ 📝 SKILL.md Markdown 133L · 3.8 KB
├─ 📁 eval-viewer
│ ├─ 🐍 generate_review.py Python 471L · 16.0 KB
│ └─ 📄 viewer.html HTML 1325L · 43.9 KB
├─ 📁 references
│ └─ 📝 schemas.md Markdown 430L · 11.8 KB
├─ 📁 scripts
│ ├─ 🐍 __init__.py Python 0 B
│ ├─ 🐍 aggregate_benchmark.py Python 401L · 14.0 KB
│ ├─ 🐍 generate_report.py Python 326L · 12.5 KB
│ ├─ 🐍 improve_description.py Python 247L · 10.9 KB
│ ├─ 🐍 package_skill.py Python 136L · 4.1 KB
│ ├─ 🐍 quick_validate.py Python 102L · 3.9 KB
│ ├─ 🐍 run_eval.py Python 310L · 11.2 KB
│ ├─ 🐍 run_loop.py Python 328L · 13.3 KB
│ └─ 🐍 utils.py Python 47L · 1.6 KB
├─ 📄 LICENSE.txt Text 201L · 11.1 KB
└─ 📝 SKILL.md Markdown 485L · 32.4 KB

Dependency analysis (2)

Package | Version | Source | Known vulnerabilities | Notes
yaml | unspecified | pip | (none listed) | Used for YAML frontmatter parsing in quick_validate.py; no vulnerable code paths
sheetjs | 0.20.3 | CDN | (none listed) | Legitimate Excel/CSV library loaded from cdn.sheetjs.com

Security highlights

✓ No credential harvesting or sensitive file access (no ~/.ssh, ~/.aws, .env access)
✓ No data exfiltration - all network activity is localhost for web server
✓ No obfuscation - all code is clear and readable Python
✓ No base64-encoded payloads or eval() patterns
✓ No reverse shell or C2 communication patterns
✓ No curl|bash or wget|sh remote script execution
✓ Temporary command files are properly cleaned up after eval runs
✓ Subprocess usage (claude -p) is documented and necessary for skill functionality
✓ Uses standard library concurrent.futures for parallelization (safe)
✓ External URLs are legitimate: SheetJS for Excel rendering, Apache license