中文 EN

Scan Report

Scan New Files

Low Risk — Risk Score 20/100
Last scan:1 day ago Rescan
20 /100
微信公众号文章深度分析
微信公众号文章深度分析工具,用于读取和分析微信公众号文章内容
Legitimate WeChat public account article analyzer with no malicious behavior; minor documentation mismatch regarding filesystem access for output files.
Skill Name微信公众号文章深度分析
Duration38.7s
Enginepi
Safe to install
Consider documenting filesystem:WRITE permission in SKILL.md for output file generation, otherwise safe to use.

Findings 1 items

Severity Finding Location
Low
Minor documentation mismatch Doc Mismatch
SKILL.md declares filesystem:NONE but the script writes output files when --output flag is provided. This is mentioned in usage examples but not in the resource declaration.
allowed-tools mapping does not include filesystem:WRITE
→ Update SKILL.md to declare filesystem:WRITE for output file generation capability
 SKILL.md:1
ResourceDeclaredInferredStatusEvidence
Filesystem NONE WRITE ✓ Aligned scripts/analyze_wechat.py:lines 377-385 (file write with --output flag)
Network READ READ ✓ Aligned scripts/analyze_wechat.py:lines 33-60 (requests.get only to user-provided URLs)
Shell NONE NONE No subprocess or shell execution found
Environment NONE NONE No os.environ access found
1 High 3 findings
📡
High IP Address 硬编码 IP 地址
123.0.0.0
scripts/analyze_wechat.py:20
🔗
Medium External URL 外部 URL
https://mp.weixin.qq.com/s/pr6pCoRCFKeWDyr5xoBrjQ
README.md:58
🔗
Medium External URL 外部 URL
https://mp.weixin.qq.com/s/xxx
README.md:66

File Tree

4 files · 19.9 KB · 664 lines
Python 1f · 444L Markdown 2f · 218L Text 1f · 2L
├─ 📁 scripts
│ └─ 🐍 analyze_wechat.py Python 444L · 14.6 KB
├─ 📝 README.md Markdown 99L · 2.3 KB
├─ 📄 requirements.txt Text 2L · 31 B
└─ 📝 SKILL.md Markdown 119L · 2.9 KB

Dependencies 2 items

PackageVersionSourceKnown VulnsNotes
requests >=2.25.0 pip No Version properly pinned with minimum constraint
pyyaml >=5.4.0 pip No Version properly pinned with minimum constraint

Security Positives

✓ No shell execution - uses only Python standard library
✓ No credential harvesting - does not access environment variables or sensitive paths
✓ No data exfiltration - all network requests are to user-provided WeChat URLs only
✓ No obfuscation - clean, readable code with no base64 or encoded payloads
✓ Dependencies are version-pinned (requests>=2.25.0, pyyaml>=5.4.0)
✓ Explicit user consent required for file writes via --output flag
✓ No external connections to suspicious IPs - pre-scan '123.0.0.0' flag is a false positive (it's Chrome browser version)