Scan Report
0/100
save-all-resource
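Opens a visible browser, lets the user browse the target site manually, and while they browse continuously listens for same-origin raw response content, writing it to a local desktop directory in real time.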
save-all-resource is a legitimate Puppeteer-based web scraping skill that faithfully implements its documented behavior: opening a visible browser, listening to same-origin HTTP responses, and saving them to ~/Desktop. All declared capabilities match the implementation with no hidden functionality.
Safe to install
No action needed. The skill is safe for use as described in SKILL.md.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Aligned | fs.writeFileSync throughout; ~/Desktop/{domain} output — declared in SKILL.md ('… |
| Network | READ | READ | ✓ Aligned | page.goto + response interception via Puppeteer — declared in SKILL.md ('continuously listen for same-origin… |
| Browser | WRITE | WRITE | ✓ Aligned | puppeteer.launch({ headless: false }) — declared in SKILL.md ('Open a visible browser') |
| Shell | WRITE | WRITE | ✓ Aligned | node scripts/main.js invocation — declared in SKILL.md ('Run: node scripts/main.js… |
4 findings
| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://www.google.com/ | SKILL.md:13 |
| Medium | External URL | https://site.com/ | scripts/main.js:94 |
| Medium | External URL | https://site.com/ai/login/ | scripts/main.js:95 |
| Medium | External URL | https://site.com/comments/123 | scripts/main.js:96 |
File Tree
4 files · 48.6 KB · 1438 lines
JSON 2f · 1145L
JavaScript 1f · 241L
Markdown 1f · 52L
├─ scripts
│  ├─ main.js (JavaScript)
│  ├─ package-lock.json (JSON)
│  └─ package.json (JSON)
└─ SKILL.md (Markdown)
Dependencies 1 item
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| puppeteer | ^24.39.1 | npm | No | Major version pinned. Standard Chromium automation library. |
Security Positives
✓ All capabilities declared in SKILL.md match implementation exactly
✓ No base64-encoded strings, eval(), or obfuscation techniques present
✓ No credential harvesting, API key scanning, or environment variable iteration
✓ No curl|bash or wget|sh remote script execution
✓ No hardcoded malicious URLs or C2 infrastructure
✓ No supply chain risks: puppeteer is a widely-used, reputable library with pinned major version
✓ Saves only GET requests with 200-399 status codes (no POST/PUT data exfiltration)
✓ Origin-domain restriction prevents cross-site saving
✓ Special protocols (blob:, data:, chrome-extension:) are explicitly skipped
✓ Clean exit on tab close and SIGINT, no background persistence
✓ No ~/.ssh, ~/.aws, .env, or other sensitive path access