Low risk: risk score 15/100
Last scanned: 2 days ago
vipshop-product-search
VIP.com product search skill: search products, compare prices and find discounts on vip.com
Legitimate VIP.com product search skill using official APIs with proper token management and no malicious indicators.
Skill name: vipshop-product-search
Analysis time: 25.3s
Engine: pi
Verdict: safe to install
Approve for use. The skill performs standard e-commerce product search functionality with no credential exfiltration or suspicious network behavior.

Security findings: 3

Severity: Info
Finding: Hardcoded IP placeholder
Location: scripts/search.py:59
Pre-scan flagged '120.0.0.0' as a hardcoded IP. Code analysis identifies it as a mars_cid (device tracking ID) placeholder rather than an active connection to that address; no exfiltration observed.
    mars_cid = ''
Caveat: the quoted snippet does not itself contain the flagged literal, so confirm what line 59 actually holds and that the value is never passed to a network call before accepting this triage.
→ No action required: this is a standard tracking identifier, not malicious.

Severity: Info
Finding: Token storage in user home directory
Location: scripts/search.py:22
The skill stores session tokens in ~/.vipshop-user-login/tokens.json, which is an appropriate place for VIP.com authentication state.
    token_file = Path.home() / '.vipshop-user-login' / 'tokens.json'
Caveat: the report does not say what mode the file and its directory are created with; check that they are owner-only (0700 directory, 0600 file) and not symlinks, since a group- or world-readable file exposes the session token to other accounts on the host.
→ No action required: standard token management pattern.

Severity: Info
Finding: Uses only Python standard library
Location: scripts/search.py:1
The skill uses only Python standard library modules (urllib, json, pathlib). No external dependencies are required, which reduces supply-chain risk.
    import sys, json, urllib.request, urllib.parse
→ Positive security feature: minimizes the dependency attack surface.
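The following is an added example written for this report, not code from the vipshop-product-search skill, and it makes no claim about how scripts/search.py actually creates its token file. It shows the handling a reviewer would check for on a "token storage in the home directory" finding: the file is created with mode 0600 from its first byte, written atomically, and refused at load time if its mode, owner or link status is wrong. A temporary directory stands in for ~/.vipshop-user-login so it runs offline; the token value is constructed.

```python
"""Owner-only token file handling, as a reference for reviewing finding 2.

Added example for this report; not the skill's code. A temporary directory
stands in for ~/.vipshop-user-login so the demo runs offline.
"""
import json
import os
import stat
import tempfile
from pathlib import Path

GROUP_OTHER = stat.S_IRWXG | stat.S_IRWXO


def save_tokens(token_file, tokens):
    """Write tokens as JSON so the file is 0600 from creation and never half-written."""
    token_file = Path(token_file)
    token_file.parent.mkdir(parents=True, exist_ok=True)
    os.chmod(token_file.parent, stat.S_IRWXU)          # 0700: nobody else lists or enters the dir
    tmp = token_file.with_name(token_file.name + ".tmp")
    tmp.unlink(missing_ok=True)
    # O_EXCL refuses an existing path, so a pre-planted symlink cannot redirect the write;
    # the mode argument applies at creation, so there is no window where the file is readable by others.
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(tokens, fh)
    except BaseException:
        tmp.unlink(missing_ok=True)
        raise
    os.replace(tmp, token_file)                        # atomic swap into place


def check_token_file(token_file):
    """Return the list of problems a reviewer would flag; an empty list means acceptable."""
    p = Path(token_file)
    problems = []
    if p.is_symlink():
        problems.append("file is a symlink")
    st = p.stat()
    if st.st_uid != os.getuid():
        problems.append("file not owned by current user")
    if st.st_mode & GROUP_OTHER:
        problems.append("file readable by group/other")
    if p.parent.stat().st_mode & GROUP_OTHER:
        problems.append("directory accessible by group/other")
    return problems


def load_tokens(token_file):
    """Refuse to use a token file that fails the checks above."""
    problems = check_token_file(token_file)
    if problems:
        raise PermissionError("; ".join(problems))
    return json.loads(Path(token_file).read_text())


def demo():
    """Round-trip a constructed token, then weaken the mode to show the check firing."""
    with tempfile.TemporaryDirectory() as d:
        tf = Path(d) / ".vipshop-user-login" / "tokens.json"
        save_tokens(tf, {"access_token": "constructed-sample-token"})
        before = check_token_file(tf)
        loaded = load_tokens(tf)
        os.chmod(tf, 0o644)                            # simulate a sloppily created file
        after = check_token_file(tf)
        return before, loaded, after


if __name__ == "__main__":
    print(demo())
```

The load-time check matters as much as the write: if a later version of the skill, or another tool sharing the directory, recreates the file with the process umask, the reader is the only place that will notice.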
Permissions: declared vs. inferred

Resource           Declared  Inferred  Status        Evidence
Command execution  WRITE     WRITE     ✓ consistent  SKILL.md: executes python3 scripts/search.py
File system        READ      READ      ✓ consistent  scripts/search.py: reads ~/.vipshop-user-login/tokens.json
Network access     READ      READ      ✓ consistent  scripts/search.py: makes API calls to mapi-pc.vip.com

Caveat: finding 2 above describes the skill as storing tokens in tokens.json, which would be a file-system write, while the inference here records only the read at scripts/search.py:22. Confirm whether search.py ever writes the file or only consumes a token produced by a separate login step.
Pre-scan pattern hits: 9 (1 high)

Severity  Type          Value                                                                          Location
High      Hardcoded IP  120.0.0.0                                                                      scripts/search.py:59
Medium    External URL  https://detail.vip.com/detail-1710613281-6920685689731485274.html              README.md:136
Medium    External URL  https://h2.appsimg.com/xxx.jpg                                                 README.md:138
Medium    External URL  https://detail.vip.com/...                                                     README.md:173
Medium    External URL  https://mapi-pc.vip.com/vips-mobile/rest/shopping/skill/search/product/rank    README.md:410
Medium    External URL  https://mapi-pc.vip.com/vips-mobile/rest/shopping/skill/product/module/list/v2 README.md:417
Medium    External URL  https://www.vip.com/                                                           scripts/search.py:62
Medium    External URL  https://www.vip.com                                                            scripts/search.py:63
Medium    External URL  https://detail.vip.com/detail-                                                 scripts/search.py:214

These are raw pattern matches from the pre-scan, before code analysis. The high-severity IP hit is downgraded to Info in the findings above; the URL hits in scripts/search.py are all vip.com hosts, and the h2.appsimg.com and truncated detail.vip.com entries come from README.md examples rather than from code.
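The pre-scan's "hardcoded IP" rule fires on any dotted quad, which is why 120.0.0.0 is rated High here and Info after analysis. The block below is an added example for this report, not part of the scanner or the skill: it shows the triage step that separates a literal used as a network destination from one used as an identifier or version string. SAMPLE_SOURCE is constructed to cover the distinct cases and is not scripts/search.py; the NETWORK_SINKS list is an assumed set of call names, not a complete one.

```python
"""Triage a pre-scan 'hardcoded IP' hit by how the literal is used.

Added example for this report, not code from the skill under review.
SAMPLE_SOURCE is constructed to show the distinct cases.
"""
import ast
import re

IPV4_RE = re.compile(r"(?<![\w.])(?:\d{1,3}\.){3}\d{1,3}(?![\w.])")

# Assumed set of call names whose string argument is, or builds, a network destination.
NETWORK_SINKS = {"urlopen", "Request", "connect", "create_connection", "get", "post"}

SAMPLE_SOURCE = '''\
import urllib.request
import socket
mars_cid = ''                     # placeholder assignment, nothing to flag
TRACK_ID = "120.0.0.0"            # dotted quad used as an identifier, not a host
BUILD = "999.0.0.1"               # octet > 255, cannot be an IPv4 address
resp = urllib.request.urlopen("http://120.0.0.0/collect")  # genuine destination
sock = socket.create_connection(("10.0.0.5", 4444))        # genuine destination
'''


def _parents(tree):
    """Map every node to its parent so a constant can be traced to its enclosing call."""
    return {child: node for node in ast.walk(tree) for child in ast.iter_child_nodes(node)}


def _enclosing_call_name(node, parents):
    """Name of the nearest call the node is an argument of, or None."""
    while node in parents:
        node = parents[node]
        if isinstance(node, ast.Call):
            func = node.func
            return func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
    return None


def classify(literal, text, call_name):
    """Decide what a dotted-quad literal most likely is from its octets and its use site."""
    if any(int(octet) > 255 for octet in literal.split(".")):
        return "not-an-ip"
    if "://" in text or call_name in NETWORK_SINKS:
        return "network-target"
    return "bare-literal"       # an ID, version or placeholder; confirm by reading the line


def triage(source):
    """Return (line, literal, verdict) for every string constant containing a dotted quad."""
    tree = ast.parse(source)
    parents = _parents(tree)
    hits = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            call_name = _enclosing_call_name(node, parents)
            for match in IPV4_RE.finditer(node.value):
                verdict = classify(match.group(0), node.value, call_name)
                hits.append((node.lineno, match.group(0), verdict))
    return sorted(hits)


if __name__ == "__main__":
    for line, literal, verdict in triage(SAMPLE_SOURCE):
        print(f"line {line}: {literal} -> {verdict}")
```

A "bare-literal" verdict is a prompt to read the line, not a clean bill of health: a string assigned to a variable and later concatenated into a URL would also land there, which is why the finding above still asks for confirmation of what line 59 holds.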

Directory structure

3 files · 41.9 KB · 1086 lines
Markdown: 2 files, 680 lines · Python: 1 file, 406 lines
├─ scripts/
│  └─ search.py    Python    406 lines · 12.7 KB
├─ README.md       Markdown  503 lines · 20.0 KB
└─ SKILL.md        Markdown  177 lines · 9.2 KB

Security highlights

✓ Uses only Python standard library (urllib, json, pathlib) - no external dependencies
✓ Makes requests to official VIP.com API endpoints (mapi-pc.vip.com)
✓ Token management is standard and documented
✓ No credential exfiltration observed
✓ No base64/eval/exec patterns found
✓ No curl|bash or remote script execution
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ SKILL.md accurately declares all capabilities