Low risk: risk score 25/100
Last scan: 20 hours ago
ebook-downloader
Downloads Chinese ebooks to the user's computer. It obtains ctfile.com (城通网盘) download links by searching resource sites such as Dushupai (dushupai.com), then automates the whole flow: entering the share password, calling the API to obtain a direct link, downloading with curl, and extracting the zip archive.
Skill downloads ebooks from third-party sources with browser automation and file extraction; functionality is documented but enables potential copyright infringement via Z-Library and paywall bypass.
Skill name: ebook-downloader
Analysis time: 39.0s
Engine: pi
Verdict: can be installed
Remove Z-Library from sources as it is a known piracy platform. Add content-type and file-size validation before extraction to prevent malicious file handling.

Security findings (3)

Severity: Medium
Finding: Download source includes known piracy platform (category: sensitive access)
Z-Library (zh.z-library.sk) is listed as a download source. Z-Library is widely recognized as a platform distributing pirated copyrighted material, which could expose users to legal liability.
Evidence: "Z-Library (zh.z-library.sk) — requires login, use as a last resort"
Recommendation: Remove Z-Library from the list of acceptable download sources.
Location: SKILL.md:98

Severity: Low
Finding: No download integrity or safety verification (category: documentation deception)
The skill downloads ZIP files from third-party sources and extracts them without validating the content type or file magic bytes, and without scanning for potentially malicious payloads. A malicious ZIP could contain executables or scripts.
Evidence: "file_size is the file size (in bytes)"
Recommendation: Add verification steps: check file magic bytes, validate expected extensions, and optionally scan extracted files before delivery.
Location: SKILL.md:87

Severity: Low
Finding: Browser automation bypasses normal download flow (category: documentation deception)
The skill uses browser automation to fill in passwords and extract internal API variables (userid, file_id, file_chk, etc.) in order to call ctfile.com's API programmatically. This circumvents the site's intended download UI and could violate its terms of service.
Evidence: Get variables: JSON.stringify({ api_server: api_server, userid: userid, ... })
Recommendation: This behavior is documented but should be reviewed against the target site's ToS.
Location: SKILL.md:41
Permissions

Resource type      | Declared | Inferred | Status       | Evidence
Network access     | READ     | READ     | ✓ Consistent | SKILL.md - web_search, web_fetch declared
Browser            | WRITE    | WRITE    | ✓ Consistent | SKILL.md - browser_action for password fill, navigation, snapshot
Command execution  | WRITE    | WRITE    | ✓ Consistent | SKILL.md - curl downloads to ~/Desktop, file verification
File system        | WRITE    | WRITE    | ✓ Consistent | SKILL.md - writes zip files, creates directories, extracts ebooks
Environment vars   | NONE     | NONE     |              | No environment variable access detected
External URLs (4 findings)

Medium | External URL | https://www.dushupai.com/book-content- | SKILL.md:23
Medium | External URL | https://url89.ctfile.com/f/ | SKILL.md:28
Medium | External URL | https://webapi.ctfile.com | SKILL.md:49
Medium | External URL | https://z701.com/ | SKILL.md:84

Directory structure

1 file · 5.2 KB · 148 lines
Markdown 1f · 148L
└─ SKILL.md Markdown 148L · 5.2 KB

Security highlights

✓ All declared capabilities match documented behavior - no hidden functionality detected
✓ No credential harvesting or environment variable inspection
✓ No obfuscated code, base64 execution, or anti-analysis techniques
✓ No remote code execution or C2 communication patterns
✓ Python extraction restricts to known ebook formats (.epub, .azw3, .mobi, .pdf, .txt)