Scan report
0 /100
todo-webapp
Deploy a local TODO web app that reads and writes a Markdown TODO.md file. Serves a beautiful dark-themed, glassmorphism UI on the LAN.
A legitimate zero-dependency Node.js TODO web app that reads/writes local Markdown files and serves a web UI over LAN. No malicious behavior detected.
Safe to install
No action needed. This skill is safe to use as described.
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | READ+WRITE | ✓ Consistent | SKILL.md: 'reads and writes a Markdown TODO.md file'; server.js: lines 15, 42, 5… |
| Network access | NONE | READ+WRITE | ✓ Consistent | SKILL.md: 'Serves a beautiful dark-themed, glassmorphism UI on the LAN'; server.… |
| Command execution | NONE | NONE | — | No child_process, exec, spawn, or shell invocation found |
| Environment variables | NONE | NONE | — | No process.env (or os.environ) access found |
| Skill invocation | NONE | NONE | — | No skill-to-skill invocation |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser automation |
| Database | NONE | NONE | — | No database access |
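As an added example (not the scanner's or the skill's own code), the JavaScript below sketches how the "inferred permission" column of such a table can be derived by pattern-matching a source file for Node built-in usage, and why a grep-style check needs a fallback for `require()` calls whose argument is not a plain string literal. The regex rules are assumptions, not the scanner's actual rules, and both source samples are constructed for the example rather than taken from server.js.

```javascript
// Added example: minimal static "inferred permission" check. Not the scanner's
// or the skill's code; the rules are assumptions and the samples are constructed.

const CATEGORIES = ['filesystem', 'network', 'command', 'env'];

// Each rule maps a Node built-in usage to a category and the access it implies.
const RULES = [
  { category: 'filesystem', access: ['READ'],
    pattern: /\bfs\.(?:readFile(?:Sync)?|createReadStream)\s*\(/ },
  { category: 'filesystem', access: ['WRITE'],
    pattern: /\bfs\.(?:writeFile(?:Sync)?|appendFile(?:Sync)?|createWriteStream)\s*\(/ },
  // An HTTP server reads requests and writes responses, hence READ+WRITE.
  { category: 'network', access: ['READ', 'WRITE'],
    pattern: /\bhttp\.createServer\s*\(/ },
  { category: 'network', access: ['OUTBOUND'],
    pattern: /\bhttps?\.(?:get|request)\s*\(|\bfetch\s*\(/ },
  { category: 'command', access: ['EXEC'],
    pattern: /\bchild_process\b|\b(?:exec|execSync|execFile|execFileSync|spawn|spawnSync)\s*\(/ },
  { category: 'env', access: ['READ'], pattern: /\bprocess\.env\b/ },
];

// A require() whose argument is anything other than a single string literal
// (e.g. require('child_' + 'process')) cannot be resolved by pattern matching,
// so it is flagged for manual review instead of silently counting as NONE.
const DYNAMIC_REQUIRE = /\brequire\s*\((?!\s*(['"`])[^'"`]*\1\s*\))/;

function stripComments(src) {
  // Drops /* */ blocks and // line comments; a '//' preceded by ':' (as in
  // 'http://') is kept. Adequate for the example, not a full JS tokenizer.
  return src.replace(/\/\*[\s\S]*?\*\//g, '').replace(/(^|[^:])\/\/[^\n]*/g, '$1');
}

function inferPermissions(src) {
  const code = stripComments(src);
  const found = Object.fromEntries(CATEGORIES.map(c => [c, new Set()]));
  for (const rule of RULES) {
    if (rule.pattern.test(code)) rule.access.forEach(a => found[rule.category].add(a));
  }
  const result = {};
  for (const c of CATEGORIES) {
    result[c] = found[c].size ? [...found[c]].sort().join('+') : 'NONE';
  }
  result.dynamicRequire = DYNAMIC_REQUIRE.test(code);
  return result;
}

// Constructed sample resembling the shape of a zero-dependency TODO server.
const SAMPLE_SERVER = `
const http = require('http');
const fs = require('fs');
const path = require('path');
const FILE = path.join(__dirname, 'TODO.md'); // fixed path, not user controlled
http.createServer((req, res) => {
  if (req.method === 'GET') {
    res.writeHead(200, { 'Content-Type': 'text/markdown; charset=utf-8' });
    res.end(fs.readFileSync(FILE, 'utf8'));
  } else {
    let body = '';
    req.on('data', chunk => { body += chunk; });
    req.on('end', () => { fs.writeFileSync(FILE, body); res.end('ok'); });
  }
}).listen(3456, '0.0.0.0');
`;

// Constructed sample that hides a shell call from naive pattern matching:
// every category comes back NONE, but dynamicRequire is true.
const SAMPLE_EVASIVE = `
const cp = require('child_' + 'process');
cp['ex' + 'ec']('id');
`;

console.log(inferPermissions(SAMPLE_SERVER));
console.log(inferPermissions(SAMPLE_EVASIVE));
```

The second sample is the reason a "NONE" in the command-execution row is only as strong as the analysis behind it: a reviewer should treat a flagged dynamic `require()` (or computed property access on a built-in module) as a finding to resolve by hand, not as absence of the capability.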
1 finding
Medium severity · External URL: https://i.imgur.com/noOCejM.jpeg (SKILL.md:10)
Directory structure
2 files · 17.1 KB · 565 lines (JavaScript: 1 file, 485 lines; Markdown: 1 file, 80 lines)
├─ scripts/
│  └─ server.js (JavaScript)
└─ SKILL.md (Markdown)
Security highlights
✓ Zero dependencies — no third-party packages to audit, so no npm supply-chain surface beyond the Node runtime itself
✓ No shell execution — pure Node.js built-in modules only (http, fs, path)
✓ No credential access — does not read .env, ~/.ssh, or any sensitive paths
✓ No outbound network requests; the only socket is the inbound HTTP listener on 0.0.0.0:3456 (note that 0.0.0.0 binds every interface on the host, not just the LAN one)
✓ No obfuscation — all code is readable and human-understandable
✓ SKILL.md accurately describes all behavior — no hidden functionality
✓ Output escaping via escHtml() on TODO text before it is placed into HTML prevents stored XSS in the rendered page
✓ Local-only file operations with predictable paths (TODO.md, TODO-done.md, bg.jpg)
✓ HTML output uses Content-Type headers appropriately
✓ SSE connections properly cleaned up on client disconnect
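As an added example, not the skill's server.js, the JavaScript below shows the output-escaping check behind the escHtml() highlight: a five-character HTML escaper, a small Markdown checklist parser, and a regression check that the rendered fragment contains no markup other than the tags the renderer itself emits. The sample TODO.md content is constructed for the example, and the skill's real escHtml() is assumed, not known, to perform equivalent escaping.

```javascript
// Added example: HTML output escaping for Markdown TODO items. Not the skill's
// code; the sample TODO.md is constructed and escHtml's real behaviour is assumed.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escHtml(s) {
  // One regex pass replaces all five characters at once, which avoids the
  // double-escaping bug of replacing '<' with '&lt;' and then '&' with '&amp;'.
  return String(s).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Matches "- [ ] text" / "- [x] text" checklist lines; other lines are ignored.
const TODO_LINE = /^\s*[-*]\s+\[([ xX])\]\s+(.*)$/;

function parseTodo(markdown) {
  const items = [];
  for (const line of markdown.split(/\r?\n/)) {
    const m = TODO_LINE.exec(line);
    if (m) items.push({ done: m[1] !== ' ', text: m[2] });
  }
  return items;
}

function renderTodoHtml(markdown) {
  // User-controlled text goes through escHtml(); the class value is our own constant.
  const lis = parseTodo(markdown).map(({ done, text }) =>
    `<li class="${done ? 'done' : 'open'}">${escHtml(text)}</li>`);
  return `<ul>\n${lis.join('\n')}\n</ul>`;
}

function containsRawMarkup(html) {
  // Regression check: after removing the <ul>/<li> tags the renderer emits,
  // any remaining '<' or '>' means unescaped input reached the page.
  const stripped = html.replace(/<\/?(?:ul|li)(?:\s[^>]*)?>/g, '');
  return /[<>]/.test(stripped);
}

// Constructed TODO.md content, including a stored-XSS attempt on the last line.
const SAMPLE_TODO = [
  '# TODO',
  '- [ ] Ship release <b>1.0</b>',
  '- [x] Review "auth" & "session" handling',
  "- [ ] <img src=x onerror=alert('xss')>",
].join('\n');

console.log(renderTodoHtml(SAMPLE_TODO));
console.log('raw markup leaked:', containsRawMarkup(renderTodoHtml(SAMPLE_TODO)));
```

This escaper is correct for HTML text content and double-quoted attribute values, which is the context a TODO item lands in here. Text placed inside a `<script>` block, a URL, or an event-handler attribute needs a context-specific encoder; escHtml() alone does not cover those.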