Trusted: risk score 5/100
Last scan: 2 days ago
zhuocha
招投标重复项目核实助手 - Bidding/tender duplicate verification assistant
Legitimate internal bidding/tender duplicate verification tool with no malicious indicators. All network activity confined to private RFC1918 IP ranges.
Skill name: zhuocha
Analysis time: 24.6s
Engine: pi
Safe to install
Approve for use. Consider pinning requests library version for dependency hygiene.

Security findings (3 items)

Severity | Finding | Location

[Low] Dependency version not pinned
The 'requests' library has no version constraint in code. While no known CVEs currently exist, pinning versions provides reproducible builds and protection against supply chain attacks.
Evidence: import requests
→ Add version constraint: requests>=2.28.0,<3.0.0
Location: scripts/zhuocha_finder.py

[Info] SQL injection protection present
INSERT operations use parameterized queries (:reid, :reason, etc.), which properly mitigate SQL injection risk.
Evidence: "params": {"reid": reid, "reason": reason, "rr": rr, "rd": rd, "re_result": re_result}
→ Continue using parameterized queries
Location: scripts/zhuocha_finder.py:108

[Info] All network targets are internal RFC1918 addresses
All three API endpoints (192.168.88.51:5100/5200/6100) resolve to private IP space. No data exfiltration risk to external entities.
Evidence: 192.168.88.51
→ No action required - internal-only network topology
Location: SKILL.md:12
Resource type | Declared permission | Inferred permission | Status | Evidence
Network access | READ | READ | ✓ Consistent | All HTTP requests to 192.168.88.51 private IPs (5100/5200/6100)
File system | NONE | READ | ✓ Consistent | ~/.openclaw/workspace/.zhuocha_cursor.json for state persistence
Command execution | NONE | NONE | | SKILL.md explicitly prohibits bash curl loops; script uses Python urllib
External URLs: 3 findings

Severity | Type | URL | Location
Medium | External URL | http://192.168.88.51:6100/insert | SKILL.md:66
Medium | External URL | http://192.168.88.51:6100/query | scripts/zhuocha_finder.py:21
Medium | External URL | http://192.168.88.51:5100/query | scripts/zhuocha_finder.py:22

Directory structure

2 files · 16.5 KB · 405 lines
Python: 1 file · 225 lines; Markdown: 1 file · 180 lines
├─ 📁 scripts
│ └─ 🐍 zhuocha_finder.py Python 225L · 7.6 KB
└─ 📝 SKILL.md Markdown 180L · 8.9 KB

Dependency analysis (1 item)

Package | Version | Source | Known vulnerabilities | Notes
requests | * | pip | None known | Version not pinned

Security highlights

✓ Parameterized SQL queries prevent injection attacks
✓ All network activity to private RFC1918 IPs (192.168.x.x) - no external exfiltration
✓ Explicit bash prohibition documented in SKILL.md (use Python urllib)
✓ State file is non-sensitive workspace metadata
✓ No credential harvesting or environment variable scanning
✓ No base64, eval, or obfuscation patterns
✓ No hidden instructions or suspicious comments
✓ Single-purpose business logic with clear documentation