Scan Report
5/100
find-everything
Cross-platform resource search orchestrator for skills, MCP servers, prompts, and GitHub repos
This is a legitimate cross-platform resource search aggregator with a built-in security scanning tool. All capabilities are clearly documented, shell commands are explicitly declared, and no malicious behavior is present.
Safe to install
This skill is safe to use. The security_scan.py script is a defensive tool that helps identify risks in other skills.
Findings 1 items
| Severity | Finding | Location |
|---|---|---|
| Low | Script uses eval/exec pattern detection | scripts/security_scan.py:77 |

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ | ✓ Aligned | SKILL.md Step 10: reads SKILL.md, scripts/, package.json, README.md of target sk… |
| Network | READ | READ | ✓ Aligned | SKILL.md Step 10: WebFetch for GitHub/npm registry details; Step 6: WebFetch for… |
| Shell | WRITE | WRITE | ✓ Aligned | SKILL.md Step 3: uses Bash tool for npx/gh/clawhub CLI commands (lines 42-44); S… |
| Environment | NONE | NONE | — | No environment variable access detected |
| Skill Invoke | NONE | NONE | — | SKILL.md Step 3: calls other installed skills via skill_invoke if available |
11 findings

| Severity | Finding | URL | Location |
|---|---|---|---|
| Medium | External URL | https://skills.sh | references/registry.json:13 |
| Medium | External URL | https://clawhub.ai | references/registry.json:35 |
| Medium | External URL | https://prompts.chat | references/registry.json:47 |
| Medium | External URL | https://www.skillhub.club | references/registry.json:103 |
| Medium | External URL | https://mcpservers.org | references/registry.json:113 |
| Medium | External URL | https://skillsmp.com | references/registry.json:123 |
| Medium | External URL | https://www.aishort.top | references/registry.json:134 |
| Medium | External URL | https://nanoprompts.org | references/registry.json:144 |
| Medium | External URL | https://aiart.pics | references/registry.json:154 |
| Medium | External URL | https://www.localbanana.io | references/registry.json:164 |
| Medium | External URL | https://aiskillsshow.com | references/registry.json:174 |

File Tree
5 files · 35.0 KB · 1074 lines
Python 1f · 426L
Markdown 2f · 242L
Text 1f · 223L
JSON 1f · 183L

├─ references
│ ├─ known_skills.txt (Text)
│ ├─ registry.json (JSON)
│ └─ security-checklist.md (Markdown)
├─ scripts
│ └─ security_scan.py (Python)
└─ SKILL.md (Markdown)

Dependencies 5 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| json (stdlib) | bundled | Python standard library | No | No external dependencies |
| re (stdlib) | bundled | Python standard library | No | No external dependencies |
| pathlib (stdlib) | bundled | Python standard library | No | No external dependencies |
| unicodedata (stdlib) | bundled | Python standard library | No | No external dependencies |
| base64 (stdlib) | bundled | Python standard library | No | No external dependencies |

Security Positives
✓ Comprehensive SKILL.md with explicit declaration of all capabilities
✓ Shell commands (npx, gh, clawhub) explicitly documented with 15s timeout
✓ Python security scanning tool uses only standard library (no external dependencies)
✓ No credential harvesting patterns - security_scan.py only scans for access patterns, doesn't exfiltrate
✓ No base64 obfuscation, no zero-width characters, no hidden HTML instructions in the skill itself
✓ Typosquat detection uses edit distance and homoglyph mapping for defense
✓ No external IP connections, no data exfiltration behavior
✓ No access to ~/.ssh, ~/.aws, .env, or other sensitive paths
✓ Registry references known platforms with install hints for missing CLI tools
✓ Explicit permission checks using 'which' command before executing CLI tools