Low risk (risk score 18/100)
Last scanned: 1 day ago
claude-code-framework
Claude Code Framework - A defensive execution framework providing permission checks, context budget monitoring, and lifecycle hooks for AI agents
A defensive security framework providing permission checks, context budget management, and lifecycle hooks. No malicious behavior detected; code matches documented functionality.
Skill name: claude-code-framework
Analysis time: 36.5s
Engine: pi
OK to install
This skill is safe to use. Monitor the 'leaked source code' branding claim for accuracy. No changes needed.

Security findings: 2

Severity Finding Location
Low
Questionable source attribution (documentation deception)
SKILL.md claims this framework was extracted from 'Claude Code 泄露源码' (leaked Claude Code source code). While the code itself is legitimate, the provenance claim cannot be verified.
Based on analysis of the leaked Claude Code v2.1.88 source code, 2026-04-03
→ Verify the source attribution or remove the 'leaked source' claim to avoid misrepresentation
SKILL.md:1
Info
Config file flagged as sensitive (sensitive access)
config.json was flagged as sensitive by pre-scan but contains only framework configuration (rules, thresholds, hook settings) with no actual secrets or credentials.
Configuration contains permission rules and thresholds, no credentials
→ No action needed - this is a false positive from the sensitive file heuristic
config.json:1
Resource type, Declared permission, Inferred permission, Status, Evidence
File system NONE NONE No file operations in code
Network access NONE NONE No network calls in code
Command execution NONE NONE No subprocess/exec calls
Environment variables NONE NONE No os.environ access
Skill invocation NONE NONE No skill invocation
Clipboard NONE NONE No clipboard access
Browser NONE NONE No browser automation
Database NONE NONE No database operations

Directory structure

6 files · 32.0 KB · 1269 lines
TypeScript 4f · 926L Markdown 1f · 263L JSON 1f · 80L
├─ 🔑 config.json JSON 80L · 2.3 KB
├─ 📜 context-budget.ts TypeScript 204L · 5.3 KB
├─ 📜 handler.ts TypeScript 281L · 8.0 KB
├─ 📜 hook-manager.ts TypeScript 303L · 7.0 KB
├─ 📜 risk-classifier.ts TypeScript 138L · 3.8 KB
└─ 📝 SKILL.md Markdown 263L · 5.7 KB

Security highlights

✓ No credential harvesting or environment variable enumeration
✓ No network calls or external data exfiltration
✓ No shell execution (subprocess, exec, eval)
✓ No obfuscation techniques (base64, atob, eval patterns)
✓ No sensitive file access (~/.ssh, ~/.aws, .env)
✓ No remote script execution (curl|bash, wget|sh)
✓ Defensive security controls properly implemented (permission checks, risk classification, hook system)
✓ Code is clean and follows TypeScript best practices