Scan report
0/100
TimeFriend 时迹
Use natural language to log time, write review diary entries, create to-dos, and query today's statistics in TimeFriend
This is a pure Markdown documentation skill describing how to interact with the TimeFriend API. It contains no executable code, scripts, or dependencies, and all described capabilities are declared and benign.
Safe to install
No action needed. This skill is safe to use — it is a documentation-only skill that provides natural-language-to-API instruction mapping for time tracking.
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | NONE | NONE | — | N/A — no file operations in SKILL.md |
| Network access | READ | READ | ✓ Consistent | SKILL.md describes only outbound HTTPS API calls to timefriend.xin |
| Command execution | NONE | NONE | — | N/A — no shell execution described |
| Environment variables | NONE | READ | ✓ Consistent | SKILL.md line 7: reads TIMEFRIEND_TOKEN from env vars; this is declared and scop… |
| Skill invocation | NONE | NONE | — | N/A |
| Clipboard | NONE | NONE | — | N/A |
| Browser | NONE | NONE | — | N/A |
| Database | NONE | NONE | — | N/A |
7 findings
| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://timefriend.xin/api/records | SKILL.md:21 |
| Medium | External URL | https://timefriend.xin/api/daily-reviews/ | SKILL.md:49 |
| Medium | External URL | https://timefriend.xin/api/todos | SKILL.md:81 |
| Medium | External URL | https://timefriend.xin/api/inbox-categories | SKILL.md:103 |
| Medium | External URL | https://timefriend.xin/api/todos?taskDate=今天日期(YYYY-MM-DD | SKILL.md:145 |
| Medium | External URL | https://timefriend.xin/api/todos?taskDate=null | SKILL.md:170 |
| Medium | External URL | https://timefriend.xin/api/records?date=今天日期(YYYY-MM-DD | SKILL.md:200 |
Directory structure
1 file · 7.5 KB · 230 lines (Markdown: 1 file · 230 lines)
└─ SKILL.md (Markdown)
Security highlights
✓ No executable code — skill is pure Markdown documentation
✓ All 6 API operations (records, diary, todos, inbox, queries) are explicitly declared in SKILL.md
✓ No shell execution, subprocess, or file writes described
✓ No credential harvesting beyond the scoped TIMEFRIEND_TOKEN for a single declared service
✓ No obfuscation, base64 payloads, or hidden instructions
✓ Network access is limited to a single known HTTPS endpoint (timefriend.xin)
✓ No sensitive paths (~/.ssh, ~/.aws, .env) are accessed
✓ No dependencies or package files present — no supply chain risk