Trusted — Risk Score 5/100
Last scan: 2 days ago
Qutedance Quotes
Real-time quote lookup for A-shares, Hong Kong stocks and futures, with sector gainer/loser rankings
Qutedance Quotes is a legitimate stock/commodity quote query skill with no malicious behavior detected — all functionality is accurately declared, no shell execution, credential harvesting, or hidden operations.
Skill Name: Qutedance Quotes
Duration: 23.2s
Engine: pi
Safe to install
No blocking action needed. Consider pinning the Node.js fetch dependency version and migrating the API key to an environment variable for production hardening.

Findings (1 item)

Severity: Low
Finding: API key field in config.json
The config.json contains an `apiKey` field with an empty string. SKILL.md acknowledges this and recommends environment variables. No credential exfiltration risk since the value is empty.
"apiKey": ""
→ Keep apiKey empty and rely on the QUTEDANCE_API_KEY environment variable in production.
Location: config.json:2
Resource | Declared | Inferred | Status | Evidence
Network | READ | READ | ✓ Aligned | scripts/qutedance-quotes.js:55 — fetch GET to quotedance service URL
Filesystem | NONE | READ | ✓ Aligned | scripts/qutedance-quotes.js:18 — reads config.json only for configuration
Shell | NONE | NONE | | No subprocess, exec, or shell invocation detected
Environment | NONE | READ | ✓ Aligned | scripts/qutedance-quotes.js:26 — reads QUTEDANCE_API_KEY env var as fallback; do…
1 finding
Severity: Medium
Finding: External URL
https://quotedance.api.gapgap.cc
Location: SKILL.md:19

File Tree

3 files · 11.3 KB · 441 lines
JavaScript: 1 file, 281 lines · Markdown: 1 file, 150 lines · JSON: 1 file, 10 lines
├─ 📁 scripts
│ └─ 📜 qutedance-quotes.js JavaScript 281L · 7.5 KB
├─ 🔑 config.json JSON 10L · 137 B
└─ 📝 SKILL.md Markdown 150L · 3.6 KB

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
node (built-in fetch) | N/A | Node.js built-in (no external deps) | No | No external npm dependencies; uses the native fetch API introduced in Node.js 18+

Security Positives

✓ No shell or subprocess execution — script uses only Node.js built-in fetch API
✓ No filesystem write operations — only reads config.json
✓ No credential harvesting — API key is service-scoped and not exfiltrated
✓ No base64, eval, or dynamic code execution
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No remote script download (curl|bash, wget|sh)
✓ No hidden HTML comments or steganographic content
✓ All capabilities match SKILL.md declarations — doc-to-code is consistent
✓ Timeout enforced on network requests (15s AbortController)
✓ Clean, well-structured Node.js with no obfuscation