Scan report
5/100
Dev & Deploy
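Quickly create and deploy web applications to Cloudflare Pages; includes security confirmation mechanisms for file overwrites, Git pushes, and system modifications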
Legitimate Dev & Deploy tool for Cloudflare Pages with properly documented shell execution and filesystem operations.
Can be installed
No security concerns. The skill is safe to use with standard precautions.
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | WRITE | WRITE | ✓ Consistent | deploy.js:360 (fs.writeFileSync), deploy.js:280 (fs.cpSync) |
| Command execution | WRITE | WRITE | ✓ Consistent | deploy.js:115 (execSync for git --version), deploy.js:490 (git operations), depl… |
| Network access | READ | READ | ✓ Consistent | deploy.js:575 (fetch() for deployment testing) |
| Environment variables | READ | READ | ✓ Consistent | deploy.js:80 (CLOUDFLARE_API_TOKEN read for deployment) |
2 findings
Medium · External URL · https://dash.cloudflare.com/profile/api-tokens · SKILL.md:62
Medium · External URL · https://developers.cloudflare.com/fundamentals/api/get-started/create-token/ · SKILL.md:63
Directory structure
2 files · 26.2 KB · 917 lines
JavaScript 1f · 765L
Markdown 1f · 152L
├─ deploy.js (JavaScript)
└─ SKILL.md (Markdown)
Security highlights
✓ Comprehensive SKILL.md documentation with security confirmation workflow
✓ User confirmation required before destructive operations (file overwrite, git push, system installs)
✓ Project name validation to prevent arbitrary path traversal
✓ Cloudflare API token read from environment only, not hardcoded or exfiltrated
✓ No arbitrary code execution - only documented CLI tools (git, gh, wrangler)
✓ Git operations limited to user-authorized repositories
✓ Clean subprocess usage with proper argument handling (execFileSync over execSync for arguments)
✓ No credential exfiltration - token used only for Cloudflare API calls
✓ No obfuscation or base64-encoded commands
✓ Native Node.js only - no external dependencies to add supply-chain attack surface