中文 EN

扫描报告

扫描新文件

可疑 — 风险评分 40/100
上次扫描:1 天前 重新扫描
40 /100
birthday
中文农历/公历生日提醒管理,支持身份证生日提取与独立提醒天数
The birthday management skill contains undeclared network access (webhook, SMTP email) and shell execution (JS sendmail), with sensitive personal data capable of external transmission.
技能名称birthday
分析耗时55.3s
引擎pi
谨慎使用
Update SKILL.md to explicitly declare network:WRITE capability if email/webhook channels are supported, or remove these features. Consider documenting the subprocess usage in JS version. Review whether email and webhook channels are essential features.

安全发现 4 项

严重性 安全发现 位置
中危
Undeclared email notification channel 文档欺骗
SKILL.md only documents 'agent' notification channel but Python implementation includes full SMTP email support via smtplib.SMTP. Email channel requires BIRTHDAY_SMTP_HOST, BIRTHDAY_SMTP_PORT, BIRTHDAY_SMTP_USERNAME, BIRTHDAY_SMTP_PASSWORD environment variables.
with smtplib.SMTP(host, port, timeout=10) as smtp:
    if channel.get('use_tls', True):
        smtp.starttls()
    username = channel.get('username')
    password = channel.get('password')
→ Add email channel documentation to SKILL.md if intentional, or remove smtplib code
 scripts/birthday_manager.py:309
中危
Undeclared webhook notification channel 文档欺骗
Python implementation includes webhook support via urllib.request that POSTs notification data to user-configured URLs. This is not documented in SKILL.md.
req = request.Request(channel['url'], data=payload, headers=headers, method='POST')
with request.urlopen(req, timeout=10):
→ Add webhook channel documentation to SKILL.md if intentional, or remove urllib.request code
 scripts/birthday_manager.py:316
中危
Undeclared shell command execution (JS) 文档欺骗
JavaScript implementation uses child_process.spawnSync to execute 'which sendmail' and sendmail binary for email notifications. This shell:WRITE capability is not declared in SKILL.md.
const sendmailPath = childProcess.spawnSync('which', ['sendmail'], { encoding: 'utf8' }).stdout.trim();
→ Document shell execution if email via sendmail is intentional, or refactor to use Node.js net module
 scripts/birthday_manager.js:290
低危
Environment variable access for credentials 敏感访问
Both scripts read SMTP credentials from environment variables (BIRTHDAY_SMTP_HOST, BIRTHDAY_SMTP_PASSWORD, etc.) via resolveConfigValue() function. This is legitimate for notification configuration but not documented.
match = re.fullmatch(r'\$\{([A-Z0-9_]+)\}', value)
if match:
    return os.environ.get(match.group(1), '')
→ Document required environment variables in SKILL.md under notification configuration section
 scripts/birthday_manager.py:201
资源类型声明权限推断权限状态证据
文件系统 READ WRITE ✓ 一致 Both scripts read/write birthdays.json for data persistence - documented
网络访问 NONE WRITE ✗ 越权 Python: smtplib.SMTP, urllib.request (webhook); JS: none; SKILL.md only declares…
命令执行 NONE WRITE ✗ 越权 JS: child_process.spawnSync for 'which sendmail' and sendmail binary execution -…
环境变量 NONE READ ✓ 一致 Scripts read SMTP config from env vars (BIRTHDAY_SMTP_*), but only for notificat…

目录结构

7 文件 · 58.1 KB · 1752 行
JavaScript 1f · 760L Python 1f · 695L Markdown 2f · 254L JSON 2f · 39L YAML 1f · 4L
├─ 📁 agents
│ └─ 📋 openai.yaml YAML 4L · 242 B
├─ 📁 data
│ └─ 📋 notification.json JSON 22L · 462 B
├─ 📁 references
│ └─ 📝 data-format.md Markdown 88L · 2.4 KB
├─ 📁 scripts
│ ├─ 📜 birthday_manager.js JavaScript 760L · 23.7 KB
│ └─ 🐍 birthday_manager.py Python 695L · 24.8 KB
├─ 📋 package.json JSON 17L · 484 B
└─ 📝 SKILL.md Markdown 166L · 6.0 KB

依赖分析 1 项

包名版本来源已知漏洞备注
None (pure stdlib) N/A Python stdlib + Node.js stdlib No npm dependencies in package.json, no pip requirements.txt - all code uses standard library only

安全亮点

✓ ID card numbers are properly masked (first 6 and last 4 digits only)
✓ No access to sensitive system paths (~/.ssh, ~/.aws, .env)
✓ Package has zero third-party dependencies (no supply chain risk)
✓ No base64-encoded or obfuscated code detected
✓ No reverse shell, C2, or credential harvesting patterns
✓ Email/webhook channels require explicit user configuration via notification.json
✓ Webhook URL is user-controlled, not hardcoded to external servers
✓ Lunar calendar conversion table is embedded (no external dependencies)
✓ Both scripts are well-structured with proper error handling