扫描报告
20 /100
taobao-shangou
查询淘宝闪购每日福利优惠券和红包
A legitimate Taobao coupon query tool with no malicious behavior detected; minor documentation gaps regarding declared permissions.
可以安装
Add explicit permission declarations in SKILL.md (filesystem:WRITE for caching, network:READ for API calls) to align with the capability model.
安全发现 2 项
| 严重性 | 安全发现 | 位置 |
|---|---|---|
| 低危 | Missing permission declarations in SKILL.md 文档欺骗 | SKILL.md:1 |
| 低危 | Undeclared cache file write operation 文档欺骗 | scripts/fetch_shangou.py:44 |
| 资源类型 | 声明权限 | 推断权限 | 状态 | 证据 |
|---|---|---|---|---|
| 文件系统 | NONE | WRITE | ✓ 一致 | scripts/fetch_shangou.py:44-47 (save_cache writes to data/latest.json) |
| 网络访问 | NONE | READ | ✓ 一致 | scripts/fetch_shangou.py:28-39 (urllib.request fetches from external API) |
| 命令执行 | NONE | NONE | — | N/A |
| 环境变量 | NONE | NONE | — | N/A |
| 技能调用 | NONE | NONE | — | N/A |
| 剪贴板 | NONE | NONE | — | N/A |
| 浏览器 | NONE | NONE | — | N/A |
| 数据库 | NONE | NONE | — | N/A |
1 项发现
中危 外部 URL 外部 URL
https://v.jumanjian.com/api/ scripts/fetch_shangou.py:6 目录结构
2 文件 · 5.8 KB · 211 行 Python 1f · 148L
Markdown 1f · 63L
├─
▾
scripts
│ └─
fetch_shangou.py
Python
└─
SKILL.md
Markdown
安全亮点
✓ Uses only Python standard library (urllib, json, pathlib, re) - no third-party dependencies
✓ No credential harvesting or sensitive data access patterns
✓ No subprocess execution or shell command injection vectors
✓ No base64 encoded or obfuscated code
✓ No hidden HTML comments or prompt injection attempts
✓ API call is necessary for tool functionality (legitimate coupon data source)
✓ Proper error handling with try-except blocks
✓ No persistence mechanisms (cron, startup scripts, backdoors)
✓ No exfiltration or C2 communication patterns