Trusted — Risk Score 5/100
Last scan: 18 hr ago
fb-video-downloader
Download Facebook videos, Reels, and Stories in HD quality via savefbs.com API
A straightforward Facebook video downloader that uses a third-party API (savefbs.com) to retrieve download links, with no malicious behavior, credential access, or hidden functionality.
Skill Name: fb-video-downloader
Duration: 36.7s
Engine: pi
Safe to install
No action needed. The skill performs exactly what it declares: it fetches video download links from a public API and returns them. The hardcoded IP 120.0.0.0 flagged in pre-scan appears in a non-executable context and does not represent a network IOC.

Findings 2 items

Severity Finding Location
Low
Minor data collection not disclosed in SKILL.md [Doc Mismatch]
fetch_fb_video.py lines 38-41 set Accept headers and lines 45-47 perform a session-establishing GET request to collect cookies before the API call. SKILL.md states 'no data collection' and 'privacy-first'. While this is standard HTTP behavior (not malicious), it contradicts the stated privacy claims.
headers = { 'User-Agent': ..., 'Accept': ..., 'Origin': ..., 'Referer': ... }
→ Update SKILL.md to accurately reflect that the script sends standard HTTP headers and may set session cookies when connecting to the savefbs.com API.
scripts/fetch_fb_video.py:38
Info
requests library version not pinned [Supply Chain]
fetch_fb_video.py imports 'requests' without version pinning. No requirements.txt or dependency manifest exists.
import requests
→ Add a requirements.txt with pinned versions for reproducibility.
scripts/fetch_fb_video.py:4
Resource Declared Inferred Status Evidence
Filesystem NONE NONE No filesystem access in fetch_fb_video.py
Network READ READ ✓ Aligned Lines 45-51: GET to savefbs.com and POST to savefbs.com/api/v1/aio/search — decl…
Shell NONE NONE No subprocess or shell execution
Environment NONE NONE No os.environ access
Skill Invoke NONE NONE No skill invocation
Clipboard NONE NONE No clipboard access
Browser NONE NONE No browser automation
Database NONE NONE No database access
1 High 5 findings
High IP Address (hard-coded IP address)
120.0.0.0
scripts/fetch_fb_video.py:27
Medium External URL
https://www.facebook.com/watch?v=123456789
SKILL.md:42
Medium External URL
https://savefbs.com
scripts/fetch_fb_video.py:30
Medium External URL
https://savefbs.com/
scripts/fetch_fb_video.py:31
Medium External URL
https://savefbs.com/api/v1/aio/search
scripts/fetch_fb_video.py:42

File Tree

2 files · 6.6 KB · 228 lines
Python 1f · 122L Markdown 1f · 106L
├─ 📁 scripts
│ └─ 🐍 fetch_fb_video.py Python 122L · 3.7 KB
└─ 📝 SKILL.md Markdown 106L · 2.9 KB

Dependencies 1 item

Package Version Source Known Vulns Notes
requests unpinned import No No requirements.txt; requests is imported without version pinning

Security Positives

✓ No credential theft — script never accesses environment variables, SSH keys, AWS credentials, or .env files
✓ No code execution — no subprocess, eval, base64 decode, or shell command invocation
✓ No data exfiltration — all network IOCs point exclusively to savefbs.com, exactly as declared in SKILL.md
✓ No obfuscation — no base64, no encoded payloads, no anti-analysis techniques
✓ No persistence mechanisms — no cron jobs, startup scripts, or backdoor installations
✓ No sensitive path access — no reads of ~/.ssh, ~/.aws, .env, or similar credential-adjacent paths
✓ No prompt injection — no hidden instructions or jailbreak content in documentation
✓ Inferred capabilities match declared capabilities for all 8 resources