Suspicious: risk score 50/100
Last scanned: 1 day ago
chinese-bank-forex-rates
Use when you need the latest bank forex rates from major Chinese banks
SKILL.md declares forex rate fetching with a node index.js invocation, but no implementation code (index.js) exists in the repository—creating a significant doc-to-code mismatch.
Skill name: chinese-bank-forex-rates
Analysis time: 30.9s
Engine: pi
Use with caution
Do not use this skill until the implementation is provided and verified. The missing index.js file means the skill cannot perform its documented function.

Attack chain: 3 steps

Privilege escalation: Skill published with SKILL.md claiming forex rate fetching capability
SKILL.md:1
Privilege escalation: No implementation code (index.js) delivered despite documented invocation
N/A
Privilege escalation: Cannot determine actual functionality—skill is incomplete or code was withheld
N/A

Security findings: 2

Severity | Finding | Location
High
Missing implementation file (Documentation deception)
SKILL.md declares the skill fetches Chinese bank forex rates and shows an invocation command 'node index.js --bank ...', but no index.js file exists in the repository. The only files present are SKILL.md and package.json.
node index.js --bank 中国银行 --currencies 美元,EUR
→ Request the full implementation code before using this skill. A published skill with no code is either incomplete or potentially a malicious placeholder.
SKILL.md:48
Medium
Repository claims executable code (Documentation deception)
package.json and SKILL.md reference Node.js execution (engines.node: '>=18.3' and 'node index.js' command) but no JavaScript source files are present. This creates uncertainty about what the skill actually does.
"engines": { "node": ">=18.3" }
→ Verify the repository contains all necessary source files. An npm package with no actual code is non-functional and suspicious.
package.json:9
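Resource type | Declared permission | Inferred permission | Status | Evidence
File system | NONE | NONE | | No code files present to analyze
Network access | NONE | NONE | | No code files present to analyze
Command execution | NONE | NONE | | No code files present to analyze
Environment variables | NONE | NONE | | No code files present to analyze
Skill invocation | NONE | NONE | | No code files present to analyze
Clipboard | NONE | NONE | | No code files present to analyze
Browser | NONE | NONE | | No code files present to analyze
Database | NONE | NONE | | No code files present to analyze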

Directory structure

2 files · 2.0 KB · 62 lines
Markdown 1f · 48L JSON 1f · 14L
├─ 📋 package.json JSON 14L · 423 B
└─ 📝 SKILL.md Markdown 48L · 1.5 KB

Security highlights

✓ No credential theft patterns observed (no code to analyze)
✓ No network exfiltration detected (no code to analyze)
✓ No obfuscation techniques found (no code to analyze)
✓ No sensitive file access attempted (no code to analyze)
✓ package.json has MIT license and links to a public GitHub repository
✓ No environment variable harvesting observed