Scan Report
5 /100
蘭 Thai Massage Booking (蘭泰式按摩预约)
Provides booking services for 蘭 Thai massage, including store lookup, service lookup, and creating a booking.
A legitimate Thai massage (蘭泰式按摩) booking skill with clean, straightforward code. No shell execution, no credential access, no sensitive path traversal, and no data exfiltration. The only external network call is a documented POST to the booking API.
Safe to install
This skill is safe to use. No action required.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ | ✓ Aligned | index.js:5 — fs.readFileSync reads org_store.json and prod_service.json |
| Network | READ | WRITE | ✓ Aligned | index.js:96 — fetch POST to https://open.lannlife.com/mcp/book/create |
| Shell | NONE | NONE | — | No child_process, exec, spawn, or eval calls found |
| Environment | NONE | NONE | — | No os.environ or process.env access found |
| Skill Invoke | NONE | NONE | — | No recursive skill invocation |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser automation |
| Database | NONE | NONE | — | No database access |
1 finding
Medium: External URL
https://open.lannlife.com/mcp/book/create (SKILL.md:49)
File Tree
6 files · 44.6 KB · 1266 lines
JSON 3f · 574L
JavaScript 2f · 525L
Markdown 1f · 167L
├─ _meta.json (JSON)
├─ index.js (JavaScript)
├─ org_store.json (JSON)
├─ prod_service.json (JSON)
├─ SKILL.md (Markdown)
└─ test.js (JavaScript)
Dependencies 3 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| fs | built-in | Node.js core | No | Only reads static JSON files |
| path | built-in | Node.js core | No | Path resolution only |
| fetch | built-in | Node.js / Web API | No | Standard HTTP POST to documented endpoint |
Security Positives
✓ No shell execution (child_process, exec, spawn, eval) — code is purely JavaScript logic
✓ No credential harvesting — no access to ~/.ssh, ~/.aws, .env, or environment variables
✓ No sensitive path traversal — only reads two specific local JSON files in __dirname
✓ No base64/decode tricks — no obfuscated code or hidden payloads
✓ No remote code execution patterns — curl|bash, wget|sh, or eval(atob(...)) not present
✓ No data exfiltration — only POSTs booking data (mobile, store, service) to one documented API endpoint
✓ Input validation is comprehensive: phone number format, people count (1-20), ISO 8601 time, required string checks
✓ Smart matching provides safety against typosquatting of store/service names
✓ Dependencies: only Node.js built-in modules (fs, path) — no external npm packages with untracked vulnerabilities
✓ Full test suite in test.js for all major functions
✓ SKILL.md accurately documents all three capabilities and the external API endpoint