中文 EN

扫描报告

扫描新文件

可疑 — 风险评分 31/100
上次扫描:1 天前 重新扫描
31 /100
chattts
High-quality, conversational Text-to-Speech (TTS) generation via local ChatTTS API
Hardcoded non-localhost IP address (172.23.252.114:8020) in both SKILL.md and script creates an undeclared network destination with no clear legitimate reason to avoid environment-based configuration.
技能名称chattts
分析耗时49.4s
引擎pi
谨慎使用
Remove the hardcoded IP fallback. Only use the CHATTTS_API_URL environment variable, defaulting to localhost (127.0.0.1) if needed. Document why external network access is required.

安全发现 2 项

严重性 安全发现 位置
中危
Hardcoded fallback IP address 敏感访问
The script uses a hardcoded IP address (172.23.252.114:8020) as a fallback when CHATTTS_API_URL is not set. This creates a network dependency to an unspecified external endpoint without clear documentation of its trustworthiness.
const apiUrl = process.env.CHATTTS_API_URL || 'http://172.23.252.114:8020';
→ Remove the hardcoded IP fallback. Require CHATTTS_API_URL to be explicitly set, or default to localhost (127.0.0.1:8020) for local-only operation.
 scripts/tts.mjs:48
中危
Non-localhost network destination declared as requirement 文档欺骗
The SKILL.md metadata explicitly declares http://172.23.252.114:8020 as the primaryEnv requirement. For a typical TTS skill, a local server (localhost) would be expected. Using a private IP suggests external infrastructure without justification.
"primaryEnv":"http://172.23.252.114:8020"
→ If external TTS servers are legitimate use cases, document why. Otherwise, default to localhost for user privacy and security.
 SKILL.md:4
资源类型声明权限推断权限状态证据
网络访问 READ READ ✓ 一致 SKILL.md:4 metadata declares env=['http://172.23.252.114:8020']
命令执行 WRITE WRITE ✓ 一致 SKILL.md usage shows 'node {baseDir}/scripts/tts.mjs'
文件系统 NONE NONE No file operations in scripts/tts.mjs
环境变量 READ READ ✓ 一致 scripts/tts.mjs:48 reads process.env.CHATTTS_API_URL
1 高危 2 项发现
📡
高危 IP 地址 硬编码 IP 地址
172.23.252.114
SKILL.md:4
🔗
中危 外部 URL 外部 URL
http://172.23.252.114:8020
SKILL.md:4

目录结构

2 文件 · 3.5 KB · 87 行
JavaScript 1f · 60L Markdown 1f · 27L
├─ 📁 scripts
│ └─ 📜 tts.mjs JavaScript 60L · 1.9 KB
└─ 📝 SKILL.md Markdown 27L · 1.6 KB

安全亮点

✓ Skill functionality is straightforward: text-to-speech via HTTP API
✓ No credential harvesting or sensitive file access
✓ No obfuscation techniques (base64, eval) detected
✓ Uses standard Node.js fetch API for HTTP requests
✓ Environment variable CHATTTS_API_URL is supported as primary configuration method