Low risk: risk score 15/100
Last scanned: 1 day ago
jettyd
Interact with IoT devices via the jettyd platform — read sensors, send commands, manage rules, and list devices
A legitimate IoT device management skill for the jettyd platform. All functionality is declared, the implementation is clean, and there are no security violations. The only flag is a template password placeholder in documentation which is clearly illustrative.
Skill name: jettyd
Analysis time: 32.3s
Engine: pi
Safe to install
Approve for use. The hardcoded password placeholder in blueprint.md is a template example with no security impact — it is not actual credentials.

Security findings: 1

Severity | Finding | Category | Location
Low | Template password placeholder in documentation | Documentation deception | blueprint.md:58

blueprint.md line 58 contains CONFIG_JETTYD_WIFI_PASSWORD="YourNetworkPassword" — this is a clearly marked template/example string in a config file snippet, not actual credentials. It has no security impact as it is never parsed or used by the skill code.
Evidence: CONFIG_JETTYD_WIFI_PASSWORD="YourNetworkPassword"
→ No action needed. Replace with {{YOUR_WIFI_PASSWORD}} or similar placeholder notation in documentation to eliminate ambiguity.
Resource type | Declared permission | Inferred permission | Status | Evidence
Network access | READ | READ | ✓ Consistent | jettyd-cli.js:42 — fetch to api.jettyd.com only
File system | READ | READ | ✓ Consistent | jettyd-cli.js:22-29 — reads ~/.openclaw/openclaw.json for API key; langchain_too…
Command execution | WRITE | NONE | ✓ Consistent | SKILL.md declares 'bins: node' for running the CLI; no subprocess/bash execution…
9 findings (1 high-severity)

Severity | Type | Finding | Value | Location
High | API key | Suspected hardcoded credential | PASSWORD="YourNetworkPassword" | blueprint.md:58
Medium | External URL | External URL | https://jettyd.com | SKILL.md:14
Medium | External URL | External URL | https://api.jettyd.com/v1 | SKILL.md:15
Medium | External URL | External URL | https://jettyd.com/docs/mcp | SKILL.md:150
Medium | External URL | External URL | https://api.jettyd.com/v1/devices | blueprint.md:84
Medium | External URL | External URL | https://api.jettyd.com/v1/devices/DEVICE_ID/config | blueprint.md:177
Medium | External URL | External URL | https://api.jettyd.com/v1/webhooks | blueprint.md:200
Medium | External URL | External URL | https://hooks.slack.com/... | blueprint.md:205
Medium | External URL | External URL | https://docs.jettyd.com | blueprint.md:235

Directory structure

6 files · 25.9 KB · 862 lines
Markdown: 4 files · 461 lines; JavaScript: 1 file · 221 lines; Python: 1 file · 180 lines
├─ 📁 examples
│ ├─ 🐍 langchain_tool.py Python 180L · 5.6 KB
│ └─ 📝 README.md Markdown 19L · 580 B
├─ 📁 references
│ └─ 📝 api-summary.md Markdown 50L · 1.7 KB
├─ 📁 scripts
│ └─ 📜 jettyd-cli.js JavaScript 221L · 8.1 KB
├─ 📝 blueprint.md Markdown 240L · 5.8 KB
└─ 📝 SKILL.md Markdown 152L · 4.1 KB

Dependency analysis: 1 item

Package | Version | Source | Known vulnerabilities | Notes
requests | * | pip | | Only in langchain_tool.py example file, not required for the skill itself

Security highlights

✓ All network requests go to the single, declared endpoint api.jettyd.com — no data exfiltration
✓ No shell command execution, subprocess, or eval patterns found in the codebase
✓ No credential harvesting beyond the intended API key — environment and config file read are both declared and scoped
✓ No obfuscation techniques (no base64, no dynamic code loading, no anti-analysis patterns)
✓ No supply chain risk — no dependencies with unpinned versions or known vulnerabilities
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env) — only reads ~/.openclaw/openclaw.json as declared
✓ API key is used exclusively for Bearer token auth to the jettyd platform — not exfiltrated elsewhere