Low Risk — Risk Score 20/100
Last scan: 1 day ago
skill-kit
Claude Code skill management toolkit: create, validate, merge, convert, deduplicate, and upgrade Agent Skills. Topics: writer, lint, merge, dedup, convert, upgrade, route, trigger.
Legitimate Claude Code skill management toolkit; all shell operations are documented and serve stated purposes, but shell:WRITE is not declared in allowed-tools despite being used throughout.
Skill Name: skill-kit
Duration: 69.6s
Engine: pi
Safe to install
Add explicit allowed-tools declaration to SKILL.md frontmatter and consider pinning the Bash operations to specific commands rather than general shell access.

Findings 3 items

Severity: Low
Finding: shell:WRITE not declared in allowed-tools (Priv Escalation)
SKILL.md declares only filesystem:READ/WRITE but the skill performs shell:WRITE operations (mkdir, mv, chmod, rm, jq writes) across merge.md, dedup.md, and trigger-compile.sh. No 'allowed-tools:' field is present in frontmatter.
Evidence: SKILL.md declares no allowed-tools; shell WRITE operations are inferred from bash commands
→ Add allowed-tools declaration to SKILL.md frontmatter, e.g.: allowed-tools: [Read, Glob, Grep, Bash]
Location: SKILL.md:1

Severity: Low
Finding: settings.json modification not explicitly declared (Doc Mismatch)
trigger-compile.sh reads and modifies ~/.claude/settings.json to register hook entries. SKILL.md describes the trigger feature but does not explicitly state that it writes to settings.json.
Evidence: cp "$tmp_settings" "$SETTINGS"  # register_hooks() function
→ Add 'Modifies ~/.claude/settings.json to register hooks' to the trigger topic description for transparency.
Location: trigger.md / scripts/trigger-compile.sh:228

Severity: Info
Finding: rm -rf documented for backup cleanup (legitimate) (RCE)
The dangerous 'rm -rf' command appears in merge.md:144 and dedup.md:129 for cleaning backup directories. These are explicitly documented as part of the safe-delete pattern and only target .bak folders.
Evidence: rm -rf ~/.claude/.bak/{skill-name}  # Clean .bak/: rm -rf ~/.claude/.bak/{skill-name}
→ No action needed — rm -rf is scoped to backup directories and is a documented cleanup operation.
Location: merge.md:144, dedup.md:129:144

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ,WRITE | READ,WRITE | ✓ Aligned | SKILL.md frontmatter references and bash directory operations in merge.md:94-97 |
| Shell | NONE | WRITE | ✗ Violation | merge.md:144 'rm -rf', dedup.md:129 'rm -rf', trigger-compile.sh:182 'chmod +x',… |
| Environment | NONE | NONE | | No os.environ access detected |
| Network | NONE | NONE | | No network requests detected |
| Skill Invoke | NONE | READ | ✓ Aligned | Skill tool invocations are the core functionality; read-only scan operations |
| Clipboard | NONE | NONE | | No clipboard access detected |
| Browser | NONE | NONE | | No browser access detected |
| Database | NONE | NONE | | No database access detected |

1 Critical, 1 finding
Critical: Dangerous Command (dangerous shell command)
rm -rf ~
merge.md:144

File Tree

11 files · 55.9 KB · 2062 lines
Markdown 10f · 1720L Shell 1f · 342L
├─ 📁 scripts
│ └─ 🔧 trigger-compile.sh Shell 342L · 10.1 KB
├─ 📝 architecture.md Markdown 170L · 4.7 KB
├─ 📝 convert.md Markdown 78L · 1.6 KB
├─ 📝 dedup.md Markdown 119L · 2.5 KB
├─ 📝 lint.md Markdown 286L · 7.1 KB
├─ 📝 merge.md Markdown 144L · 3.4 KB
├─ 📝 route.md Markdown 132L · 3.8 KB
├─ 📝 SKILL.md Markdown 195L · 6.0 KB
├─ 📝 trigger.md Markdown 214L · 6.4 KB
├─ 📝 upgrade.md Markdown 187L · 5.8 KB
└─ 📝 writer.md Markdown 195L · 4.7 KB

Security Positives

✓ No credential harvesting or sensitive path access (~/.ssh, ~/.aws, .env never accessed)
✓ No network requests or external data exfiltration detected
✓ No base64, obfuscation, or anti-analysis patterns found
✓ All rm -rf commands are scoped to .bak backup directories and explicitly documented
✓ trigger-compile.sh validates JSON syntax before writing settings.json (bash -n and jq validation)
✓ No supply chain risks — no package.json, requirements.txt, or external dependencies
✓ All operations are directly relevant to the stated skill management purpose