Scan Report
5/100
hyfceph
Run the HYFCeph cephalometric workflow through the HYFCeph portal with an API key by uploading one or two local lateral ceph images
HYFCeph is a legitimate medical cephalometric analysis skill that uploads user-provided images to a remote API and renders analysis results. All capabilities are properly declared, and the flagged base64 IOCs are standard image data handling—not obfuscation.
Safe to install
No action required. The skill operates as documented.
Findings 2 items
| Severity | Finding | Location |
|---|---|---|
| Low | Base64 IOCs are legitimate image decoding (Doc Mismatch) | scripts/hyfceph-service-client.mjs:110 |
| Low | Verbose SKILL.md with no security-relevant hidden behavior (Doc Mismatch) | SKILL.md:1 |
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ+WRITE | READ+WRITE | ✓ Aligned | SKILL.md declares local image upload and result file persistence; code reads use… |
| Network | READ | READ | ✓ Aligned | All fetch() calls go exclusively to https://hyfceph.52ortho.com/ API endpoint; n… |
| Shell | WRITE | WRITE | ✓ Aligned | SKILL.md declares 'node scripts/hyfceph-service-client.mjs' execution; no hidden… |
| Environment | NONE | READ | ✓ Aligned | hyfceph-service-client.mjs:292 reads HYFCEPH_API_KEY, HYFCEPH_PORTAL_BASE_URL, H… |
8 findings (3 Critical)
| Severity | Category | Match | Location |
|---|---|---|---|
| Critical | Encoded Execution (Base64 encoded execution, code obfuscation) | `Buffer.from(base64, 'base64'` | scripts/hyfceph-service-client.mjs:110 |
| Critical | Encoded Execution (Base64 encoded execution, code obfuscation) | `Buffer.from(artifacts.annotatedSvgBase64, 'base64'` | scripts/hyfceph-service-client.mjs:596 |
| Critical | Encoded Execution (Base64 encoded execution, code obfuscation) | `Buffer.from(artifacts.contourSvgBase64, 'base64'` | scripts/hyfceph-service-client.mjs:605 |
| Medium | External URL | https://hyfceph.52ortho.com/ | SKILL.md:39 |
| Medium | External URL | http://www.w3.org/2000/svg | scripts/hyfceph-report-pdf.mjs:1946 |
| Medium | External URL | http://www.d-project.com/ | scripts/vendor/qrcode.mjs:7 |
| Medium | External URL | http://www.opensource.org/licenses/mit-license.php | scripts/vendor/qrcode.mjs:10 |
| Medium | External URL | http://www.denso-wave.com/qrcode/faqpatent-e.html | scripts/vendor/qrcode.mjs:14 |
File Tree
5 files · 173.9 KB · 5314 lines (JavaScript: 3 files, 5121 lines; Markdown: 1 file, 189 lines; YAML: 1 file, 4 lines)
```text
├─ agents
│  └─ openai.yaml (YAML)
├─ scripts
│  ├─ vendor
│  │  └─ qrcode.mjs (JavaScript)
│  ├─ hyfceph-report-pdf.mjs (JavaScript)
│  └─ hyfceph-service-client.mjs (JavaScript)
└─ SKILL.md (Markdown)
```
Dependencies 1 item
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| qrcode.mjs | unversioned (bundled) | local vendor | No | Open-source QR code library, no external dependencies |
Security Positives
✓ All shell execution is declared and uses the documented node script entry point
✓ Network requests are confined to a single, legitimate medical API endpoint (https://hyfceph.52ortho.com/)
✓ API key is stored locally in ~/.codex/state/hyfceph-auth.json with user consent and validation
✓ Base64 usage is exclusively for decoding server-returned image data (PNG/SVG), not for executing encoded payloads
✓ No eval(), no exec() with user input, no curl|bash patterns, no direct IP connections
✓ No access to ~/.ssh, ~/.aws, .env, or other sensitive credential paths
✓ No obfuscation, no steganography, no suspicious HTML comments
✓ No persistence mechanisms beyond legitimate state file storage
✓ PDF generation uses Chrome headless (documented) with graceful fallback
✓ Vendor library qrcode.mjs is a standard open-source QR code generator with no malicious modifications