安全决策报告

affiliate-skills

Name: affiliate-skills 可信度判断报告
Item: affiliate-skills
Rating: 60
Author: ClawSafe

Skill contains documented but risky curl|bash remote execution pattern for Bun installation, with legitimate but undeclared shell spawning. No malicious behavior detected, but the execution patterns warrant caution.

安装决策优先来源: 手动上传扫描时间: 2026/4/3

文件 149

IOC 97

越权项 2

发现 3

最直接的威胁证据

为什么得出这个结论

2/4 个维度触发

阻止

声明与实际能力

发现 2 项声明之外的能力或越权行为。

阻止

隐藏执行与外联

提取到 5 个高危 IOC 或外联信号。

通过

攻击链与高危发现

没有形成明确的恶意路径。

复核

依赖与供应链卫生

发现 1 项需要关注的依赖或供应链线索。

风险分是怎么被拉高的

Remote script execution via curl|bash +20

SKILL.md:39 instructs 'curl -fsSL https://bun.sh/install | bash' for Bun installation. Pattern is documented but uses dangerous pipe-to-shell execution.

Undeclared shell spawning +10

tools/src/cli.ts:78 uses Bun.spawn() to start daemon. Not declared in allowed-tools (only Bash, Read declared).

Hardcoded IP addresses +5

GitHub Pages IPs hardcoded at github-pages-deployer/SKILL.md:182-185. Legitimate use case but creates maintenance risk if GitHub changes IPs.

API key access undeclared in capability mapping +5

AFFITOR_API_KEY access via process.env in server.ts not documented in SKILL.md allowed-tools section.

最关键的证据

中危

Remote Script Execution via Pipe-to-Shell

SKILL.md instructs users to run 'curl -fsSL https://bun.sh/install | bash' for Bun installation. While documented and for a legitimate purpose, this pattern is a known attack vector.

SKILL.md:39

Replace with verified installation method: check for bun in PATH first, then guide user to official package managers (npm install -g bun, brew install bun, etc.)

低危

Hardcoded GitHub Pages IP Addresses

GitHub's A record IPs are hardcoded in documentation. These are legitimate GitHub infrastructure IPs, but hardcoding creates maintenance risk if GitHub updates them.

skills/distribution/github-pages-deployer/SKILL.md:182

Link to official GitHub documentation instead: https://docs.github.com/en/pages/configuring-a-custom-domain-for-your-github-pages-site

低危

Process Environment Access Without Declaration

The daemon reads AFFITOR_API_KEY from process.env but this capability is not declared in SKILL.md allowed-tools section.

tools/src/server.ts:26

Document environment variable access in SKILL.md or add 'Read' to allowed-tools for environment access

声明能力 vs 实际能力

文件系统 通过

声明 READ

→

推断 READ

SKILL.md:6 declares Read tool

命令执行 通过

声明 WRITE

→

推断 WRITE

SKILL.md:6 declares Bash tool; CLI spawns bun daemon

网络访问 阻止

声明 NONE

→

推断 READ

tools/src/cli.ts:78, tools/src/api.ts:6 - Makes fetch calls to localhost and list.affitor.com without declaration

环境变量 阻止

声明 NONE

→

推断 READ

tools/src/server.ts:26 reads AFFITOR_API_KEY from process.env

可疑产物与外联

严重危险命令

curl -fsSL https://bun.sh/install | bash

SKILL.md:39

高危 IP 地址

185.199.108.153

skills/distribution/github-pages-deployer/SKILL.md:182

高危 IP 地址

185.199.109.153

skills/distribution/github-pages-deployer/SKILL.md:183

高危 IP 地址

185.199.110.153

skills/distribution/github-pages-deployer/SKILL.md:184

高危 IP 地址

185.199.111.153

skills/distribution/github-pages-deployer/SKILL.md:185

中危外部 URL

https://list.affitor.com/api/v1

API.md:5

中危外部 URL

https://list.affitor.com/settings

API.md:13

中危外部 URL

https://heygen.com

API.md:59

中危外部 URL

https://list.affitor.com/api/v1/programs?q=AI+video&sort=top&limit=5

API.md:196

中危外部 URL

https://list.affitor.com/api/v1/programs?q=AI&reward_type=cps_recurring&min_cookie_days=30&sort=top&limit=20

API.md:204

中危外部 URL

https://list.affitor.com/api/v1/programs/3f2a1b4c-0000-0000-0000-000000000000

API.md:212

中危外部 URL

https://list.affitor.com/api/v1/programs

API.md:223

依赖与供应链

包名	版本	来源	漏洞	备注
bun	`*`	runtime	否	Bun runtime required but not pinned as dependency

文件构成

149 个文件 · 22579 行

Markdown 92 个文件 · 17452 行HTML 3 个文件 · 1294 行JSON 4 个文件 · 1281 行TypeScript 5 个文件 · 856 行Shell 2 个文件 · 721 行Text 32 个文件 · 672 行

需关注文件 · 3

skills/landing/landing-page-creator/templates/comparison.html HTML · 540 行

https://www.heygen.com/?ref=YOUR_AFFILIATE_ID · https://www.synthesia.io · https://www.colossyan.com

scripts/distribute.sh Shell · 507 行

https://skills.sh/$REPO · https://supertools.therundown.ai/submit · https://producthunt.com/posts/new

README.md Markdown · 303 行

https://img.shields.io/badge/License-MIT-blue.svg · https://img.shields.io/badge/skills-45-brightgreen · https://img.shields.io/badge/standard-agentskills.io-purple · https://agentskills.io · https://affitor.com

其他文件 · registry.json · evals.json · SKILL.md · SKILL.md · SKILL.md · SKILL.md +3

149 文件 · 907.4 KB · 22579 行

Markdown 92f · 17452LHTML 3f · 1294LJSON 4f · 1281LTypeScript 5f · 856LShell 2f · 721LText 32f · 672LJavaScript 2f · 263LYAML 9f · 40L

├─ ▾ 📁 docs

│ ├─ ▾ 📁 launch-content

│ │ ├─ 📝 devto-article.md Markdown 71L · 2.6 KB

│ │ ├─ 📝 linkedin-post.md Markdown 33L · 1.1 KB

│ │ ├─ 📝 reddit-claudeai.md Markdown 38L · 1.4 KB

│ │ ├─ 📝 show-hn.md Markdown 24L · 1.2 KB

│ │ └─ 📝 twitter-thread.md Markdown 56L · 1.6 KB

│ ├─ ▾ 📁 pr-templates

│ │ ├─ 📝 awesome-list-pr-body.md Markdown 28L · 818 B

│ │ └─ 📝 list-entries.md Markdown 19L · 1.6 KB

│ ├─ 📝 affiliate-funnel-overview.md Markdown 94L · 3.1 KB

│ ├─ 📝 distribution-strategy.md Markdown 227L · 13.7 KB

│ ├─ 📝 sdd-review-prompt.md Markdown 227L · 12.3 KB

│ └─ 📝 skill-roadmap.md Markdown 99L · 6.8 KB

├─ ▾ 📁 evals

│ └─ 📋 evals.json JSON 540L · 29.5 KB

├─ ▾ 📁 platforms

│ ├─ 📝 chatgpt.md Markdown 82L · 3.1 KB

│ ├─ 📝 cursor.md Markdown 99L · 2.8 KB

│ ├─ 📝 gemini.md Markdown 90L · 3.4 KB

│ └─ 📝 openclaw.md Markdown 142L · 4.6 KB

├─ ▾ 📁 prompts

│ └─ 📝 bootstrap.md Markdown 105L · 5.8 KB

├─ ▾ 📁 scripts

│ ├─ 🔧 distribute.sh Shell 507L · 17.2 KB

│ ├─ 📜 fix-frontmatter.js JavaScript 148L · 5.8 KB

│ ├─ 📜 generate-registry.js JavaScript 115L · 4.1 KB

│ └─ 🔧 run-evals.sh Shell 214L · 6.7 KB

├─ ▾ 📁 shared

│ └─ ▾ 📁 references

│ ├─ 📝 affiliate-glossary.md Markdown 50L · 3.0 KB

│ ├─ 📝 affitor-branding.md Markdown 42L · 1.0 KB

│ ├─ 📝 case-studies.md Markdown 84L · 4.1 KB

│ ├─ 📝 flywheel-connections.md Markdown 114L · 6.3 KB

│ ├─ 📝 ftc-compliance.md Markdown 69L · 2.6 KB

│ ├─ 📝 offer-frameworks.md Markdown 126L · 4.9 KB

│ ├─ 📝 platform-rules.md Markdown 49L · 2.8 KB

│ ├─ 📋 sample-api-response.json JSON 126L · 4.4 KB

│ └─ 📝 seo-strategy.md Markdown 138L · 5.4 KB

├─ ▾ 📁 skills

│ ├─ ▾ 📁 analytics

│ │ ├─ ▾ 📁 ab-test-generator

│ │ │ ├─ 📄 LICENSE.txt Text 21L · 1.0 KB

│ │ │ └─ 📝 SKILL.md Markdown 201L · 8.6 KB

│ │ ├─ ▾ 📁 conversion-tracker

│ │ │ ├─ ▾ 📁 agents

│ │ │ │ └─ 📋 openai.yaml YAML 3L · 143 B

│ │ │ ├─ ▾ 📁 references

│ │ │ │ └─ 📝 tracking-templates.md Markdown 59L · 2.4 KB

│ │ │ ├─ 📄 LICENSE.txt Text 21L · 1.0 KB

│ │ │ └─ 📝 SKILL.md Markdown 201L · 8.3 KB

│ │ ├─ ▾ 📁 internal-linking-optimizer

│ │ │ └─ 📝 SKILL.md Markdown 222L · 7.8 KB

│ │ ├─ ▾ 📁 performance-report

│ │ │ ├─ ▾ 📁 agents

│ │ │ │ └─ 📋 openai.yaml YAML 3L · 138 B

│ │ │ ├─ ▾ 📁 references

│ │ │ │ └─ 📝 benchmarks.md Markdown 58L · 2.8 KB

│ │ │ ├─ 📄 LICENSE.txt Text 21L · 1.0 KB

│ │ │ └─ 📝 SKILL.md Markdown 225L · 9.8 KB

│ │ └─ ▾ 📁 seo-audit

│ │ ├─ 📄 LICENSE.txt Text 21L · 1.0 KB

│ │ └─ 📝 SKILL.md Markdown 232L · 9.6 KB

│ ├─ ▾ 📁 automation

│ │ ├─ ▾ 📁 content-repurposer

│ │ │ ├─ 📄 LICENSE.txt Text 21L · 1.0 KB

│ │ │ └─ 📝 SKILL.md Markdown 204L · 8.8 KB

│ │ ├─ ▾ 📁 email-automation-builder

│ │ │ ├─ 📄 LICENSE.txt Text 21L · 1.0 KB

│ │ │ └─ 📝 SKILL.md Markdown 218L · 9.9 KB

│ │ ├─ ▾ 📁 multi-program-manager

│ │ │ ├─ 📄 LICENSE.txt Text 21L · 1.0 KB

│ │ │ └─ 📝 SKILL.md Markdown 220L · 9.2 KB

│ │ ├─ ▾ 📁 paid-ad-copy-writer

│ │ │ ├─ 📄 LICENSE.txt Text 21L · 1.0 KB

│ │ │ └─ 📝 SKILL.md Markdown 258L · 10.5 KB

│ │ └─ ▾ 📁 proprietary-data-generator

│ │ └─ 📝 SKILL.md Markdown 238L · 9.5 KB

│ ├─ ▾ 📁 blog

│ │ ├─ ▾ 📁 affiliate-blog-builder

│ │ │ ├─ ▾ 📁 agents

│ │ │ │ └─ 📋 openai.yaml YAML 6L · 265 B

│ │ │ ├─ ▾ 📁 references

│ │ │ │ ├─ 📝 blog-templates.md Markdown 320L · 7.8 KB

│ │ │ │ ├─ 📝 seo-checklist.md Markdown 131L · 5.3 KB

│ │ │ │ └─ 📝 wordpress-deploy.md Markdown 149L · 5.3 KB

│ │ │ ├─ 📄 LICENSE.txt Text 21L · 1.0 KB

│ │ │ └─ 📝 SKILL.md Markdown 358L · 16.6 KB

│ │ ├─ ▾ 📁 comparison-post-writer

│ │ │ ├─ 📄 LICENSE.txt Text 21L · 1.0 KB

│ │ │ └─ 📝 SKILL.md Markdown 350L · 14.0 KB

│ │ ├─ ▾ 📁 content-decay-detector

│ │ │ └─ 📝 SKILL.md Markdown 228L · 8.0 KB

│ │ ├─ ▾ 📁 content-moat-calculator

│ │ │ └─ 📝 SKILL.md Markdown 238L · 8.8 KB

│ │ ├─ ▾ 📁 how-to-tutorial-writer

│ │ │ ├─ 📄 LICENSE.txt Text 21L · 1.0 KB

│ │ │ └─ 📝 SKILL.md Markdown 349L · 14.2 KB

│ │ ├─ ▾ 📁 keyword-cluster-architect

│ │ │ └─ 📝 SKILL.md Markdown 254L · 9.4 KB

│ │ └─ ▾ 📁 listicle-generator

│ │ ├─ 📄 LICENSE.txt Text 21L · 1.0 KB

│ │ └─ 📝 SKILL.md Markdown 336L · 13.7 KB

│ ├─ ▾ 📁 content

│ │ ├─ ▾ 📁 content-pillar-atomizer

│ │ │ └─ 📝 SKILL.md Markdown 266L · 9.3 KB

│ │ ├─ ▾ 📁 reddit-post-writer

│ │ │ ├─ 📄 LICENSE.txt Text 21L · 1.0 KB

│ │ │ └─ 📝 SKILL.md Markdown 373L · 14.7 KB

│ │ ├─ ▾ 📁 tiktok-script-writer

│ │ │ ├─ 📄 LICENSE.txt Text 21L · 1.0 KB

│ │ │ └─ 📝 SKILL.md Markdown 329L · 11.8 KB

│ │ ├─ ▾ 📁 twitter-thread-writer

│ │ │ ├─ 📄 LICENSE.txt Text 21L · 1.0 KB

│ │ │ └─ 📝 SKILL.md Markdown 328L · 12.7 KB

│ │ └─ ▾ 📁 viral-post-writer

│ │ ├─ ▾ 📁 agents

│ │ │ └─ 📋 openai.yaml YAML 6L · 178 B

│ │ ├─ ▾ 📁 references

│ │ │ ├─ 📝 platform-specs.md Markdown 130L · 5.4 KB

│ │ │ └─ 📝 viral-frameworks.md Markdown 306L · 8.4 KB

│ │ ├─ 📄 LICENSE.txt Text 21L · 1.0 KB

│ │ └─ 📝 SKILL.md Markdown 308L · 12.2 KB

│ ├─ ▾ 📁 distribution

│ │ ├─ ▾ 📁 bio-link-deployer

│ │ │ ├─ ▾ 📁 agents

│ │ │ │ └─ 📋 openai.yaml YAML 5L · 218 B

│ │ │ ├─ ▾ 📁 references

│ │ │ │ └─ 📝 domain-setup.md Markdown 81L · 3.1 KB

│ │ │ ├─ ▾ 📁 templates

│ │ │ │ └─ 📄 bio-link.html HTML 319L · 9.5 KB

│ │ │ ├─ 📄 LICENSE.txt Text 21L · 1.0 KB

│ │ │ └─ 📝 SKILL.md Markdown 260L · 10.6 KB

│ │ ├─ ▾ 📁 email-drip-sequence

│ │ │ ├─ 📄 LICENSE.txt Text 21L · 1.0 KB

│ │ │ └─ 📝 SKILL.md Markdown 266L · 11.9 KB

│ │ ├─ ▾ 📁 github-pages-deployer

│ │ │ ├─ 📄 LICENSE.txt Text 21L · 1.0 KB

│ │ │ └─ 📝 SKILL.md Markdown 352L · 13.5 KB

│ │ └─ ▾ 📁 social-media-scheduler

│ │ ├─ 📄 LICENSE.txt Text 21L · 1.0 KB

│ │ └─ 📝 SKILL.md Markdown 285L · 12.6 KB

│ ├─ ▾ 📁 landing

│ │ ├─ ▾ 📁 bonus-stack-builder

│ │ │ └─ 📝 SKILL.md Markdown 220L · 8.8 KB

│ │ ├─ ▾ 📁 grand-slam-offer

│ │ │ └─ 📝 SKILL.md Markdown 269L · 10.6 KB

│ │ ├─ ▾ 📁 guarantee-generator

│ │ │ └─ 📝 SKILL.md Markdown 219L · 8.0 KB

│ │ ├─ ▾ 📁 landing-page-creator

│ │ │ ├─ ▾ 📁 agents

│ │ │ │ └─ 📋 openai.yaml YAML 6L · 253 B

│ │ │ ├─ ▾ 📁 references

│ │ │ │ └─ 📝 conversion-principles.md Markdown 142L · 5.2 KB

│ │ │ ├─ ▾ 📁 templates

│ │ │ │ ├─ 📄 comparison.html HTML 540L · 17.2 KB

│ │ │ │ └─ 📄 single-product.html HTML 435L · 13.3 KB

│ │ │ ├─ 📄 LICENSE.txt Text 21L · 1.0 KB

│ │ │ └─ 📝 SKILL.md Markdown 324L · 14.3 KB

│ │ ├─ ▾ 📁 product-showcase-page

│ │ │ ├─ ▾ 📁 references

│ │ │ │ └─ 📝 conversion-principles.md Markdown 142L · 5.2 KB

│ │ │ ├─ 📄 LICENSE.txt Text 21L · 1.0 KB

│ │ │ └─ 📝 SKILL.md Markdown 341L · 14.1 KB

│ │ ├─ ▾ 📁 squeeze-page-builder

│ │ │ ├─ ▾ 📁 references

│ │ │ │ └─ 📝 conversion-principles.md Markdown 142L · 5.2 KB

│ │ │ ├─ 📄 LICENSE.txt Text 21L · 1.0 KB

│ │ │ └─ 📝 SKILL.md Markdown 322L · 14.1 KB

│ │ ├─ ▾ 📁 value-ladder-architect

│ │ │ └─ 📝 SKILL.md Markdown 248L · 9.9 KB

│ │ └─ ▾ 📁 webinar-registration-page

│ │ ├─ ▾ 📁 references

│ │ │ └─ 📝 conversion-principles.md Markdown 142L · 5.2 KB

│ │ ├─ 📄 LICENSE.txt Text 21L · 1.0 KB

│ │ └─ 📝 SKILL.md Markdown 391L · 17.1 KB

│ ├─ ▾ 📁 meta

│ │ ├─ ▾ 📁 category-designer

│ │ │ └─ 📝 SKILL.md Markdown 230L · 9.4 KB

│ │ ├─ ▾ 📁 compliance-checker

│ │ │ ├─ ▾ 📁 agents

│ │ │ │ └─ 📋 openai.yaml YAML 3L · 131 B

│ │ │ ├─ 📄 LICENSE.txt Text 21L · 1.0 KB

│ │ │ └─ 📝 SKILL.md Markdown 200L · 9.0 KB

│ │ ├─ ▾ 📁 funnel-planner

│ │ │ ├─ 📄 LICENSE.txt Text 21L · 1.0 KB

│ │ │ └─ 📝 SKILL.md Markdown 208L · 8.8 KB

│ │ ├─ ▾ 📁 self-improver

│ │ │ ├─ 📄 LICENSE.txt Text 21L · 1.0 KB

│ │ │ └─ 📝 SKILL.md Markdown 228L · 10.1 KB

│ │ └─ ▾ 📁 skill-finder

│ │ ├─ ▾ 📁 agents

│ │ │ └─ 📋 openai.yaml YAML 3L · 106 B

│ │ ├─ 📄 LICENSE.txt Text 21L · 1.0 KB

│ │ └─ 📝 SKILL.md Markdown 167L · 6.6 KB

│ └─ ▾ 📁 research

│ ├─ ▾ 📁 affiliate-program-search

│ │ ├─ ▾ 📁 agents

│ │ │ └─ 📋 openai.yaml YAML 5L · 297 B

│ │ ├─ ▾ 📁 references

│ │ │ ├─ 📝 list-affitor-api.md Markdown 111L · 3.2 KB

│ │ │ ├─ 📝 platform-rules.md Markdown 49L · 2.8 KB

│ │ │ └─ 📝 scoring-criteria.md Markdown 115L · 5.1 KB

│ │ ├─ 📄 LICENSE.txt Text 21L · 1.0 KB

│ │ └─ 📝 SKILL.md Markdown 230L · 9.2 KB

│ ├─ ▾ 📁 commission-calculator

│ │ ├─ 📄 LICENSE.txt Text 21L · 1.0 KB

│ │ └─ 📝 SKILL.md Markdown 333L · 13.1 KB

│ ├─ ▾ 📁 competitor-spy

│ │ ├─ 📄 LICENSE.txt Text 21L · 1.0 KB

│ │ └─ 📝 SKILL.md Markdown 300L · 12.2 KB

│ ├─ ▾ 📁 monopoly-niche-finder

│ │ └─ 📝 SKILL.md Markdown 226L · 8.8 KB

│ ├─ ▾ 📁 niche-opportunity-finder

│ │ ├─ 📄 LICENSE.txt Text 21L · 1.0 KB

│ │ └─ 📝 SKILL.md Markdown 263L · 10.6 KB

│ └─ ▾ 📁 purple-cow-audit

│ └─ 📝 SKILL.md Markdown 211L · 8.2 KB

├─ ▾ 📁 spec

│ └─ 📝 README.md Markdown 51L · 2.0 KB

├─ ▾ 📁 template

│ └─ 📝 SKILL.md Markdown 146L · 3.4 KB

├─ ▾ 📁 tools

│ └─ ▾ 📁 src

│ ├─ 📜 api.ts TypeScript 113L · 3.1 KB

│ ├─ 📜 cache.ts TypeScript 61L · 1.6 KB

│ ├─ 📜 cli.ts TypeScript 242L · 7.3 KB

│ ├─ 📜 format.ts TypeScript 142L · 4.8 KB

│ └─ 📜 server.ts TypeScript 298L · 8.7 KB

├─ 📝 API.md Markdown 304L · 8.6 KB

├─ 📝 CLAUDE.md Markdown 78L · 4.2 KB

├─ 📝 CONTRIBUTING.md Markdown 109L · 4.2 KB

├─ 📝 QUICKSTART.md Markdown 137L · 5.1 KB

├─ 📝 README.md Markdown 303L · 14.2 KB

├─ 📝 SKILL.md Markdown 112L · 3.3 KB

├─ 📋 package.json JSON 12L · 359 B

└─ 📋 registry.json JSON 603L · 36.4 KB

安全亮点

No base64, eval(), or obfuscated code patterns found

No credential exfiltration detected - AFFITOR_API_KEY only used locally for API auth

No access to sensitive paths (~/.ssh, ~/.aws, .env files)

No external C2 communications or suspicious network activity

Network requests limited to expected endpoints (127.0.0.1, list.affitor.com)

All dependencies declared, MIT licensed, no malicious packages

Skills generate content for user copy-paste, not automatic file writes

Distribution script requires explicit user interaction before execution