Scan Report
22 /100
api-translator
將 API 文檔翻譯成繁體中文
Skill provides legitimate API translation but uses undocumented shell execution via subprocess to invoke web_fetch CLI, creating a minor doc-to-code mismatch without actual malicious behavior.
Safe to install
Add explicit declaration of shell execution and subprocess usage in SKILL.md capabilities section. Implement the documented --format, --preserve-code, and --taiwan parameters in the scripts.
Findings 2 items
| Severity | Finding | Location |
|---|---|---|
| Low | Undocumented Shell Execution via Subprocess Doc Mismatch | scripts/api-translator.py:17 |
| Low | Documented Parameters Not Implemented Doc Mismatch | SKILL.md:48 |
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Network | READ | READ | ✓ Aligned | SKILL.md declares web_fetch tool usage |
| Shell | NONE | WRITE | ✗ Violation | scripts/api-translator.py:17 uses subprocess.run() |
| Filesystem | NONE | NONE | — | No filesystem access in scripts |
| Environment | NONE | NONE | — | No environment variable access |
| Skill Invoke | NONE | NONE | — | No skill invocation |
2 findings
Medium External URL 外部 URL
https://platform.openai.com/docs/api-reference/introduction SKILL.md:76 Medium External URL 外部 URL
https://api.example.com/docs scripts/api-translator.py:23 File Tree
4 files · 3.9 KB · 172 lines Markdown 1f · 82L
Python 1f · 50L
Shell 1f · 33L
JSON 1f · 7L
├─
▾
scripts
│ ├─
api-translator.py
Python
│ └─
api-translator.sh
Shell
├─
_meta.json
JSON
└─
SKILL.md
Markdown
Security Positives
✓ No credential theft or harvesting behavior observed
✓ No sensitive file/path access (no ~/.ssh, ~/.aws, .env)
✓ No data exfiltration to external IPs
✓ No obfuscation techniques (base64, eval, etc.)
✓ No curl|bash or wget|sh remote script execution
✓ No malicious dependencies detected
✓ web_fetch tool usage is properly declared in documentation
✓ Scripts are straightforward wrappers without hidden functionality