Scan Report
8/100
multi_call
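Multi-path recall skill: after analyzing the intent recognition result, it recalls QA pairs from the vector knowledge base and recalls table DDL structures from the graph database.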
Legitimate multi-path recall skill for SQL generation. Uses Neo4j and Milvus for knowledge retrieval, with well-defined boundaries and documented external dependencies. No malicious behavior detected.
Safe to install
Approve for use. The skill only accesses declared workflow files and documented external services. No undeclared shell execution, credential harvesting, or data exfiltration.
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ | ✓ Consistent | multi_call.py:reads intent_output.json from .workflow/; index.js:reads .env |
| Filesystem | WRITE | WRITE | ✓ Consistent | multi_call.py:writes multicall_output.json to .workflow/ |
| Network access | READ | READ | ✓ Consistent | multi_call.py:459; _RealMilvusQAService._vectorize calls dashscope.aliyuncs.com … |
| Command execution | NONE | NONE | — | No shell commands; only child_process.spawn for Python interpreter bridging |
1 finding
Medium severity: External URL
https://dashscope.aliyuncs.com/compatible-mode/v1 multi_call.py:459
Directory structure
3 files · 35.5 KB · 878 lines
Python 1 file · 690 lines
JavaScript 1 file · 136 lines
Markdown 1 file · 52 lines
├─ index.js (JavaScript)
├─ multi_call.py (Python)
└─ SKILL.md (Markdown)
Dependency analysis: 4 items
| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| neo4j | * | pip | No | Version not pinned; used only for database schema retrieval |
| pymilvus | * | pip | No | Version not pinned; used for vector search |
| openai | * | pip | No | Version not pinned; used for embeddings API (DashScope-compatible) |
| python-dotenv | * | pip | No | Version not pinned; only reads local .env files |
Security highlights
✓ All file I/O scoped to documented .workflow/ directory (intent_output.json → multicall_output.json)
✓ External service access (Neo4j/Milvus/DashScope) explicitly declared in SKILL.md .env table
✓ Dependency injection pattern isolates real service implementations from core logic
✓ Graceful degradation: Neo4j failure → default DDL, Milvus failure → empty QA list
✓ No credential harvesting — .env values used only for connecting to declared services
✓ No subprocess, curl|bash, or remote script execution
✓ No obfuscation, base64 payloads, or eval() calls
✓ No sensitive path access (~/.ssh, ~/.aws, .env exfiltration)
✓ No persistence mechanisms (no cron, startup hooks, or backdoors)
✓ No prompt injection or LLM prompt manipulation