Scan Report
5 / 100
Qutedance Quotes
Real-time quote lookup for A-shares, Hong Kong stocks and futures, with sector gainer/loser rankings
Qutedance Quotes is a legitimate stock/commodity quote query skill with no malicious behavior detected: all functionality is accurately declared, and there is no shell execution, credential harvesting, or hidden operation.
Safe to install
No blocking action needed. For production hardening, consider declaring the minimum Node.js version the skill requires (native fetch needs Node.js 18+; there is no external dependency to pin) and moving the API key out of config.json into the QUTEDANCE_API_KEY environment variable, which the script already reads as a fallback.
Security findings (1)
| Severity | Finding | Location |
|---|---|---|
| Low | API key stored in a field of config.json | config.json:2 |
Permission analysis
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Network access | READ | READ | ✓ Consistent | scripts/qutedance-quotes.js:55 — fetch GET to the quotedance service URL |
| File system | NONE | READ | ✓ Consistent | scripts/qutedance-quotes.js:18 — reads config.json only for configuration |
| Command execution | NONE | NONE | — | No subprocess, exec, or shell invocation detected |
| Environment variables | NONE | READ | ✓ Consistent | scripts/qutedance-quotes.js:26 — reads the QUTEDANCE_API_KEY env var as a fallback; do… |
External URLs (1 finding)
| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://quotedance.api.gapgap.cc | SKILL.md:19 |
Directory structure
3 files · 11.3 KB · 441 lines (JavaScript: 1 file, 281 lines; Markdown: 1 file, 150 lines; JSON: 1 file, 10 lines)
├─ scripts/
│  └─ qutedance-quotes.js   JavaScript
├─ config.json   JSON   ⚠ (low-severity finding: API key field)
└─ SKILL.md   Markdown
Dependency analysis (1)
| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| node (built-in fetch) | N/A | Node.js built-in (no external deps) | No | No external npm dependencies; uses the native fetch API available since Node.js 18 |
Security highlights
✓ No shell or subprocess execution — script uses only Node.js built-in fetch API
✓ No filesystem write operations — only reads config.json
✓ No credential harvesting — API key is service-scoped and not exfiltrated
✓ No base64, eval, or dynamic code execution
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No remote script download (curl|bash, wget|sh)
✓ No hidden HTML comments or steganographic content
✓ All capabilities match SKILL.md declarations — doc-to-code is consistent
✓ Timeout enforced on network requests (15s AbortController)
✓ Clean, well-structured Node.js with no obfuscation
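The hardening the recommendation above asks for (take the key from QUTEDANCE_API_KEY ahead of the config.json field, and fail early when native fetch is absent) together with the 15s AbortController deadline listed in the highlights, as an added example. This is not the skill's own code: the function names, the `apiKey` field name in config.json, sending the key in an Authorization header, and the stalled fake fetch used to exercise the deadline offline are all assumptions made for illustration.

```javascript
// Added example (not the skill's own code): the two hardening points the
// report raises, written as injectable helpers so they can be exercised
// offline. Assumed names: resolveApiKey, timeoutSignal, fetchWithTimeout,
// the `apiKey` field in config.json, and bearer-token transport of the key.
const ENV_KEY = "QUTEDANCE_API_KEY";   // env var the report says the script reads
const DEFAULT_TIMEOUT_MS = 15000;      // same 15s bound the report observed

// Native fetch exists only from Node.js 18; fail early with a clear message
// instead of a ReferenceError deep inside the request path.
function assertNativeFetch(globalObj = globalThis) {
  if (typeof globalObj.fetch !== "function") {
    throw new Error("Qutedance Quotes needs Node.js 18+ (native fetch)");
  }
  return true;
}

// Precedence: environment variable first, config.json field second.
// `env` and `config` are parameters so tests never touch the real process.
function resolveApiKey({ env = process.env, config = {} } = {}) {
  const fromEnv = typeof env[ENV_KEY] === "string" ? env[ENV_KEY].trim() : "";
  if (fromEnv !== "") return { key: fromEnv, source: "env" };
  const fromConfig = typeof config.apiKey === "string" ? config.apiKey.trim() : "";
  // Key on disk still works, but it is the weaker option: readable by other
  // local users, copied into backups, and easy to commit by accident.
  if (fromConfig !== "") return { key: fromConfig, source: "config.json" };
  return { key: null, source: null };
}

// Never log a full secret; keep only a short suffix for correlation.
function redact(secret) {
  if (!secret) return "(none)";
  return secret.length <= 4 ? "****" : "****" + secret.slice(-4);
}

// AbortController-backed deadline. cancel() must run once the request
// settles, otherwise the pending timer keeps the event loop alive.
function timeoutSignal(ms = DEFAULT_TIMEOUT_MS) {
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), ms);
  return { signal: controller.signal, cancel: () => clearTimeout(timer) };
}

// fetch rejects with an error named "AbortError" when its signal fires.
function isTimeout(err) {
  return Boolean(err) && err.name === "AbortError";
}

// GET with the key in an Authorization header (assumption) and a hard deadline.
// `fetchImpl` is injectable so the deadline can be tested without a network.
async function fetchWithTimeout(url, apiKey,
    { timeoutMs = DEFAULT_TIMEOUT_MS, fetchImpl = globalThis.fetch } = {}) {
  const { signal, cancel } = timeoutSignal(timeoutMs);
  try {
    const res = await fetchImpl(url, {
      method: "GET",
      headers: { Authorization: `Bearer ${apiKey}` },
      signal,
    });
    if (!res.ok) throw new Error(`quote service returned HTTP ${res.status}`);
    return await res.json();
  } finally {
    cancel();   // always clear the timer, on success, HTTP error or abort
  }
}

// Constructed stand-in for fetch that never answers but honours abort,
// so the timeout path can be demonstrated offline.
function stalledFetch(_url, { signal }) {
  return new Promise((_resolve, reject) => {
    signal.addEventListener("abort", () =>
      reject(Object.assign(new Error("request aborted"), { name: "AbortError" })));
  });
}
```

In the skill itself the call sequence would be `assertNativeFetch()`, then `resolveApiKey({ config })` with the parsed config.json, logging `redact(key)` and `source` rather than the key, and finally `fetchWithTimeout(url, key)` against the service URL named in SKILL.md; a caught error that satisfies `isTimeout` should be reported as a timeout rather than as a service failure.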