扫描报告
5 /100
q-wms
千易 SaaS 智能助手(WMS/ERP),负责库存、仓库、货主、库存日志、订单池、订单/任务/库内绩效/进销存(新)查询
This is a legitimate WMS/ERP business intelligence skill for warehouse management queries. The implementation uses standard OAuth device-code authorization flow, caches tokens to disk for session persistence, and forwards business requests to a named backend service. No malicious indicators detected.
可以安装
This skill is safe to use. No security concerns require action.
| 资源类型 | 声明权限 | 推断权限 | 状态 | 证据 |
|---|---|---|---|---|
| 文件系统 | NONE | READ | ✓ 一致 | index.js:26 — reads package.json and config.runtime.json from plugin directory |
| 网络访问 | READ | READ | ✓ 一致 | index.js:262 — postJson() calls backend API endpoints with scene/params payload |
| 命令执行 | NONE | NONE | — | No shell execution in runtime JS; scripts/ are build-time only |
2 项发现
中危 外部 URL 外部 URL
http://qlink-portal-test.800best.com README.md:64 中危 外部 URL 外部 URL
http://qlink-portal.800best.com README.md:71 目录结构
11 文件 · 62.6 KB · 1865 行 JavaScript 1f · 1031L
Markdown 3f · 552L
Shell 3f · 195L
JSON 4f · 87L
├─
▾
config
│ ├─
production.json
JSON
│ └─
test.json
JSON
├─
▾
plugin
│ └─
▾
q-wms-flow
│ ├─
index.js
JavaScript
│ ├─
openclaw.plugin.json
JSON
│ ├─
package.json
JSON
│ └─
README.md
Markdown
├─
▾
scripts
│ ├─
build.sh
Shell
│ ├─
install_complete.sh
Shell
│ └─
publish_skill.sh
Shell
├─
README.md
Markdown
└─
SKILL.md
Markdown
安全亮点
✓ No base64-encoded execution, eval(), or atob() usage
✓ No direct IP network requests — uses DNS-named endpoints (qlink-portal-test.800best.com)
✓ No credential harvesting from environment variables or sensitive paths
✓ No curl|bash or wget|sh remote script execution
✓ No hidden instructions in comments or HTML
✓ No access to ~/.ssh, ~/.aws, .env, or similar sensitive paths
✓ Standard OAuth device-code authorization flow with proper token management
✓ Auth tokens scoped to plugin-specific storage (not global)
✓ Version check mechanism prevents use of outdated plugin versions
✓ No third-party dependencies with known vulnerabilities