Low risk: risk score 20/100
Last scan: 1 day ago
Torrent Search Skill
Searches BT4G for torrent files and outputs magnet links with public trackers, optionally adding them directly to qBittorrent
A legitimate torrent search and qBittorrent integration skill with minor security flaws (hardcoded credentials, undocumented allowed-tools references) but no malicious behavior detected.
Skill name: Torrent Search Skill
Analysis time: 39.8s
Engine: pi
Verdict: can be installed
The hardcoded qBittorrent credentials should be moved to environment variables. Consider declaring the full toolset (browser, filesystem, network, shell) used by this skill in SKILL.md for full transparency.

Security findings (3)

Severity: Low
Finding: Hardcoded qBittorrent credentials (category: credential theft)
Location: add_to_qbittorrent.py:29
qBittorrent WebUI username and password are hardcoded as string literals in add_to_qbittorrent.py. While they target a localhost-only service (not exposed externally), hardcoding credentials is a poor security practice.
QB_USER = "admin"
QB_PASS = "adminadmin"
→ Move credentials to environment variables (os.environ.get('QB_USER'), os.environ.get('QB_PASS')) with a fallback warning

Severity: Low
Finding: Browser tool usage undeclared in allowed-tools (category: documentation deception)
Location: SKILL.md:62
SKILL.md instructs the agent to use the browser tool extensively (open, snapshot, act), but the skill declares no allowed-tools. The browser:WRITE capability should be declared in _meta.json or within SKILL.md for transparency.
browser(action="open", profile="my-daily-chrome", url=...)
→ Declare browser:WRITE in the skill's allowed-tools metadata

Severity: Low
Finding: Hardcoded local path references (category: sensitive access)
Location: torrent_search.py:78
Both Python scripts hardcode Windows paths (C:\butler_sumo\), which leak information about the host environment. This is minor but contributes to information disclosure.
output_dir = r"C:\butler_sumo\docs\torrent"
→ Use a configurable path or environment variable for the output directory
Permissions (resource type / declared permission / inferred permission / status / evidence)
Browser: declared NONE, inferred WRITE, ✓ consistent; evidence SKILL.md:62: browser(action="open", profile="my-daily-chrome", ...)
Filesystem: declared NONE, inferred WRITE, ✓ consistent; evidence torrent_search.py:95: os.makedirs(output_dir, exist_ok=True)
Network access: declared NONE, inferred READ, ✓ consistent; evidence add_to_qbittorrent.py:67: requests.Session POST to localhost:8080
Command execution: declared NONE, inferred NONE; no shell execution found in any file
External URLs (12 findings, all rated medium)
Medium, external URL: https://bt4gprx.com/search?q=關鍵字 (SKILL.md:24)
Medium, external URL: https://tracker.zhuqiy.com:443/announce (SKILL.md:168)
Medium, external URL: https://tracker.pmman.tech:443/announce (SKILL.md:169)
Medium, external URL: https://tracker.nekomi.cn:443/announce (SKILL.md:170)
Medium, external URL: https://tracker.moeblog.cn:443/announce (SKILL.md:171)
Medium, external URL: https://tracker.bt4g.com:443/announce (SKILL.md:172)
Medium, external URL: http://tracker.opentrackr.org:1337/announce (add_to_qbittorrent.py:38)
Medium, external URL: http://tracker.torrent.eu.org:451/announce (add_to_qbittorrent.py:39)
Medium, external URL: https://tracker.lilith档.com:443/announce (add_to_qbittorrent.py:40)
Medium, external URL: https://tr.highhopes.xyz:443/announce (add_to_qbittorrent.py:41)
Medium, external URL: https://t.trackers.net:443/announce (add_to_qbittorrent.py:42)
Medium, external URL: https://bt4gprx.com/search?q= (torrent_search.py:89)

Directory structure

4 files · 24.8 KB · 774 lines
Python: 2 files · 433 lines; Markdown: 2 files · 341 lines
├─ 🐍 add_to_qbittorrent.py Python 280L · 9.7 KB
├─ 📝 SKILL_zh.md Markdown 128L · 3.7 KB
├─ 📝 SKILL.md Markdown 213L · 6.1 KB
└─ 🐍 torrent_search.py Python 153L · 5.3 KB

Dependency analysis (1)

Package: requests
Version: unspecified
Source: import only
Known vulnerabilities: none listed
Notes: No requirements.txt; requests is a standard library-equivalent import. Version not pinned, but it is only used for localhost HTTP calls.

Security highlights

✓ No shell command execution, subprocess, or os.system calls found
✓ No credential exfiltration or data theft behavior
✓ No base64 encoding, obfuscation, or anti-analysis techniques
✓ No remote script download (curl|bash, wget|sh)
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No environment variable iteration for key harvesting
✓ Network requests are limited to localhost (qBittorrent WebUI) and legitimate torrent tracker domains
✓ All functionality aligns with the stated torrent-search purpose