中文 EN

Scan Report

Scan New Files

Suspicious — Risk Score 50/100
Last scan:23 hr ago Rescan
50 /100
chinese-bank-forex-rates
Use when you need the latest bank forex rates from major Chinese banks
SKILL.md declares forex rate fetching with a node index.js invocation, but no implementation code (index.js) exists in the repository—creating a significant doc-to-code mismatch.
Skill Namechinese-bank-forex-rates
Duration30.9s
Enginepi
Use with caution
Do not use this skill until the implementation is provided and verified. The missing index.js file means the skill cannot perform its documented function.

Attack Chain 3 steps

Escalation Skill published with SKILL.md claiming forex rate fetching capability
SKILL.md:1
Escalation No implementation code (index.js) delivered despite documented invocation
N/A
Escalation Cannot determine actual functionality—skill is incomplete or code was withheld
N/A

Findings 2 items

Severity Finding Location
High
Missing implementation file Doc Mismatch
SKILL.md declares the skill fetches Chinese bank forex rates and shows an invocation command 'node index.js --bank ...', but no index.js file exists in the repository. The only files present are SKILL.md and package.json.
node index.js --bank 中国银行 --currencies 美元,EUR
→ Request the full implementation code before using this skill. A published skill with no code is either incomplete or potentially malicious placeholder.
 SKILL.md:48
Medium
Repository claims executable code Doc Mismatch
package.json and SKILL.md reference Node.js execution (engines.node: '>=18.3' and 'node index.js' command) but no JavaScript source files are present. This creates uncertainty about what the skill actually does.
"engines": { "node": ">=18.3" }
→ Verify the repository contains all necessary source files. An npm package with no actual code is non-functional and suspicious.
 package.json:9
ResourceDeclaredInferredStatusEvidence
Filesystem NONE NONE No code files present to analyze
Network NONE NONE No code files present to analyze
Shell NONE NONE No code files present to analyze
Environment NONE NONE No code files present to analyze
Skill Invoke NONE NONE No code files present to analyze
Clipboard NONE NONE No code files present to analyze
Browser NONE NONE No code files present to analyze
Database NONE NONE No code files present to analyze

File Tree

2 files · 2.0 KB · 62 lines
Markdown 1f · 48L JSON 1f · 14L
├─ 📋 package.json JSON 14L · 423 B
└─ 📝 SKILL.md Markdown 48L · 1.5 KB

Security Positives

✓ No credential theft patterns observed (no code to analyze)
✓ No network exfiltration detected (no code to analyze)
✓ No obfuscation techniques found (no code to analyze)
✓ No sensitive file access attempted (no code to analyze)
✓ package.json has MIT license and links to a public GitHub repository
✓ No environment variable harvesting observed