Scan Report
5/100
guoshun-bid-doc-analyzer
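Guoshun bidding document analysis skill, dedicated to Jiangsu Guoshun Intelligent Technology Co., Ltd. Automatically analyzes bidding documents (PDF) and outputs a structured bid decision-support report.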
A legitimate Chinese bidding document analyzer skill with no security issues. The skill uses pdfplumber to extract PDF text and generates structured tender/bid analysis reports for a construction company.
Safe to install
No action required. The skill is safe to deploy and use.
Findings (1 item)
| Severity | Finding | Location |
|---|---|---|
| Low | Dependency not pinned in SKILL.md (Supply Chain) | SKILL.md:190 |

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ | ✓ Aligned | SKILL.md states PDF file upload; extract_pdf.py reads PDF files only |
| Network | NONE | NONE | — | No network requests found in any file |
| Shell | NONE | NONE | — | No subprocess or shell execution in scripts/extract_pdf.py |
| Environment | NONE | NONE | — | No os.environ access in Python script |
| Skill Invoke | READ | READ | ✓ Aligned | SKILL.md documents invocation via user file upload |

File Tree
3 files · 23.8 KB · 696 lines (Markdown: 2 files, 631 lines; Python: 1 file, 65 lines)
├─ references/
│  └─ sample-projects.md (Markdown)
├─ scripts/
│  └─ extract_pdf.py (Python)
└─ SKILL.md (Markdown)

Dependencies (1 item)
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| pdfplumber | * | pip | No | Not pinned; ImportError handled gracefully |

Security Positives
✓ No credential access or harvesting detected
✓ No network requests or data exfiltration
✓ No shell execution or code obfuscation
✓ Documentation accurately reflects the Python script's functionality
✓ No suspicious file paths accessed (~/.ssh, ~/.aws, .env)
✓ Clean Python code with no high-risk patterns (base64, eval, subprocess)
✓ References sample projects for legitimate business context
✓ Skill is scoped to PDF analysis only with no hidden functionality