Scan Report
5/100
tencent-ads-assistant
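Official Tencent Ads "Miaowen" (妙问) AI marketing assistant: advertising and marketing knowledge-base Q&A, data queries, account analysis, ad diagnostics, creative inspiration, creative asset review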
Legitimate Tencent Ads marketing assistant skill (腾讯广告「妙问」AI 营销助手) with well-documented functionality, proper file permissions (0600), and exclusively legitimate API interactions with Tencent's official endpoints.
Safe to install
This skill is safe to use. No malicious indicators found. The setup_token.js file, flagged as sensitive, implements standard credential storage, not credential theft.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | READ+WRITE | ✓ Aligned | SKILL.md lines 51-60 describe setup_token.js token saving; chat.js/upload.js rea… |
| Network | READ | READ | ✓ Aligned | SKILL.md line 11: API URL https://miaowen.qq.com/; all 4 scripts make POST reque… |
| Shell | NONE | WRITE | ✓ Aligned | SKILL.md lines 60,70,93,109: 'node scripts/*.js' commands executed via Bash |
| Environment | NONE | NONE | — | No os.environ iteration found in any script |
| Skill Invoke | NONE | NONE | — | No cross-skill invocation observed |
| Clipboard | NONE | NONE | — | No clipboard access in any script |
| Browser | NONE | NONE | — | No browser automation found |
| Database | NONE | NONE | — | No database access in any script |
5 findings
| Severity | Category | Match | Location |
|---|---|---|---|
| Medium | External URL | https://miaowen.qq.com/)提供 | SKILL.md:11 |
| Medium | External URL | https://miaowen.qq.com/ | SKILL.md:45 |
| Medium | External URL | https://ad.qq.com/ai/gw/ai_customer_service/v1/open_api/chat | references/miaowen_openapi_spec.md:16 |
| Medium | External URL | https://ad.qq.com/ai/gw/ai_customer_service/v1/skill_update/chat | scripts/check_update.js:24 |
| Medium | External URL | https://ad.qq.com/ai/gw/ai_customer_service/v1/file_tool/upload | scripts/upload.js:36 |
File Tree
6 files · 31.9 KB · 898 lines
JavaScript 4f · 539L
Markdown 2f · 359L
├─ references
│  └─ miaowen_openapi_spec.md (Markdown)
├─ scripts
│  ├─ chat.js (JavaScript)
│  ├─ check_update.js (JavaScript)
│  ├─ setup_token.js ⚠ (JavaScript)
│  └─ upload.js (JavaScript)
└─ SKILL.md (Markdown)
Dependencies: 1 item
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| Node.js >= 18 | 18+ | runtime | No | No npm packages used — only built-in Node.js modules (fs, path, os, fetch, FormData, Blob) |
Security Positives
✓ Token stored in ~/.MIAOWEN_ACCESS_TOKEN with mode 0o600 (user-only read/write) — proper permission handling
✓ All network requests go exclusively to official Tencent Ads API endpoints (ad.qq.com, miaowen.qq.com)
✓ No credential exfiltration: token is stored locally, not sent anywhere unexpected
✓ No base64-encoded payloads, no eval(), no obfuscation
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, etc.)
✓ No curl|bash or wget|sh remote script execution
✓ No hidden functionality: all scripts' behavior matches their filenames and SKILL.md descriptions
✓ No environment variable enumeration for sensitive keys
✓ upload.js reads only user-specified file paths, not directory enumeration
✓ check_update.js sends only version/client/os metadata, no user data or credentials
✓ Clean dependency footprint: uses only Node.js 18+ built-in APIs (fs, path, os, fetch, FormData, Blob) — no external npm packages