中文 EN

Scan Report

Scan New Files

Low Risk — Risk Score 20/100
Last scan:1 day ago Rescan
20 /100
siyuan-notes-skill
思源笔记工具——搜索、阅读、编辑、组织用户的笔记
A legitimate SiYuan Notes management tool with solid security posture. Minor doc-to-code gaps exist (undeclared filesystem writes for caching, undeclared credential environment variable access) but no malicious behavior, exfiltration, or exploitation was found.
Skill Namesiyuan-notes-skill
Duration99.4s
Enginepi
Safe to install
Consider documenting the filesystem:WRITE capability (for read-guard cache) and network:READ (GitHub version check) in SKILL.md. The codebase is trustworthy for use.

Findings 3 items

Severity Finding Location
Low
Filesystem write capability not declared Doc Mismatch
SKILL.md declares only 'Bash' as allowed-tools but the code writes to .siyuan-read-guard-cache.json for safety guards. This is legitimate internal behavior but undocumented.
fs.writeFileSync(READ_GUARD_CACHE_FILE, JSON.stringify(readGuardCache, null, 2));
→ Document filesystem:WRITE in SKILL.md for transparency.
 index.js:322
Low
Credential environment variables not declared Doc Mismatch
SIYUAN_API_TOKEN and SIYUAN_BASIC_AUTH_PASS are read from process.env but not declared in SKILL.md. Credentials are used only for local SiYuan server authentication and not exfiltrated.
const SIYUAN_API_TOKEN = process.env.SIYUAN_API_TOKEN || '';
→ Consider documenting credential environment variable access in SKILL.md.
 index.js:96
Low
package.json has zero dependencies declared Supply Chain
The skill has no dependencies listed in package.json, relying solely on Node.js built-ins (fs, path, https, child_process). This is clean but worth noting.
"dependencies": {}
→ No action needed; zero dependencies is a positive supply-chain signal.
 package.json:1
ResourceDeclaredInferredStatusEvidence
Shell WRITE WRITE ✓ Aligned SKILL.md:allowed-tools:"Bash"; index.js:10 execSync for hardcoded git commands
Network NONE READ ✓ Aligned index.js:733 fetchJson() calls api.github.com for version-check; index.js:790 fe…
Filesystem NONE WRITE ✓ Aligned index.js:107 READ_GUARD_CACHE_FILE path; index.js:322-341 fs.writeFileSync for .…
Environment NONE READ ✓ Aligned index.js:94-101 reads SIYUAN_API_TOKEN, SIYUAN_BASIC_AUTH_PASS; used only for lo…
Filesystem READ READ ✓ Aligned index.js:55-85 loads .env via fs.readFileSync; index.js:645 reads package.json
3 findings
🔗
Medium External URL 外部 URL
https://claude.com/claude-code
README.md:5
🔗
Medium External URL 外部 URL
https://b3log.org/siyuan/
README.md:5
🔗
Medium External URL 外部 URL
http://127.0.0.1:6806
README.md:38

File Tree

14 files · 225.2 KB · 7034 lines
JavaScript 5f · 4853L Markdown 8f · 2153L JSON 1f · 28L
├─ 📁 docs
│ ├─ 📝 command-reference.md Markdown 798L · 22.7 KB
│ ├─ 📝 Command-Reference.md Markdown 350L · 11.1 KB
│ ├─ 📝 Error-Recovery.md Markdown 17L · 2.1 KB
│ ├─ 📝 pmf-spec.md Markdown 165L · 5.6 KB
│ ├─ 📝 sql-reference.md Markdown 134L · 4.0 KB
│ └─ 📝 SQL-Reference.md Markdown 196L · 4.3 KB
├─ 📁 lib
│ ├─ 📜 pmf-utils.js JavaScript 316L · 9.0 KB
│ └─ 📜 query-services.js JavaScript 298L · 8.8 KB
├─ 📜 cli.js JavaScript 697L · 25.9 KB
├─ 📜 format-utils.js JavaScript 177L · 4.9 KB
├─ 📜 index.js JavaScript 3365L · 102.5 KB
├─ 📋 package.json JSON 28L · 616 B
├─ 📝 README.md Markdown 98L · 3.1 KB
└─ 📝 SKILL.md Markdown 395L · 20.5 KB

Dependencies 1 items

PackageVersionSourceKnown VulnsNotes
none N/A none No Zero external dependencies; uses only Node.js built-in modules (fs, path, https, child_process)

Security Positives

✓ No obfuscation, base64-decode-execute, or eval patterns found
✓ No credential exfiltration or data theft
✓ No reverse shell, C2, or remote code execution
✓ execSync is limited to hardcoded git commands with no user input reaching the shell
✓ Credentials stay local — API token used only for local SiYuan server authentication
✓ Basic Auth password is Base64-encoded in header only, never transmitted outside local process
✓ No hidden functionality: all code paths traced back to documented operations
✓ GitHub network calls are restricted to version-check command, clearly described in SKILL.md
✓ No sensitive file access (no ~/.ssh, ~/.aws, .env outside skill dir)
✓ Read-guard cache is a legitimate safety mechanism (optimistic locking)
✓ SQL queries use string escaping for SQLite (standard pattern for this tool type)