Trusted — Risk score 5/100
Last scanned: 20 hours ago
fb-video-downloader
Download Facebook videos, Reels, and Stories in HD quality via savefbs.com API
A straightforward Facebook video downloader that uses a third-party API (savefbs.com) to retrieve download links, with no malicious behavior, credential access, or hidden functionality.
Skill name: fb-video-downloader
Analysis time: 36.7s
Engine: pi
Safe to install
No action needed. The skill performs exactly what it declares — fetches video download links from a public API and returns them. The hardcoded IP 120.0.0.0 flagged in pre-scan appears in a non-executable context and does not represent a network IOC.

Security findings: 2

Severity | Finding | Location
Low
Minor data collection not disclosed in SKILL.md (category: Documentation deception)
fetch_fb_video.py lines 38-41 set Accept headers and lines 45-47 perform a session-establishing GET request to collect cookies before the API call. SKILL.md states 'no data collection' and 'privacy-first'. While this is standard HTTP behavior (not malicious), it contradicts the stated privacy claims.
headers = { 'User-Agent': ..., 'Accept': ..., 'Origin': ..., 'Referer': ... }
→ Update SKILL.md to accurately reflect that the script sends standard HTTP headers and may set session cookies when connecting to the savefbs.com API.
scripts/fetch_fb_video.py:38
Info
requests library version not pinned (category: Supply chain)
fetch_fb_video.py imports 'requests' without version pinning. No requirements.txt or dependency manifest exists.
import requests
→ Add a requirements.txt with pinned versions for reproducibility.
scripts/fetch_fb_video.py:4
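Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | NONE | NONE | | No filesystem access in fetch_fb_video.py
Network access | READ | READ | ✓ Consistent | Lines 45-51: GET to savefbs.com and POST to savefbs.com/api/v1/aio/search — decl…
Command execution | NONE | NONE | | No subprocess or shell execution
Environment variables | NONE | NONE | | No os.environ access
Skill invocation | NONE | NONE | | No skill invocation
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | NONE | | No browser automation
Database | NONE | NONE | | No database access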
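Pre-scan indicators: 1 high-risk, 5 findings

Severity | Type | Description | Value | Location
High | IP address | Hardcoded IP address | 120.0.0.0 | scripts/fetch_fb_video.py:27
Medium | External URL | External URL | https://www.facebook.com/watch?v=123456789 | SKILL.md:42
Medium | External URL | External URL | https://savefbs.com | scripts/fetch_fb_video.py:30
Medium | External URL | External URL | https://savefbs.com/ | scripts/fetch_fb_video.py:31
Medium | External URL | External URL | https://savefbs.com/api/v1/aio/search | scripts/fetch_fb_video.py:42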

Directory structure

2 files · 6.6 KB · 228 lines
Python 1f · 122L Markdown 1f · 106L
├─ 📁 scripts
│ └─ 🐍 fetch_fb_video.py Python 122L · 3.7 KB
└─ 📝 SKILL.md Markdown 106L · 2.9 KB

Dependency analysis: 1 item

Package | Version | Source | Known vulnerabilities | Notes
requests | unpinned | import | | No requirements.txt; requests is imported without version pinning

Security highlights

✓ No credential theft — script never accesses environment variables, SSH keys, AWS credentials, or .env files
✓ No code execution — no subprocess, eval, base64 decode, or shell command invocation
✓ No data exfiltration — all network IOCs point exclusively to savefbs.com, exactly as declared in SKILL.md
✓ No obfuscation — no base64, no encoded payloads, no anti-analysis techniques
✓ No persistence mechanisms — no cron jobs, startup scripts, or backdoor installations
✓ No sensitive path access — no reads of ~/.ssh, ~/.aws, .env, or similar credential-adjacent paths
✓ No prompt injection — no hidden instructions or jailbreak content in documentation
✓ Inferred capabilities match declared capabilities for all 8 resources