Low risk (risk score 15/100)
Last scanned: 1 day ago
flyai-packing-list
Scenario-based intelligent packing list generator. Based on the destination, travel dates, purpose of the trip and travel companions, combined with FlyAI real-time search of destination information, it generates a personalized, categorized packing list.
Purely documentation-based skill with no executable code. Minor security concern around NODE_TLS_REJECT_UNAUTHORIZED=0 usage, but this is documented and necessary for FlyAI CLI functionality in certain network environments.
Skill name: flyai-packing-list
Analysis time: 33.9s
Engine: pi
Verdict: safe to install
Accept for use. Consider documenting the TLS bypass rationale and ensuring FlyAI CLI is from a trusted source.

Security findings: 2

Severity | Finding | Location

Low | User profile file access (category: sensitive access) | reference/user-profile-storage.md:45
  Skill reads/writes user travel preferences to ~/.flyai/user-profile.md. This is expected behavior for a travel assistant and does not constitute credential theft since it stores user-declared preferences only.
  Evidence: ~/.flyai/user-profile.md
  → No action needed - this is intended functionality

Low | TLS verification bypass documented (category: supply chain) | SKILL.md:82
  The skill sets NODE_TLS_REJECT_UNAUTHORIZED=0 to bypass SSL certificate verification when calling FlyAI CLI. This is documented behavior and appears necessary for the tool to function in certain network environments (e.g., corporate proxies, development environments with self-signed certs).
  Evidence: NODE_TLS_REJECT_UNAUTHORIZED=0 flyai keyword-search
  → Document the specific reason for the TLS bypass and consider using proper certificate configuration if possible
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | READ | READ | ✓ Consistent | SKILL.md: Reads ~/.flyai/user-profile.md for user preferences
Network access | READ | READ | ✓ Consistent | SKILL.md: Calls FlyAI CLI for search operations
Command execution | WRITE | WRITE | ✓ Consistent | SKILL.md: Executes npm install and flyai commands via shell
Environment variables | READ | READ | ✓ Consistent | SKILL.md: Sets NODE_TLS_REJECT_UNAUTHORIZED=0 environment variable
External URLs: 4 findings

Medium | External URL | https://nodejs.org/ | SKILL.md:57
Medium | External URL | https://registry.npmmirror.com | SKILL.md:59
Medium | External URL | https://img.alicdn.com/... | reference/search-hotel.md:44
Medium | External URL | https://img.alicdn.com/tfscom/... | reference/search-poi.md:32

Directory structure

11 files · 25.8 KB · 888 lines
Markdown: 11 files · 888 lines
├─ 📁 reference
│ ├─ 📝 ai-search.md Markdown 26L · 659 B
│ ├─ 📝 keyword-search.md Markdown 53L · 1.6 KB
│ ├─ 📝 search-flight.md Markdown 87L · 3.0 KB
│ ├─ 📝 search-hotel.md Markdown 57L · 1.8 KB
│ ├─ 📝 search-marriott-hotel.md Markdown 54L · 1.8 KB
│ ├─ 📝 search-marriott-package.md Markdown 40L · 995 B
│ ├─ 📝 search-poi.md Markdown 47L · 2.2 KB
│ ├─ 📝 search-train.md Markdown 77L · 2.6 KB
│ ├─ 📝 tools.md Markdown 34L · 782 B
│ └─ 📝 user-profile-storage.md Markdown 187L · 4.1 KB
└─ 📝 SKILL.md Markdown 226L · 6.5 KB

Security highlights

✓ Pure documentation skill with no executable code (100% Markdown files)
✓ All declared capabilities align with inferred capabilities
✓ No credential harvesting or data exfiltration detected
✓ No obfuscation techniques present
✓ No access to sensitive system paths (~/.ssh, ~/.aws, .env)
✓ No base64-encoded payloads or eval() calls
✓ No reverse shell or C2 communication patterns
✓ User profile storage is appropriate for a travel assistant skill