Scan Report
This report was generated in Chinese. Some content may be in Chinese.
15/100
markdown-ai-rewriter
A Markdown AI rewriting Skill built on markdown-ai-rewriter (preserves structure, section/full-document modes, multiple models)
Legitimate Markdown AI rewriting tool; the supply-chain risk is declared, the code's behaviour matches its documentation, and no malicious behaviour was found
Safe to install
Before use, make sure the npm registry is trusted, and periodically review the update history of the markdown-ai-rewriter package
Findings (2 items)
| Severity | Finding | Location |
|---|---|---|
| Medium | Supply-chain dependency: dynamic pull via npx (Supply Chain) | scripts/run.js:17 |
| Low | Access to the configuration directory (Sensitive Access) | config.json:41 |
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ+WRITE | READ+WRITE | ✓ Aligned | config.json:permissions.filesystem - reads *.md files, writes to ~/.markdown-ai-rewriter/ |
| Network | READ | READ | ✓ Aligned | config.json:permissions.network - restricted to AI provider domains only |
| Shell | NONE | WRITE | ✓ Aligned | scripts/run.js:17 - spawnSync executes npx; declared as wrapper behaviour |
5 findings

| Severity | Type | Value | Location |
|---|---|---|---|
| Medium | External URL | https://www.npmjs.com/package/markdown-ai-rewriter | README.md:3 |
| Medium | External URL | https://api.minimaxi.com/v1 | README.md:71 |
| Medium | External URL | https://your-resource.openai.azure.com | README.md:117 |
| Info | Email address | [email protected] | README.md:20 |
| Info | Email address | [email protected] | README.md:153 |

File Tree
5 files · 24.7 KB · 720 lines (Markdown: 2 files · 521 lines; JavaScript: 2 files · 100 lines; JSON: 1 file · 99 lines)

├─ scripts/
│  ├─ postinstall.js (JavaScript)
│  └─ run.js (JavaScript)
├─ config.json ⚠ (JSON)
├─ README.md (Markdown)
└─ SKILL.md (Markdown)
Dependencies (1 item)
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| markdown-ai-rewriter | ^1.1.3 | npm (npx dynamic pull) | No | Pulled dynamically via npx, not pre-installed locally; config.json declares the supply-chain risk |
Security Positives
✓ Supply-chain risk is explicitly declared in config.json (riskLevel: moderate)
✓ Code logic is simple and clear: it is only an npx wrapper, with no complex logic
✓ Permission declarations are complete and match the actual functionality
✓ Network access is restricted to a whitelist of AI provider domains
✓ Supports 11+ model providers; high transparency
✓ GitHub repository is auditable; MIT license