Scan Report
8 /100
multi_call
多路召回skill,用于将意图识别结果分析后,通过向量知识库召回QA问答对,通过图数据库召回表的DDL结构
Legitimate multi-path recall skill for SQL generation. Uses Neo4j and Milvus for knowledge retrieval, with well-defined boundaries and documented external dependencies. No malicious behavior detected.
Safe to install
Approve for use. The skill only accesses declared workflow files and documented external services. No undeclared shell execution, credential harvesting, or data exfiltration.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ | ✓ Aligned | multi_call.py:reads intent_output.json from .workflow/; index.js:reads .env |
| Filesystem | WRITE | WRITE | ✓ Aligned | multi_call.py:writes multicall_output.json to .workflow/ |
| Network | READ | READ | ✓ Aligned | multi_call.py:459; _RealMilvusQAService._vectorize calls dashscope.aliyuncs.com … |
| Shell | NONE | NONE | — | No shell commands; only child_process.spawn for Python interpreter bridging |
1 findings
Medium External URL 外部 URL
https://dashscope.aliyuncs.com/compatible-mode/v1 multi_call.py:459 File Tree
3 files · 35.5 KB · 878 lines Python 1f · 690L
JavaScript 1f · 136L
Markdown 1f · 52L
├─
index.js
JavaScript
├─
multi_call.py
Python
└─
SKILL.md
Markdown
Dependencies 4 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
neo4j | * | pip | No | Version not pinned; used only for database schema retrieval |
pymilvus | * | pip | No | Version not pinned; used for vector search |
openai | * | pip | No | Version not pinned; used for embeddings API (DashScope-compatible) |
python-dotenv | * | pip | No | Version not pinned; only reads local .env files |
Security Positives
✓ All file I/O scoped to documented .workflow/ directory (intent_output.json → multicall_output.json)
✓ External service access (Neo4j/Milvus/DashScope) explicitly declared in SKILL.md .env table
✓ Dependency injection pattern isolates real service implementations from core logic
✓ Graceful degradation: Neo4j failure → default DDL, Milvus failure → empty QA list
✓ No credential harvesting — .env values used only for connecting to declared services
✓ No subprocess, curl|bash, or remote script execution
✓ No obfuscation, base64 payloads, or eval() calls
✓ No sensitive path access (~/.ssh, ~/.aws, .env exfiltration)
✓ No persistence mechanisms (no cron, startup hooks, or backdoors)
✓ No prompt injection or LLM prompt manipulation