中文 EN

扫描报告

扫描新文件

低风险 — 风险评分 10/100
上次扫描:1 天前 重新扫描
10 /100
dual-brain-memory-guardian
Dual-brain memory skill for correction handling, rewrite quality, post-task reflection, and semantic recall of historical pitfalls using Markdown rules and Pinecone vector storage.
A legitimate dual-brain memory management skill with strong security practices including credential redaction, input sanitization, and a clear documentation structure.
技能名称dual-brain-memory-guardian
分析耗时48.2s
引擎pi
可以安装
The skill is safe to use. Consider pinning dependency versions to specific minor versions for enhanced supply chain security.

安全发现 1 项

严重性 安全发现 位置
低危
Incomplete environment variable documentation 文档欺骗
SKILL.md declares only PINECONE_API_KEY in requirements, but the implementation uses 7 additional optional environment variables: PINECONE_INDEX_NAME, PINECONE_CLOUD, PINECONE_REGION, PINECONE_MODEL, PINECONE_FIELD_MAP_TEXT, PINECONE_NAMESPACE_PREFIX, and MEMORY_TENANT.
apiKey: required(overrides.apiKey ?? env.PINECONE_API_KEY, ...), indexName: String(overrides.indexName ?? env.PINECONE_INDEX_NAME ?? DEFAULTS.indexName)
→ Document all supported environment variables in SKILL.md Requirements section, including optional ones.
 src/pinecone/config.js:22
资源类型声明权限推断权限状态证据
文件系统 WRITE WRITE ✓ 一致 SKILL.md: 'Local markdown brain: Root path defaults to ~/dual-brain-memory-guard…
网络访问 READ READ_WRITE ✓ 一致 SKILL.md: '@pinecone-database/pinecone', 'PINECONE_API_KEY'
命令执行 NONE NONE No shell execution found in codebase
环境变量 READ READ ✓ 一致 Only PINECONE_API_KEY declared; 7 additional PINECONE_* vars used (config.js:22-…
技能调用 READ READ ✓ 一致 SKILL.md: 'user-invocable: true', npm scripts defined in package.json
1 项发现
🔗
中危 外部 URL 外部 URL
https://dotenvx.com
package-lock.json:36

目录结构

22 文件 · 110.2 KB · 3758 行
JavaScript 6f · 2637L Markdown 13f · 1030L JSON 2f · 73L Ignore 1f · 18L
├─ 📁 scripts
│ ├─ 📜 memory-cli.js JavaScript 1466L · 42.5 KB
│ └─ 📜 verify.js JavaScript 388L · 10.1 KB
├─ 📁 src
│ └─ 📁 pinecone
│ ├─ 📜 client.js JavaScript 50L · 1.4 KB
│ ├─ 📜 config.js JavaScript 55L · 2.0 KB
│ ├─ 📜 gatekeeper.js JavaScript 161L · 4.0 KB
│ └─ 📜 memory-store.js JavaScript 517L · 13.5 KB
├─ 📄 .gitignore Ignore 18L · 243 B
├─ 📝 boundaries.md Markdown 78L · 3.1 KB
├─ 📝 corrections.md Markdown 39L · 1.0 KB
├─ 📝 heartbeat-rules.md Markdown 64L · 2.5 KB
├─ 📝 heartbeat-state.md Markdown 17L · 523 B
├─ 📝 HEARTBEAT.md Markdown 5L · 238 B
├─ 📝 learning.md Markdown 105L · 3.2 KB
├─ 📝 memory-template.md Markdown 102L · 2.2 KB
├─ 📝 memory.md Markdown 41L · 1.1 KB
├─ 📝 operations.md Markdown 179L · 8.0 KB
├─ 📋 package-lock.json JSON 40L · 1.2 KB
├─ 📋 package.json JSON 33L · 1.5 KB
├─ 📝 reflections.md Markdown 35L · 877 B
├─ 📝 scaling.md Markdown 78L · 2.5 KB
├─ 📝 setup.md Markdown 160L · 4.4 KB
└─ 📝 SKILL.md Markdown 127L · 4.2 KB

依赖分析 2 项

包名版本来源已知漏洞备注
@pinecone-database/pinecone ^7.1.0 npm Version range pinned (caret)
dotenv ^16.4.7 npm Version range pinned (caret)

安全亮点

✓ Comprehensive credential redaction in gatekeeper.js - blocks private keys, API tokens, JWTs, AWS keys, and IPs before vector storage
✓ Input sanitization with sanitizeForVectorStorage() applied to all user inputs (content, metadata, tags)
✓ AssertVectorPayloadSafe() throws errors on attempts to store blocked secrets
✓ No obfuscation techniques detected - clean JavaScript codebase
✓ No shell execution (child_process/spawn) found in any script
✓ No base64-encoded execution or eval() usage
✓ No curl|bash or wget|sh remote script execution
✓ No attempts to access ~/.ssh, ~/.aws, or other sensitive credential paths
✓ Dependency versions partially pinned: @pinecone-database/pinecone@^7.1.0, dotenv@^16.4.7
✓ Explicit security boundaries declared: 'This skill NEVER stores sensitive raw secrets in vector memory'
✓ All network traffic goes to managed Pinecone API (api.pinecone.io), not arbitrary IPs
✓ Destructive operations (forget-all) require explicit --yes confirmation flag