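Scan Report
15/100
AI Coach · Personal Triathlon Coach
Intelligently generates daily training plans and adjusts them dynamically based on your race goals and physical condition. Supports TrainingPeaks and Garmin data integration.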
Legitimate triathlon training coach skill with proper TrainingPeaks/Garmin integration. No malicious behavior detected; all operations align with documented functionality.
Safe to install
Accept for use. The skill requires filesystem:WRITE and network:READ for credential/token caching and API access, which are necessary for its legitimate fitness tracking features.
Security findings: 2
| Severity | Finding | Location |
|---|---|---|
| Medium | Plain-text credential storage in user_config.json | user_config.json |
| Low | Missing version pinning for garminconnect | SKILL.md:143 |
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Consistent | SKILL.md: Config, cookie, and token storage |
| Network access | READ | READ | ✓ Consistent | SKILL.md: TP and Garmin API integration |
| Command execution | NONE | NONE | — | No subprocess or shell execution found |
| Environment variables | READ | READ | ✓ Consistent | tp_client.py:15 - reads TP_AUTH_COOKIE env var |
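3 findings
| Severity | Type | Value | Location |
|---|---|---|---|
| Medium | External URL | https://tpstack.trainingpeaks.com | SKILL.md:31 |
| Medium | External URL | https://tpapi.trainingpeaks.com | scripts/tp_client.py:22 |
| Info | Email address | [email protected] | SKILL.md:69 |
Directory structure
5 files · 40.9 KB · 1260 lines
Python: 3 files · 1104 lines
Markdown: 1 file · 143 lines
JSON: 1 file · 13 lines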
├─ scripts
│  ├─ daily_plan.py (Python)
│  ├─ data_fetcher.py (Python)
│  └─ tp_client.py (Python)
├─ SKILL.md (Markdown)
└─ user_config.json (JSON)
Dependency analysis: 1 item
| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| garminconnect | * | pip | No | Version not pinned - consider pinning for reproducibility |
Security highlights
✓ No external script execution (curl|bash, wget|sh)
✓ No credential exfiltration or suspicious network destinations
✓ No base64 encoding, eval(), or obfuscated code
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ Token caching uses proper chmod 0o600 permissions
✓ No hidden functionality - all operations match documented behavior
✓ Standard library (urllib) used for HTTP requests, minimizing attack surface
✓ Rate limiting implemented (MIN_REQUEST_INTERVAL = 0.15s)