中文 EN

Scan Report

Scan New Files

Trusted — Risk Score 5/100
Last scan:2 days ago Rescan
5 /100
design-norm-quantity
度量衡测不准关键因子配比估量估价系统 v3.3 - Construction cost estimation with Monte Carlo simulation
Legitimate construction cost estimation system with no malicious behavior detected. All functionality is declared and serves legitimate engineering purposes.
Skill Namedesign-norm-quantity
Duration46.7s
Enginepi
Safe to install
This skill is safe to use. The web crawling and PDF download capabilities are explicitly declared and serve the stated purpose of fetching official construction cost data and international QS standards.

Findings 4 items

Severity Finding Location
Info
Web Crawling Declared
The crawler functionality for fetching official construction cost data from Chinese government websites is explicitly documented in SKILL.md
深圳市建设工程造价管理站, 广州市建设工程造价管理站, 苏州市工程造价协会
→ No action needed - this is the intended functionality
 scripts/crawler.py:1
Info
International Standards Download
PDF downloads from RICS, Arcadis, HKIS and other legitimate industry bodies are documented
RICS New Rules of Measurement, Arcadis Cost Handbook
→ No action needed - legitimate industry standards
 scripts/download_international_qs.py:33
Info
Local Data Storage
SQLite database created in ~/.workbuddy/data/ for storing cost indices - standard application data storage pattern
DEFAULT_DATA_DIR = os.path.join(os.path.expanduser('~'), '.workbuddy', 'data')
→ No action needed - appropriate use of user home directory
 scripts/db_connector.py:34
Low
HTTP URLs in Crawler
Some government URLs use HTTP instead of HTTPS (common in China)
http://www.gzgzc.com.cn
→ Consider using HTTPS where available for better security
 scripts/crawler.py
ResourceDeclaredInferredStatusEvidence
Filesystem READ READ ✓ Aligned SKILL.md declares reference data access, code reads JSON files from references/ …
Network READ READ ✓ Aligned crawler.py and download_international_qs.py explicitly declared with URLs to gov…
Shell NONE NONE No subprocess or shell execution found in any script
Environment NONE NONE No os.environ access for credential harvesting
Database READ READ ✓ Aligned db_connector.py creates local SQLite database in ~/.workbuddy/data/ for cost ind…
14 findings
🔗
Medium External URL 外部 URL
https://www.szjs.gov.cn
scripts/crawler.py:137
🔗
Medium External URL 外部 URL
http://www.gzgzc.com.cn
scripts/crawler.py:150
🔗
Medium External URL 外部 URL
http://szgczjxh.com
scripts/crawler.py:163
🔗
Medium External URL 外部 URL
https://www.gldcost.com/
scripts/crawler.py:189
🔗
Medium External URL 外部 URL
https://api.gldcost.com/v1/indicator
scripts/crawler.py:195
🔗
Medium External URL 外部 URL
https://www.rics.org/content/dam/ricsglobal/documents/standards/nrm_1_order_of_cost_estimating_and_cost_planning_2nd_edi...
scripts/download_international_qs.py:33
🔗
Medium External URL 外部 URL
https://www.rics.org/content/dam/ricsglobal/documents/standards/october_2021_nrm_2.pdf
scripts/download_international_qs.py:38
🔗
Medium External URL 外部 URL
https://edshare.gcu.ac.uk/3948/2/PDF/NRM24~27.pdf
scripts/download_international_qs.py:43
🔗
Medium External URL 外部 URL
https://www.rics.org/content/dam/ricsglobal/documents/standards/Cost-analysis-and-benchmarking_2nd-edition.pdf
scripts/download_international_qs.py:50
🔗
Medium External URL 外部 URL
https://media.arcadis.com/-/media/project/arcadiscom/com/perspectives/asia/publications/cch/2025/2025-cnhk-cost-handbook...
scripts/download_international_qs.py:57
🔗
Medium External URL 外部 URL
https://wwvv.hkis.org.hk/ufiles/QS-costplans2016.pdf
scripts/download_international_qs.py:64
🔗
Medium External URL 外部 URL
https://dlsconsultant.com/wp-content/uploads/2024/02/DLS-Quarterly-Report-Q1-2023-20250509.pdf
scripts/download_international_qs.py:71
🔗
Medium External URL 外部 URL
https://www.iqytechnicalcollege.com/quantitysurveyorspocketbook.pdf
scripts/download_international_qs.py:78
🔗
Medium External URL 外部 URL
https://assets.thalia.media/doc/artikel/cfb/b63/cfbb6327f516071fbfc2bc715c9b854000f165f5.pdf
scripts/download_international_qs.py:85

File Tree

25 files · 455.5 KB · 10375 lines
Python 16f · 7170L JSON 6f · 1651L Markdown 3f · 1554L
├─ 📁 references
│ ├─ 📋 building-norms.json JSON 106L · 3.8 KB
│ ├─ 📋 design-quantity-ratios.json JSON 148L · 8.1 KB
│ ├─ 📋 innovative-ratios-v2.json JSON 655L · 39.4 KB
│ ├─ 📋 material-factors-v3.json JSON 544L · 23.7 KB
│ ├─ 📋 mep-quantity-ratios.json JSON 108L · 6.0 KB
│ └─ 📋 region-adjustments.json JSON 90L · 5.1 KB
├─ 📁 scripts
│ ├─ 🐍 crawler.py Python 348L · 11.7 KB
│ ├─ 🐍 data_calibrator.py Python 338L · 12.1 KB
│ ├─ 🐍 db_connector.py Python 598L · 24.2 KB
│ ├─ 🐍 download_international_qs.py Python 230L · 7.3 KB
│ ├─ 🐍 global_engineering_qs.py Python 803L · 27.9 KB
│ ├─ 🐍 interactive_demo.py Python 648L · 29.3 KB
│ ├─ 🐍 international_qs_methods.py Python 379L · 14.4 KB
│ ├─ 🐍 material_factor_engine.py Python 621L · 23.4 KB
│ ├─ 🐍 quantity_estimator_v2.py Python 1049L · 46.3 KB
│ ├─ 🐍 quantity_estimator.py Python 389L · 18.5 KB
│ ├─ 🐍 run_demo.py Python 232L · 7.7 KB
│ ├─ 🐍 test_calibrator.py Python 47L · 1.4 KB
│ ├─ 🐍 test_estimator_v2.py Python 36L · 928 B
│ ├─ 🐍 test_v32.py Python 64L · 1.9 KB
│ ├─ 🐍 uncertainty_calculator.py Python 493L · 20.3 KB
│ └─ 🐍 uncertainty_estimator.py Python 895L · 35.4 KB
├─ 📝 PROTOCOL.md Markdown 998L · 70.0 KB
├─ 📝 README.md Markdown 154L · 4.2 KB
└─ 📝 SKILL.md Markdown 402L · 12.6 KB

Dependencies 2 items

PackageVersionSourceKnown VulnsNotes
requests * pip No Standard HTTP library, version not pinned but no known vulnerabilities exploited
sqlite3 builtin stdlib No Python standard library

Security Positives

✓ No base64 encoded payloads or obfuscated code
✓ No reverse shell, C2, or data exfiltration mechanisms
✓ No credential harvesting from environment variables
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No eval() or dynamic code execution
✓ No remote script execution (curl|bash, wget|sh)
✓ All network activity is explicitly documented in SKILL.md
✓ Uses standard, well-known libraries (requests, sqlite3)
✓ Legitimate engineering cost estimation functionality
✓ Industry-standard Monte Carlo simulation implementation