中文 EN

扫描报告

扫描新文件

低风险 — 风险评分 25/100
上次扫描:20 小时前 重新扫描
25 /100
file-download-server
快速搭建临时文件下载服务器,支持HTTP下载、美观的下载页面、防火墙端口自动开放
A legitimate HTTP file download server with hardcoded IP address in documentation but no malicious code or hidden behavior detected.
技能名称file-download-server
分析耗时48.8s
引擎pi
可以安装
Remove the hardcoded IP address (81.70.47.140) from QUICKSTART.md and replace with a placeholder. Otherwise, the skill's functionality is straightforward and its capabilities are properly documented.

安全发现 3 项

严重性 安全发现 位置
中危
Hardcoded IP address in documentation 文档欺骗
references/QUICKSTART.md contains a hardcoded IP address 81.70.47.140 as an example download URL. While this appears to be a tutorial example, it raises questions about whether the author tested this skill against their own infrastructure. No code in any script actually connects to this IP.
print("📥 请访问: http://81.70.47.140:4000/")
→ Replace the hardcoded IP with a placeholder like 'YOUR_SERVER_IP' in the documentation to avoid implying a fixed remote endpoint.
 references/QUICKSTART.md:57
低危
Undeclared shell WRITE for iptables 权限提升
Both open_port.py and start_server.py execute iptables commands via subprocess with root privileges. This shell:WRITE capability is not explicitly declared in the SKILL.md capability section, though it is mentioned in the script parameter descriptions.
subprocess.run(["iptables", "-I", "INPUT", "-p", "tcp", "--dport", str(port), "-j", "ACCEPT"])
→ Add 'shell: WRITE' to the declared allowed-tools mapping and clarify that iptables requires root/sudo privileges.
 scripts/open_port.py:25
低危
os.chdir() modifies process working directory 权限提升
start_server.py calls os.chdir(args.directory) which changes the process working directory. This is a filesystem WRITE-level side effect not explicitly declared.
os.chdir(args.directory)
→ Document that the server changes its working directory to the shared folder.
 scripts/start_server.py:38
资源类型声明权限推断权限状态证据
文件系统 READ READ ✓ 一致 os.path.isdir/isfile checks, os.listdir for directory listing
文件系统 NONE WRITE ✓ 一致 generate_index.py writes HTML files; start_server.py calls os.chdir()
命令执行 NONE WRITE ✓ 一致 open_port.py:25 subprocess.run iptables; start_server.py:49,71 subprocess calls
网络访问 READ READ ✓ 一致 http.server serves files on TCP port (inbound), no outbound network calls except…
环境变量 NONE NONE No access to os.environ for credentials
1 高危 5 项发现
📡
高危 IP 地址 硬编码 IP 地址
81.70.47.140
references/QUICKSTART.md:57
🔗
中危 外部 URL 外部 URL
http://your-server-ip:4000/
SKILL.md:74
🔗
中危 外部 URL 外部 URL
http://your-ip:8080/
SKILL.md:83
🔗
中危 外部 URL 外部 URL
https://netfilter.org/projects/iptables/
SKILL.md:210
🔗
中危 外部 URL 外部 URL
http://81.70.47.140:4000/
references/QUICKSTART.md:57

目录结构

6 文件 · 18.5 KB · 682 行
Python 3f · 347L Markdown 2f · 330L JSON 1f · 5L
├─ 📁 references
│ └─ 📝 QUICKSTART.md Markdown 120L · 2.7 KB
├─ 📁 scripts
│ ├─ 🐍 generate_index.py Python 216L · 6.5 KB
│ ├─ 🐍 open_port.py Python 45L · 1.3 KB
│ └─ 🐍 start_server.py Python 86L · 2.7 KB
├─ 📋 _meta.json JSON 5L · 139 B
└─ 📝 SKILL.md Markdown 210L · 5.2 KB

安全亮点

✓ No obfuscation detected — all code is plain, readable Python
✓ No credential theft or environment variable enumeration
✓ No base64, eval, or anti-analysis techniques
✓ No external dependencies — uses only Python standard library (no supply chain risk)
✓ All core functionality (HTTP server, HTML generation, firewall config) is declared in SKILL.md
✓ No network exfiltration or C2 communication in code
✓ Server binds to 0.0.0.0 (standard for file serving) and serves only the specified directory
✓ Download links in SKILL.md use placeholders (your-server-ip) rather than hardcoded IPs