Trusted — Risk Score 5/100
Last scan: 2 days ago
zhuocha
招投标重复项目核实助手 - Bidding/tender duplicate verification assistant
Legitimate internal bidding/tender duplicate verification tool with no malicious indicators. All network activity confined to private RFC1918 IP ranges.
Skill Name: zhuocha
Duration: 24.6s
Engine: pi
Safe to install
Approve for use. Consider pinning requests library version for dependency hygiene.

Findings 3 items

Severity | Finding | Location

Low: Dependency version not pinned (scripts/zhuocha_finder.py)
The 'requests' library has no version constraint in code. While no known CVEs currently exist, pinning versions provides reproducible builds and protection against supply chain attacks.
    import requests
→ Add version constraint: requests>=2.28.0,<3.0.0

Info: SQL injection protection present (scripts/zhuocha_finder.py:108)
INSERT operations use parameterized queries (:reid, :reason, etc.) which properly mitigate SQL injection risk.
    "params": {"reid": reid, "reason": reason, "rr": rr, "rd": rd, "re_result": re_result}
→ Continue using parameterized queries

Info: All network targets are internal RFC1918 addresses (SKILL.md:12)
All three API endpoints (192.168.88.51:5100/5200/6100) resolve to private IP space. No data exfiltration risk to external entities.
    192.168.88.51
→ No action required - internal-only network topology
Resource | Declared | Inferred | Status | Evidence
Network | READ | READ | ✓ Aligned | All HTTP requests to 192.168.88.51 private IPs (5100/5200/6100)
Filesystem | NONE | READ | ✓ Aligned | ~/.openclaw/workspace/.zhuocha_cursor.json for state persistence
Shell | NONE | NONE | | SKILL.md explicitly prohibits bash curl loops; script uses Python urllib
3 findings

Medium: External URL | http://192.168.88.51:6100/insert | SKILL.md:66
Medium: External URL | http://192.168.88.51:6100/query | scripts/zhuocha_finder.py:21
Medium: External URL | http://192.168.88.51:5100/query | scripts/zhuocha_finder.py:22

File Tree

2 files · 16.5 KB · 405 lines
Python 1f · 225L Markdown 1f · 180L
├─ 📁 scripts
│ └─ 🐍 zhuocha_finder.py Python 225L · 7.6 KB
└─ 📝 SKILL.md Markdown 180L · 8.9 KB

Dependencies 1 items

Package | Version | Source | Known Vulns | Notes
requests | * | pip | No | Version not pinned

Security Positives

✓ Parameterized SQL queries prevent injection attacks
✓ All network activity to private RFC1918 IPs (192.168.x.x) - no external exfiltration
✓ Explicit bash prohibition documented in SKILL.md (use Python urllib)
✓ State file is non-sensitive workspace metadata
✓ No credential harvesting or environment variable scanning
✓ No base64, eval, or obfuscation patterns
✓ No hidden instructions or suspicious comments
✓ Single-purpose business logic with clear documentation