Trusted: risk score 5/100
Last scan: 22 hours ago
seo-agi
Generative Engine Optimization skill that writes SEO pages using DataForSEO and GSC data
Legitimate SEO content generation skill with proper credential handling, documented network access to SEO APIs, and no malicious behavior detected.
Skill name: seo-agi
Analysis time: 49.0s
Engine: pi
Verdict: OK to install
No action required. The skill performs standard SEO research operations. Consider documenting pip install behavior in SKILL.md for transparency.

Security findings: 2

Severity: Low
Finding: Unpinned pip dependency in setup script
Category: Supply chain
Location: scripts/setup.py:48
Description: setup.py installs 'requests' via subprocess without strict version pinning. The requirements.txt does specify requests>=2.28.0, but setup.py does not use requirements.txt directly.
Evidence: subprocess.check_call([sys.executable, '-m', 'pip', 'install', '--quiet'] + deps)
→ Recommendation: Consider using pip install from requirements.txt or pinning versions: pip install requests==2.31.0

Severity: Info
Finding: SKILL.md capability mapping is informal
Category: Documentation deception
Location: SKILL.md:1
Description: SKILL.md does not include a formal 'allowed_tools' or capability declaration section. Tool usage is inferred from the documented execution protocol.
Evidence: SKILL.md uses documentation instead of formal metadata for tool declarations
→ Recommendation: Add a formal capability declaration section to SKILL.md for transparency
Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | WRITE | WRITE | ✓ Consistent | SKILL.md declares config writes to ~/.config/seo-agi/ and output writes to ~/Doc…
Network access | READ | READ | ✓ Consistent | SKILL.md declares DataForSEO and GSC API calls for research data
Command execution | NONE | WRITE | ✓ Consistent | setup.py:48 uses subprocess for pip install, documented as setup step
Environment variables | READ | READ | ✓ Consistent | env.py:53-60 reads specific API key env vars (DATAFORSEO_*, GSC_*, AHREFS_*, SEM…
Database | NONE | NONE | | No database access observed
Findings: 10

Severity | Type | Value | Location
Medium | External URL | https://dataforseo.com | README.md:241
Medium | External URL | https://x.com/hreg15 | README.md:361
Medium | External URL | https://competitor1.com/jfk-parking | fixtures/serp_sample.json:25
Medium | External URL | https://competitor2.com/airports/jfk/parking | fixtures/serp_sample.json:44
Medium | External URL | https://schema.org | references/schema-patterns.md:10
Medium | External URL | https://search.google.com/test/rich-results | references/schema-patterns.md:140
Medium | External URL | https://validator.schema.org/ | references/schema-patterns.md:141
Medium | External URL | https://app.dataforseo.com/api-dashboard | scripts/setup.py:66
Medium | External URL | https://other.com/page | tests/test_dataforseo.py:38
Info | Email address | [email protected] | tests/test_dataforseo.py:137

Directory structure

20 files · 111.5 KB · 3123 lines
Python 10 files · 1526 lines | Markdown 7 files · 1507 lines | JSON 2 files · 85 lines | Text 1 file · 5 lines
├─ 📁 fixtures
│ ├─ 📋 keywords_sample.json JSON 12L · 1.1 KB
│ └─ 📋 serp_sample.json JSON 73L · 2.5 KB
├─ 📁 references
│ ├─ 📝 page-templates.md Markdown 138L · 4.0 KB
│ ├─ 📝 quality-checklist.md Markdown 83L · 3.0 KB
│ └─ 📝 schema-patterns.md Markdown 141L · 2.8 KB
├─ 📁 scripts
│ ├─ 📁 lib
│ │ ├─ 🐍 __init__.py Python 1L · 26 B
│ │ ├─ 🐍 env.py Python 147L · 4.5 KB
│ │ ├─ 🐍 gsc_client.py Python 179L · 5.4 KB
│ │ └─ 🐍 serp_analyze.py Python 261L · 6.9 KB
│ ├─ 🐍 gsc_pull.py Python 96L · 3.3 KB
│ ├─ 🐍 research.py Python 358L · 11.0 KB
│ └─ 🐍 setup.py Python 160L · 5.3 KB
├─ 📁 tests
│ ├─ 🐍 test_dataforseo.py Python 149L · 4.6 KB
│ ├─ 🐍 test_env.py Python 50L · 1.4 KB
│ └─ 🐍 test_serp_analyze.py Python 125L · 4.0 KB
├─ 📝 CLAUDE.md Markdown 59L · 2.2 KB
├─ 📝 README.md Markdown 365L · 17.9 KB
├─ 📄 requirements.txt Text 5L · 115 B
├─ 📝 SKILL.md Markdown 522L · 25.2 KB
└─ 📝 SPEC.md Markdown 199L · 6.3 KB

Dependency analysis: 3

Package | Version | Source | Known vulnerabilities | Notes
requests | >=2.28.0 | pip | | Minimum version specified in requirements.txt
google-auth | * | pip (optional) | | Optional dependency for GSC support, not installed by default
google-api-python-client | * | pip (optional) | | Optional dependency for GSC support, not installed by default

Security highlights

✓ No credential exfiltration detected - API keys stored locally in ~/.config/seo-agi/.env only
✓ No obfuscation techniques - no base64, eval(), or dynamic code execution
✓ No sensitive path access - does not read ~/.ssh, ~/.aws, or similar credential directories
✓ No hidden functionality - all operations match documented behavior
✓ No reverse shell, C2 communication, or data theft patterns
✓ Environment variable access is targeted (specific API keys only), not enumerating all env vars
✓ Proper error handling with graceful fallbacks (mock mode when no API keys)
✓ Test suite includes unit tests for all core modules