Trusted: risk score 5/100
Last scanned: 21 hours ago
dida-coach
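A task coach that combines a productivity management system with the Dida execution layer. It handles goal breakdown, timebox scheduling, a management perspective, commitment tracking, and focus reviews, along with more natural task query, creation, update, and closure support.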
Legitimate productivity coaching skill that manages a local task/goal system using Dida365 MCP and local file storage. All operations are clearly documented, purpose-built for task management, and use standard library APIs with no shell execution, credential exfiltration, or obfuscation.
Skill name: dida-coach
Analysis time: 49.0s
Engine: pi
Can be installed
This skill is safe to use. No action required.
| Resource type | Declared permission | Inferred permission | Status | Evidence |
| --- | --- | --- | --- | --- |
| File system | WRITE | WRITE | ✓ Consistent | SKILL.md declares writes to ~/.dida-coach/productivity/; tools/productivity_syst… |
| Network access | READ | READ | ✓ Consistent | tools/openapi_auth.py uses urllib.request to POST credentials to official Dida36… |
| Command execution | NONE | NONE | | No subprocess, os.system, or shell execution found across all 12 Python files |
| Environment variables | READ | READ | ✓ Consistent | tools/config_manager.py reads DIDA_COACH_* env vars for path overrides; no itera… |
| Skill invocation | NONE | NONE | | No cross-skill invocation or tool remapping observed |
| Clipboard | NONE | NONE | | No clipboard access detected |
| Browser | NONE | NONE | | scripts/dida_openapi_oauth.py uses webbrowser.open() for OAuth flow initiation o… |
| Database | NONE | NONE | | No database access detected |
10 findings

Medium severity, external URL: https://img.shields.io/github/stars/siyuanfeng636-cpu/dida365-coach-skills?style=social (README.md:3)
Medium severity, external URL: https://img.shields.io/badge/License-MIT-yellow.svg (README.md:4)
Medium severity, external URL: https://opensource.org/licenses/MIT (README.md:4)
Medium severity, external URL: https://img.shields.io/badge/version-v1.2.0-blue.svg (README.md:5)
Medium severity, external URL: https://mcp.dida365.com/oauth/authorize (README.md:134)
Medium severity, external URL: https://mcp.dida365.com (README.md:165)
Medium severity, external URL: https://developer.dida365.com/docs#/openapi (references/openapi-auth-setup.md:14)
Medium severity, external URL: https://context7.com/mcp (tests/test_regressions.py:168)
Medium severity, external URL: https://dida365.com/oauth/authorize (tests/test_regressions.py:202)
Medium severity, external URL: https://api.dida365.com/oauth/token (tools/openapi_auth.py:19)

Directory structure

37 files · 152.4 KB · 4505 lines
Python 12f · 2522L; Markdown 22f · 1851L; YAML 3f · 132L
├─ 📁 agents
│ └─ 📋 openai.yaml YAML 15L · 561 B
├─ 📁 prompts
│ ├─ 📁 coach_personas
│ │ ├─ 📝 humorous.md Markdown 27L · 734 B
│ │ ├─ 📝 rational_analyst.md Markdown 26L · 732 B
│ │ ├─ 📝 strict_coach.md Markdown 27L · 656 B
│ │ └─ 📝 warm_encouraging.md Markdown 27L · 788 B
│ ├─ 📝 checkpoint.md Markdown 77L · 2.3 KB
│ ├─ 📝 closure.md Markdown 57L · 1.4 KB
│ ├─ 📝 daily_review.md Markdown 68L · 1.8 KB
│ ├─ 📝 monthly_review.md Markdown 69L · 1.5 KB
│ ├─ 📝 productivity_management.md Markdown 131L · 4.0 KB
│ ├─ 📝 rescheduling.md Markdown 54L · 1.5 KB
│ ├─ 📝 setup.md Markdown 115L · 4.9 KB
│ ├─ 📝 system.md Markdown 98L · 6.6 KB
│ ├─ 📝 task_breakdown.md Markdown 77L · 1.9 KB
│ ├─ 📝 task_management.md Markdown 160L · 3.9 KB
│ ├─ 📝 timebox_creation.md Markdown 91L · 2.9 KB
│ └─ 📝 weekly_review.md Markdown 71L · 1.7 KB
├─ 📁 references
│ ├─ 📝 dida-field-semantics.md Markdown 51L · 1.7 KB
│ ├─ 📝 mcp-client-setup.md Markdown 132L · 3.3 KB
│ ├─ 📝 mcp-tool-routing.md Markdown 107L · 4.0 KB
│ └─ 📝 openapi-auth-setup.md Markdown 56L · 1.8 KB
├─ 📁 scripts
│ └─ 🐍 dida_openapi_oauth.py Python 71L · 1.9 KB
├─ 📁 tests
│ └─ 🐍 test_regressions.py Python 456L · 19.3 KB
├─ 📁 tools
│ ├─ 🐍 __init__.py Python 104L · 2.6 KB
│ ├─ 🐍 config_manager.py Python 107L · 3.2 KB
│ ├─ 🐍 dida_semantics.py Python 108L · 2.6 KB
│ ├─ 🐍 mcp_client.py Python 227L · 8.2 KB
│ ├─ 🐍 openapi_auth.py Python 205L · 6.1 KB
│ ├─ 🐍 productivity_system.py Python 519L · 17.2 KB
│ ├─ 🐍 review_analyzer.py Python 229L · 7.3 KB
│ ├─ 🐍 task_parser.py Python 248L · 7.9 KB
│ ├─ 🐍 timebox_calculator.py Python 175L · 5.5 KB
│ └─ 🐍 work_method_recommender.py Python 73L · 2.6 KB
├─ 📋 config.yaml YAML 77L · 1.6 KB
├─ 📝 README.md Markdown 245L · 8.1 KB
├─ 📝 SKILL.md Markdown 85L · 7.7 KB
└─ 📋 skill.yaml YAML 40L · 2.0 KB

Security highlights

✓ No shell execution: All Python files use standard library only (urllib, pathlib, json, yaml) with no subprocess, os.system, or popen calls
✓ No credential exfiltration: tools/openapi_auth.py stores tokens locally via write_openapi_env() to ~/.dida-coach/dida-openapi.env; no network exfiltration of credentials
✓ No obfuscation: All code is readable plain Python with no base64-encoded payloads, eval(), or exec() calls
✓ No hidden functionality: Every file's behavior matches its documentation in SKILL.md
✓ Legitimate OAuth flow: tools/openapi_auth.py uses standard urllib with Dida365's official OAuth endpoints (api.dida365.com/oauth/token) with proper state validation
✓ Local-only credential storage: Credentials never leave the machine; stored in ~/.dida-coach/ directory only
✓ All IOCs are benign: External URLs found are all legitimate Dida365 official endpoints (developer.dida365.com, mcp.dida365.com, api.dida365.com)
✓ No sensitive path access: No access to ~/.ssh, ~/.aws, .env files beyond the skill's own credential file
✓ No remote code execution: MCP configuration writes are local JSON edits only, no download-and-execute patterns