中文 EN

扫描报告

扫描新文件

低风险 — 风险评分 15/100
上次扫描:21 小时前 重新扫描
15 /100
post-content-moderation
Review, rewrite, and moderate user-generated posts across title, body text, images, and videos to block ads and contact information
This is a legitimate content moderation skill with declared network access. The skill transparently documents that user content (posts, images, videos) may be sent to external APIs for moderation. No executable code exists, only markdown documentation. Minor documentation artifacts reference non-existent PHP scripts.
技能名称post-content-moderation
分析耗时48.3s
引擎pi
可以安装
This skill is safe to use. When deploying, ensure external API endpoints are properly allowlisted and environment variables are used for secrets. Be aware that user-generated content will leave the local environment for moderation.

安全发现 2 项

严重性 安全发现 位置
低危
Referenced PHP scripts not present in package 文档欺骗
Documentation references bundled PHP scripts (config.php, moderation_support.php, php_xai_client_example.php, etc.) but no script files exist in the package. Only markdown documentation is present.
scripts/config.php, scripts/moderation_support.php, scripts/php_xai_client_example.php
→ This appears to be documentation-only intent. Remove script references or provide the actual scripts if executable functionality is intended.
 references/php-example-notes.md:4
低危
User content explicitly declared for external transmission 敏感访问
SKILL.md clearly states that post text, images, videos, and URLs may leave the local environment. This is expected behavior for a moderation skill but should be acknowledged by operators.
any post text, comment text, whitelist, custom rules, image URLs, or video URLs included in the payload may leave the local environment
→ Ensure users/operators are informed that content submitted for moderation will be sent to external AI APIs for analysis.
 SKILL.md:18
资源类型声明权限推断权限状态证据
网络访问 READ READ ✓ 一致 SKILL.md: 'bundled PHP scripts can send moderation payloads to external APIs'
文件系统 NONE NONE No file operations in this skill
命令执行 NONE NONE No shell execution referenced
5 项发现
🔗
中危 外部 URL 外部 URL
https://cdn.example.com/a.jpg
references/api-integration.md:30
🔗
中危 外部 URL 外部 URL
https://cdn.example.com/a.mp4
references/api-integration.md:33
🔗
中危 外部 URL 外部 URL
https://api.x.ai/v1/chat/completions
references/api-integration.md:150
🔗
中危 外部 URL 外部 URL
https://cdn.example.com/post/10001-1.jpg
references/api-spec.md:21
🔗
中危 外部 URL 外部 URL
https://cdn.example.com/post/10001-1.mp4
references/api-spec.md:24

目录结构

9 文件 · 43.3 KB · 1510 行
Markdown 9f · 1510L
├─ 📁 references
│ ├─ 📝 api-integration.md Markdown 199L · 4.6 KB
│ ├─ 📝 api-spec.md Markdown 288L · 7.1 KB
│ ├─ 📝 install-and-usage.md Markdown 123L · 3.5 KB
│ ├─ 📝 php-demo-suite.md Markdown 100L · 2.8 KB
│ ├─ 📝 php-example-notes.md Markdown 80L · 2.4 KB
│ ├─ 📝 prompt-templates.md Markdown 111L · 2.9 KB
│ ├─ 📝 release-notes.zh-CN.md Markdown 108L · 3.2 KB
│ └─ 📝 rule-template.md Markdown 84L · 1.6 KB
└─ 📝 SKILL.md Markdown 417L · 15.2 KB

安全亮点

✓ SKILL.md explicitly declares network capabilities and data exfiltration scope
✓ Security best practices are documented (environment variables, allowlisting, dry-run testing)
✓ Media inspection limitations are disclosed (placeholder only, no real OCR/QR)
✓ Example URLs use placeholder domains (example.com, api.x.ai in examples)
✓ No hardcoded credentials or API keys in documentation
✓ No obfuscation, reverse shell, or credential harvesting patterns detected
✓ Skill recommends fail-closed policy for ambiguous cases