中文 EN

Scan Report

Scan New Files

Trusted — Risk Score 5/100
Last scan:17 hr ago Rescan
5 /100
webmcp-bridge
Connect a website to the local-mcp browser bridge through a fixed UXC link. Use when the user needs to operate native WebMCP sites or adapter-backed sites through local-mcp, manage per-site browser profiles, or switch bridge presentation modes explicitly.
The WebMCP Bridge skill is a legitimate browser automation tool that creates CLI links for managing browser sessions through local-mcp, with well-documented shell usage and no malicious behavior detected.
Skill Namewebmcp-bridge
Duration49.5s
Enginepi
Safe to install
This skill can be used safely. The shell execution and npx usage are necessary and documented. Consider pinning the @webmcp-bridge/local-mcp version in production environments for reproducibility.

Findings 1 items

Severity Finding Location
Low
Unpinned npm package dependency Supply Chain
The skill uses 'npx -y @webmcp-bridge/local-mcp' without version pinning. While this is common for CLI tools, it could lead to unexpected behavior if the package is updated.
local_mcp_command="${WEBMCP_LOCAL_MCP_COMMAND:-npx -y @webmcp-bridge/local-mcp}"
→ Consider pinning to a specific version (e.g., @webmcp-bridge/[email protected]) for reproducible builds, especially in CI/CD environments.
 scripts/ensure-links.sh:28
ResourceDeclaredInferredStatusEvidence
Shell WRITE WRITE ✓ Aligned SKILL.md:scripts/ensure-links.sh
Filesystem READ WRITE ✓ Aligned Creates ~/.uxc/webmcp-profile/<site> directories for browser profiles
Network READ READ ✓ Aligned Browser automation fetches target URLs; external URLs documented in references
Browser READ WRITE ✓ Aligned Manages browser profiles, sessions, and automation through local-mcp bridge
2 findings
🔗
Medium External URL 外部 URL
https://board.holon.run
references/source-modes.md:12
🔗
Medium External URL 外部 URL
http://127.0.0.1:4173
references/source-modes.md:13

File Tree

8 files · 19.2 KB · 657 lines
Markdown 5f · 462L Shell 2f · 188L YAML 1f · 7L
├─ 📁 agents
│ └─ 📋 openai.yaml YAML 7L · 290 B
├─ 📁 references
│ ├─ 📝 link-patterns.md Markdown 63L · 1.2 KB
│ ├─ 📝 source-modes.md Markdown 70L · 1.6 KB
│ ├─ 📝 troubleshooting.md Markdown 156L · 3.9 KB
│ └─ 📝 usage-patterns.md Markdown 51L · 1.2 KB
├─ 📁 scripts
│ ├─ 🔧 ensure-links.sh Shell 149L · 3.4 KB
│ └─ 🔧 validate.sh Shell 39L · 1.7 KB
└─ 📝 SKILL.md Markdown 122L · 5.8 KB

Dependencies 3 items

PackageVersionSourceKnown VulnsNotes
@webmcp-bridge/local-mcp unpinned npm No No version pinning - uses latest with npx -y
uxc unpinned system No Expected to be pre-installed by user
npx unpinned system No Expected to be pre-installed by user

Security Positives

✓ Shell usage is fully documented in SKILL.md with clear explanation of each command
✓ No credential harvesting or sensitive data exfiltration detected
✓ No obfuscation, base64 encoding, or anti-analysis techniques observed
✓ Clear separation of concerns with well-structured reference documentation
✓ No unauthorized resource access to ~/.ssh, ~/.aws, .env or similar sensitive paths
✓ Guardrails are explicitly documented in SKILL.md (profile isolation, no credential script extraction)
✓ Explicit profile isolation guidance prevents cross-site data leakage
✓ Command validation script (validate.sh) helps catch documentation drift