Trusted — Risk score 5/100
Last scanned: 2 days ago
historical-guide
Upgraded museum guide: summons historical figures such as Li Bai, Su Shi, and Confucius to explain artifacts
This is a legitimate museum guide AI skill that summons historical figures to narrate about artifacts. All functionality is documented, no malicious behavior detected.
Skill name: historical-guide
Analysis time: 30.4s
Engine: pi
OK to install
This skill is safe to use. Ensure API keys are properly secured and not committed to version control.
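| Resource type | Declared permission | Inferred permission | Status | Evidence |
| --- | --- | --- | --- | --- |
| File system | READ | READ | ✓ Consistent | scripts/character_loader.py:27-33 - reads persona JSON files from references/ |
| Network access | READ | READ | ✓ Consistent | scripts/tour_guide.py:98-107 - makes HTTP POST requests to configured LLM API |
| Command execution | WRITE | WRITE | ✓ Consistent | scripts/tour_guide.py:280-285 - subprocess.run() for persona_generator.py; docum… |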
1 finding
Medium severity: External URL
https://api.example.com/v1/chat/completions
SKILL.md:45

Directory structure

10 files · 47.4 KB · 1414 lines
Python 7f · 1082L Markdown 1f · 316L JSON 2f · 16L
├─ 📁 scripts
│ ├─ 🐍 api_config.py Python 40L · 1.1 KB
│ ├─ 🐍 character_loader.py Python 147L · 3.9 KB
│ ├─ 🔑 config.json JSON 5L · 58 B
│ ├─ 🐍 persona_generator.py Python 191L · 6.4 KB
│ ├─ 🐍 relic_presenter.py Python 78L · 2.3 KB
│ ├─ 🐍 session_manager.py Python 133L · 4.7 KB
│ ├─ 🐍 tour_guide.py Python 415L · 15.4 KB
│ └─ 🐍 utils.py Python 78L · 3.0 KB
├─ 📋 _meta.json JSON 11L · 289 B
└─ 📝 SKILL.md Markdown 316L · 10.3 KB

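Dependency analysis: 1 item

| Package | Version | Source | Known vulnerabilities | Notes |
| --- | --- | --- | --- | --- |
| requests | * | pip | | Version not pinned; standard HTTP library for LLM API calls |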

Security highlights

✓ No credential harvesting or exfiltration detected
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No base64-encoded shell commands
✓ No eval() with decoded content
✓ No remote script execution (curl|bash, wget|sh)
✓ API keys stored in environment or local config.json (empty by default)
✓ subprocess usage is documented and necessary for dynamic persona generation
✓ No hidden functionality - all features declared in SKILL.md
✓ No data exfiltration or suspicious network activity
✓ Simple dependency: only 'requests' library used for API calls