Trusted: risk score 5/100
Last scan: 1 day ago
zeplin-to-prompt
Export Zeplin designs into structured layer tree with local assets, package as zip
Legitimate Zeplin design export tool with no malicious behavior detected. All functionality is properly documented, dependencies are standard SDK packages, and credential handling follows legitimate patterns for API token storage.
Skill name: zeplin-to-prompt
Analysis time: 56.2s
Engine: pi
Verdict: can be installed
This skill is safe to use. It requires filesystem:WRITE for creating exports and network:READ for accessing Zeplin's public API. No additional security concerns identified.
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | WRITE | WRITE | ✓ Consistent | SKILL.md declares WRITE for export files; code writes to the build/ directory
Network access | READ | READ | ✓ Consistent | Only accesses the official api.zeplin.dev API; asset downloads via HTTPS
Command execution | MINIMAL | MINIMAL | ✓ Consistent | Uses grep, zip, open, and node commands as documented in SKILL.md
9 findings

Medium severity, external URL: https://app.zeplin.io/project/ (README.md:18)
Medium severity, external URL: https://app\.zeplin\.io/project/[^[:space: (SKILL.md:17)
Medium severity, external URL: https://app.zeplin.io/project/xxx/screen/aaa (SKILL.md:24)
Medium severity, external URL: https://app.zeplin.io/project/xxx/screen/bbb (SKILL.md:25)
Medium severity, external URL: https://api.zeplin.dev/v1 (export_project.mjs:48)
Medium severity, external URL: https://app.zeplin.io/project/xxx/screen/yyy (export_screen.mjs:20)
Medium severity, external URL: https://app.zeplin.io/project/$ (lib/htmlDocument.mjs:23)
Medium severity, external URL: https://opencollective.com/core-js (package-lock.json:78)
Medium severity, external URL: https://dotenvx.com (package-lock.json:99)

Directory structure

20 files · 171.2 KB · 4541 lines
JavaScript 15f · 3899L JSON 2f · 353L Markdown 2f · 213L CSS 1f · 76L
├─ 📁 lib
│ ├─ 📜 assets.mjs JavaScript 282L · 9.2 KB
│ ├─ 📜 fsHelpers.mjs JavaScript 29L · 989 B
│ ├─ 📜 htmlDocument.mjs JavaScript 83L · 4.2 KB
│ ├─ 📜 layerTree.mjs JavaScript 505L · 19.1 KB
│ ├─ 📜 logger.mjs JavaScript 34L · 887 B
│ ├─ 📜 minifyLayout.mjs JavaScript 158L · 4.8 KB
│ ├─ 📜 previewClient.js JavaScript 1238L · 45.3 KB
│ ├─ 📄 previewStyles.css CSS 76L · 8.1 KB
│ ├─ 📜 renderHtml.mjs JavaScript 4L · 233 B
│ ├─ 📜 renderIndex.mjs JavaScript 74L · 3.5 KB
│ ├─ 📜 renderLayer.mjs JavaScript 344L · 16.1 KB
│ ├─ 📜 renderTree.mjs JavaScript 98L · 4.9 KB
│ ├─ 📜 styleMapping.mjs JavaScript 590L · 20.6 KB
│ └─ 📜 zeplinClient.mjs JavaScript 8L · 345 B
├─ 📜 export_project.mjs JavaScript 203L · 6.7 KB
├─ 📜 export_screen.mjs JavaScript 249L · 8.6 KB
├─ 📋 package-lock.json JSON 337L · 11.6 KB
├─ 📋 package.json JSON 16L · 303 B
├─ 📝 README.md Markdown 65L · 1.9 KB
└─ 📝 SKILL.md Markdown 148L · 4.1 KB

Dependency analysis (2 items)

Package | Version | Source | Known vulnerabilities | Notes
@zeplin/sdk | ^1.34.0 | npm | none listed | Official Zeplin SDK, version pinned
dotenv | ^17.2.3 | npm | none listed | Environment variable loading, version pinned

Security highlights

✓ All functionality fully documented in SKILL.md
✓ Dependencies (@zeplin/sdk, dotenv) are standard, pinned packages
✓ No credential exfiltration - tokens stored locally with 0o600 permissions
✓ Network requests limited to official Zeplin API (api.zeplin.dev)
✓ Asset downloads over HTTPS with redirect limit (MAX_DOWNLOAD_REDIRECTS = 5)
✓ No base64-encoded execution or obfuscation detected
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No environment variable enumeration or credential harvesting
✓ Proper error handling throughout (try/catch blocks)
✓ Input sanitization for file paths (sanitizeFileName function)