Low Risk — Risk Score 15/100
Last scan: 19 hr ago
wechat-xhs-publisher
One-click publishing tool for WeChat Official Accounts and Xiaohongshu
A legitimate WeChat/Xiaohongshu publishing workflow tool with no malicious behavior; lacks declared permissions in frontmatter but no actual security violations detected.
Skill Name: wechat-xhs-publisher
Duration: 23.2s
Engine: pi
Safe to install
Add allowed-tools declaration to SKILL.md frontmatter for transparency, even though no code execution or credential handling is present.

Findings: 1 item

Severity Finding Location
Low
Missing allowed-tools declaration Doc Mismatch
SKILL.md frontmatter lacks allowed-tools declaration, making it unclear what permissions this skill requests. However, analysis shows no actual dangerous operations occur.
---
name: wechat-xhs-publisher
...
---
→ Add 'allowed-tools' declaration to frontmatter for transparency, e.g., allowed-tools: {Read: filesystem:READ}
SKILL.md:1
| Resource | Declared | Inferred | Status | Evidence |
| --- | --- | --- | --- | --- |
| Filesystem | NONE | NONE | | No file operations in implementation |
| Network | NONE | NONE | | Delegates to other skills for network operations |
| Shell | NONE | NONE | | No shell execution in code |
| Environment | NONE | NONE | | No environment variable access |
| Skill Invoke | NONE | READ | ✓ Aligned | Invokes wechat-ip-checker, baoyu-post-to-wechat, xiaohongshu MCP - declared in d… |
| Clipboard | NONE | NONE | | No clipboard access |
| Browser | NONE | NONE | | No browser automation |
| Database | NONE | NONE | | No database access |
1 finding
Medium External URL
https://www.ip38.com/
SKILL.md:75

File Tree

1 files · 3.9 KB · 150 lines
Markdown 1f · 150L
└─ 📝 SKILL.md Markdown 150L · 3.9 KB

Security Positives

✓ No code execution or shell commands present
✓ No credential harvesting or sensitive data access
✓ No base64 encoded or obfuscated content
✓ No network requests to suspicious endpoints
✓ Relies on documented external skills for functionality
✓ No supply chain dependencies to analyze
✓ No hidden functionality or shadow behavior