Scan Report
0 /100
TimeFriend 时迹
Use natural language to log time in TimeFriend, write review journal entries, create to-dos, and query today's statistics
This is a pure Markdown documentation skill describing how to interact with the TimeFriend API. It contains no executable code, scripts, or dependencies, and all described capabilities are declared and benign.
Safe to install
No action needed. This skill is safe to use — it is a documentation-only skill that provides natural-language-to-API instruction mapping for time tracking.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | — | N/A — no file operations in SKILL.md |
| Network | READ | READ | ✓ Aligned | SKILL.md describes only outbound HTTPS API calls to timefriend.xin |
| Shell | NONE | NONE | — | N/A — no shell execution described |
| Environment | NONE | READ | ✓ Aligned | SKILL.md line 7: reads TIMEFRIEND_TOKEN from env vars; this is declared and scop… |
| Skill Invoke | NONE | NONE | — | N/A |
| Clipboard | NONE | NONE | — | N/A |
| Browser | NONE | NONE | — | N/A |
| Database | NONE | NONE | — | N/A |
7 findings
| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://timefriend.xin/api/records | SKILL.md:21 |
| Medium | External URL | https://timefriend.xin/api/daily-reviews/ | SKILL.md:49 |
| Medium | External URL | https://timefriend.xin/api/todos | SKILL.md:81 |
| Medium | External URL | https://timefriend.xin/api/inbox-categories | SKILL.md:103 |
| Medium | External URL | https://timefriend.xin/api/todos?taskDate=今天日期(YYYY-MM-DD | SKILL.md:145 |
| Medium | External URL | https://timefriend.xin/api/todos?taskDate=null | SKILL.md:170 |
| Medium | External URL | https://timefriend.xin/api/records?date=今天日期(YYYY-MM-DD | SKILL.md:200 |
File Tree
1 file · 7.5 KB · 230 lines
Markdown 1f · 230L
└─ SKILL.md (Markdown)
Security Positives
✓ No executable code — skill is pure Markdown documentation
✓ All 6 API operations (records, diary, todos, inbox, queries) are explicitly declared in SKILL.md
✓ No shell execution, subprocess, or file writes described
✓ No credential harvesting beyond the scoped TIMEFRIEND_TOKEN for a single declared service
✓ No obfuscation, base64 payloads, or hidden instructions
✓ Network access is limited to a single known HTTPS endpoint (timefriend.xin)
✓ No sensitive paths (~/.ssh, ~/.aws, .env) are accessed
✓ No dependencies or package files present — no supply chain risk