Scan Report
5/100
tencent-ads-assistant
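Official Tencent Ads 「妙问」 AI marketing assistant: advertising and marketing knowledge-base Q&A, data queries, account analysis, ad diagnostics, creative inspiration, and creative asset review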
Legitimate Tencent Ads marketing assistant skill (腾讯广告「妙问」AI 营销助手) with well-documented functionality, proper file permissions (0600), and exclusively legitimate API interactions with Tencent's official endpoints.
Safe to install
This skill is safe to use. No malicious indicators found. The setup_token.js flagged as sensitive is standard credential storage functionality, not credential theft.
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | READ+WRITE | ✓ Consistent | SKILL.md lines 51-60 describe setup_token.js token saving; chat.js/upload.js rea… |
| Network access | READ | READ | ✓ Consistent | SKILL.md line 11: API URL https://miaowen.qq.com/; all 4 scripts make POST reque… |
| Command execution | NONE | WRITE | ✓ Consistent | SKILL.md lines 60,70,93,109: 'node scripts/*.js' commands executed via Bash |
| Environment variables | NONE | NONE | — | No os.environ iteration found in any script |
| Skill invocation | NONE | NONE | — | No cross-skill invocation observed |
| Clipboard | NONE | NONE | — | No clipboard access in any script |
| Browser | NONE | NONE | — | No browser automation found |
| Database | NONE | NONE | — | No database access in any script |
5 findings
| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://miaowen.qq.com/)提供 | SKILL.md:11 |
| Medium | External URL | https://miaowen.qq.com/ | SKILL.md:45 |
| Medium | External URL | https://ad.qq.com/ai/gw/ai_customer_service/v1/open_api/chat | references/miaowen_openapi_spec.md:16 |
| Medium | External URL | https://ad.qq.com/ai/gw/ai_customer_service/v1/skill_update/chat | scripts/check_update.js:24 |
| Medium | External URL | https://ad.qq.com/ai/gw/ai_customer_service/v1/file_tool/upload | scripts/upload.js:36 |
Directory structure
6 files · 31.9 KB · 898 lines (JavaScript: 4 files, 539 lines; Markdown: 2 files, 359 lines)
├─ references
│  └─ miaowen_openapi_spec.md (Markdown)
├─ scripts
│  ├─ chat.js (JavaScript)
│  ├─ check_update.js (JavaScript)
│  ├─ setup_token.js ⚠ (JavaScript)
│  └─ upload.js (JavaScript)
└─ SKILL.md (Markdown)
Dependency analysis: 1 item
| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| Node.js >= 18 | 18+ | runtime | No | No npm packages used — only built-in Node.js modules (fs, path, os, fetch, FormData, Blob) |
Security highlights
✓ Token stored in ~/.MIAOWEN_ACCESS_TOKEN with mode 0o600 (user-only read/write) — proper permission handling
✓ All network requests go exclusively to official Tencent Ads API endpoints (ad.qq.com, miaowen.qq.com)
✓ No credential exfiltration: token is stored locally, not sent anywhere unexpected
✓ No base64-encoded payloads, no eval(), no obfuscation
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, etc.)
✓ No curl|bash or wget|sh remote script execution
✓ No hidden functionality: all scripts' behavior matches their filenames and SKILL.md descriptions
✓ No environment variable enumeration for sensitive keys
✓ upload.js reads only user-specified file paths, not directory enumeration
✓ check_update.js sends only version/client/os metadata, no user data or credentials
✓ Clean dependency footprint: uses only Node.js 18+ built-in APIs (fs, path, os, fetch, FormData, Blob) — no external npm packages