Low risk: risk score 20/100
Last scan: 1 day ago
GitHub Manager Skill
A comprehensive GitHub repository management tool with code review, auto-deployment, changelog generation, CI/CD configuration, bug tracking, and project management automation
A legitimate GitHub management CLI with minor documentation gaps around undeclared shell execution for git operations, but no malicious behavior detected.
Skill name: GitHub Manager Skill
Analysis time: 47.6s
Engine: pi
Verdict: can be installed
Recommendation: Document the use of git CLI commands in the changelog feature and add explicit declarations about filesystem writes for CI/CD setup. Consider pinning the chalk dependency to a safe version.

Security findings (3)

Severity | Finding | Location
--- | --- | ---

1. Low: Undeclared git CLI execution (category: documentation deception)
   Location: scripts/generate-changelog.js:47
   The changelog generation feature uses execSync to run git log and git describe locally, but SKILL.md only states "基于commit消息自动生成changelog" ("automatically generate a changelog from commit messages") without explaining that it invokes the local git CLI.
   Evidence: const output = execSync(command, { encoding: 'utf8' });
   → Document that the changelog feature requires a local git installation and runs git commands.

2. Low: Undeclared filesystem write for CI/CD (category: documentation deception)
   Location: github-cli.js:262
   The setupCICD function writes workflow YAML files to the .github/workflows/ directory, but SKILL.md describes CI/CD configuration without explicitly stating that local file writes occur.
   Evidence: fs.writeFileSync(filepath, content);
   → Add explicit documentation that CI/CD setup creates local workflow files.

3. Low: Unpinned dependency with known vulnerabilities (category: supply chain)
   Location: package.json:13
   chalk ^4.1.2 has known low-severity vulnerabilities (CVE-2023-26141). While not critical, version pinning would improve the security posture.
   Evidence: "chalk": "^4.1.2"
   → Pin chalk to ^5.0.0 or later, which has addressed the vulnerability, or pin to a specific safe version.
Resource type | Declared permission | Inferred permission | Status | Evidence
--- | --- | --- | --- | ---
Filesystem | READ | WRITE | ✓ Consistent | github-cli.js:6 imports fs; github-cli.js:247-270 writes workflow files to .gith…
Network access | READ | READ | ✓ Consistent | Uses Octokit for GitHub API calls only; no external IPs or C2
Command execution | NONE | READ | ✓ Consistent | scripts/generate-changelog.js:47 uses execSync('git log...'); scripts/generate-c…
Environment variables | NONE | NONE | | No iteration through os.environ; token loaded from config file only
External URLs (3 findings)

Severity | Type | URL | Location
--- | --- | --- | ---
Medium | External URL | https://your-webhook-url.com | SKILL.md:191
Medium | External URL | https://your-webhook-url.com/webhook | config-template.json:6
Medium | External URL | https://staging.example.com/health | templates/github-actions/deploy-workflow.yml:141

Directory structure

13 files · 89.9 KB · 3308 lines
JavaScript: 4 files · 1898 lines; Markdown: 3 files · 659 lines; YAML: 4 files · 597 lines; JSON: 2 files · 154 lines
├─ .github/
│  └─ workflows/
│     ├─ ci.yml                YAML        58L · 1.1 KB
│     └─ deploy.yml            YAML        30L · 567 B
├─ scripts/
│  ├─ code-review.js           JavaScript  459L · 12.9 KB
│  ├─ generate-changelog.js    JavaScript  338L · 9.2 KB
│  └─ project-manager.js       JavaScript  536L · 17.3 KB
├─ templates/
│  └─ github-actions/
│     ├─ ci-workflow.yml       YAML        212L · 5.4 KB
│     └─ deploy-workflow.yml   YAML        297L · 8.9 KB
├─ config-template.json        JSON        103L · 2.6 KB
├─ github-cli.js               JavaScript  565L · 16.2 KB
├─ package.json                JSON        51L · 1.3 KB
├─ README.md                   Markdown    161L · 5.3 KB
├─ SKILL_CN.md                 Markdown    249L · 4.7 KB
└─ SKILL.md                    Markdown    249L · 4.7 KB

Dependency analysis (4)

Package | Version | Source | Known vulnerabilities | Notes
--- | --- | --- | --- | ---
@octokit/rest | ^20.0.2 | npm | | Official GitHub API client, legitimate
chalk | ^4.1.2 | npm | CVE-2023-26141 (low severity) | Recommend upgrading to ^5.0.0
commander | ^11.0.0 | npm | | Standard CLI argument parsing
inquirer | ^8.2.6 | npm | | Interactive CLI prompts

Security highlights

✓ No credential exfiltration - GitHub token is stored locally in .github-manager.json and used only with official GitHub API
✓ No obfuscation detected - no base64-encoded strings, eval() usage, or anti-analysis techniques
✓ No remote code execution - execSync only runs documented git commands locally
✓ No C2 communication or data exfiltration - all network traffic goes to official GitHub API endpoints
✓ No sensitive file access - does not read ~/.ssh, ~/.aws, or .env files
✓ No persistence mechanisms - no cron jobs, startup hooks, or backdoor installations
✓ No supply chain compromise detected - all dependencies are from npm registry with known maintainers
✓ Uses official @octokit/rest library for GitHub API interactions
✓ No hidden functionality beyond documented features