Suspicious: risk score 42/100
Last scan: 19 hours ago
complianceradar-ai-monitor
Monitor regulatory changes across SEC, FDA, FINRA, and GDPR with AI impact assessment
Documentation-only skill with no implementation code; it exhibits suspicious branding ('empire-skills') and placeholder API keys that could be mistaken for real configuration.
Skill name: complianceradar-ai-monitor
Analysis time: 42.5s
Engine: pi
Verdict: Use with caution
Verify that the 'empire-skills' repository is legitimate before use. The SKILL.md describes behavior but contains no executable code; confirm that the actual implementation exists in a trusted source before relying on this skill.

Security findings: 4

Severity | Finding | Category | Location

Medium | Suspicious 'empire-skills' branding | Documentation deception | SKILL.md:4
The homepage references 'github.com/ncreighton/empire-skills'. 'Empire' is also the name of a well-known PowerShell post-exploitation framework, so this branding is unusual for a compliance monitoring tool and warrants verification.
Evidence: homepage: https://github.com/ncreighton/empire-skills
→ Verify this repository is legitimate. Cross-reference with official sources before trusting this skill.

Medium | Placeholder API keys in example configuration | Documentation deception | SKILL.md:116
Lines 116, 119, and 132 contain API key placeholders (e.g., 'your-sec-api-key') in a format that resembles real configuration. While clearly intended as examples, users may copy-paste these as actual credentials. The secrets scanner below flags the same three lines as suspected hardcoded credentials; they are placeholders, not live keys.
Evidence: export SEC_API_KEY="your-sec-api-key"
→ Use clearly marked placeholder syntax like '<YOUR_SEC_API_KEY>' or 'INSERT_YOUR_KEY_HERE' to prevent accidental credential misconfiguration.

Medium | Unverifiable security claims | Documentation deception | SKILL.md:249
The documentation makes security claims ('API keys never logged or transmitted to third parties') without any implementation code to verify them. This is a classic doc-to-code mismatch: the claimed behavior cannot be audited.
Evidence: API keys are stored in environment variables only; never logged or transmitted to third parties
→ Since no code exists, these claims cannot be verified. Request or verify the actual implementation code before trusting security guarantees.

Low | No implementation code present | Supply chain | SKILL.md:1
This SKILL.md describes capabilities but contains zero executable code, scripts, or implementation files. The skill cannot function as documented.
Evidence: Documentation describes monitoring, notifications, and policy generation but no actual code exists
→ Confirm the actual implementation exists in the referenced repository before use. This may be an incomplete or placeholder skill.
Permissions: declared vs. inferred

Resource | Declared | Inferred | Status | Evidence
Filesystem | NONE | NONE | | No file operations present; documentation only
Network access | READ | NONE | ✓ consistent | _meta declares curl/jq binaries but no implementation code exists to verify netw…
Command execution | NONE | NONE | | No shell execution code present
Environment variables | READ | NONE | ✓ consistent | _meta declares env vars but no code reads them; actual usage cannot be verified
Secrets and indicators: 9 findings (3 high)

🔑 High | API key | Suspected hardcoded credential | API_KEY="your-sec-api-key" | SKILL.md:116
🔑 High | API key | Suspected hardcoded credential | API_KEY="your-fda-api-key" | SKILL.md:119
🔑 High | API key | Suspected hardcoded credential | API_KEY="your-google-api-key" | SKILL.md:132
🔗 Medium | External URL | https://www.sec.gov/cgi-bin/browse-edgar | SKILL.md:115
🔗 Medium | External URL | https://open.fda.gov/ | SKILL.md:118
🔗 Medium | External URL | https://hooks.slack.com/services/YOUR/WEBHOOK/URL | SKILL.md:125
🔗 Medium | External URL | https://www.sec.gov/cgi-bin/browse-edgar. | SKILL.md:314
🔗 Medium | External URL | https://api.fda.gov/status.json | SKILL.md:320
📧 Info | Email address | [email protected] | SKILL.md:384
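The three high-severity "suspected hardcoded credential" hits above are the same placeholder values that the placeholder-API-key finding describes; a detector that treats every quoted `*_API_KEY="..."` as a live secret cannot tell them apart. As an added example, not part of this report or of the complianceradar-ai-monitor skill, the Python below scans configuration-style lines for key/token/webhook assignments and separates obvious placeholders (your-…, <…>, /YOUR/ path segments) from long, high-entropy values that look like real keys. The sample lines are constructed to mirror the evidence quoted in this report; the variable name SLACK_WEBHOOK_URL, the live-looking key value, and the length/entropy thresholds are assumptions.

```python
import math
import re

# Values that are evidently placeholders rather than live credentials.
PLACEHOLDER_PATTERNS = [
    re.compile(r"^<[^>]+>$"),                                   # <YOUR_SEC_API_KEY>
    re.compile(r"^your[-_]", re.IGNORECASE),                    # your-sec-api-key
    re.compile(r"^(insert|replace|changeme|todo|placeholder|example|xxx)", re.IGNORECASE),
    re.compile(r"/YOUR/|/XXX/|\{[^}]+\}"),                      # .../services/YOUR/WEBHOOK/URL, {token}
]

# A shell- or dotenv-style assignment whose name suggests a credential:
# optional `export`, NAME containing KEY/TOKEN/SECRET/PASSWORD/WEBHOOK, `=`, optionally quoted value.
ASSIGNMENT_RE = re.compile(
    r'^\s*(?:export\s+)?'
    r'(?P<name>[A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD|WEBHOOK)[A-Z0-9_]*)'
    r'\s*=\s*["\']?(?P<value>[^"\'\s]+)["\']?'
)

# Assumed heuristic thresholds: real API keys are usually long and high-entropy,
# readable placeholders are neither. Tune against your own corpus.
MIN_SECRET_LEN = 20
MIN_SECRET_ENTROPY = 3.5


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_value(value: str) -> str:
    """Return 'placeholder', 'suspected_secret', or 'low_confidence' for a credential-like value."""
    if any(p.search(value) for p in PLACEHOLDER_PATTERNS):
        return "placeholder"
    if len(value) >= MIN_SECRET_LEN and shannon_entropy(value) >= MIN_SECRET_ENTROPY:
        return "suspected_secret"
    return "low_confidence"


def scan_lines(lines):
    """Find credential-like assignments and classify each value; prose lines are skipped."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = ASSIGNMENT_RE.match(line)
        if not m:
            continue
        value = m.group("value")
        findings.append({
            "line": lineno,
            "name": m.group("name"),
            "value": value,
            "verdict": classify_value(value),
        })
    return findings


# Constructed sample modeled on the evidence quoted in the report (not the SKILL.md itself).
SAMPLE_LINES = [
    'export SEC_API_KEY="your-sec-api-key"',                                         # cf. SKILL.md:116
    'export FDA_API_KEY="your-fda-api-key"',                                         # cf. SKILL.md:119
    'export SLACK_WEBHOOK_URL="https://hooks.slack.com/services/YOUR/WEBHOOK/URL"',  # variable name assumed
    'export GOOGLE_API_KEY="<YOUR_GOOGLE_API_KEY>"',                                 # the recommended placeholder style
    'export SEC_API_KEY="sk_live_4f9Kq2mZp8XvT1nRw7bL3cJd"',                         # constructed live-looking value
    'export SEC_API_KEY="abc123"',                                                   # too short to judge
    '# Set SEC_API_KEY before running',                                              # prose: must not match
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f'line {f["line"]}: {f["name"]} -> {f["verdict"]}')
```

A 'placeholder' verdict is still worth reporting, since the copy-paste risk described in the placeholder-API-key finding stands, but at a lower severity than a live-looking key. Short real tokens will land in 'low_confidence' with these thresholds, so treat that bucket as "review manually" rather than "clean".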

Directory structure

1 file · 15.4 KB · 387 lines
Markdown: 1 file · 387 lines
└─ 📝 SKILL.md  Markdown · 387 lines · 15.4 KB

Security highlights

✓ No executable code present: cannot perform malicious actions without additional implementation
✓ No base64-encoded payloads or obfuscated commands detected
✓ No credential exfiltration mechanisms present
✓ No network requests to suspicious IPs or domains
✓ No sensitive path access patterns detected