Low risk: risk score 20/100
Last scanned: 1 day ago
torrent-search
Searches BT4G for torrent files and outputs magnet links that include trackers; supports adding them directly to qBittorrent.
A legitimate torrent search skill that hardcodes qBittorrent WebUI credentials but does not exfiltrate them; network access is confined to declared BT4G and tracker domains.
Skill name: torrent-search
Analysis time: 34.6s
Engine: pi
Verdict: safe to install
Remove hardcoded credentials from add_to_qbittorrent.py and use environment variables or a config file instead. Otherwise, this skill performs its declared function safely.

Security findings: 2

Severity | Finding | Location
Low | Hardcoded qBittorrent credentials not documented as a security consideration (category: documentation deception) | add_to_qbittorrent.py:21
  add_to_qbittorrent.py lines 21-23 hardcode QB_USER='admin' and QB_PASS='adminadmin'. SKILL.md warns about changing the password but does not mention that the credentials are embedded in the source code. No exfiltration is observed, but this is a documentation gap.
  Evidence:
    QB_USER = "admin"
    QB_PASS = "adminadmin"
  → Move credentials to environment variables or a config file; document the credential handling in SKILL.md
Low | network:WRITE to qBittorrent WebUI not explicitly declared in capability section (category: documentation deception) | SKILL.md:1
  SKILL.md describes browser/WebFetch network access but does not explicitly state that the skill makes HTTP POST requests to qBittorrent's WebUI at localhost:8080. This is partially visible in the prose but missing from a formal capability declaration.
  Evidence: SKILL.md describes browser usage and qBittorrent integration but lacks a formal capability declaration for network:WRITE
  → Add a formal 'Capabilities' or 'Permissions' section to SKILL.md listing all network endpoints (bt4gprx.com, localhost:8080, tracker URLs)
Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | WRITE | WRITE | ✓ Consistent | SKILL.md declares write to C:/butler_sumo/docs/torrent/; torrent_search.py lines…
Network access | READ | READ+WRITE | ✓ Consistent | SKILL.md declares browser/WebFetch (READ) to bt4gprx.com; add_to_qbittorrent.py …
Database | WRITE | WRITE | ✓ Consistent | SKILL.md line ~216 declares qBittorrent WebUI integration; add_to_qbittorrent.py…
Environment variables | NONE | READ | ✓ Consistent | add_to_qbittorrent.py reads QB_URL/QB_USER/QB_PASS as hardcoded constants, not f…
12 findings

Severity | Type | URL | Location
Medium | External URL | https://bt4gprx.com/search?q=關鍵字 | SKILL.md:19
Medium | External URL | https://tracker.zhuqiy.com:443/announce | SKILL.md:189
Medium | External URL | https://tracker.pmman.tech:443/announce | SKILL.md:190
Medium | External URL | https://tracker.nekomi.cn:443/announce | SKILL.md:191
Medium | External URL | https://tracker.moeblog.cn:443/announce | SKILL.md:192
Medium | External URL | https://tracker.bt4g.com:443/announce | SKILL.md:193
Medium | External URL | http://tracker.opentrackr.org:1337/announce | add_to_qbittorrent.py:38
Medium | External URL | http://tracker.torrent.eu.org:451/announce | add_to_qbittorrent.py:39
Medium | External URL | https://tracker.lilith档.com:443/announce | add_to_qbittorrent.py:40
Medium | External URL | https://tr.highhopes.xyz:443/announce | add_to_qbittorrent.py:41
Medium | External URL | https://t.trackers.net:443/announce | add_to_qbittorrent.py:42
Medium | External URL | https://bt4gprx.com/search?q= | torrent_search.py:89

Directory structure

4 files · 25.3 KB · 795 lines
Python: 2 files · 433 lines; Markdown: 2 files · 362 lines
├─ 🐍 add_to_qbittorrent.py Python 280L · 9.7 KB
├─ 📝 SKILL_zh.md Markdown 128L · 3.7 KB
├─ 📝 SKILL.md Markdown 234L · 6.7 KB
└─ 🐍 torrent_search.py Python 153L · 5.3 KB

Dependency analysis: 1 package

Package | Version | Source | Known vulnerabilities | Notes
requests | * | pip (stdlib-equivalent) | No specific CVE exploitation observed | Version not pinned

Security highlights

✓ No base64-encoded execution, eval(), or obfuscated code found
✓ No credential harvesting loops or environment variable iteration for sensitive keys
✓ No curl|bash or wget|sh remote script execution
✓ No access to ~/.ssh, ~/.aws, .env, or other sensitive paths
✓ No reverse shell, C2 communication, or data exfiltration to external IPs
✓ No hidden instructions in HTML comments or prompt injection detected
✓ No supply chain risks — only uses the standard 'requests' library, version unpinned but no known vulnerabilities exploited
✓ Pre-scan confirmed no sensitive files (.env, .git/credentials) present
✓ Functionality is entirely consistent with declared purpose: torrent search and qBittorrent integration