Trusted — Risk Score 5/100
Last scan: 1 day ago
cloudbase
CloudBase is a full-stack development and deployment toolkit for building and launching websites, Web apps, WeChat Mini Programs, and mobile apps with backend, database, hosting, cloud functions, AI capabilities, Agent, and UI guidance.
The CloudBase skill is a legitimate documentation package for the Tencent CloudBase platform; no malicious behavior was found. All code snippets are documentation examples, all URLs point to official/legitimate services, and no security violations were detected.
Skill Name: cloudbase
Duration: 67.4s
Engine: pi
Safe to install
This skill is safe to use. No additional security controls needed.

Findings 2 items

Severity Finding Location
Info
HTML Comment Markers in Deployment Docs (Doc Mismatch)
Found '<!-- INSTRUCTION (AI MUST EXECUTE) -->' markers in agent-deployment.md. These are legitimate documentation markers instructing AI agents on deployment steps, not hidden malicious instructions.
<!-- INSTRUCTION (AI MUST EXECUTE EVERY STEP IN ORDER) -->
→ No action needed - these are documented AI routing markers
references/cloudbase-agent/py/agent-deployment.md:26
Info
Environment Variable References in Documentation (Sensitive Access)
Code examples reference os.environ.get() and process.env for configuration. These are legitimate usage patterns documented for developers setting up CloudBase services.
port = int(os.environ.get("SCF_RUNTIME_PORT", "9000"))
→ No action needed - standard configuration pattern
references/cloudbase-agent/py/skill.md:109
Resource Declared Inferred Status Evidence
Filesystem NONE NONE Documentation-only; no filesystem operations in skill
Network NONE NONE Skill documents API usage; no network operations performed by skill itself
Shell NONE NONE subprocess mentioned only in deployment documentation examples
Environment NONE NONE os.environ.get() documented for configuration purposes only
Skill Invoke NONE NONE Skill references other CloudBase skills for routing
Clipboard NONE NONE No clipboard operations found
Browser NONE NONE No browser automation found
Database NONE NONE Skill documents CloudBase DB usage; no direct database operations
31 findings

File Tree

68 files · 513.5 KB · 17057 lines
Markdown 68f · 17057L
├─ 📁 references
│ ├─ 📁 ai-model-nodejs
│ │ └─ 📝 SKILL.md Markdown 244L · 7.3 KB
│ ├─ 📁 ai-model-web
│ │ └─ 📝 SKILL.md Markdown 178L · 5.2 KB
│ ├─ 📁 ai-model-wechat
│ │ └─ 📝 SKILL.md Markdown 215L · 6.1 KB
│ ├─ 📁 auth-nodejs
│ │ └─ 📝 SKILL.md Markdown 439L · 16.0 KB
│ ├─ 📁 auth-tool
│ │ ├─ 📝 checklist.md Markdown 32L · 1.1 KB
│ │ └─ 📝 SKILL.md Markdown 395L · 10.7 KB
│ ├─ 📁 auth-web
│ │ └─ 📝 SKILL.md Markdown 338L · 10.0 KB
│ ├─ 📁 auth-wechat
│ │ └─ 📝 SKILL.md Markdown 470L · 13.0 KB
│ ├─ 📁 cloud-functions
│ │ ├─ 📁 references
│ │ │ ├─ 📝 event-functions.md Markdown 150L · 3.3 KB
│ │ │ ├─ 📝 http-functions.md Markdown 175L · 4.1 KB
│ │ │ └─ 📝 operations-and-config.md Markdown 166L · 4.4 KB
│ │ ├─ 📝 checklist.md Markdown 26L · 1.1 KB
│ │ ├─ 📝 references.md Markdown 46L · 1.3 KB
│ │ └─ 📝 SKILL.md Markdown 197L · 7.3 KB
│ ├─ 📁 cloud-storage-web
│ │ └─ 📝 SKILL.md Markdown 176L · 4.5 KB
│ ├─ 📁 cloudbase-agent
│ │ ├─ 📁 py
│ │ │ ├─ 📁 references
│ │ │ │ ├─ 📝 observability.md Markdown 415L · 8.6 KB
│ │ │ │ ├─ 📝 recipes.md Markdown 379L · 8.9 KB
│ │ │ │ ├─ 📝 server.md Markdown 146L · 4.7 KB
│ │ │ │ ├─ 📝 storage.md Markdown 312L · 6.7 KB
│ │ │ │ └─ 📝 tools.md Markdown 225L · 4.7 KB
│ │ │ ├─ 📝 adapter-coze.md Markdown 414L · 9.4 KB
│ │ │ ├─ 📝 adapter-development.md Markdown 571L · 16.8 KB
│ │ │ ├─ 📝 adapter-langgraph.md Markdown 611L · 14.3 KB
│ │ │ ├─ 📝 agent-deployment.md Markdown 434L · 14.0 KB
│ │ │ ├─ 📝 authentication.md Markdown 494L · 14.3 KB
│ │ │ ├─ 📝 server-quickstart.md Markdown 457L · 11.1 KB
│ │ │ └─ 📝 skill.md Markdown 245L · 11.8 KB
│ │ ├─ 📁 ts
│ │ │ ├─ 📝 adapter-development.md Markdown 51L · 1.9 KB
│ │ │ ├─ 📝 adapter-langchain.md Markdown 94L · 2.6 KB
│ │ │ ├─ 📝 adapter-langgraph.md Markdown 157L · 5.3 KB
│ │ │ ├─ 📝 agent-deployment.md Markdown 140L · 5.0 KB
│ │ │ ├─ 📝 agui-protocol.md Markdown 93L · 2.3 KB
│ │ │ ├─ 📝 server-quickstart.md Markdown 149L · 3.6 KB
│ │ │ ├─ 📝 skill.md Markdown 86L · 3.7 KB
│ │ │ ├─ 📝 ui-clients.md Markdown 53L · 1.3 KB
│ │ │ └─ 📝 ui-miniprogram.md Markdown 156L · 4.1 KB
│ │ └─ 📝 SKILL.md Markdown 28L · 1.5 KB
│ ├─ 📁 cloudbase-platform
│ │ └─ 📝 SKILL.md Markdown 293L · 15.2 KB
│ ├─ 📁 cloudrun-development
│ │ └─ 📝 SKILL.md Markdown 168L · 6.2 KB
│ ├─ 📁 data-model-creation
│ │ └─ 📝 SKILL.md Markdown 176L · 5.5 KB
│ ├─ 📁 http-api
│ │ ├─ 📝 checklist.md Markdown 23L · 991 B
│ │ └─ 📝 SKILL.md Markdown 487L · 19.2 KB
│ ├─ 📁 miniprogram-development
│ │ ├─ 📁 references
│ │ │ └─ 📝 cloudbase-integration.md Markdown 145L · 5.4 KB
│ │ └─ 📝 SKILL.md Markdown 159L · 6.2 KB
│ ├─ 📁 no-sql-web-sdk
│ │ ├─ 📝 aggregation.md Markdown 384L · 8.5 KB
│ │ ├─ 📝 complex-queries.md Markdown 232L · 5.0 KB
│ │ ├─ 📝 crud-operations.md Markdown 558L · 13.6 KB
│ │ ├─ 📝 geolocation.md Markdown 441L · 11.6 KB
│ │ ├─ 📝 pagination.md Markdown 315L · 8.7 KB
│ │ ├─ 📝 realtime.md Markdown 135L · 3.8 KB
│ │ ├─ 📝 security-rules.md Markdown 894L · 31.8 KB
│ │ └─ 📝 SKILL.md Markdown 155L · 4.5 KB
│ ├─ 📁 no-sql-wx-mp-sdk
│ │ ├─ 📝 aggregation.md Markdown 384L · 8.5 KB
│ │ ├─ 📝 complex-queries.md Markdown 232L · 5.0 KB
│ │ ├─ 📝 crud-operations.md Markdown 523L · 11.8 KB
│ │ ├─ 📝 geolocation.md Markdown 441L · 11.6 KB
│ │ ├─ 📝 pagination.md Markdown 315L · 8.7 KB
│ │ ├─ 📝 security-rules.md Markdown 63L · 1.8 KB
│ │ └─ 📝 SKILL.md Markdown 130L · 4.3 KB
│ ├─ 📁 relational-database-tool
│ │ └─ 📝 SKILL.md Markdown 193L · 7.8 KB
│ ├─ 📁 relational-database-web
│ │ └─ 📝 SKILL.md Markdown 133L · 3.6 KB
│ ├─ 📁 spec-workflow
│ │ └─ 📝 SKILL.md Markdown 155L · 4.7 KB
│ ├─ 📁 ui-design
│ │ ├─ 📝 checklist.md Markdown 23L · 838 B
│ │ └─ 📝 SKILL.md Markdown 322L · 14.3 KB
│ └─ 📁 web-development
│   ├─ 📝 browser-testing.md Markdown 31L · 1.1 KB
│   ├─ 📝 frameworks.md Markdown 26L · 1.4 KB
│   └─ 📝 SKILL.md Markdown 131L · 5.7 KB
└─ 📝 SKILL.md Markdown 433L · 24.7 KB

Security Positives

✓ Documentation-only skill with no executable code files
✓ All code snippets are example patterns with placeholder values
✓ No credential harvesting, data exfiltration, or C2 communication
✓ All external URLs point to official Tencent CloudBase and legitimate third-party services (OpenAI, Coze, Sentry)
✓ No obfuscation, base64 execution, or anti-analysis techniques
✓ Standard JWT parsing (atob for base64 decode of JWT payload) is legitimate
✓ HTML comments are documented AI instruction markers, not hidden malicious code
✓ Pre-scan flagged no scripts, no .env files, no sensitive file access