Trusted (risk score 0/100)
Last scanned: 21 hours ago
save-all-resource
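Opens a visible browser, lets the user browse the target site manually, continuously listens for same-origin raw response content while browsing, and writes it to a local desktop directory in real time.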
save-all-resource is a legitimate Puppeteer-based web scraping skill that faithfully implements its documented behavior: opening a visible browser, listening to same-origin HTTP responses, and saving them to ~/Desktop. All declared capabilities match the implementation with no hidden functionality.
Skill name: save-all-resource
Analysis time: 44.1s
Engine: pi
Can be installed
No action needed. The skill is safe for use as described in SKILL.md.
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | WRITE | WRITE | ✓ Consistent | fs.writeFileSync throughout; ~/Desktop/{domain} output — declared in SKILL.md ('… |
| Network access | READ | READ | ✓ Consistent | page.goto + response interception via Puppeteer — declared in SKILL.md ('持续监听同域原… |
| Browser | WRITE | WRITE | ✓ Consistent | puppeteer.launch({ headless: false }) — declared in SKILL.md ('打开一个可见浏览器') |
| Command execution | WRITE | WRITE | ✓ Consistent | node scripts/main.js invocation — declared in SKILL.md ('运行:node scripts/main.js… |
4 findings
Medium risk · External URL · https://www.google.com/ · SKILL.md:13
Medium risk · External URL · https://site.com/ · scripts/main.js:94
Medium risk · External URL · https://site.com/ai/login/ · scripts/main.js:95
Medium risk · External URL · https://site.com/comments/123 · scripts/main.js:96

Directory structure

4 files · 48.6 KB · 1438 lines
JSON: 2 files · 1145 lines; JavaScript: 1 file · 241 lines; Markdown: 1 file · 52 lines
├─ 📁 scripts
│ ├─ 📜 main.js JavaScript 241L · 6.5 KB
│ ├─ 📋 package-lock.json JSON 1134L · 40.1 KB
│ └─ 📋 package.json JSON 11L · 203 B
└─ 📝 SKILL.md Markdown 52L · 1.8 KB

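Dependency analysis: 1 item

| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| puppeteer | ^24.39.1 | npm | | Major version pinned. Standard Chromium automation library. |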

Security highlights

✓ All capabilities declared in SKILL.md match implementation exactly
✓ No base64-encoded strings, eval(), or obfuscation techniques present
✓ No credential harvesting, API key scanning, or environment variable iteration
✓ No curl|bash or wget|sh remote script execution
✓ No hardcoded malicious URLs or C2 infrastructure
✓ No supply chain risks: puppeteer is a widely-used, reputable library with pinned major version
✓ Saves only GET requests with 200-399 status codes (no POST/PUT data exfiltration)
✓ Origin-domain restriction prevents cross-site saving
✓ Special protocols (blob:, data:, chrome-extension:) are explicitly skipped
✓ Clean exit on tab close and SIGINT, no background persistence
✓ No ~/.ssh, ~/.aws, .env, or other sensitive path access