Low risk: risk score 5/100
Last scan: 2 days ago
flyai-reverse-budget
Reverse budget-travel assistant: reverse travel planning by budget (input: budget, origin city, days → AI searches all possible destinations and generates 3-tier plans)
This is a pure-documentation skill (14 Markdown files, no executable code) that wraps a legitimate travel planning CLI. No scripts, no dependencies, no obfuscation, and no credential access observed.
Skill name: flyai-reverse-budget
Analysis time: 42.5s
Engine: pi
Verdict: safe to install
This skill is safe to use. The npm install -g command in workflow.md is a one-time CLI setup step, and NODE_TLS_REJECT_UNAUTHORIZED=0 is a common pattern for internal API tools. No action required beyond standard npm global install awareness.

Security findings: 1 item

Severity | Finding | Location
Low | NODE_TLS_REJECT_UNAUTHORIZED=0 disables SSL verification (category: documentation deception) | reference/workflow.md:86
workflow.md instructs users to prefix flyai commands with NODE_TLS_REJECT_UNAUTHORIZED=0, which disables TLS certificate verification for every HTTPS connection made by that Node process. This is a known workaround for internal/corporate proxies, but it weakens the security of HTTPS connections to the FlyAI API.
Evidence: NODE_TLS_REJECT_UNAUTHORIZED=0 flyai keyword-search --query ...
→ Use this workaround only if the FlyAI CLI does not support custom CA certificates. Check whether the FlyAI API supports proper TLS configuration instead.
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | READ | READ | ✓ Consistent | reference/user-profile-storage.md reads ~/.flyai/user-profile.md (documented)
Network access | READ | READ | ✓ Consistent | workflow.md invokes the flyai CLI, which makes HTTP calls to the FlyAI API (documented)
Command execution | WRITE | WRITE | ✓ Consistent | workflow.md declares npm install -g @fly-ai/flyai-cli (documented CLI setup)
Environment variables | NONE | NONE | | No environment variable access observed
Skill/tool invocation | READ | READ | ✓ Consistent | Uses ask_user_question, search_memory, update_memory tools (documented)
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | NONE | | No browser access
Database | NONE | NONE | | No database access
External URLs: 4 findings

Severity | Type | URL | Location
Medium | External URL | https://img.alicdn.com/... | reference/search-hotel.md:44
Medium | External URL | https://img.alicdn.com/tfscom/... | reference/search-poi.md:32
Medium | External URL | https://nodejs.org/ | reference/workflow.md:19
Medium | External URL | https://registry.npmmirror.com | reference/workflow.md:21

Directory structure

14 files · 31.7 KB · 1008 lines
Markdown: 14 files · 1008 lines
├─ 📁 reference
│ ├─ 📝 ai-search.md Markdown 26L · 659 B
│ ├─ 📝 examples.md Markdown 32L · 998 B
│ ├─ 📝 keyword-search.md Markdown 53L · 1.6 KB
│ ├─ 📝 search-flight.md Markdown 87L · 3.0 KB
│ ├─ 📝 search-hotel.md Markdown 57L · 1.8 KB
│ ├─ 📝 search-marriott-hotel.md Markdown 54L · 1.8 KB
│ ├─ 📝 search-marriott-package.md Markdown 40L · 995 B
│ ├─ 📝 search-poi.md Markdown 47L · 2.2 KB
│ ├─ 📝 search-train.md Markdown 77L · 2.6 KB
│ ├─ 📝 self-learning.md Markdown 19L · 450 B
│ ├─ 📝 tools.md Markdown 34L · 782 B
│ ├─ 📝 user-profile-storage.md Markdown 187L · 4.1 KB
│ └─ 📝 workflow.md Markdown 191L · 7.0 KB
└─ 📝 SKILL.md Markdown 104L · 3.9 KB

Security highlights

✓ Pure Markdown documentation skill — no executable code, scripts, or binaries present
✓ No credential harvesting, no API key theft, no environment variable enumeration
✓ No base64, obfuscation, or anti-analysis techniques
✓ All external tool usage (flyai CLI, npm install) is documented in SKILL.md and reference files
✓ User profile storage is opt-in and clearly documented with user consent
✓ No supply chain risk — no package.json, requirements.txt, or dependency files
✓ No sensitive path access (no ~/.ssh, ~/.aws, .env file access)
✓ No persistence mechanisms, no reverse shell, no C2 communication
✓ External URLs are Alibaba CDN image links (benign travel content) plus the Node.js download page and npmmirror registry referenced by the documented CLI setup in workflow.md