Low Risk — Risk Score 12/100
Last scan: 2 days ago
fanli
Product link conversion and cross-platform price comparison assistant
Legitimate shopping assistant skill for converting product links to affiliate links and comparing prices across platforms. All capabilities are documented and aligned with expected behavior.
Skill Name: fanli
Duration: 36.6s
Engine: pi
Safe to install
Safe to use. The skill requires FX_AI_API_KEY for fenxiang-ai platform authentication and sends product links to an external API for processing, which is expected functionality.

Findings (2 items)

Severity | Finding | Location

Low | Documentation inconsistency | README.md:70
README.md lists 'Python 3' and 'curl' as dependencies, but the actual scripts are Node.js (ES modules with the .mjs extension). SKILL.md correctly specifies 'Node.js 18+'.
  - Python 3
  - curl
→ Update README.md to list the Node.js 18+ dependency instead of Python 3 and curl

Info | External dependency on fx-base | scripts/convert.mjs:11
The script imports fx-api.mjs from the fx-base sibling directory. The path is resolved relative to the skill's own script directory, and the import is not pinned to a version or a hash, so whatever file sits at that location at run time is what gets loaded. If fx-base is compromised, this skill is affected with it.
  const _fxApiPath = join(_scriptDir, '../../fx-base/scripts/fx-api.mjs')
→ Ensure fx-base comes from a trusted source and is verified before the skill loads it
Resource | Declared | Inferred | Status | Evidence
Shell | WRITE | WRITE | ✓ Aligned | Bash(node {baseDir}/scripts/run.mjs:*) - uses spawn for Node.js script execution
Filesystem | READ | READ | ✓ Aligned | Read({baseDir}/**) - reads templates and reference files
Network | READ | READ | ✓ Aligned | Makes API calls to api-ai-brain.fenxianglife.com - declared in SKILL.md
Environment | READ | READ | ✓ Aligned | Accesses FX_AI_API_KEY - declared in metadata.requires.env
External URLs (10 findings)

All 10 are Medium-severity "External URL" findings:

Severity | Finding | URL | Location
Medium | External URL | https://img.shields.io/badge/ClawHub-fanli-blue | README.md:3
Medium | External URL | https://clawhub.ai/fangshan101-coder/fanli | README.md:3
Medium | External URL | https://platform.fenxiang-ai.com/docs | README.md:21
Medium | External URL | https://u.jd.com/xxx | README.md:40
Medium | External URL | https://platform.fenxiang-ai.com/ | SKILL.md:24
Medium | External URL | https://api-ai-brain.fenxianglife.com | SKILL.md:25
Medium | External URL | https://e.tb.cn/h.iWHhFu8oHNytYbb | references/convert-output.md:91
Medium | External URL | https://img.alicdn.com/bao/uploaded/i3/3937219703/O1CN01C9uNI52LY28zuHGyn.jpg | references/convert-output.md:101
Medium | External URL | https://s.click.taobao.com/na6oIkm | references/convert-output.md:117
Medium | External URL | https://e.tb.cn/h.xxx | scripts/compare-price.mjs:34

File Tree

7 files · 23.0 KB · 731 lines
Markdown: 4 files, 371 lines · JavaScript: 3 files, 360 lines
├─ 📁 references
│ ├─ 📝 compare-price-output.md Markdown 39L · 1.1 KB
│ └─ 📝 convert-output.md Markdown 148L · 4.5 KB
├─ 📁 scripts
│ ├─ 📜 compare-price.mjs JavaScript 116L · 3.6 KB
│ ├─ 📜 convert.mjs JavaScript 112L · 3.3 KB
│ └─ 📜 run.mjs JavaScript 132L · 3.9 KB
├─ 📝 README.md Markdown 87L · 2.0 KB
└─ 📝 SKILL.md Markdown 97L · 4.6 KB

Dependencies (2 items)

Package | Version | Source | Known Vulns | Notes
fx-base | * | local sibling directory | No | External library imported at runtime
Node.js 18+ | 18+ | system | No | Built-in fetch API used for HTTP requests

Security Positives

✓ All capabilities declared in SKILL.md match actual implementation
✓ No credential harvesting beyond required API key (expected for authentication)
✓ No data exfiltration beyond normal API functionality
✓ No base64, eval, or suspicious code patterns detected
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ Data flow clearly documented (product links → external API)
✓ No remote script execution (curl|bash, wget|sh patterns)
✓ Error handling properly implemented with user-friendly messages