Low risk: risk score 15/100
Last scan: 18 hours ago
dashboard-humanize
AI-flavor removal service for copy: calls the Dashboard Console API to rewrite AI-generated text in a more human writing style
A legitimate text humanization tool that calls a backend API to remove AI-like characteristics from content. No malicious patterns found; all functionality aligns with stated purpose.
Skill name: dashboard-humanize
Analysis time: 49.9s
Engine: pi
Verdict: can be installed
Consider documenting the hardcoded fallback token in SKILL.md and clarifying that user content is sent to an external service for processing.

Security findings (2)

Severity | Finding | Location
Low
Hardcoded default API token (category: credential theft)
A default Bearer token 'atk_ajhhuxTyHciMIxZQ_vt_boqVeG_zTr4Ix9REWuVBXSc' is embedded in the source as a fallback. It appears to be a development/public token rather than a harvested credential, but it is exposed in source control and ships with every installed copy of the skill; because the fallback is silent, any user who forgets to set DASHBOARD_TOKEN will call the API under that shared identity without noticing.
Evidence: DEFAULT_TOKEN = "atk_ajhhuxTyHciMIxZQ_vt_boqVeG_zTr4Ix9REWuVBXSc"
→ Remove hardcoded tokens from the source and fail closed when no token is configured. Document that users must set the DASHBOARD_TOKEN environment variable for production use.
scripts/humanize.py:46
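The fallback pattern behind this finding beside its hardened form, plus the check a scanner or pre-commit hook can run to catch it. This is an added example written for this page, not the skill's own code; the placeholder token, the sample source text and the regex heuristic are constructed assumptions, and the `atk_` prefix is taken from the finding above.

```python
import re
from typing import Dict, List, Tuple

# Constructed placeholder; deliberately not the token reported by the scan.
PLACEHOLDER_FALLBACK = "atk_EXAMPLE0000000000000000000000000000000"


def load_token_with_fallback(env: Dict[str, str]) -> str:
    """The pattern the finding describes: an unset DASHBOARD_TOKEN silently
    falls back to a credential embedded in the source, so every copy of the
    script carries a usable secret and all such users share one identity."""
    return env.get("DASHBOARD_TOKEN") or PLACEHOLDER_FALLBACK


class MissingCredential(RuntimeError):
    """Raised when no credential is configured; the caller must fail closed."""


def load_token(env: Dict[str, str]) -> str:
    """Hardened form: the environment is the only source of the token, and an
    empty or missing value is an error rather than a silent downgrade."""
    token = env.get("DASHBOARD_TOKEN", "").strip()
    if not token:
        raise MissingCredential(
            "DASHBOARD_TOKEN is not set; refusing to run without a credential"
        )
    return token


# Heuristic for the check itself (assumption, not a published rule): an
# ALL_CAPS name containing TOKEN/KEY/SECRET assigned a long quoted literal.
# The length floor keeps short strings such as "DASHBOARD_TOKEN" from matching.
_TOKEN_ASSIGN = re.compile(
    r'^\s*(?P<name>[A-Z0-9_]*(?:TOKEN|KEY|SECRET)[A-Z0-9_]*)\s*=\s*'
    r'["\'](?P<value>atk_[A-Za-z0-9_\-]{16,}|[A-Za-z0-9_\-]{32,})["\']\s*(?:#.*)?$'
)


def find_hardcoded_tokens(source: str) -> List[Tuple[int, str, str]]:
    """Return (line number, variable name, redacted value) for each literal
    that looks like an embedded credential. Values are redacted so the
    checker's own output does not become another copy of the secret."""
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = _TOKEN_ASSIGN.match(line)
        if m:
            value = m.group("value")
            hits.append((lineno, m.group("name"), value[:8] + "..."))
    return hits


# Constructed sample mimicking the shape of the flagged file, not its contents.
SAMPLE_SOURCE = "\n".join([
    "import os",
    'API_URL = "https://xiaonian.cc"',
    f'DEFAULT_TOKEN = "{PLACEHOLDER_FALLBACK}"',
    'TOKEN_ENV = "DASHBOARD_TOKEN"',
    'token = os.environ.get("DASHBOARD_TOKEN") or DEFAULT_TOKEN',
])


if __name__ == "__main__":
    for lineno, name, redacted in find_hardcoded_tokens(SAMPLE_SOURCE):
        print(f"line {lineno}: {name} = {redacted}  <- hardcoded credential")
    print("fallback behaviour:", load_token_with_fallback({})[:8] + "...")
    try:
        load_token({})
    except MissingCredential as exc:
        print("hardened behaviour:", exc)
```

Only line 3 of the sample is reported: the URL on line 2 has no credential-like name, the `TOKEN_ENV` string on line 4 is too short to be a secret, and line 5 reads from the environment rather than a literal. The redaction in `find_hardcoded_tokens` matters in practice, since scanner output often ends up in CI logs that are far more widely readable than the repository.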
Low
Missing disclosure of external data transmission (category: misleading documentation)
SKILL.md does not state that user content is transmitted to an external third-party service (xiaonian.cc) for processing. The API call is the skill's core functionality, but it should be disclosed explicitly so that users can give informed consent, including anyone who pipes in a document they would not otherwise share with a third party.
Evidence (SKILL.md): "通过小念AI后端实现" ("implemented via the Xiaonian AI backend")
→ Add a note to SKILL.md such as: 'Note: Your content will be sent to the Dashboard Console API at xiaonian.cc for processing.'
SKILL.md:1
Resource type | Declared | Inferred | Status | Evidence
File system | READ | READ | ✓ consistent | scripts/humanize.py:79-83 reads --content-file or stdin
Network access | WRITE | WRITE | ✓ consistent | scripts/humanize.py:27,118 makes an HTTP POST to the Dashboard Console API
Command execution | NONE | NONE | | No subprocess or shell execution detected
Environment variables | READ | READ | ✓ consistent | scripts/humanize.py:64-67 reads DASHBOARD_TOKEN, DASHBOARD_PHONE, DASHBOARD_PASS…
External URLs (1)
Medium | External URL | https://xiaonian.cc | scripts/humanize.py:27

Directory structure

3 files · 8.3 KB · 271 lines
Python: 1 file · 170 lines   Markdown: 2 files · 101 lines
├─ 📁 references
│ └─ 📝 api.md Markdown 50L · 1.2 KB
├─ 📁 scripts
│ └─ 🐍 humanize.py Python 170L · 5.6 KB
└─ 📝 SKILL.md Markdown 51L · 1.4 KB

Dependency analysis (1)

Package | Version | Source | Known vulnerabilities | Notes
Python standard library only | N/A | stdlib | | Uses urllib, json, argparse, os, sys, typing; no external dependencies

Security highlights

✓ No shell execution or command injection vectors detected
✓ No obfuscation techniques (base64, eval, etc.) found
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, etc.)
✓ No reverse shell, C2 communication, or data exfiltration beyond declared API calls
✓ No supply chain risks - uses only Python standard library (urllib, json, argparse)
✓ All functionality (file reading, network calls, env access) aligns with stated purpose
✓ Clean code structure with proper error handling and exit codes