中文 EN

扫描报告

扫描新文件

可信 — 风险评分 5/100
上次扫描:18 小时前 重新扫描
5 /100
webmcp-bridge
Connect a website to the local-mcp browser bridge through a fixed UXC link. Use when the user needs to operate native WebMCP sites or adapter-backed sites through local-mcp, manage per-site browser profiles, or switch bridge presentation modes explicitly.
The WebMCP Bridge skill is a legitimate browser automation tool that creates CLI links for managing browser sessions through local-mcp, with well-documented shell usage and no malicious behavior detected.
技能名称webmcp-bridge
分析耗时49.5s
引擎pi
可以安装
This skill can be used safely. The shell execution and npx usage are necessary and documented. Consider pinning the @webmcp-bridge/local-mcp version in production environments for reproducibility.

安全发现 1 项

严重性 安全发现 位置
低危
Unpinned npm package dependency 供应链
The skill uses 'npx -y @webmcp-bridge/local-mcp' without version pinning. While this is common for CLI tools, it could lead to unexpected behavior if the package is updated.
local_mcp_command="${WEBMCP_LOCAL_MCP_COMMAND:-npx -y @webmcp-bridge/local-mcp}"
→ Consider pinning to a specific version (e.g., @webmcp-bridge/[email protected]) for reproducible builds, especially in CI/CD environments.
 scripts/ensure-links.sh:28
资源类型声明权限推断权限状态证据
命令执行 WRITE WRITE ✓ 一致 SKILL.md:scripts/ensure-links.sh
文件系统 READ WRITE ✓ 一致 Creates ~/.uxc/webmcp-profile/<site> directories for browser profiles
网络访问 READ READ ✓ 一致 Browser automation fetches target URLs; external URLs documented in references
浏览器 READ WRITE ✓ 一致 Manages browser profiles, sessions, and automation through local-mcp bridge
2 项发现
🔗
中危 外部 URL 外部 URL
https://board.holon.run
references/source-modes.md:12
🔗
中危 外部 URL 外部 URL
http://127.0.0.1:4173
references/source-modes.md:13

目录结构

8 文件 · 19.2 KB · 657 行
Markdown 5f · 462L Shell 2f · 188L YAML 1f · 7L
├─ 📁 agents
│ └─ 📋 openai.yaml YAML 7L · 290 B
├─ 📁 references
│ ├─ 📝 link-patterns.md Markdown 63L · 1.2 KB
│ ├─ 📝 source-modes.md Markdown 70L · 1.6 KB
│ ├─ 📝 troubleshooting.md Markdown 156L · 3.9 KB
│ └─ 📝 usage-patterns.md Markdown 51L · 1.2 KB
├─ 📁 scripts
│ ├─ 🔧 ensure-links.sh Shell 149L · 3.4 KB
│ └─ 🔧 validate.sh Shell 39L · 1.7 KB
└─ 📝 SKILL.md Markdown 122L · 5.8 KB

依赖分析 3 项

包名版本来源已知漏洞备注
@webmcp-bridge/local-mcp unpinned npm No version pinning - uses latest with npx -y
uxc unpinned system Expected to be pre-installed by user
npx unpinned system Expected to be pre-installed by user

安全亮点

✓ Shell usage is fully documented in SKILL.md with clear explanation of each command
✓ No credential harvesting or sensitive data exfiltration detected
✓ No obfuscation, base64 encoding, or anti-analysis techniques observed
✓ Clear separation of concerns with well-structured reference documentation
✓ No unauthorized resource access to ~/.ssh, ~/.aws, .env or similar sensitive paths
✓ Guardrails are explicitly documented in SKILL.md (profile isolation, no credential script extraction)
✓ Explicit profile isolation guidance prevents cross-site data leakage
✓ Command validation script (validate.sh) helps catch documentation drift