Trusted — Risk Score 5/100
Last scan: 1 day ago
q-wms
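千易 SaaS intelligent assistant (WMS/ERP), responsible for queries on inventory, warehouses, cargo owners, inventory logs, the order pool, and orders/tasks/in-warehouse performance/purchase-sales-inventory (new)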
This is a legitimate WMS/ERP business intelligence skill for warehouse management queries. The implementation uses standard OAuth device-code authorization flow, caches tokens to disk for session persistence, and forwards business requests to a named backend service. No malicious indicators detected.
Skill Name: q-wms
Duration: 34.1s
Engine: pi
Safe to install
This skill is safe to use. No security concerns require action.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | READ | ✓ Aligned | index.js:26 — reads package.json and config.runtime.json from plugin directory |
| Network | READ | READ | ✓ Aligned | index.js:262 — postJson() calls backend API endpoints with scene/params payload |
| Shell | NONE | NONE | | No shell execution in runtime JS; scripts/ are build-time only |
2 findings
Medium · External URL · http://qlink-portal-test.800best.com · README.md:64
Medium · External URL · http://qlink-portal.800best.com · README.md:71

File Tree

11 files · 62.6 KB · 1865 lines
JavaScript 1f · 1031L Markdown 3f · 552L Shell 3f · 195L JSON 4f · 87L
├─ 📁 config
│ ├─ 📋 production.json JSON 9L · 239 B
│ └─ 📋 test.json JSON 9L · 260 B
├─ 📁 plugin
│ └─ 📁 q-wms-flow
│   ├─ 📜 index.js JavaScript 1031L · 35.3 KB
│   ├─ 📋 openclaw.plugin.json JSON 38L · 1.3 KB
│   ├─ 📋 package.json JSON 31L · 633 B
│   └─ 📝 README.md Markdown 75L · 2.0 KB
├─ 📁 scripts
│ ├─ 🔧 build.sh Shell 76L · 1.9 KB
│ ├─ 🔧 install_complete.sh Shell 63L · 1.5 KB
│ └─ 🔧 publish_skill.sh Shell 56L · 1.6 KB
├─ 📝 README.md Markdown 235L · 4.3 KB
└─ 📝 SKILL.md Markdown 242L · 13.5 KB

Security Positives

✓ No base64-encoded execution, eval(), or atob() usage
✓ No direct IP network requests — uses DNS-named endpoints (qlink-portal-test.800best.com)
✓ No credential harvesting from environment variables or sensitive paths
✓ No curl|bash or wget|sh remote script execution
✓ No hidden instructions in comments or HTML
✓ No access to ~/.ssh, ~/.aws, .env, or similar sensitive paths
✓ Standard OAuth device-code authorization flow with proper token management
✓ Auth tokens scoped to plugin-specific storage (not global)
✓ Version check mechanism prevents use of outdated plugin versions
✓ No third-party dependencies with known vulnerabilities