Security Decision Report

chinese-bank-forex-rates

SKILL.md declares forex rate fetching with a `node index.js` invocation, but no implementation code (index.js) exists in the repository, creating a significant doc-to-code mismatch.

Install decision: priority · Source: manual upload · Scan time: 2026/4/4
Files: 2
IOCs: 0
Privilege violations: 0
Findings: 2
Most direct threat evidence
01 Skill published with SKILL.md claiming forex rate fetching capability · reconnaissance · SKILL.md
02 No implementation code (index.js) delivered despite documented invocation · delivery · N/A
03 Cannot determine actual functionality: skill is incomplete or code was withheld · uncertainty · N/A

Why this conclusion was reached

1 of 4 dimensions triggered
Pass
Declared vs. actual capabilities

Declared resources and inferred capabilities are broadly consistent.

Pass
Hidden execution and outbound connections

No obvious high-risk outbound connection or execution signals at present.

Block
Attack chain and high-risk findings

The report contains a 3-step attack chain and 1 additional high or critical finding.

Review
Dependencies and supply-chain hygiene

No complete dependency information is available; the supply-chain judgement should remain provisional.

Attack chain

01 Skill published with SKILL.md claiming forex rate fetching capability
reconnaissance · SKILL.md:1

02 No implementation code (index.js) delivered despite documented invocation
delivery · N/A

03 Cannot determine actual functionality: skill is incomplete or code was withheld
uncertainty · N/A

How the risk score was raised

Missing implementation +30

SKILL.md invokes 'node index.js' but no index.js file exists in the repository

Doc deception +20

Skill claims to fetch Chinese bank forex rates but provides no code to do so

Key evidence

High · Document deception

Missing implementation file

SKILL.md declares the skill fetches Chinese bank forex rates and shows an invocation command `node index.js --bank ...`, but no index.js file exists in the repository. The only files present are SKILL.md and package.json.

SKILL.md:48
Request the full implementation code before using this skill. A published skill with no code is either incomplete or a potentially malicious placeholder.
Medium · Document deception

Repository claims executable code

package.json and SKILL.md reference Node.js execution (`engines.node: '>=18.3'` and the `node index.js` command), but no JavaScript source files are present. This creates uncertainty about what the skill actually does.

package.json:9
Verify the repository contains all necessary source files. An npm package with no actual code is non-functional and suspicious.

Declared capabilities vs. actual capabilities

File system · Pass · Declared: NONE · Inferred: NONE · No code files present to analyze
Network access · Pass · Declared: NONE · Inferred: NONE · No code files present to analyze
Command execution · Pass · Declared: NONE · Inferred: NONE · No code files present to analyze
Environment variables · Pass · Declared: NONE · Inferred: NONE · No code files present to analyze
Skill invocation · Pass · Declared: NONE · Inferred: NONE · No code files present to analyze
Clipboard · Pass · Declared: NONE · Inferred: NONE · No code files present to analyze
Browser · Pass · Declared: NONE · Inferred: NONE · No code files present to analyze
Database · Pass · Declared: NONE · Inferred: NONE · No code files present to analyze

Suspicious artifacts and outbound connections

No obvious IOCs were extracted.

Dependencies and supply chain

No structured dependency alerts.

File composition

2 files · 62 lines
Markdown: 1 file · 48 lines
JSON: 1 file · 14 lines
Files needing attention · 2
SKILL.md · Markdown · 48 lines
Missing implementation file
package.json · JSON · 14 lines
Repository claims executable code

Security highlights

No credential theft patterns observed (no code to analyze)
No network exfiltration detected (no code to analyze)
No obfuscation techniques found (no code to analyze)
No sensitive file access attempted (no code to analyze)
package.json has MIT license and links to a public GitHub repository
No environment variable harvesting observed