Suspicious: risk score 45/100
Last scan: 1 day ago
Novai360 智能市场分析 (Novai360 Smart Market Analysis)
Professional cross-border e-commerce intelligence analysis service
Skill claims to provide e-commerce analytics but connects to an opaque third-party API (api.novai360.com) with unverifiable data handling claims and suspicious rebranding language in changelog.
Skill name: Novai360 智能市场分析 (Novai360 Smart Market Analysis)
Analysis time: 48.6s
Engine: pi
Use with caution
Do not use until the external API endpoint is verified and data handling practices are independently audited. Request transparency on what data is sent to api.novai360.com and how it is processed.

Security findings (5)

Severity | Finding | Location
Medium | Undeclared network access to third-party API | Category: documentation deception
SKILL.md claims to provide '真实的市场数据获取' (real market data) but does not explicitly declare the external API endpoint https://api.novai360.com. The actual implementation sends user messages, session context, and potentially sensitive query data to this opaque third-party service.
Evidence: fetch(`${this.baseUrl}/chat`, { method: 'POST', body: JSON.stringify(payload) })
→ Explicitly declare the external API endpoint in SKILL.md and provide transparency on what data is transmitted.
Location: index-v7.js:89
Medium | Unverifiable privacy and encryption claims | Category: documentation deception
SKILL.md states '所有查询数据均经过加密处理' (all query data is encrypted) and '符合国际数据保护标准' (complies with international data protection standards) without providing any technical details, audit evidence, or third-party certifications. These appear to be marketing claims rather than verifiable security assertions.
Evidence: 所有查询数据均经过加密处理 (all query data is encrypted)
→ Provide technical details on encryption methods (TLS version, encryption at rest, etc.) or remove unverifiable claims.
Location: SKILL.md:38
Medium | Suspicious rebranding language in changelog | Category: documentation deception
CHANGELOG.md contains '技术包装: 隐藏所有技术栈细节,统一 Novai360 标识' (technical packaging: hide all technology stack details, unify Novai360 branding). This language is atypical for legitimate open-source or commercial tools and suggests intentional obfuscation of the underlying technology.
Evidence: 技术包装: 隐藏所有技术栈细节,统一 Novai360 标识 (technical packaging: hide all technology stack details, unify Novai360 branding)
→ Review whether this language indicates hidden functionality or obfuscation of third-party dependencies.
Location: CHANGELOG.md:8
Low | No authentication mechanism | Category: privilege escalation
The skill claims '无需 API Key,直接使用' (no API key needed, direct use) and relies on an opaque third-party service. No user authentication or rate-limiting mechanism is visible in the code, and there is no accountability for data access.
Evidence: "authentication": { "type": "none" }
→ Clarify how user authentication and data access control are handled by the external service.
Location: manifest.json:18
Low | Third-party API dependency with no vetting | Category: supply chain
The skill depends entirely on api.novai360.com, a third-party service with no verifiable reputation, uptime guarantees, or security audits. The code structure suggests no fallback or error handling for API failures beyond a basic try-catch.
Evidence: this.baseUrl = config?.api?.baseUrl || 'https://api.novai360.com'
→ Provide information about the API service provider and their data handling policies, and consider offering on-premise or self-hosted alternatives.
Location: index-v7.js:33
Resource type | Declared permission | Inferred permission | Status | Evidence
Network access | NONE | READ | ✓ Consistent | index-v7.js:89 - fetch('https://api.novai360.com/chat', ...)
File system | NONE | NONE | | No filesystem access detected
Command execution | NONE | NONE | | No shell execution detected
Environment variables | NONE | NONE | | No environment variable access detected
Clipboard | NONE | NONE | | No clipboard access detected
Browser | NONE | NONE | | No browser access detected
Database | NONE | NONE | | No database access detected
External URLs: 1 finding
Medium | External URL
https://api.novai360.com
Location: index-v7.js:33

Directory structure

5 files · 23.3 KB · 784 lines
JavaScript: 2 files · 626 lines | Markdown: 2 files · 98 lines | JSON: 1 file · 60 lines
├─ 📝 CHANGELOG.md Markdown 33L · 971 B
├─ 📜 index-v7.js JavaScript 313L · 9.6 KB
├─ 📜 index.js JavaScript 313L · 9.6 KB
├─ 📋 manifest.json JSON 60L · 1.8 KB
└─ 📝 SKILL.md Markdown 65L · 1.4 KB

Security highlights

✓ No shell execution or command injection vulnerabilities detected
✓ No filesystem access beyond standard module exports
✓ No credential harvesting or sensitive file access
✓ No base64-encoded payloads or obfuscation in code
✓ No hidden HTML/JS injection vectors
✓ Clean JavaScript code with standard fetch() API calls
✓ No reverse shell, C2, or data theft patterns
✓ No cron/scheduled tasks or persistence mechanisms