Scan Report
5/100
gusnais-skill
Gusnais (Ruby-China/Homeland compatible) API integration with OAuth and plugin domain operations
This is a legitimate Gusnais/Ruby-China forum API integration skill with standard OAuth authentication and plugin domain operations. No malicious behavior detected.
Safe to install
This skill is safe to use. No security concerns identified.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Network | READ | READ | ✓ Aligned | Both scripts use requests to communicate with hardcoded https://gusnais.com |
| Filesystem | WRITE | WRITE | ✓ Aligned | write_token_store() in gusnais_bootstrap.py line 134; save() in gusnais_plugin_c… |
| Environment | NONE | READ | ✓ Aligned | Both scripts read CLIENT_ID, CLIENT_SECRET, etc. from os.environ, which is stand… |
1 finding
Medium External URL
https://gusnais.com SKILL.md:18
File Tree
5 files · 30.5 KB · 891 lines
Python 2f · 549L
Markdown 3f · 342L
├─ references
│  ├─ endpoints.md (Markdown)
│  └─ permission-parity.md (Markdown)
├─ scripts
│  ├─ gusnais_bootstrap.py (Python)
│  └─ gusnais_plugin_client.py (Python)
└─ SKILL.md (Markdown)
Dependencies 1 item
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| requests | * | pip | No | Version not pinned; standard library with no security impact in this context |
Security Positives
✓ SKILL.md accurately describes all functionality implemented in scripts
✓ All network requests are to hardcoded, whitelisted domain https://gusnais.com
✓ Credentials (CLIENT_ID, CLIENT_SECRET) are user-provided inputs, not harvested
✓ Token store file is written with restrictive permissions (chmod 0o600)
✓ No shell execution, subprocess, or command injection vectors
✓ No obfuscation, base64 payloads, or hidden functionality
✓ OAuth flow is a standard, well-structured implementation
✓ No data exfiltration or C2 communication patterns
✓ Plugin API client has proper error handling and capability gating
✓ No supply chain risks beyond unpinned requests dependency