Low risk: risk score 20/100
Last scan: 1 day ago
calibre-catalog-read
Read-only Calibre catalog lookup and one-book analysis workflow over a running Content server
Legitimate Calibre catalog read skill with minor documentation inconsistencies; no malicious behavior detected.
Skill name: calibre-catalog-read
Analysis time: 44.4s
Engine: pi
Verdict: can be installed
Consider clarifying in SKILL.md that the analysis pipeline writes to Calibre comments. Passing the password on the command line is acceptable given the tooling context.

Security findings (2)

Severity | Finding | Location
Low
Metadata write not clearly declared as exception to read-only claim (category: documentation deception)
SKILL.md repeatedly states 'read-only for catalog lookup + analysis workflow' and 'Never for... metadata edits'. However, run_analysis_pipeline.py (lines 178-191) calls 'calibredb set_metadata' to write the analysis HTML into the Calibre comments field. This is intentional functionality, but it conflicts with the read-only framing.
run(["calibredb", "--with-library", ns.with_library, *auth, "set_metadata", str(ns.book_id), "--field", f"comments:{merged_comments}"])
→ Add explicit note in SKILL.md that the analysis pipeline applies HTML comments to Calibre metadata as part of the workflow.
scripts/run_analysis_pipeline.py:178
Low
Password passed on command line (category: credential theft)
CALIBRE_PASSWORD is passed as --password argument to calibredb subprocess. This exposes the credential in process listings and shell history.
if (auth.password) cmd.push('--password', auth.password);
→ Acceptable for CLI tooling context. If stricter security is needed, pass the credential via an environment variable or prompt for it interactively.
scripts/calibredb_read.mjs:195
Resource type | Declared permission | Inferred permission | Status | Evidence
Command execution | WRITE | WRITE | ✓ Consistent | SKILL.md metadata declares bin dependencies; scripts use subprocess for calibred…
File system | WRITE | WRITE | ✓ Consistent | SKILL.md declares localWrites to state/*; scripts write runs.json, sqlite DB, an…
Network access | READ | READ | ✓ Consistent | HTTP requests to Calibre Content Server for catalog operations; no arbitrary net…
Environment variables | READ | READ | ✓ Consistent | Reads CALIBRE_PASSWORD, CALIBRE_USERNAME, CALIBRE_WITH_LIBRARY; no exfiltration …
External URLs (2 findings)
Medium | External URL
http://192.168.11.20:8080/#Calibreライブラリ
README.md:52
Medium | External URL
https://json-schema.org/draft/2020-12/schema
references/subagent-analysis.schema.json:2

Directory structure

11 files · 68.1 KB · 1890 lines
JavaScript 4f · 948L Markdown 3f · 477L Python 2f · 404L JSON 2f · 61L
├─ 📁 references
│ ├─ 📝 subagent-analysis.prompt.md Markdown 63L · 1.9 KB
│ ├─ 📋 subagent-analysis.schema.json JSON 42L · 1.4 KB
│ └─ 📋 subagent-input.schema.json JSON 19L · 575 B
├─ 📁 scripts
│ ├─ 🐍 analysis_db.py Python 97L · 4.1 KB
│ ├─ 📜 calibredb_read.mjs JavaScript 393L · 12.3 KB
│ ├─ 📜 handle_completion.mjs JavaScript 393L · 12.4 KB
│ ├─ 📜 prepare_subagent_input.mjs JavaScript 67L · 2.1 KB
│ ├─ 🐍 run_analysis_pipeline.py Python 307L · 11.8 KB
│ └─ 📜 run_state.mjs JavaScript 95L · 3.0 KB
├─ 📝 README.md Markdown 140L · 5.6 KB
└─ 📝 SKILL.md Markdown 274L · 13.0 KB

Security highlights

✓ Subagent architecture cleanly separates heavy analysis from the main agent, reducing the risk of prompt injection
✓ State management with runs.json prevents duplicate processing and race conditions
✓ Input validation on book_id and analysis JSON paths before processing
✓ No external network connections except to configured Calibre server
✓ No base64/encoded execution, no reverse shell patterns, no credential exfiltration
✓ Clean separation between read-only catalog operations (calibredb_read.mjs) and analysis workflow (run_analysis_pipeline.py)
✓ Uses hash-based deduplication to avoid re-analysis of unchanged files
✓ Subagent prompt template includes strict read contract preventing unauthorized tool usage