中文 EN

Scan Report

Scan New Files

Suspicious — Risk Score 40/100
Last scan:1 day ago Rescan
40 /100
birthday
中文农历/公历生日提醒管理,支持身份证生日提取与独立提醒天数
The birthday management skill contains undeclared network access (webhook, SMTP email) and shell execution (JS sendmail), with sensitive personal data capable of external transmission.
Skill Namebirthday
Duration55.3s
Enginepi
Use with caution
Update SKILL.md to explicitly declare network:WRITE capability if email/webhook channels are supported, or remove these features. Consider documenting the subprocess usage in JS version. Review whether email and webhook channels are essential features.

Findings 4 items

Severity Finding Location
Medium
Undeclared email notification channel Doc Mismatch
SKILL.md only documents 'agent' notification channel but Python implementation includes full SMTP email support via smtplib.SMTP. Email channel requires BIRTHDAY_SMTP_HOST, BIRTHDAY_SMTP_PORT, BIRTHDAY_SMTP_USERNAME, BIRTHDAY_SMTP_PASSWORD environment variables.
with smtplib.SMTP(host, port, timeout=10) as smtp:
    if channel.get('use_tls', True):
        smtp.starttls()
    username = channel.get('username')
    password = channel.get('password')
→ Add email channel documentation to SKILL.md if intentional, or remove smtplib code
 scripts/birthday_manager.py:309
Medium
Undeclared webhook notification channel Doc Mismatch
Python implementation includes webhook support via urllib.request that POSTs notification data to user-configured URLs. This is not documented in SKILL.md.
req = request.Request(channel['url'], data=payload, headers=headers, method='POST')
with request.urlopen(req, timeout=10):
→ Add webhook channel documentation to SKILL.md if intentional, or remove urllib.request code
 scripts/birthday_manager.py:316
Medium
Undeclared shell command execution (JS) Doc Mismatch
JavaScript implementation uses child_process.spawnSync to execute 'which sendmail' and sendmail binary for email notifications. This shell:WRITE capability is not declared in SKILL.md.
const sendmailPath = childProcess.spawnSync('which', ['sendmail'], { encoding: 'utf8' }).stdout.trim();
→ Document shell execution if email via sendmail is intentional, or refactor to use Node.js net module
 scripts/birthday_manager.js:290
Low
Environment variable access for credentials Sensitive Access
Both scripts read SMTP credentials from environment variables (BIRTHDAY_SMTP_HOST, BIRTHDAY_SMTP_PASSWORD, etc.) via resolveConfigValue() function. This is legitimate for notification configuration but not documented.
match = re.fullmatch(r'\$\{([A-Z0-9_]+)\}', value)
if match:
    return os.environ.get(match.group(1), '')
→ Document required environment variables in SKILL.md under notification configuration section
 scripts/birthday_manager.py:201
ResourceDeclaredInferredStatusEvidence
Filesystem READ WRITE ✓ Aligned Both scripts read/write birthdays.json for data persistence - documented
Network NONE WRITE ✗ Violation Python: smtplib.SMTP, urllib.request (webhook); JS: none; SKILL.md only declares…
Shell NONE WRITE ✗ Violation JS: child_process.spawnSync for 'which sendmail' and sendmail binary execution -…
Environment NONE READ ✓ Aligned Scripts read SMTP config from env vars (BIRTHDAY_SMTP_*), but only for notificat…

File Tree

7 files · 58.1 KB · 1752 lines
JavaScript 1f · 760L Python 1f · 695L Markdown 2f · 254L JSON 2f · 39L YAML 1f · 4L
├─ 📁 agents
│ └─ 📋 openai.yaml YAML 4L · 242 B
├─ 📁 data
│ └─ 📋 notification.json JSON 22L · 462 B
├─ 📁 references
│ └─ 📝 data-format.md Markdown 88L · 2.4 KB
├─ 📁 scripts
│ ├─ 📜 birthday_manager.js JavaScript 760L · 23.7 KB
│ └─ 🐍 birthday_manager.py Python 695L · 24.8 KB
├─ 📋 package.json JSON 17L · 484 B
└─ 📝 SKILL.md Markdown 166L · 6.0 KB

Dependencies 1 items

PackageVersionSourceKnown VulnsNotes
None (pure stdlib) N/A Python stdlib + Node.js stdlib No No npm dependencies in package.json, no pip requirements.txt - all code uses standard library only

Security Positives

✓ ID card numbers are properly masked (first 6 and last 4 digits only)
✓ No access to sensitive system paths (~/.ssh, ~/.aws, .env)
✓ Package has zero third-party dependencies (no supply chain risk)
✓ No base64-encoded or obfuscated code detected
✓ No reverse shell, C2, or credential harvesting patterns
✓ Email/webhook channels require explicit user configuration via notification.json
✓ Webhook URL is user-controlled, not hardcoded to external servers
✓ Lunar calendar conversion table is embedded (no external dependencies)
✓ Both scripts are well-structured with proper error handling