中文 EN

Scan Report

Scan New Files

Low Risk — Risk Score 25/100
Last scan:19 hr ago Rescan
25 /100
ebook-downloader
下载中文电子书到用户电脑。通过搜索读书派(dushupai.com)等资源站获取城通网盘下载链接,自动完成密码输入、API调用获取直链、curl下载、zip解压等全流程。
Skill downloads ebooks from third-party sources with browser automation and file extraction; functionality is documented but enables potential copyright infringement via Z-Library and paywall bypass.
Skill Nameebook-downloader
Duration39.0s
Enginepi
Safe to install
Remove Z-Library from sources as it is a known piracy platform. Add content-type and file-size validation before extraction to prevent malicious file handling.

Findings 3 items

Severity Finding Location
Medium
Download source includes known piracy platform Sensitive Access
Z-Library (zh.z-library.sk) is listed as a download source. Z-Library is widely recognized as a platform distributing pirated copyrighted material, which could expose users to legal liability.
Z-Library (zh.z-library.sk) — 需要登录,作为最后手段
→ Remove Z-Library from the list of acceptable download sources.
 SKILL.md:98
Low
No download integrity or safety verification Doc Mismatch
The skill downloads ZIP files from third-party sources and extracts them without validating the content type, file magic bytes, or scanning for potentially malicious payloads. A malicious ZIP could contain executables or scripts.
file_size 为文件大小(字节)
→ Add verification steps: check file magic bytes, validate expected extensions, and optionally scan extracted files before delivery.
 SKILL.md:87
Low
Browser automation bypasses normal download flow Doc Mismatch
The skill uses browser automation to fill passwords and extract internal API variables (userid, file_id, file_chk, etc.) to programmatically call ctfile.com's API. This circumvents the site's intended download UI and could violate their terms of service.
获取变量: JSON.stringify({ api_server: api_server, userid: userid, ... })
→ This behavior is documented but should be reviewed against the target site's ToS.
 SKILL.md:41
ResourceDeclaredInferredStatusEvidence
Network READ READ ✓ Aligned SKILL.md - web_search, web_fetch declared
Browser WRITE WRITE ✓ Aligned SKILL.md - browser_action for password fill, navigation, snapshot
Shell WRITE WRITE ✓ Aligned SKILL.md - curl downloads to ~/Desktop, file verification
Filesystem WRITE WRITE ✓ Aligned SKILL.md - writes zip files, creates directories, extracts ebooks
Environment NONE NONE No environment variable access detected
4 findings
🔗
Medium External URL 外部 URL
https://www.dushupai.com/book-content-
SKILL.md:23
🔗
Medium External URL 外部 URL
https://url89.ctfile.com/f/
SKILL.md:28
🔗
Medium External URL 外部 URL
https://webapi.ctfile.com
SKILL.md:49
🔗
Medium External URL 外部 URL
https://z701.com/
SKILL.md:84

File Tree

1 files · 5.2 KB · 148 lines
Markdown 1f · 148L
└─ 📝 SKILL.md Markdown 148L · 5.2 KB

Security Positives

✓ All declared capabilities match documented behavior - no hidden functionality detected
✓ No credential harvesting or environment variable inspection
✓ No obfuscated code, base64 execution, or anti-analysis techniques
✓ No remote code execution or C2 communication patterns
✓ Python extraction restricts to known ebook formats (.epub, .azw3, .mobi, .pdf, .txt)