Low risk: risk score 20/100
Last scan: 20 hours ago
landing-page-angle-tester
Generates multiple landing-page narrative angles for the same product, annotating the audience each angle fits and the evidence it requires.
A legitimate landing-page copywriting skill with mostly clean code; a minor doc-to-code mismatch exists where filesystem WRITE via script output is not declared in the SKILL.md frontmatter.
Skill name: landing-page-angle-tester
Analysis time: 44.4s
Engine: pi
Verdict: can be installed
Add filesystem:WRITE to SKILL.md frontmatter's allowed-tools mapping since scripts/run.py writes output files. Otherwise the skill is safe and suitable for use.

Security findings (3)

Severity: Low | Finding: Undeclared filesystem WRITE capability | Category: documentation deception | Location: scripts/run.py:262
scripts/run.py accepts --output to write rendered reports to user-specified paths (line 262: output_path.write_text). This is filesystem WRITE but is not declared in the SKILL.md frontmatter allowed-tools mapping. The behavior is documented in README.md but not in the machine-readable metadata.
Evidence: output_path.write_text(rendered, encoding="utf-8")
→ Add 'filesystem:WRITE' to the SKILL.md frontmatter allowed-tools mapping to match the script's --output functionality.

Severity: Low | Finding: Shell execution referenced in body but not frontmatter | Category: documentation deception | Location: SKILL.md:31
SKILL.md line 31 states '如运行环境允许 shell / exec,可使用 python3 scripts/run.py' (i.e. "if the runtime environment allows shell / exec, python3 scripts/run.py can be used"), yet the frontmatter allowed-tools does not declare shell:WRITE. This is a doc-to-metadata mismatch.
Evidence: python3 "{baseDir}/scripts/run.py" --input <输入文件> --output <输出文件>
→ Add shell:WRITE to the frontmatter allowed-tools mapping if shell execution is a supported execution path.

Severity: Info | Finding: Credential-pattern scanning in pattern_audit mode | Category: sensitive access | Location: scripts/run.py:150
run.py defines a PATTERNS dict including a 'secret_like' regex to detect API keys and tokens. This is a security-audit feature (not exfiltration) that reads files looking for leaked secrets. The behavior is benign but accesses file content for pattern matching.
Evidence: "secret_like": r"(api[_-]?key|token|secret|password)\s*[:=]\s*['\"]?[A-Za-z0-9_\-]{8,}"
→ This is legitimate defensive scanning. No action needed; it matches the skill_audit mode documented in spec.json.
Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | NONE | WRITE | ✗ exceeds declaration | scripts/run.py:262 — output_path.write_text(rendered)
Command execution | NONE | WRITE | ✗ exceeds declaration | SKILL.md:31 — '如运行环境允许 shell / exec,可使用 python3 scripts/run.py ...' (i.e. "if the runtime environment allows shell / exec, python3 scripts/run.py ... can be used")
Network access | NONE | NONE | | No network calls in run.py; only file I/O and regex scanning
Environment variables | NONE | NONE | | run.py imports os but only for Path operations; no os.environ iteration
Skill invocation | NONE | NONE | | No inter-skill invocation
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | NONE | | No browser automation
Database | NONE | NONE | | No database access
External URLs (1 finding)

Severity: Medium | Type: External URL | Location: SKILL.md:6
https://example.invalid/skills/landing-page-angle-tester

Directory structure

9 files · 20.6 KB · 561 lines
Python 1 file · 282 lines; Markdown 7 files · 243 lines; JSON 1 file · 36 lines
├─ 📁 examples
│ ├─ 📝 example-input.md Markdown 18L · 613 B
│ └─ 📝 example-output.md Markdown 24L · 616 B
├─ 📁 resources
│ ├─ 📋 spec.json JSON 36L · 913 B
│ └─ 📝 template.md Markdown 23L · 904 B
├─ 📁 scripts
│ └─ 🐍 run.py Python 282L · 11.1 KB
├─ 📁 tests
│ └─ 📝 smoke-test.md Markdown 34L · 888 B
├─ 📝 README.md Markdown 70L · 2.2 KB
├─ 📝 SELF_CHECK.md Markdown 19L · 1.1 KB
└─ 📝 SKILL.md Markdown 55L · 2.3 KB

Dependency analysis (1)

Package | Version | Source | Known vulnerabilities | Notes
python3 (stdlib only) | any | stdlib | | No third-party packages — uses only the Python standard library (argparse, csv, json, os, re, sys, pathlib, collections)

Security highlights

✓ No external network requests or C2 communication detected
✓ No base64-encoded execution, eval(), or obfuscation present
✓ No curl|bash or wget|sh remote script execution
✓ No credential harvesting or exfiltration — PATTERNS are for scanning, not stealing
✓ No hidden HTML content or prompt injection detected
✓ No unauthorized access to ~/.ssh, ~/.aws, .env, or other sensitive paths
✓ Python standard library only — no third-party dependencies
✓ Script is well-structured with proper argument parsing and error handling
✓ Intentions clearly documented: read-only by default, explicit dry-run support
✓ SELF_CHECK.md self-assessment correctly identifies the skill's safe nature