🚀 Skill Retriever
A graph-based MCP server for retrieving Claude Code components. Given a task description, it returns the minimal correct set of components (agents, skills, commands, hooks, MCPs) with all dependencies resolved.
🚀 Quick Start
Skill Retriever is a powerful tool for retrieving Claude Code components. To get started, follow these steps:
- Add to Claude Code's MCP config (
~/.claude/claude_desktop_config.json):
{
"mcpServers": {
"skill-retriever": {
"command": "uv",
"args": ["run", "--directory", "/path/to/skill-retriever", "skill-retriever"]
}
}
}
- Restart Claude Code to load the MCP server.
Once configured, you can use the available tools in Claude Code to search for, install, and manage components.
✨ Features
Current Index
- 2,561 components from 56 repositories, auto-discovered and synced hourly.
| Type | Count | Description |
|------|-------|-------------|
| Skills | 1,952 | Portable instruction sets that package domain expertise and procedural knowledge |
| Agents | 492 | Specialized AI personas with isolated context and fine-grained permissions |
| Commands | 40 | Slash commands (
/commit, /review, etc.) |
| Hooks | 37 | Event handlers (SessionStart, PreCompact, etc.) |
| MCPs | 37 | Model Context Protocol servers for external integrations |
| Settings | 3 | Configuration presets |
Top Repositories
| Repository |
Components |
Description |
| sickn33/antigravity-awesome-skills |
722 |
Large curated skills collection across domains |
| VoltAgent/awesome-agent-skills |
232 |
200+ curated skills compatible with Codex, Gemini CLI |
| wshobson/agents |
226 |
Multi-agent orchestration with 129 skills |
| davepoon/buildwithclaude |
158 |
Full-stack development skills |
| hesreallyhim/awesome-claude-code |
155 |
Comprehensive Claude Code skills collection |
| K-Dense-AI/claude-scientific-skills |
123 |
Scientific computing and research skills |
| zhayujie/chatgpt-on-wechat |
113 |
WeChat bot with multi-platform agent skills |
| ComposioHQ/awesome-claude-skills |
85 |
Automation skills with Rube MCP integration (Gmail, Slack, Calendar) |
| Orchestra-Research/AI-Research-SKILLs |
80 |
AI research skills (fine-tuning, interpretability, distributed training, MLOps) |
| assafelovic/gpt-researcher |
78 |
Deep research agent skills |
| BehiSecc/awesome-claude-skills |
61 |
Document processing, security, scientific skills |
| jeffallan/claude-skills |
56 |
Community Claude skills collection |
| trailofbits/skills |
46 |
Security-focused skills from Trail of Bits |
| remotion-dev/skills |
35 |
Remotion video rendering skills |
| anthropics/skills |
17 |
Official Anthropic skills (Excel, PowerPoint, PDF, skill-creator) |
Problem Solving
- Agent Skills Standard: Skills are folders of instructions extending Claude's capabilities. They work across multiple platforms and are progressively disclosed to avoid context window issues.
- Component Types: Different component types (Skill, Agent, Command, Hook, MCP) serve different purposes and are used in different scenarios.
- Skills vs Tools vs Subagents: Skills solve the context window problem by progressively loading instructions.
- Skill Retriever's Solution: It indexes component repositories, understands dependencies, and returns the exact components needed for a task, installing them directly into the
.claude/ directory.
📦 Installation
Setup
- Add to Claude Code's MCP config (
~/.claude/claude_desktop_config.json):
{
"mcpServers": {
"skill-retriever": {
"command": "uv",
"args": ["run", "--directory", "/path/to/skill-retriever", "skill-retriever"]
}
}
}
- Restart Claude Code to load the MCP server.
💻 Usage Examples
Example Conversation
User: I need to set up git commit automation with conventional commits
Claude: Let me search for relevant components.
[Calls search_components with query="git commit automation conventional commits"]
I found 3 components that would help:
1. **commit-command** (command) - Automated git commits with conventional format
- Score: 0.92
- Health: active (updated 2 days ago)
- Token cost: 450
2. **git-utils** (skill) - Git helper functions
- Score: 0.85
- Required by: commit-command
3. **conventional-commits-hook** (hook) - Pre-commit validation
- Score: 0.78
- Health: active
Would you like me to install these?
User: Yes, install them
Claude: [Calls install_components with ids=["davila7/commit-command", "davila7/conventional-commits-hook"]]
Installed 4 components to .claude/:
- commands/commit.md
- skills/git-utils.md
- skills/shell-helpers.md (dependency)
- hooks/conventional-commits.md
You can now use `/commit` to create conventional commits!
Workflow with Security Integration
┌─────────────────────────────────────────────────────────────────┐
│ Claude Code + Skill Retriever Workflow │
│ │
│ 1. USER: "I need JWT authentication" │
│ │ │
│ ▼ │
│ 2. CLAUDE: search_components("JWT authentication") │
│ │ │
│ ▼ │
│ 3. SKILL RETRIEVER returns: │
│ ┌────────────────────────────────────────────────────┐ │
│ │ auth-jwt-skill │ │
│ │ Score: 0.89 │ │
│ │ Health: active (2 days ago) │ │
│ │ Security: ⚠️ MEDIUM (env_sensitive_keys) │ │
│ │ Tokens: 320 │ │
│ │ │ │
│ │ crypto-utils │ │
│ │ Score: 0.72 │ │
│ │ Health: active │ │
│ │ Security: ✅ SAFE │ │
│ │ Tokens: 180 │ │
│ └────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ 4. CLAUDE: "auth-jwt-skill has MEDIUM security risk │
│ (accesses JWT_SECRET from env). Proceed?" │
│ │ │
│ ▼ │
│ 5. USER: "Yes, that's expected for JWT" │
│ │ │
│ ▼ │
│ 6. CLAUDE: install_components(["auth-jwt-skill"]) │
│ │ │
│ ▼ │
│ 7. SKILL RETRIEVER: │
│ - Resolves dependencies (adds crypto-utils) │
│ - Writes to .claude/skills/ │
│ - Records INSTALL_SUCCESS outcome │
│ │ │
│ ▼ │
│ 8. CLAUDE: "Installed auth-jwt-skill + crypto-utils. │
│ Note: Requires JWT_SECRET env variable." │
└─────────────────────────────────────────────────────────────────┘
📚 Documentation
Available Tools
| Tool |
Purpose |
| Search & Install |
|
search_components |
Find components for a task description |
get_component_detail |
Get full info about a specific component |
install_components |
Install components to .claude/ (auto-records outcome) |
check_dependencies |
Check deps and conflicts before install |
| Ingestion |
|
ingest_repo |
Index a new component repository |
| Sync Management |
|
register_repo |
Track a repo for auto-sync |
unregister_repo |
Stop tracking a repo |
list_tracked_repos |
List all tracked repos |
sync_status |
Get sync system status |
start_sync_server |
Start webhook + poller |
stop_sync_server |
Stop sync services |
poll_repos_now |
Trigger immediate poll |
| Discovery Pipeline |
|
run_discovery_pipeline |
Discover + ingest new skill repos from GitHub |
discover_repos |
Search GitHub for skill repositories |
get_pipeline_status |
Get discovery pipeline configuration |
get_heal_status |
View auto-heal failures and status |
clear_heal_failures |
Clear tracked failures |
| Outcome Tracking |
|
report_outcome |
Record usage outcome (used, removed, deprecated) |
get_outcome_stats |
Get success/failure stats for a component |
get_outcome_report |
View problematic components and conflicts |
| Feedback Engine |
|
analyze_feedback |
Analyze patterns to suggest graph improvements |
get_feedback_suggestions |
View pending edge suggestions |
review_suggestion |
Accept or reject a suggested edge |
apply_feedback_suggestions |
Apply accepted suggestions to the graph |
| Security Scanning |
|
security_scan |
Scan a specific component for vulnerabilities (regex) |
security_scan_llm |
Scan with LLM false-positive reduction (requires API key) |
security_audit |
Audit all components, report by risk level |
backfill_security_scans |
Scan existing components that haven't been scanned |
Data Flow Summary
┌─────────────┐ ┌──────────────┐ ┌─────────────────┐
│ GitHub │────▶│ Ingestion │────▶│ Graph Store │
│ Repos │ │ Pipeline │ │ (FalkorDB/NX) │
└─────────────┘ └──────────────┘ └─────────────────┘
│
▼
┌─────────────┐ ┌──────────────┐ ┌─────────────────┐
│ Claude │◀───▶│ MCP │◀───▶│ Retrieval │
│ Code │ │ Server │ │ Pipeline │
└─────────────┘ └──────────────┘ └─────────────────┘
│ │
▼ ▼
┌──────────────┐ ┌─────────────────┐
│ .claude/ │ │ Vector Store │
│ directory │ │ (FAISS) │
└──────────────┘ └─────────────────┘
Performance
| Metric |
Value |
| MCP server startup |
~1s (lazy-loaded, non-blocking) |
| First search (cold) |
~7s (embedding model loads once) |
| Subsequent searches |
~120ms (vector + graph + fusion) |
| Cached searches |
<0.1ms (LRU cache) |
| Auto-sync interval |
1 hour (56 repos tracked, polled via GitHub API) |
Key Design Decisions
- Hybrid retrieval (vector + graph) — Semantic similarity alone misses dependency relationships
- Incremental ingestion — Only re-index changed files, not entire repos
- Entity resolution — Deduplicate similar components across repos
- Token budgeting — Don't overwhelm Claude's context window
- Health signals — Surface stale/abandoned components
- MCP protocol — Native integration with Claude Code (no plugins needed)
- Security-first scanning — 26% of skills contain vulnerabilities; scan before installation
Requirements Coverage
v1 (Complete)
- Ingestion: crawl any repo structure, extract metadata + git signals
- Retrieval: semantic search + graph traversal + score fusion
- Dependencies: transitive resolution + conflict detection
- Integration: MCP server + component installation
v2 (Implemented)
- SYNC-01: Webhook server for GitHub push events
- SYNC-02: Auto-reingest on detected changes
- SYNC-03: Incremental ingestion
- OSS-01: GitHub-based repository discovery (OSS Scout)
- HEAL-01: Auto-heal for failed ingestions with retry logic
- RETR-06: Abstraction level awareness
- RETR-07: Fuzzy entity extraction with RapidFuzz + synonym expansion
- LRNG-03: Co-occurrence tracking
- LRNG-04: Usage-based score boosting (selection rate + co-selection)
- LRNG-05: Outcome tracking (install success/failure, usage, removal)
- LRNG-06: Feedback engine for implicit edge discovery
- HLTH-01: Component health status
- SEC-01: Security vulnerability scanning (based on Yi Liu et al. research)
- SEC-02: LLM-assisted false positive reduction for security scanning
Deferred
- RETR-05: LLM-assisted query rewriting
- LRNG-01/02: Collaborative filtering from usage patterns
- HLTH-02: Deprecation warnings
- SEC-02: LLM-assisted false positive reduction ✅ IMPLEMENTED
- SEC-03: Real-time re-scanning of installed components
🔧 Technical Details
Architecture
┌─────────────────────────────────────────────────────────────────┐
│ Claude Code │
│ │
│ "I need to add git commit automation" │
│ │ │
│ ▼ │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ MCP Client (built into Claude Code) │ │
│ │ │ │
│ │ tools/call: search_components │ │
│ │ tools/call: install_components │ │
│ │ tools/call: check_dependencies │ │
│ └──────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────┘
│
│ stdio (JSON-RPC)
▼
┌─────────────────────────────────────────────────────────────────┐
│ Skill Retriever MCP Server │
│ │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────────────────┐ │
│ │ Vector │ │ Graph │ │ Metadata │ │
│ │ Store │ │ Store │ │ Store │ │
│ │ (FAISS) │ │(FalkorDB/NX)│ │ (JSON) │ │
│ └─────────────┘ └─────────────┘ └─────────────────────────┘ │
│ │ │ │ │
│ └────────────────┼────────────────────┘ │
│ ▼ │
│ ┌───────────────────────┐ │
│ │ Retrieval Pipeline │ │
│ │ │ │
│ │ 1. Vector Search │ │
│ │ 2. Graph PPR │ │
│ │ 3. Score Fusion │ │
│ │ 4. Dep Resolution │ │
│ │ 5. Conflict Check │ │
│ │ 6. Context Assembly │ │
│ └───────────────────────┘ │
└─────────────────────────────────────────────────────────────────┘
How It Works
1. Ingestion (Indexing Repositories)
Repository (GitHub)
│
▼
┌──────────────────┐
│ Clone to temp │
└──────────────────┘
│
▼
┌──────────────────┐ Strategies (first match wins):
│ Crawler │ 1. Davila7Strategy: cli-tool/components/{type}/
│ (Strategy-based)│ 2. PluginMarketplaceStrategy: plugins/{name}/skills/
└──────────────────┘ 3. FlatDirectoryStrategy: .claude/{type}/
│ 4. GenericMarkdownStrategy: Any *.md with name frontmatter
│ 5. AwesomeListStrategy: README.md curated lists
│ 6. PythonModuleStrategy: *.py with docstrings
▼
┌──────────────────┐
│ Entity Resolver │ Deduplicates similar components using:
│ (Fuzzy + Embed) │ - RapidFuzz token_sort_ratio (Phase 1)
└──────────────────┘ - Embedding cosine similarity (Phase 2)
│
▼
┌──────────────────┐
│ Index into: │
│ - Graph nodes │ Component → Node with type, label
│ - Graph edges │ Dependencies → DEPENDS_ON edges
│ - Vector store │ Embeddings for semantic search
│ - Metadata │ Full content for installation
└──────────────────┘
2. Retrieval (Finding Components)
Query: "git commit automation with conventional commits"
│
▼
┌───────────────────────────────────────────────────────────────┐
│ Query Planning │
│ │
│ - Extract entities (keywords, component names) │
│ - Determine complexity (simple/medium/complex) │
│ - Decide: use PPR? use flow pruning? │
│ - Detect abstraction level (agent vs command vs hook) │
└───────────────────────────────────────────────────────────────┘
│
┌───────────┴───────────┐
▼ ▼
┌───────────────┐ ┌───────────────────────┐
│ Vector Search │ │ Graph PPR (PageRank) │
│ │ │ │
│ Semantic │ │ Follows dependency │
│ similarity │ │ edges to find │
│ via FAISS │ │ related components │
└───────────────┘ └───────────────────────┘
│ │
└───────────┬───────────┘
▼
┌───────────────────────────────────────────────────────────────┐
│ Score Fusion │
│ │
│ Combined score = α × vector_score + (1-α) × graph_score │
│ Filtered by component type if specified │
└───────────────────────────────────────────────────────────────┘
│
▼
┌───────────────────────────────────────────────────────────────┐
│ Transitive Dependency Resolution │
│ │
│ If "commit-command" depends on "git-utils" which depends │
│ on "shell-helpers" → all three are included │
└───────────────────────────────────────────────────────────────┘
│
▼
┌───────────────────────────────────────────────────────────────┐
│ Conflict Detection │
│ │
│ Check CONFLICTS_WITH edges between selected components │
│ Warn if incompatible components would be installed │
└───────────────────────────────────────────────────────────────┘
│
▼
┌───────────────────────────────────────────────────────────────┐
│ Context Assembly │
│ │
│ - Sort by type priority (agents > skills > commands) │
│ - Estimate token cost per component │
│ - Stay within token budget │
│ - Generate rationale for each recommendation │
└───────────────────────────────────────────────────────────────┘
│
▼
┌───────────────────────────────────────────────────────────────┐
│ Results │
│ │
│ [ │
│ { id: "davila7/commit-command", score: 0.92, │
│ rationale: "High semantic match + 3 dependents" }, │
│ { id: "davila7/git-utils", score: 0.85, │
│ rationale: "Required dependency of commit-command" } │
│ ] │
└───────────────────────────────────────────────────────────────┘
3. Installation
install_components(["davila7/commit-command"])
│
▼
┌───────────────────────────────────────────────────────────────┐
│ Resolve Dependencies │
│ │
│ commit-command → [git-utils, shell-helpers] │
│ Total: 3 components to install │
└───────────────────────────────────────────────────────────────┘
│
▼
┌───────────────────────────────────────────────────────────────┐
│ Write to .claude/ │
│ │
│ .claude/ │
│ ├── commands/ │
│ │ └── commit.md ← commit-command │
│ └── skills/ │
│ ├── git-utils.md ← dependency │
│ └── shell-helpers.md ← transitive dependency │
└───────────────────────────────────────────────────────────────┘
4. Discovery Pipeline (OSS-01, HEAL-01)
┌─────────────────────────────────────────────────────────────────┐
│ Discovery Pipeline │
│ │
│ ┌──────────────────┐ │
│ │ OSS Scout │ Searches GitHub for skill repos: │
│ │ │ - 8 search queries (claude, skills, etc) │
│ │ discover() │ - MIN_STARS: 5 │
│ │ ─────────────▶ │ - Recent activity: 180 days │
│ └────────┬─────────┘ - Quality scoring (stars, topics, etc) │
│ │ │
│ ▼ │
│ ┌──────────────────┐ │
│ │ Filter & Score │ Score = stars (40) + recency (20) │
│ │ │ + topics (20) + description (10) │
│ │ min_score: 30 │ + forks (10) │
│ └────────┬─────────┘ │
│ │ │
│ ▼ │
│ ┌──────────────────┐ │
│ │ Ingest New │ Clone → Crawl → Dedupe → Index │
│ │ (max 10/run) │ Uses same pipeline as ingest_repo │
│ └────────┬─────────┘ │
│ │ │
│ ▼ │
│ ┌──────────────────┐ │
│ │ Auto-Healer │ Tracks failures: │
│ │ │ - CLONE_FAILED, NO_COMPONENTS │
│ │ MAX_RETRIES: 3 │ - NETWORK_ERROR, RATE_LIMITED │
│ └──────────────────┘ Automatically retries healable failures │
└─────────────────────────────────────────────────────────────────┘
5. Auto-Sync (SYNC-01, SYNC-02)
┌─────────────────────────────────────────────────────────────────┐
│ Sync Manager │
│ │
│ ┌──────────────────┐ ┌──────────────────────────────┐ │
│ │ Webhook Server │ │ Repo Poller │ │
│ │ (port 9847) │ │ (hourly by default) │ │
│ │ │ │ │ │
│ │ POST /webhook │ │ GET /repos/{owner}/{repo} │ │
│ │ ← GitHub push │ │ → GitHub API │ │
│ └────────┬─────────┘ └──────────────┬───────────────┘ │
│ │ │ │
│ └─────────────┬─────────────────────┘ │
│ ▼ │
│ ┌─────────────────────┐ │
│ │ Change Detected? │ │
│ │ (new commit SHA) │ │
│ └──────────┬──────────┘ │
│ │ yes │
│ ▼ │
│ ┌─────────────────────┐ │
│ │ Re-ingest Repo │ │
│ │ (incremental) │ │
│ └─────────────────────┘ │
└─────────────────────────────────────────────────────────────────┘
6. Feedback Loop (LRNG-04, LRNG-05, LRNG-06)
┌─────────────────────────────────────────────────────────────────┐
│ Feedback Loop │
│ │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ Outcome Tracking (LRNG-05) │ │
│ │ │ │
│ │ install_components() │ │
│ │ │ │ │
│ │ ├── success → INSTALL_SUCCESS + bump usage │ │
│ │ └── failure → INSTALL_FAILURE + track context │ │
│ │ │ │
│ │ report_outcome() │ │
│ │ ├── USED_IN_SESSION → usage count++ │ │
│ │ ├── REMOVED_BY_USER → negative feedback │ │
│ │ └── DEPRECATED → deprecation flag │ │
│ └──────────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ Usage-Based Boosting (LRNG-04) │ │
│ │ │ │
│ │ Selection Rate Boost: │ │
│ │ high_selection_rate → +50% score boost │ │
│ │ low_selection_rate → no boost │ │
│ │ │ │
│ │ Co-Selection Boost: │ │
│ │ frequently_selected_together → +10% each (max 30%) │ │
│ │ │ │
│ │ Final score = base_score × boost_factor │ │
│ └──────────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ Feedback Engine (LRNG-06) │ │
│ │ │ │
│ │ analyze_feedback() discovers patterns: │ │
│ │ │ │
│ │ Co-selections (≥3) → suggest BUNDLES_WITH edge │ │
│ │ Co-failures (≥2) → suggest CONFLICTS_WITH edge │ │
│ │ │ │
│ │ Human reviews suggestions via review_suggestion() │ │
│ │ Accepted suggestions → apply_feedback_suggestions() │ │
│ │ New edges added to graph with confidence scores │ │
│ └──────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────┘
7. Security Scanning (SEC-01)
┌─────────────────────────────────────────────────────────────────┐
│ Security Scanner │
│ │
│ Based on Yi Liu et al. "Agent Skills in the Wild" research: │
│ - 26.1% of skills contain vulnerable patterns │
│ - 5.2% show malicious intent indicators │
│ - Skills with scripts are 2.12x more likely to be vulnerable │
│ │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ Vulnerability Detection │ │
│ │ │ │
│ │ Data Exfiltration (13.3%) │ │
│ │ - HTTP POST with data payload │ │
│ │ - File read + external request │ │
│ │ - Webhook endpoints │ │
│ │ │ │
│ │ Credential Access │ │
│ │ - Environment variable harvesting │ │
│ │ - SSH key / AWS credential access │ │
│ │ - Sensitive env vars (API_KEY, SECRET, TOKEN) │ │
│ │ │ │
│ │ Privilege Escalation (11.8%) │ │
│ │ - Shell injection via variable interpolation │ │
│ │ - Dynamic code execution (eval/exec) │ │
│ │ - sudo execution, chmod 777 │ │
│ │ - Download and execute patterns │ │
│ │ │ │
│ │ Obfuscation (malicious intent) │ │
│ │ - Hex-encoded strings │ │
│ │ - Unicode escapes │ │
│ │ - String concatenation obfuscation │ │
│ └──────────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ Risk Assessment │ │
│ │ │ │
│ │ Risk Levels: safe → low → medium → high → critical │ │
│ │ │ │
│ │ Risk Score (0-100): │ │
│ │ Base = sum of finding weights │ │
│ │ Script multiplier = 1.5x if has_scripts │ │
│ │ │ │
│ │ Each component stores: │ │
│ │ - security_risk_level │ │
│ │ - security_risk_score │ │
│ │ - security_findings_count │ │
│ │ - has_scripts │ │
│ └──────────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ Integration Points │ │
│ │ │ │
│ │ Ingestion: scan during ingest_repo() │ │
│ │ Retrieval: include SecurityStatus in search results │ │
│ │ On-demand: security_scan() and security_audit() tools │ │
│ └──────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────┘
8. LLM-Assisted Security Analysis (SEC-02)
┌─────────────────────────────────────────────────────────────────┐
│ LLM Security Analyzer (SEC-02) │
│ │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ When to Use │ │
│ │ │ │
│ │ - Component flagged HIGH/CRITICAL by regex scanner │ │
│ │ - Suspected false positives (shell commands in docs) │ │
│ │ - Need confidence before installing critical component │ │
│ └──────────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ Analysis Process │ │
│ │ │ │
│ │ 1. Run regex scan (SEC-01) to get findings │ │
│ │ 2. Send findings + component content to Claude │ │
│ │ 3. Claude analyzes each finding: │ │
│ │ - Is it in documentation vs executable code? │ │
│ │ - Is it legitimate functionality (JWT accessing env)?│ │
│ │ - Context: webhook in notification skill = expected │ │
│ │ 4. Returns verdict per finding: │ │
│ │ - TRUE_POSITIVE: Real security concern │ │
│ │ - FALSE_POSITIVE: Safe, incorrectly flagged │ │
│ │ - CONTEXT_DEPENDENT: Depends on usage │ │
│ │ - NEEDS_REVIEW: Cannot determine, human review │ │
│ └──────────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ Adjusted Risk Score │ │
│ │ │ │
│ │ Original score = 75 (CRITICAL, 5 findings) │ │
│ │ │ │
│ │ LLM analysis: │ │
│ │ - 3 × FALSE_POSITIVE (bash in markdown) │ │
│ │ - 1 × TRUE_POSITIVE (env var harvesting) │ │
│ │ - 1 × CONTEXT_DEPENDENT │ │
│ │ │ │
│ │ Adjusted score = 75 × (1 + 0.5) / 5 = 22.5 (MEDIUM) │ │
│ └──────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────┘
📄 License
This project is licensed under the MIT License.
%20--%3e%3cdefs%3e%3cstyle%3e%20.st0%20{%20fill:%20%23061b40;%20}%20.st1%20{%20fill:%20%23306af1;%20}%20.st2%20{%20fill:%20%235ce5cf;%20}%20%3c/style%3e%3c/defs%3e%3cg%3e%3cpath%20class='st0'%20d='M55,10.5h9v3h-9v9h12V7.5h-12v3ZM64,19.5h-6v-3h6v3Z'/%3e%3cpolygon%20class='st0'%20points='69%2016.5%2078%2016.5%2078%2019.5%2069%2019.5%2069%2022.5%2081%2022.5%2081%2013.5%2072%2013.5%2072%2010.5%2081%2010.5%2081%207.5%2069%207.5%2069%2016.5'/%3e%3cpolygon%20class='st0'%20points='95%2010.5%2095%207.5%2083%207.5%2083%2022.5%2095%2022.5%2095%2019.5%2086%2019.5%2086%2016.5%2095%2016.5%2095%2013.5%2086%2013.5%2086%2010.5%2095%2010.5'/%3e%3cpath%20class='st0'%20d='M40,1.5v21h11.6l1.4-1.4v-7.6h0c0,0-1.4-1.5-1.4-1.5l1.4-1.4V2.9l-1.4-1.4h-11.6ZM50,19.5h-7v-6h7v6ZM50,10.5h-7v-6h7v6Z'/%3e%3c/g%3e%3cpath%20class='st1'%20d='M23.1,24L14.7,4.8l-4.9,11.2h3.8l-1.8,4H3.3L12.1,0H2C.9,0,0,.9,0,2v20c0,1.1.9,2,2,2h21.1Z'/%3e%3cpath%20class='st2'%20d='M34,0h-16.8l10.6,24h6.2c1.1,0,2-.9,2-2V2C36,.9,35.1,0,34,0ZM32.5,20h-4V4h4v16Z'/%3e%3c/svg%3e)
%20--%3e%3cdefs%3e%3cstyle%3e%20.st0%20{%20fill:%20%230080ff;%20}%20%3c/style%3e%3c/defs%3e%3cpath%20class='st0'%20d='M16.2,11.1c.4.5.4,1.2,0,1.8l-4.7,7.1h-3.8l5.3-8L7.6,4h3.8l4.7,7.1Z'/%3e%3c/svg%3e)
