中文 EN

扫描报告

扫描新文件

低风险 — 风险评分 10/100
上次扫描:2 天前 重新扫描
10 /100
x-reader
Read and summarize X/Twitter links with low-token routing
This is a legitimate X/Twitter link reader skill with no malicious behavior detected; the flagged IOC is a false positive (Chrome browser version number in user-agent string).
技能名称x-reader
分析耗时57.7s
引擎pi
可以安装
This skill is safe to use. No security concerns identified.

安全发现 1 项

严重性 安全发现 位置
提示
Chrome version misinterpreted as IP
The pre-scan flagged 122.0.0.0 as a hardcoded IP address at line 253. This is a false positive - the value is part of the Chrome browser version number in the user-agent string: 'Chrome/122.0.0.0'. This is legitimate browser automation configuration.
userAgent: 'Mozilla/5.0...Chrome/122.0.0.0 Safari/537.36'
→ No action needed - this is a legitimate user-agent string.
 scripts/xreader.mjs:251
资源类型声明权限推断权限状态证据
文件系统 READ READ ✓ 一致 xreader.mjs:38-50 reads session.json
文件系统 WRITE WRITE ✓ 一致 xreader.mjs:35-37 writes migrated auth with 0o600
命令执行 READ READ ✓ 一致 xreader.mjs:75 uses execFileAsync to run xreach
网络访问 READ READ ✓ 一致 xreader.mjs:78-83 resolves URLs via fetch()
浏览器 WRITE WRITE ✓ 一致 xreader.mjs:85-253 uses Playwright for article extraction
1 高危 7 项发现
📡
高危 IP 地址 硬编码 IP 地址
122.0.0.0
scripts/xreader.mjs:253
🔗
中危 外部 URL 外部 URL
https://x.com/...
SKILL.md:32
🔗
中危 外部 URL 外部 URL
https://x.com/.../status/...
SKILL.md:44
🔗
中危 外部 URL 外部 URL
https://x.com/i/article/...
SKILL.md:50
🔗
中危 外部 URL 外部 URL
https://x.com/yangguangai/status/2033736815405121642?s=46
SKILL.md:117
🔗
中危 外部 URL 外部 URL
https://x.com/yangguangai/status/2033522959407878621?s=46
SKILL.md:118
🔗
中危 外部 URL 外部 URL
https://x.com/google/status/2031558824042058064
SKILL.md:119

目录结构

4 文件 · 24.4 KB · 761 行
JavaScript 1f · 560L Markdown 1f · 136L JSON 2f · 65L
├─ 📁 scripts
│ └─ 📜 xreader.mjs JavaScript 560L · 18.5 KB
├─ 📋 package-lock.json JSON 57L · 1.6 KB
├─ 📋 package.json JSON 8L · 123 B
└─ 📝 SKILL.md Markdown 136L · 4.1 KB

依赖分析 2 项

包名版本来源已知漏洞备注
xreach * npm External CLI tool, documented dependency
playwright ^1.53.0 npm Used for article page rendering only

安全亮点

✓ All functionality declared in SKILL.md matches code implementation
✓ Auth tokens are used locally for X.com authentication only - no exfiltration
✓ File permissions set to 0o600 for auth files
✓ No shell command injection vectors
✓ No base64/eval obfuscation
✓ No credential harvesting beyond documented auth files
✓ No remote script execution (curl|bash, wget|sh)
✓ No hidden functionality or undocumented network connections
✓ Dependencies are standard and documented (xreach CLI, Playwright)