Skill Trust Decision
buymeacoffee-autobot
Shell skill: contains only documentation and no actual code; the declared credential-collection behaviour has no implementing code as evidence; the documentation seriously mismatches the claimed functionality.
Most direct threat evidence
Why this conclusion was reached
1/4 dimensions flagged
Block · Declared vs actual capability
1 undeclared or violating capability was inferred.
Review · Hidden execution and egress
2 lower-risk artifacts were extracted and still need context.
Pass · Attack chain and severe findings
There is no explicit malicious chain in the report.
Review · Dependencies and supply chain hygiene
Dependency information is incomplete, so supply-chain confidence stays limited.
What drove the risk score up
Severe documentation/behaviour mismatch +20
SKILL.md declares several script files that do not actually exist.
Credential collection declared +15
Asks the user to store BMC_EMAIL and BMC_PASSWORD but does not state how they are handled.
No auditable code +10
Contains only `pass` placeholder functions, no actual implementation.
Most important evidence
Medium · Doc Mismatch
Declared scripts do not exist
SKILL.md declares script files such as scripts/bmc_autoposter.py, scripts/autoposter.py and scripts/supporter_thanker.py, but the file list contains no scripts directory at all.
SKILL.md:17 · Ask the developer to supply the actual code before re-evaluating.
Medium · Doc Mismatch
Declared configuration does not exist
Claims a config/content_calendar.json configuration file that does not actually exist.
SKILL.md:55 · Confirm whether the file exists.
Medium · Doc Mismatch
Credential collection unexplained
Requires the user to set the BMC_EMAIL and BMC_PASSWORD environment variables, but the documentation does not say how these credentials are stored, used or protected.
SKILL.md:64 · State explicitly that the credentials are never sent off the host, or use a safer authentication method.
Low · Doc Mismatch
Empty implementation functions
The code sample contains only `pass` placeholders with no functional implementation.
SKILL.md:21 · Provide actual, working implementation code.
Declared capability vs actual capability
Filesystem · Pass · Declared NONE → Inferred NONE · no script files
Network · Pass · Declared NONE → Inferred NONE · no code implementation
Shell · Pass · Declared NONE → Inferred NONE · no code implementation
credential · Block · Declared NONE → Inferred READ · SKILL.md:64 asks the user to provide credentials without explanation
Suspicious artifacts and egress
Medium · External URL · https://buymeacoffee.com · SKILL.md:62
Medium · External URL · https://ko-fi.com · SKILL.md:62
Dependencies and supply chain
There are no structured dependency warnings.
File composition
1 file · 72 lines
Markdown · 1 file · 72 lines
Files of concern · 1
SKILL.md · Declared scripts do not exist · Declared configuration does not exist · Credential collection unexplained · Empty implementation functions · https://buymeacoffee.com · https://ko-fi.com
Security positives
No actual malicious code that could execute
No file-write or network-communication implementation
No obfuscation or encoded execution
Pre-scan found no sensitive IOCs