扫描报告
10 /100
quick-music
轻量快捷的音乐搜索工具。一条命令搜歌、拿播放链接,零依赖即开即用。
A simple music search tool that makes HTTP requests to two declared APIs and prints results — no malicious behavior, shell execution, credential access, or hidden functionality detected.
可以安装
The skill is safe to use. The sole IOC (IP 146.0.0.0) is a false positive: it is part of the Chrome browser version string in the User-Agent header, not a hard-coded C2 IP. No action required.
安全发现 2 项
| 严重性 | 安全发现 | 位置 |
|---|---|---|
| 低危 | API endpoints not declared in SKILL.md | scripts/quick-music.js:9 |
| 提示 | Pre-scan IOC is a false positive | scripts/quick-music.js:24 |
| 资源类型 | 声明权限 | 推断权限 | 状态 | 证据 |
|---|---|---|---|---|
| 文件系统 | NONE | NONE | — | scripts/quick-music.js — no fs module imported or used |
| 网络访问 | NONE | READ | ✓ 一致 | scripts/quick-music.js:9-10 — fetch() calls to two external APIs; not declared i… |
| 命令执行 | NONE | NONE | — | scripts/quick-music.js — no child_process or exec usage |
| 环境变量 | NONE | NONE | — | No os.environ access in the script |
| 技能调用 | NONE | NONE | — | No inter-skill invocation |
| 剪贴板 | NONE | NONE | — | No clipboard access |
| 浏览器 | NONE | NONE | — | No browser automation |
| 数据库 | NONE | NONE | — | No database access |
1 高危 3 项发现
高危 IP 地址 硬编码 IP 地址
146.0.0.0 scripts/quick-music.js:24 中危 外部 URL 外部 URL
https://kw-api.cenguigui.cn/ scripts/quick-music.js:9 中危 外部 URL 外部 URL
https://api.xcvts.cn/api/music/migu scripts/quick-music.js:10 目录结构
2 文件 · 5.1 KB · 159 行 JavaScript 1f · 118L
Markdown 1f · 41L
├─
▾
scripts
│ └─
quick-music.js
JavaScript
└─
SKILL.md
Markdown
安全亮点
✓ Zero dependencies as advertised — no npm packages or external libraries imported
✓ No shell execution or command injection vectors
✓ No credential or environment variable access
✓ No file system operations
✓ No obfuscation, base64, or eval patterns
✓ Code behavior matches the SKILL.md description (music search + play URL retrieval)
✓ No sensitive file paths (~/.ssh, ~/.aws, .env) accessed