中文 EN

Scan Report

Scan New Files

Low Risk — Risk Score 15/100
Last scan:23 hr ago Rescan
15 /100
auto-free-banana
Generates images in Google Flow through browser UI automation
This is a legitimate browser UI automation tool for Google Flow that stores OAuth tokens locally. No malicious behavior, credential theft, or data exfiltration detected. All shell/network access is declared and necessary for the tool's stated purpose.
Skill Nameauto-free-banana
Duration38.3s
Enginepi
Safe to install
No action required. The skill is safe for use within its documented scope of Google Flow UI automation.
ResourceDeclaredInferredStatusEvidence
Shell WRITE WRITE ✓ Aligned SKILL.md: Script Directory section declares bun/npx execution
Filesystem WRITE WRITE ✓ Aligned SKILL.md: Cookie storage in ~/.local/share/baoyu-skills; cookies.json written lo…
Network READ READ ✓ Aligned SKILL.md: Network connectivity check (curl to labs.google/fx); HTTP requests to …
Browser WRITE WRITE ✓ Aligned SKILL.md: Chrome CDP automation declared; client.ts uses CDP for UI control
Environment READ READ ✓ Aligned SKILL.md: Environment variables section lists proxy, paths, and debug port setti…
6 findings
🔗
Medium External URL 外部 URL
https://labs.google/fx/
SKILL.md:162
🔗
Medium External URL 外部 URL
https://labs.google/fx/zh/tools/flow
scripts/flow-webapi/client.ts:83
🔗
Medium External URL 外部 URL
https://labs.google/fx/zh/tools/flow/project/$
scripts/flow-webapi/client.ts:174
🔗
Medium External URL 外部 URL
https://labs.google/fx/api/auth/session
scripts/flow-webapi/utils/get-auth-token.ts:15
🔗
Medium External URL 外部 URL
https://labs.google/
scripts/flow-webapi/utils/load-browser-cookies.ts:342
🔗
Medium External URL 外部 URL
https://accounts.google.com/
scripts/flow-webapi/utils/load-browser-cookies.ts:342

File Tree

15 files · 58.4 KB · 1811 lines
TypeScript 14f · 1529L Markdown 1f · 282L
├─ 📁 scripts
│ ├─ 📁 flow-webapi
│ │ ├─ 📁 types
│ │ │ ├─ 📜 index.ts TypeScript 1L · 78 B
│ │ │ └─ 📜 project.ts TypeScript 17L · 316 B
│ │ ├─ 📁 utils
│ │ │ ├─ 📜 cookie-file.ts TypeScript 56L · 1.5 KB
│ │ │ ├─ 🔑 get-auth-token.ts TypeScript 97L · 3.3 KB
│ │ │ ├─ 📜 http.ts TypeScript 72L · 2.0 KB
│ │ │ ├─ 📜 index.ts TypeScript 25L · 826 B
│ │ │ ├─ 📜 load-browser-cookies.ts TypeScript 392L · 12.9 KB
│ │ │ ├─ 📜 logger.ts TypeScript 40L · 1.1 KB
│ │ │ └─ 📜 paths.ts TypeScript 55L · 2.0 KB
│ │ ├─ 📜 client.ts TypeScript 418L · 14.8 KB
│ │ ├─ 📜 constants.ts TypeScript 38L · 1.4 KB
│ │ ├─ 📜 exceptions.ts TypeScript 34L · 681 B
│ │ └─ 📜 index.ts TypeScript 32L · 601 B
│ └─ 📜 main.ts TypeScript 252L · 6.9 KB
└─ 📝 SKILL.md Markdown 282L · 10.0 KB

Security Positives

✓ All shell executions (bun/npx) are declared in SKILL.md
✓ Network requests are limited to official Google domains (labs.google/fx, accounts.google.com)
✓ OAuth tokens are stored locally in cookie files, not exfiltrated
✓ No base64-encoded commands or obfuscation detected
✓ No access to sensitive system paths (~/.ssh, ~/.aws, .env)
✓ No credential harvesting for external exfiltration
✓ Chrome spawning uses documented paths and flags
✓ Consent check mechanism implemented before first use
✓ Source code is clean TypeScript without suspicious patterns
✓ No reverse shell, C2, or data theft functionality