Trusted: risk score 5/100
Last scanned: 2 days ago
velora-chat
Chat with AI companions on Velora (velora.cloudm8.net)
Legitimate browser automation script for testing Velora AI companion platform. All functionality is declared in SKILL.md with no hidden behavior, credential exfiltration, or suspicious network activity.
Skill name: velora-chat
Analysis time: 25.0s
Engine: pi
OK to install
This skill is safe to use. Ensure users don't share credentials in shared environments and consider using test accounts instead of production credentials.

Security findings: 2

Severity Finding Location
Low
Browser capability not explicitly declared in SKILL.md
The skill uses Playwright's chromium.launch() which requires browser WRITE control, but SKILL.md only mentions 'browser automation' without specifying the required permission level.
Requires Playwright and Chromium for browser automation.
→ Add explicit declaration: 'browser:WRITE (required for Playwright chromium.launch)'
SKILL.md:5
Info
Credentials passed via CLI arguments
The script accepts email/password as command-line arguments which may be visible in process listings.
node scripts/velora-chat.js <email> <password>
→ Consider documenting that environment variables are the preferred method for credential passing
scripts/velora-chat.js:68
Resource type | Declared permission | Inferred permission | Status | Evidence
Network access | READ | READ | ✓ Consistent | SKILL.md:47, scripts/velora-chat.js:24 - Only connects to velora.cloudm8.net
Browser | READ | WRITE | ✓ Consistent | scripts/velora-chat.js:16 - Uses chromium.launch() which requires browser contro…
File system | NONE | NONE | | No file operations detected
Command execution | NONE | NONE | | No shell commands executed
Environment variables | READ | READ | ✓ Consistent | SKILL.md documents VELORA_EMAIL/VELORA_PASSWORD usage
4 findings
Medium: External URL
https://velora.cloudm8.net/login
SKILL.md:100
Info: Email address
[email protected]
SKILL.md:33
Info: Email address
[email protected]
SKILL.md:54
Info: Email address
[email protected]
scripts/velora-chat.js:71

Directory structure

3 files · 7.9 KB · 268 lines
Markdown 2f · 197L JavaScript 1f · 71L
├─ 📁 references
│ └─ 📝 companions.md Markdown 40L · 1.6 KB
├─ 📁 scripts
│ └─ 📜 velora-chat.js JavaScript 71L · 2.4 KB
└─ 📝 SKILL.md Markdown 157L · 3.9 KB

Dependency analysis: 1 item

Package | Version | Source | Known vulnerabilities | Notes
playwright | * | npm | | Version not pinned in documentation

Security highlights

✓ No credential exfiltration or transmission to third parties
✓ All network activity limited to declared velora.cloudm8.net domain
✓ No shell execution, subprocess calls, or eval() usage
✓ No file system access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No base64-encoded payloads or obfuscated code
✓ No hidden functionality or steganography in comments
✓ Credentials documented as user-provided only
✓ Clear SKILL.md documentation of intended behavior