Suspicious — Risk Score 45/100
Last scan: 19 hr ago
Etf
ETF analysis utility (claimed) / Generic local logger (actual)
Documentation claims ETF analysis functionality but code implements only a generic local logger with no financial analysis features.
Skill Name: Etf
Duration: 45.3s
Engine: pi
Use with caution
Do not deploy. The documentation is misleading about the tool's actual capabilities. Request clarification from the author about the mismatch between the stated ETF analysis purpose and the generic logging implementation.

Findings (3 items)

Severity: High
Finding: False documentation - no ETF functionality exists
Category: Doc Mismatch
SKILL.md describes an 'ETF holdings analyzer' for 'screening ETFs, comparing ratios, and tracking allocations', but scripts/script.sh contains only generic local logging commands. There is no ETF-specific logic, financial data fetching, or market analysis code.
Evidence: description: 'Analyze ETF holdings, compare fund metrics, and review sector allocation data'
→ Verify whether this skill was mislabeled or whether malicious code was injected into a legitimate tool.
Location: SKILL.md:1

Severity: Medium
Finding: Undeclared filesystem WRITE permission
Category: Priv Escalation
The skill declares filesystem:NONE, but the script creates and writes to the ~/.local/share/etf/ directory for persistent storage.
Evidence:
DATA_DIR="${HOME}/.local/share/etf"
mkdir -p "$DATA_DIR"
→ Update SKILL.md to declare filesystem:WRITE permission for the etf data directory.
Location: scripts/script.sh:9

Severity: Low
Finding: Local data persistence with no encryption
Category: Data Exfil
All user inputs to commands are logged in plaintext to log files in ~/.local/share/etf/. While the skill is marked 'offline', this creates a local data store that could be accessed by other processes.
Evidence: echo "$ts|$input" >> "$DATA_DIR/run.log"
→ Consider documenting data retention policies and adding encryption if sensitive data may be processed.
Location: scripts/script.sh:58
Resource      Declared  Inferred  Status        Evidence
Filesystem    NONE      WRITE     ✗ Violation   scripts/script.sh:9  mkdir -p "$DATA_DIR"
Network       NONE      NONE                    No network calls found
Shell         NONE      NONE                    No subprocess/eval calls
Environment   NONE      NONE                    No env access except DATA_DIR path
3 findings

🔗 Medium  External URL
   https://bytesagain.com
   SKILL.md:6

🔗 Medium  External URL
   https://bytesagain.com/feedback/
   SKILL.md:98

📧 Info  Email address
   [email protected]
   SKILL.md:101

File Tree

2 files · 13.8 KB · 414 lines
Shell: 1 file · 313 lines; Markdown: 1 file · 101 lines
├─ 📁 scripts
│ └─ 🔧 script.sh Shell 313L · 10.7 KB
└─ 📝 SKILL.md Markdown 101L · 3.1 KB

Security Positives

✓ No network requests or external communications detected
✓ No credential harvesting or environment variable enumeration
✓ No base64 encoding or obfuscated commands
✓ No remote script execution (curl|bash, wget|sh)
✓ No subprocess or shell execution capabilities
✓ Works entirely offline as documented
✓ No supply chain dependencies or external packages