Trusted — risk score 5/100
Last scanned: 2 days ago
find-everything
Cross-platform resource search orchestrator for skills, MCP servers, prompts, and GitHub repos
This is a legitimate cross-platform resource search aggregator with a built-in security scanning tool. All capabilities are clearly documented, shell commands are explicitly declared, and no malicious behavior is present.
Skill name: find-everything
Analysis time: 41.2s
Engine: pi
Safe to install
This skill is safe to use. The security_scan.py script is a defensive tool that helps identify risks in other skills.

Security findings: 1

Severity: Low
Finding: Script uses eval/exec pattern detection
security_scan.py contains patterns for detecting eval() and exec() calls, which may produce false positives for legitimate template engines or REPL tools
{"pattern": r"\beval\s*\(", "severity": "medium", "name": "eval_call"}
→ This is intentional defensive detection. The security-checklist.md notes this should be filtered for context.
Location: scripts/security_scan.py:77

| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | READ | READ | ✓ Consistent | SKILL.md Step 10: reads SKILL.md, scripts/, package.json, README.md of target sk… |
| Network access | READ | READ | ✓ Consistent | SKILL.md Step 10: WebFetch for GitHub/npm registry details; Step 6: WebFetch for… |
| Command execution | WRITE | WRITE | ✓ Consistent | SKILL.md Step 3: uses Bash tool for npx/gh/clawhub CLI commands (lines 42-44); S… |
| Environment variables | NONE | NONE | | No environment variable access detected |
| Skill invocation | NONE | NONE | | SKILL.md Step 3: calls other installed skills via skill_invoke if available |

11 findings

| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://skills.sh | references/registry.json:13 |
| Medium | External URL | https://clawhub.ai | references/registry.json:35 |
| Medium | External URL | https://prompts.chat | references/registry.json:47 |
| Medium | External URL | https://www.skillhub.club | references/registry.json:103 |
| Medium | External URL | https://mcpservers.org | references/registry.json:113 |
| Medium | External URL | https://skillsmp.com | references/registry.json:123 |
| Medium | External URL | https://www.aishort.top | references/registry.json:134 |
| Medium | External URL | https://nanoprompts.org | references/registry.json:144 |
| Medium | External URL | https://aiart.pics | references/registry.json:154 |
| Medium | External URL | https://www.localbanana.io | references/registry.json:164 |
| Medium | External URL | https://aiskillsshow.com | references/registry.json:174 |

Directory structure

5 files · 35.0 KB · 1074 lines
Python 1f · 426L Markdown 2f · 242L Text 1f · 223L JSON 1f · 183L
├─ 📁 references
│ ├─ 📄 known_skills.txt Text 223L · 4.2 KB
│ ├─ 📋 registry.json JSON 183L · 4.8 KB
│ └─ 📝 security-checklist.md Markdown 76L · 2.7 KB
├─ 📁 scripts
│ └─ 🐍 security_scan.py Python 426L · 16.2 KB
└─ 📝 SKILL.md Markdown 166L · 7.0 KB

Dependency analysis: 5 items

Package | Version | Source | Known vulnerabilities | Notes
json (stdlib) bundled Python standard library No external dependencies
re (stdlib) bundled Python standard library No external dependencies
pathlib (stdlib) bundled Python standard library No external dependencies
unicodedata (stdlib) bundled Python standard library No external dependencies
base64 (stdlib) bundled Python standard library No external dependencies

Security highlights

✓ Comprehensive SKILL.md with explicit declaration of all capabilities
✓ Shell commands (npx, gh, clawhub) explicitly documented with 15s timeout
✓ Python security scanning tool uses only standard library (no external dependencies)
✓ No credential harvesting patterns - security_scan.py only scans for access patterns, doesn't exfiltrate
✓ No base64 obfuscation, no zero-width characters, no hidden HTML instructions in the skill itself
✓ Typosquat detection uses edit distance and homoglyph mapping for defense
✓ No external IP connections, no data exfiltration behavior
✓ No access to ~/.ssh, ~/.aws, .env, or other sensitive paths
✓ Registry references known platforms with install hints for missing CLI tools
✓ Explicit permission checks using 'which' command before executing CLI tools