Skill Trust Decision
dianping-api
Remote script execution via curl|bash with base64-encoded content is a critical supply chain vulnerability, compounded by undocumented shell/filesystem/network access in the installation mechanism.
Most direct threat evidence
Critical Supply Chain
Remote Script Execution via curl|bash The install.sh fetches and executes code from a remote URL using the dangerous curl|bash pattern. The <URL> placeholder could point to a compromised or attacker-controlled server at any time after distribution.
install.sh:3 Why this conclusion was reached
3/4 dimensions flagged Block
Declared vs actual capability
3 undeclared or violating capabilities were inferred.
Block
Hidden execution and egress
2 high-risk artifacts or egress signals were extracted.
Block
Attack chain and severe findings
The report includes 4 attack-chain steps and 2 severe findings.
Pass
Dependencies and supply chain hygiene
Dependencies are present but no obvious high-risk issue stands out.
Attack Chain
01
Attacker compromises the <URL> host or DNS
delivery · install.sh:3
02
Malicious install.sh replaces legitimate content
delivery · install.sh:3
03
curl|bash executes arbitrary attacker code with user privileges
Execution · install.sh:3
04
Malicious Python/Shell scripts written to disk and chmod +x'd
Persistence · install.sh:28
What drove the risk score up
Remote script execution +25
curl -fsSL <URL>/install.sh | bash allows arbitrary code injection at install time
Base64 obfuscation +20
All source code is base64-encoded and decoded at runtime, hiding true implementation from static analysis
Undeclared shell execution +10
SKILL.md does not mention subprocess usage with curl commands
Undeclared filesystem WRITE +5
SKILL.md does not declare that cookies are stored in ~/.dianping/
Undeclared network access +5
SKILL.md mentions curl but does not explicitly declare network:READ capability
Most important evidence
Critical Supply Chain
Remote Script Execution via curl|bash
The install.sh fetches and executes code from a remote URL using the dangerous curl|bash pattern. The <URL> placeholder could point to a compromised or attacker-controlled server at any time after distribution.
install.sh:3 Remove remote installation entirely. Distribute skill as static files. If self-update is needed, download to a temp file and audit before execution.
Critical Obfuscation
Base64-Encoded Source Code Execution
All three source files (SKILL.md, dianping_api.py, dianping_login.py) are base64-encoded and decoded at install time. This prevents static analysis of the actual code and could be used to smuggle malicious payloads.
install.sh:11 Distribute source code in plaintext. Use signed hashes for integrity verification instead of obfuscation.
Medium Doc Mismatch
Undeclared Shell Execution via subprocess
Both Python scripts use subprocess.run() to execute curl commands, but SKILL.md does not declare shell:WRITE capability or mention subprocess usage. The doc only states 'uses curl' without explaining the execution model.
dianping_api.py:35 Document that curl is invoked via subprocess. Consider using the requests library or urllib3 instead of subprocess if possible.
Medium Doc Mismatch
Undeclared Filesystem Write Access
SKILL.md states cookies are stored in '~/.dianping/cookies.json' but does not declare filesystem:WRITE permission. This is hidden behavior affecting user home directory.
dianping_login.py:69 Explicitly declare filesystem:WRITE access for cookie storage in SKILL.md capability requirements.
Medium Doc Mismatch
Undeclared Network Access
SKILL.md mentions 'curl (系统自带,无需安装)' but does not explicitly declare network:READ capability. HTTP requests to dianping.com are fundamental to the tool but undocumented.
SKILL.md:1 Add explicit network:READ declaration for api.dianping.com domain in SKILL.md prerequisites.
Declared capability vs actual capability
Filesystem Block
Declared NONE
→ Inferred WRITE
install.sh:24 writes ~/.dianping/cookies.json via Python scripts Network Block
Declared NONE
→ Inferred READ
dianping_api.py:35 subprocess.run(['curl',...]) Shell Block
Declared NONE
→ Inferred WRITE
install.sh:3 curl|bash pattern Environment Pass
Declared NONE
→ Inferred NONE
No environment variable access found Skill Invoke Pass
Declared NONE
→ Inferred NONE
No cross-skill invocation Suspicious artifacts and egress
Critical Dangerous Command
curl -fsSL <URL>/install.sh | bash install.sh:3
Critical Encoded Execution
base64 -d install.sh:11
Medium External URL
https://www.dianping.com/ scripts/dianping_api.py:38
Medium External URL
https://www.dianping.com/search/keyword/%d/0_%s scripts/dianping_api.py:65
Medium External URL
https://www.dianping.com/shop/ scripts/dianping_api.py:104
Medium External URL
https://www.dianping.com scripts/dianping_login.py:23
Medium External URL
https://account.dianping.com/pclogin scripts/dianping_login.py:183
Medium External URL
https://www.dianping.com/search/keyword/ scripts/dianping_login.py:218
Dependencies and supply chain
| Package | Version | Source | Known vuln | Notes |
|---|---|---|---|---|
| curl | system-provided | system | No | No pip/npm dependencies - uses system curl |
File composition
4 files · 664 lines
Python 2 files · 462 linesMarkdown 1 files · 165 linesShell 1 files · 37 lines
Files of concern · 4
install.sh Remote Script Execution via curl|bash · Base64-Encoded Source Code Execution · curl -fsSL <URL>/install.sh | bash · base64 -d
scripts/dianping_login.py https://www.dianping.com · https://account.dianping.com/pclogin · https://www.dianping.com/search/keyword/
scripts/dianping_api.py https://www.dianping.com/ · https://www.dianping.com/search/keyword/%d/0_%s · https://www.dianping.com/shop/
SKILL.md Undeclared Network Access
Security positives
No evidence of credential harvesting beyond the legitimate Dianping session cookies
No reverse shell, C2 communication, or data exfiltration to third-party servers
Cookies stored locally in user's home directory, not transmitted elsewhere
The Python implementation appears functionally legitimate for the stated restaurant search purpose
Uses standard curl User-Agent to appear as a normal browser