High risk (risk score 70/100)
Last scanned: 1 day ago
product-demo-video
Create product demo videos with voiceover, text overlays, and real browser interactions using Puppeteer, edge-tts, PIL, and FFmpeg
Skill contains a catastrophic `rm -rf /` command in install-deps.sh:23 with no declared shell permissions, plus undeclared shell execution and dynamically generated Python code in record-demo.mjs.
Skill name: product-demo-video
Analysis time: 86.7s
Engine: pi
Do not install this skill
Do not deploy this skill. The install-deps.sh script contains `rm -rf /tmp/ffmpeg.tar.xz /tmp/ffmpeg-*-amd64-static` where shell glob expansion could resolve to `/tmp/` or broader paths if the archive doesn't extract as expected. Additionally, SKILL.md declares zero permissions but the implementation requires shell:WRITE, filesystem:WRITE, and network:READ. Remove the shell scripts entirely and declare required capabilities explicitly.

Attack chain: 3 steps

1. Privilege escalation: Skill invoked with Bash:WRITE capability, allowing shell command execution (SKILL.md)
2. Privilege escalation: install-deps.sh uses `rm -rf /tmp/ffmpeg.tar.xz /tmp/ffmpeg-*-amd64-static` — glob expansion could resolve to /tmp/ or broader paths if archive structure is unexpected (scripts/install-deps.sh:23)
3. Impact: If run as root (e.g., in a Docker container), `rm -rf /tmp/` or broader path wipe could cause data loss across the system (scripts/install-deps.sh:23)

Security findings: 6

Severity / Finding / Location

Critical: Destructive `rm -rf` glob command in install script (category: Code execution)
Line 23 of install-deps.sh uses `rm -rf /tmp/ffmpeg.tar.xz /tmp/ffmpeg-*-amd64-static`. The glob pattern `ffmpeg-*-amd64-static` could expand to /tmp/ itself or a broader path if the tarball extracts unexpectedly (e.g., flat files or to a parent directory). In a root container or misconfigured environment, this could wipe data beyond /tmp/. The intended use of a bare `rm -rf` with glob patterns near system directories is a severe operational hazard.
rm -rf /tmp/ffmpeg.tar.xz /tmp/ffmpeg-*-amd64-static
→ Replace with explicit directory removal: use `rm -rf "${tmpdir}"` after saving the extracted directory path to a variable, or use a trap/cleanup function. Never use bare globs with rm -rf near /tmp.
scripts/install-deps.sh:23

High: Undeclared shell execution capability (category: Documentation deception)
SKILL.md declares zero permissions in its frontmatter, yet record-demo.mjs uses execSync to run 5+ shell commands (edge-tts, ffmpeg x3, ffprobe, python3). This is a direct doc-to-code mismatch. The skill does not declare shell:WRITE, filesystem:WRITE, or network:READ in allowed-tools.
execSync(`edge-tts --voice ${voice} --rate=${voiceRate} --text "${s.narration.replace(/"/g, '\\"')}" --write-media ${audioPath}`)
→ Declare all shell commands in SKILL.md frontmatter using allowed-tools mapping: Bash→shell:WRITE, Read→filesystem:READ, Write→filesystem:WRITE. Document why each tool is needed.
scripts/record-demo.mjs:141

High: Dynamically generated Python script executed at runtime (category: Code execution)
record-demo.mjs builds a Python script as a string (generateOverlayScript, ~75 lines) containing scene configuration data and PIL image processing code, writes it to /tmp, and executes it via execSync. This dynamic code generation from configuration data is undeclared functionality.
fs.writeFileSync(`${workDir}/overlay.py`, pyScript);
execSync(`python3 ${workDir}/overlay.py`, { stdio: 'inherit' });
→ Either pre-write the overlay script and call it with scene data as arguments, or rewrite the overlay logic in Node.js using the canvas package. Document this behavior in SKILL.md.
scripts/record-demo.mjs:148

Medium: Unpinned pip dependencies (category: Supply chain)
install-deps.sh installs edge-tts and Pillow without version constraints. Pip defaults to the latest version, which could introduce breaking changes or malicious updates.
pip3 install edge-tts 2>/dev/null && echo "✅ edge-tts" || echo "⚠️ edge-tts"
→ Pin versions: pip3 install edge-tts==6.1.0 (or current stable) Pillow==10.x.x. Add a requirements.txt for reproducibility.
scripts/install-deps.sh:8

Medium: Remote script download over plain HTTP (category: Supply chain)
install-deps.sh downloads FFmpeg via curl from johnvansickle.com over HTTPS. The site may serve over plain HTTP, and the downloaded binary is copied directly to /usr/local/bin without integrity verification (no sha256 checksum).
curl -sL https://johnvansickle.com/ffmpeg/releases/ffmpeg-release-amd64-static.tar.xz -o /tmp/ffmpeg.tar.xz
→ Verify the downloaded binary with a published SHA256 hash before extraction. Consider using package managers (apt, dnf) for FFmpeg installation instead.
scripts/install-deps.sh:19

Low: FFmpeg and ffprobe installed to /usr/local/bin (category: Privilege escalation)
The install script copies extracted binaries to /usr/local/bin, which requires write access to system directories. If run as a non-root user, it will fail; if run as root, it modifies system state.
cp /tmp/ffmpeg-*-amd64-static/ffmpeg /usr/local/bin/
→ Install to user-local bin (~/bin) or use the system's package manager. Document the privilege requirements.
scripts/install-deps.sh:21
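
| Resource type | Declared permission | Inferred permission | Status | Evidence |
| --- | --- | --- | --- | --- |
| Command execution | NONE | WRITE | ✗ Exceeds declared | record-demo.mjs:141 execSync(`edge-tts ...`) |
| Command execution | NONE | WRITE | ✗ Exceeds declared | scripts/install-deps.sh:23 rm -rf glob command |
| File system | NONE | WRITE | ✗ Exceeds declared | record-demo.mjs:148 fs.writeFileSync(`${workDir}/overlay.py`, pyScript) |
| Network access | NONE | READ | ✗ Exceeds declared | install-deps.sh:19 curl downloads FFmpeg from johnvansickle.com |
| Network access | NONE | READ | ✗ Exceeds declared | record-demo.mjs:89 page.goto(s.url) — navigates to arbitrary URLs |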

1 critical · 4 findings

- Critical, dangerous shell command: `rm -rf /` (scripts/install-deps.sh:23)
- Medium, external URL: https://johnvansickle.com/ffmpeg/releases/ffmpeg-release-amd64-static.tar.xz (scripts/install-deps.sh:19)
- Medium, external URL: https://yourapp.dev/ (scripts/record-demo.mjs:56)
- Medium, external URL: https://yourapp.dev/feature1/ (scripts/record-demo.mjs:67)

Directory structure

5 files · 21.3 KB · 601 lines
JavaScript 1f · 303L Markdown 2f · 242L Shell 1f · 50L JSON 1f · 6L
├─ 📁 references
│ └─ 📝 demo-planning.md Markdown 77L · 2.3 KB
├─ 📁 scripts
│ ├─ 🔧 install-deps.sh Shell 50L · 1.7 KB
│ └─ 📜 record-demo.mjs JavaScript 303L · 11.3 KB
├─ 📋 _meta.json JSON 6L · 132 B
└─ 📝 SKILL.md Markdown 165L · 5.8 KB

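Dependency analysis: 3 items

| Package | Version | Source | Known vulnerabilities | Notes |
| --- | --- | --- | --- | --- |
| puppeteer | not pinned | npm i -g puppeteer | | Installed globally without version constraint |
| edge-tts | not pinned | pip3 install edge-tts | | No version constraint in install command |
| Pillow | not pinned | pip3 install Pillow | | No version constraint in install command |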

Security highlights

✓ No credential theft: skill does not access ~/.ssh, ~/.aws, .env, or iterate environment variables for secrets
✓ No data exfiltration: no HTTP POSTs of user data to external servers
✓ No obfuscation: all code is readable plain text, no base64-encoded payloads or eval(atob(...)) patterns
✓ No persistence mechanisms: no cron jobs, startup scripts, or backdoor installations
✓ Legitimate purpose: the core functionality (video demo creation) matches documented behavior