check-test-code-quality
Fail
Audited by Gen Agent Trust Hub on May 2, 2026
Risk Level: HIGH
Flagged categories: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [CREDENTIALS_UNSAFE]: Hardcoded credentials for a PKCS12 keystore and signing keys are included in the instructions and shell scripts.
  - Evidence in guides/R012_p7b_signature/signature_tools/signatureP7b.bat: the parameters -keyPwd "123456" and -keystorePwd "123456" expose the password for the accompanying OpenHarmony.p12 file.
  - Evidence in guides/R012_p7b_signature/R012_FIX_GUIDE.md: the manual fix instructions explicitly use -keystorePwd "123456".
- [COMMAND_EXECUTION]: The skill uses the Bash tool to execute a local Java archive and system utilities for file processing.
  - Evidence in guides/R012_p7b_signature/R012_FIX_GUIDE.md: the skill executes java -jar hap-sign-tool.jar sign-profile ... using a binary file provided within the skill folder.
- [REMOTE_CODE_EXECUTION]: The skill employs a dynamic execution pattern in which the orchestrator instructions direct the AI to generate and run Python scanning logic at runtime based on markdown files.
  - Evidence in SKILL.md (translated from the Chinese original): "Scanning code for all rules is dynamically generated and executed by the model at runtime based on the detection logic and regular-expression patterns in rules/Rxxx/SKILL.md."
- [EXTERNAL_DOWNLOADS]: The tool's configuration logic for rule R010 fetches data from remote repositories hosted on Gitee and Gitcode.
  - Source URLs: https://gitee.com/openharmony/vendor_hihope/raw/master/rk3568/config.json and https://gitcode.com/openharmony/productdefine_common/raw/master/inherit/rich.json
Recommendations
- AI detected serious security threats
Audit Metadata