Suspicious: risk score 45/100
Last scan: 19 hours ago
Etf
ETF analysis utility (claimed) / Generic local logger (actual)
Documentation claims ETF analysis functionality but code implements only a generic local logger with no financial analysis features.
Skill name: Etf
Analysis time: 45.3s
Engine: pi
Verdict: use with caution
Do not deploy. The documentation is misleading about the tool's actual capabilities. Request clarification from the author about the mismatch between the stated ETF analysis purpose and the generic logging implementation.

Security findings (3)

Severity: High
Finding: False documentation - no ETF functionality exists (category: documentation deception)
SKILL.md describes an 'ETF holdings analyzer' for 'screening ETFs, comparing ratios, and tracking allocations', but scripts/script.sh contains only generic local logging commands. There is zero ETF-specific logic, financial data fetching, or market analysis code.
Evidence:
description: 'Analyze ETF holdings, compare fund metrics, and review sector allocation data'
→ Verify whether this skill was mislabeled or whether malicious code was injected into a legitimate tool.
Location: SKILL.md:1

Severity: Medium
Finding: Undeclared filesystem WRITE permission (category: privilege escalation)
The skill declares filesystem:NONE, but the script creates and writes to the ~/.local/share/etf/ directory for persistent storage.
Evidence:
DATA_DIR="${HOME}/.local/share/etf"
mkdir -p "$DATA_DIR"
→ Update SKILL.md to declare filesystem:WRITE permission for the etf data directory.
Location: scripts/script.sh:9

Severity: Low
Finding: Local data persistence with no encryption (category: data exfiltration)
All user inputs to commands are logged in plaintext to log files in ~/.local/share/etf/. While the skill is marked 'offline', this creates a local data store that could be read by other processes.
Evidence:
echo "$ts|$input" >> "$DATA_DIR/run.log"
→ Consider documenting data retention policies and adding encryption if sensitive data may be processed.
Location: scripts/script.sh:58
Resource type          Declared  Inferred  Status                  Evidence
Filesystem             NONE      WRITE     ✗ exceeds declaration   scripts/script.sh:9 mkdir -p "$DATA_DIR"
Network access         NONE      NONE                              No network calls found
Command execution      NONE      NONE                              No subprocess/eval calls
Environment variables  NONE      NONE                              No env access except DATA_DIR path
3 items found
🔗 Medium  External URL   https://bytesagain.com            SKILL.md:6
🔗 Medium  External URL   https://bytesagain.com/feedback/  SKILL.md:98
📧 Info    Email address  [email protected]                  SKILL.md:101

Directory structure

2 files · 13.8 KB · 414 lines
Shell: 1 file · 313 lines; Markdown: 1 file · 101 lines
├─ 📁 scripts
│ └─ 🔧 script.sh Shell 313L · 10.7 KB
└─ 📝 SKILL.md Markdown 101L · 3.1 KB

Security highlights

✓ No network requests or external communications detected
✓ No credential harvesting or environment variable enumeration
✓ No base64 encoding or obfuscated commands
✓ No remote script execution (curl|bash, wget|sh)
✓ No subprocess or shell execution capabilities
✓ Works entirely offline as documented
✓ No supply chain dependencies or external packages