Scan Report
Score: 15 / 100
icosmos-shopify
Shopify store operations/diagnostics skill: pulls the store domain and token from Supabase, runs anomaly detection on theme, products, checkout and metrics, and supports publishing traffic-driving blog posts (the only write operation)
This is a documentation-only package (SKILL.md) with no executable code. Declared capabilities are reasonable for a Shopify read-only diagnostic tool with one documented write operation.
Verdict: can be installed
Request the actual implementation code/binary before trusting. The skill references a local `./icosmos-shopify` binary that does not exist in this package.
Security findings: 2

| Severity | Finding | Category | Location |
|---|---|---|---|
| Low | Package contains no executable code | Documentation deception | SKILL.md:40 |
| Low | User credentials stored to environment variables | Sensitive access | SKILL.md:36 |
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | NONE | NONE | — | No code to analyze |
| Network access | READ | READ | ✓ Consistent | Shopify API calls declared in SKILL.md |
| Command execution | NONE | NONE | — | References ./icosmos-shopify binary but file absent |
| Environment variables | READ+WRITE | READ+WRITE | ✓ Consistent | SKILL.md line 36: 'both fields need to be saved to system environment variables' |
| Database | READ | READ | ✓ Consistent | Supabase sync declared in setup flow |
| Skill invocation | NONE | NONE | — | N/A |
| Clipboard | NONE | NONE | — | N/A |
| Browser | NONE | NONE | — | N/A |
Other findings: 3

| Severity | Category | URL | Location |
|---|---|---|---|
| Medium | External URL | https://shopify.dev/docs/api/admin-graphql/latest | SKILL.md:76 |
| Medium | External URL | https://shopify.dev/docs/api/admin-rest/latest | SKILL.md:77 |
| Medium | External URL | https://shopify.dev/docs/api/storefront/latest | SKILL.md:78 |

Directory structure
1 file · 4.1 KB · 79 lines (Markdown)
└─ SKILL.md (Markdown)
Security highlights
✓ Declares read-only default; write operations limited to blog publish with --confirm flag
✓ Token sanitization declared: only first/last 4 characters shown in logs
✓ Sensitive order fields (email) masked by default
✓ No base64-encoded payloads, no curl|bash, no direct IP calls observed in docs
✓ No suspicious IOCs in documentation (legitimate Shopify dev URLs only)