扫描报告
5 /100
Almanac / Huangli Inquiry - 黄历查询
按公历日期查询农历、宜忌、吉神凶煞等黄历信息
Legitimate almanac inquiry skill with fully declared network and environment access; no malicious behavior or hidden functionality detected.
可以安装
This skill is safe to use. The API key placeholder in documentation is a standard example and poses no risk.
安全发现 1 项
| 严重性 | 安全发现 | 位置 |
|---|---|---|
| 低危 | Documentation contains example API key placeholder | SKILL.md:23 |
| 资源类型 | 声明权限 | 推断权限 | 状态 | 证据 |
|---|---|---|---|---|
| 网络访问 | READ | READ | ✓ 一致 | huangli.py:14 - requests.get to api.jisuapi.com |
| 环境变量 | READ | READ | ✓ 一致 | huangli.py:62 - os.getenv('JISU_API_KEY') |
| 文件系统 | NONE | NONE | — | No file operations in huangli.py |
| 命令执行 | NONE | NONE | — | No subprocess or shell execution in huangli.py |
1 高危 4 项发现
高危 API 密钥 疑似硬编码凭证
API_KEY="your_appkey_here" SKILL.md:23 中危 外部 URL 外部 URL
https://www.jisuapi.com/ SKILL.md:9 中危 外部 URL 外部 URL
https://www.jisuapi.com/api/huangli SKILL.md:17 中危 外部 URL 外部 URL
https://api.jisuapi.com/huangli/date huangli.py:14 目录结构
2 文件 · 8.5 KB · 264 行 Markdown 1f · 158L
Python 1f · 106L
├─
huangli.py
Python
└─
SKILL.md
Markdown
依赖分析 1 项
| 包名 | 版本 | 来源 | 已知漏洞 | 备注 |
|---|---|---|---|---|
requests | * | pip | 否 | Version not pinned but requests is widely-used and maintained |
安全亮点
✓ No shell execution or subprocess calls
✓ No sensitive path access (~/.ssh, ~/.aws, .env files)
✓ No credential exfiltration or data theft
✓ No base64 encoded payloads or obfuscated code
✓ No hidden instructions in HTML comments
✓ No remote script execution (curl|bash, wget|sh)
✓ All capabilities declared and aligned with implementation
✓ Uses standard requests library for API calls
✓ Proper error handling with try/except blocks
✓ API key read from environment, not hardcoded