Low Risk — Risk Score 20/100
Last scan: 18 hr ago
Passport
Validate and format passport or identity document data
The 'Passport' skill is a simple bash CLI tool that logs user input to local log files in ~/.local/share/passport. No malicious behavior found; the doc-to-code gap is a feature-description mismatch rather than hidden malicious functionality.
Skill Name: Passport
Duration: 33.1s
Engine: pi
Safe to install
Approve for use. Be aware the 'validate' commands perform no real validation — they merely log input. If passport data processing is needed, verify the skill performs actual document validation.

Findings: 1 item

Severity: Low
Finding: Command descriptions are placeholders with no real functionality (Doc Mismatch)
Location: scripts/script.sh:82
SKILL.md and the script output list commands like 'Check', 'Validate', 'Generate' with single-word placeholder descriptions. The script does not perform any actual passport/ID validation, number checking, or document formatting — it merely logs input to files.
    echo "$ts|$input" >> "$DATA_DIR/check.log"
→ If real passport/document validation is expected, this skill does not provide it. Clarify in documentation that the skill only logs input and does not perform actual validation.
Resource | Declared | Inferred | Status | Evidence
Filesystem | READ | WRITE | ✓ Aligned | SKILL.md declares filesystem access; script writes to ~/.local/share/passport/*.…
Shell | NONE | WRITE | ✓ Aligned | script.sh:1 shebang uses bash; script writes log files and uses standard utiliti…
Network | NONE | NONE | | No curl, wget, or outbound network calls found in script.sh
Environment | NONE | NONE | | Only uses $HOME to build data path; no iteration over environment variables for …
3 findings
Medium: External URL https://bytesagain.com (SKILL.md:6)
Medium: External URL https://bytesagain.com/feedback/ (SKILL.md:98)
Info: Email address [email protected] (SKILL.md:101)

File Tree

2 files · 14.3 KB · 414 lines
Shell 1f · 313L Markdown 1f · 101L
├─ 📁 scripts
│ └─ 🔧 script.sh Shell 313L · 10.9 KB
└─ 📝 SKILL.md Markdown 101L · 3.5 KB

Security Positives

✓ No network requests — confirmed offline operation matching documentation
✓ No credential harvesting or environment variable scanning
✓ No base64, obfuscation, or anti-analysis techniques
✓ No remote script execution (no curl|bash, wget|sh, pip install, etc.)
✓ No sensitive path access (no ~/.ssh, ~/.aws, .env, /etc/passwd)
✓ No data exfiltration or C2 communication
✓ No persistence mechanisms (no cron, startup scripts, or backdoors)
✓ No supply chain risk — no external dependencies
✓ All operations are local to a defined data directory