中文 EN

Scan Report

Scan New Files

Trusted — Risk Score 0/100
Last scan:1 day ago Rescan
0 /100
flyai-weekend-trip
周末去哪儿2天1夜说走就走方案助手
This is a pure-documentation travel planning assistant (weekend getaways) with no executable code, no credential access, and no data exfiltration — all behavior is correctly declared in SKILL.md.
Skill Nameflyai-weekend-trip
Duration26.0s
Enginepi
Safe to install
No action needed. Consider adding a note in SKILL.md clarifying that flyai CLI commands are invoked via the tool harness, not direct shell access.
ResourceDeclaredInferredStatusEvidence
Filesystem WRITE WRITE ✓ Aligned SKILL.md declares ~/.flyai/user-profile.md read/write for user preference storag…
4 findings
🔗
Medium External URL 外部 URL
https://img.alicdn.com/...
reference/search-hotel.md:44
🔗
Medium External URL 外部 URL
https://img.alicdn.com/tfscom/...
reference/search-poi.md:32
🔗
Medium External URL 外部 URL
https://nodejs.org/
reference/workflow.md:19
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com
reference/workflow.md:21

File Tree

11 files · 26.6 KB · 863 lines
Markdown 11f · 863L
├─ 📁 reference
│ ├─ 📝 ai-search.md Markdown 26L · 659 B
│ ├─ 📝 keyword-search.md Markdown 53L · 1.6 KB
│ ├─ 📝 search-flight.md Markdown 87L · 3.0 KB
│ ├─ 📝 search-hotel.md Markdown 57L · 1.8 KB
│ ├─ 📝 search-marriott-hotel.md Markdown 54L · 1.8 KB
│ ├─ 📝 search-marriott-package.md Markdown 40L · 995 B
│ ├─ 📝 search-poi.md Markdown 47L · 2.2 KB
│ ├─ 📝 search-train.md Markdown 77L · 2.6 KB
│ ├─ 📝 user-profile-storage.md Markdown 187L · 4.1 KB
│ └─ 📝 workflow.md Markdown 144L · 4.1 KB
└─ 📝 SKILL.md Markdown 91L · 3.9 KB

Security Positives

✓ All 11 files are Markdown documentation — no executable code present
✓ All declared capabilities (keyword-search, search-flight, search-train, search-hotel, search-poi) are documented in SKILL.md with clear parameter descriptions
✓ User profile storage to ~/.flyai/user-profile.md is declared and documented with proper data schema
✓ Qoder Memory mode (search_memory/update_memory) vs file-mode fallback is clearly specified in user-profile-storage.md
✓ No credential harvesting, no environment variable iteration, no sensitive path access (SSH, AWS, .env)
✓ No obfuscation techniques (base64, eval, atob) observed
✓ No remote script execution (curl|bash, wget|sh) present
✓ No supply chain risk — no dependencies (requirements.txt, package.json, etc.)
✓ No data exfiltration, C2 communication, or outbound data transfer
✓ No persistence mechanisms (cron, startup hooks, backdoors)