Low risk (risk score 22/100)
Last scanned: 1 day ago
newapi
Assistant for newapi (new-api), an open-source unified AI gateway platform. Manages models, tokens, groups, and balances through secure token handling.
This is a legitimate New API token management skill with well-designed security controls; shell execution via exec-token is declared and scoped to token substitution, with no evidence of credential exfiltration or hidden malicious behavior.
Skill name: newapi
Analysis time: 60.2s
Engine: pi
OK to install
The skill is safe to use. The primary risk surface is exec-token's arbitrary command execution, which is intentional and documented. Audit whether users can be socially engineered into passing malicious commands through the placeholder substitution mechanism.

Security findings: 4

Severity | Finding | Location
Medium
exec-token.js executes arbitrary shell commands [Code execution]
The exec-token action accepts a user-supplied command string, substitutes the real token key, and executes it via execSync with shell:true. While declared in SKILL.md, this provides unrestricted shell:WRITE access. An attacker who can influence the command argument could execute arbitrary commands on the user's system with the token key available in the environment.
stdout = execSync(realCommand, { shell: true, stdio: ['inherit', 'pipe', 'pipe'], encoding: 'utf-8', timeout: 30000 });
→ Consider restricting exec-token to known-safe CLI patterns (e.g., allowlist of executables). Add input validation beyond placeholder presence. Document the risk clearly in the skill so users understand they are passing arbitrary commands.
scripts/exec-token.js:58
Low
env.js traverses project root looking for .env files [Sensitive access]
The env.js script walks up the directory tree from cwd searching for .git or package.json to locate the project root, then loads .env from both project root and skill directory. While a legitimate pattern for config discovery, it could inadvertently expose .env files in parent directories that contain unrelated credentials.
loadEnv(path.join(projectRoot, '.env')); loadEnv(path.join(skillDir, '.env'));
→ Document that .env loading is scoped. Ensure the user's project .env does not contain unrelated secrets that could be inadvertently loaded by other tools.
scripts/env.js:31
Info
inject-key.js --scan reads arbitrary files [Sensitive access]
The --scan action reads any file path provided by the user and applies regex-based redaction. While a legitimate feature, the path.resolve call means relative paths are resolved from cwd, and the regex-based sanitization is explicitly marked best-effort and not guaranteed to catch all secrets.
const content = fs.readFileSync(resolved, 'utf-8');
→ This is documented as best-effort. Ensure users understand the limitations of regex-based redaction and avoid using --scan as a substitute for proper secret scanning tools.
scripts/inject-key.js:59
Info
copy-key.js writes real tokens to system clipboard [Credential theft]
The copy-token action retrieves the full real API key and writes it directly to the clipboard via pbcopy/xclip/xsel. While this is the intended design and the key never appears in stdout, clipboard contents can persist beyond the session and be accessed by other applications.
execSync(clipCmd, { input: fullKey, stdio: ['pipe', 'ignore', 'ignore'] });
→ Warn users that clipboard-copied secrets may linger. Consider advising users to clear the clipboard after use (e.g., with pbcopy < /dev/null on macOS).
scripts/copy-key.js:62
Resource type | Declared permission | Inferred permission | Status | Evidence
Network access | READ | READ | ✓ Consistent | All scripts (api.js, fetch-key.js, inject-key.js, copy-key.js, exec-token.js) ma…
Command execution | WRITE | WRITE | ✓ Consistent | exec-token.js:28 — execSync(realCommand, {shell:true}) executes user-constructed…
Clipboard | WRITE | WRITE | ✓ Consistent | copy-key.js:62 — execSync(clipCmd, {input: fullKey}) writes token to system clip…
File system | READ+WRITE | READ+WRITE | ✓ Consistent | inject-key.js reads and writes config files; env.js reads .env files from projec…
Environment variables | READ | READ | ✓ Consistent | env.js reads NEWAPI_BASE_URL, NEWAPI_ACCESS_TOKEN, NEWAPI_USER_ID from process.e…
Skill invocation | READ | READ | ✓ Consistent | SKILL.md defines all actions and their invocation patterns; no undeclared cross-…
Database | NONE | NONE | | No direct database access; all persistence is via New API REST API
1 high, 7 findings
High | API key | Suspected hard-coded credential
api_key = "__NEWAPI_TOKEN_42__"
docs/actions-config.md:53
Medium | External URL
https://api.example.com/v1
docs/actions-config.md:55
Medium | External URL
https://www.newapi.ai
docs/help.md:13
Medium | External URL
https://your-instance.com
docs/help.md:37
Medium | External URL
https://apifox.newapi.ai/llms.txt
docs/help.md:63
Medium | External URL
https://www.newapi.ai/llms.txt
docs/help.md:64
Medium | External URL
https://your-newapi-instance.com
docs/setup.md:14

Directory structure

14 files · 36.8 KB · 1063 lines
JavaScript 7f · 604L Markdown 7f · 459L
├─ 📁 docs
│ ├─ 📝 actions-config.md Markdown 76L · 3.3 KB
│ ├─ 📝 actions-exec.md Markdown 43L · 1.9 KB
│ ├─ 📝 actions-query.md Markdown 40L · 658 B
│ ├─ 🔑 actions-token.md Markdown 78L · 2.7 KB
│ ├─ 📝 help.md Markdown 67L · 4.3 KB
│ └─ 📝 setup.md Markdown 95L · 3.6 KB
├─ 📁 scripts
│ ├─ 📜 api.js JavaScript 104L · 2.7 KB
│ ├─ 📜 copy-key.js JavaScript 76L · 2.0 KB
│ ├─ 📜 env.js JavaScript 77L · 2.2 KB
│ ├─ 🔑 exec-token.js JavaScript 90L · 2.4 KB
│ ├─ 📜 fetch-key.js JavaScript 45L · 1.2 KB
│ ├─ 📜 inject-key.js JavaScript 130L · 3.3 KB
│ └─ 📜 sanitize.js JavaScript 82L · 2.3 KB
└─ 📝 SKILL.md Markdown 60L · 4.2 KB

Dependency analysis: 1 item

Package | Version | Source | Known vulnerabilities | Notes
none N/A none Zero external dependencies — scripts use only native Node.js/Bun/Deno APIs (fs, path, child_process, fetch)

Security highlights

✓ SKILL.md thoroughly documents all actions, capabilities, and security constraints — no documentation mismatch
✓ API keys are never printed to stdout/stderr — all key handling is in-memory via fetchTokenKey
✓ Token key substitution uses a well-defined placeholder pattern (__NEWAPI_TOKEN_{id}__) with validation
✓ Sanitization module (sanitize.js) provides regex-based redaction for sk- tokens, Bearer tokens, sensitive field values, and connection strings
✓ Atomic file writes in inject-key.js prevent partial overwrites of config files
✓ No external dependencies — zero-dependency scripts using native fetch/Node APIs reduce supply chain risk
✓ API responses are masked in api.js (keys shown as sk-xxxx**********xxxx)
✓ Security guidelines explicitly prohibit reading .env files, clipboard contents, or circumventing masking
✓ No base64-encoded payloads, no obfuscation, no anti-analysis patterns detected
✓ No attempts to access ~/.ssh, ~/.aws, or other sensitive system directories
✓ No curl|bash or wget|sh remote script execution patterns