中文 EN

扫描报告

扫描新文件

低风险 — 风险评分 15/100
上次扫描:2 天前 重新扫描
15 /100
vipshop-product-detail
唯品会商品详情查询技能 - VIP.com product detail query skill
This is a legitimate VIP.com product detail query skill with declared network access and token storage. One unused hardcoded placeholder IP address (120.0.0.0) found but not used for any network connections.
技能名称vipshop-product-detail
分析耗时25.6s
引擎pi
可以安装
Remove the unused hardcoded IP placeholder (120.0.0.0) at line 56 for code cleanliness. Otherwise, the skill is safe to use.

安全发现 1 项

严重性 安全发现 位置
低危
Unused hardcoded placeholder IP address
Line 56 contains hardcoded IP '120.0.0.0' which is a reserved IP and appears to be an unused placeholder. No network requests are made to this address.
# placeholder IP reference
→ Remove the unused hardcoded IP to clean up the code. This does not pose a security risk as it's not used for any network communication.
 scripts/detail.py:56
资源类型声明权限推断权限状态证据
文件系统 READ READ ✓ 一致 SKILL.md:56 ~/.vipshop-user-login/tokens.json
网络访问 READ READ ✓ 一致 SKILL.md:64 mapi-pc.vip.com API endpoints
1 高危 10 项发现
📡
高危 IP 地址 硬编码 IP 地址
120.0.0.0
scripts/detail.py:56
🔗
中危 外部 URL 外部 URL
https://img.vip.vip.com/xxxxx.jpg
README.md:86
🔗
中危 外部 URL 外部 URL
https://detail.vip.com/detail-123456-6921714935983149512.html
README.md:126
🔗
中危 外部 URL 外部 URL
https://mapi-pc.vip.com/vips-mobile/rest/shopping/skill/detail/main/v6
README.md:341
🔗
中危 外部 URL 外部 URL
https://detail.vip.com/xxx?f=AIClaw
SKILL.md:47
🔗
中危 外部 URL 外部 URL
https://www.vip.com/
scripts/detail.py:59
🔗
中危 外部 URL 外部 URL
https://www.vip.com
scripts/detail.py:60
🔗
中危 外部 URL 外部 URL
https://mapi-pc.vip.com/vips-mobile/rest/shopping/skill/detail/more/v2
scripts/detail.py:177
🔗
中危 外部 URL 外部 URL
https://detail.vip.com/detail-$
scripts/detail.py:416
🔗
中危 外部 URL 外部 URL
https://detail.vip.com/detail-
scripts/detail.py:419

目录结构

3 文件 · 42.6 KB · 1127 行
Markdown 2f · 607L Python 1f · 520L
├─ 📁 scripts
│ └─ 🐍 detail.py Python 520L · 21.5 KB
├─ 📝 README.md Markdown 399L · 12.7 KB
└─ 📝 SKILL.md Markdown 208L · 8.4 KB

安全亮点

✓ No shell execution (subprocess, os.system) detected
✓ No credential exfiltration or data theft patterns
✓ No base64 encoded payloads or obfuscated code
✓ No reverse shell or C2 communication patterns
✓ Network requests target only legitimate vip.com domains
✓ Token storage location declared in SKILL.md
✓ Uses only Python standard library (urllib, json, pathlib)
✓ No sensitive path access beyond declared token file
✓ No hidden functionality beyond documentation