中文 EN

Scan Report

Scan New Files

Low Risk — Risk Score 20/100
Last scan:1 day ago Rescan
20 /100
slide-editor
Visual editor for HTML presentations - self-contained, offline-capable, designed for AI agent control
A legitimate HTML presentation editor with documented Bun installation instructions and benign shell usage for browser opening only.
Skill Nameslide-editor
Duration44.5s
Enginepi
Safe to install
Approve for use. The execSync shell commands in inject.ts are used solely for opening URLs in the browser (open/xdg-open/start) and are not declared in SKILL.md. Consider adding shell:WRITE to declared permissions for transparency.

Findings 2 items

Severity Finding Location
Low
Undeclared shell execution Doc Mismatch
inject.ts uses execSync from child_process to open URLs in browser (open/xdg-open/start) but this is not declared in SKILL.md permissions.
execSync(`open "${fileUrl}"`, { stdio: 'ignore' });
→ Add shell:WRITE to declared permissions in SKILL.md for transparency.
 inject.ts:179
Info
Bun runtime installation documented Supply Chain
SKILL.md documents curl|bash installation from bun.sh - a legitimate JavaScript runtime. This is flagged as IOC but is standard practice for Bun installation.
curl -fsSL https://bun.sh/install | bash
→ No action needed - this is documented user prerequisite, not hidden behavior.
 SKILL.md:23
ResourceDeclaredInferredStatusEvidence
Filesystem READ,WRITE READ,WRITE ✓ Aligned inject.ts:5-6 reads/writes HTML files
Shell NONE WRITE ✓ Aligned inject.ts:179-187 execSync for browser URL opening
Network NONE NONE No network requests found
Environment NONE NONE No environment variable access
Skill Invoke NONE NONE No skill invocation
Clipboard NONE NONE No clipboard access
Browser NONE READ ✓ Aligned Editor runs in browser, accesses DOM
Database NONE NONE No database access
1 Critical 2 findings
💀
Critical Dangerous Command 危险 Shell 命令
curl -fsSL https://bun.sh/install | bash
SKILL.md:23
🔗
Medium External URL 外部 URL
https://bun.sh/install
SKILL.md:23

File Tree

27 files · 479.7 KB · 8614 lines
HTML 5f · 4020L TypeScript 18f · 4003L Markdown 2f · 523L JSON 2f · 68L
├─ 📁 src
│ ├─ 📁 components
│ │ ├─ 📜 index.ts TypeScript 3L · 141 B
│ │ ├─ 📜 PropertiesPanel.ts TypeScript 312L · 12.2 KB
│ │ ├─ 📜 SlideNavigator.ts TypeScript 208L · 6.8 KB
│ │ └─ 📜 Toolbar.ts TypeScript 198L · 7.4 KB
│ ├─ 📁 core
│ │ ├─ 📜 DragManager.ts TypeScript 99L · 2.8 KB
│ │ ├─ 📜 HistoryManager.ts TypeScript 53L · 1.3 KB
│ │ ├─ 📜 index.ts TypeScript 5L · 243 B
│ │ ├─ 📜 ResizeManager.ts TypeScript 250L · 7.6 KB
│ │ ├─ 📜 SelectionManager.ts TypeScript 121L · 3.5 KB
│ │ └─ 📜 TextEditor.ts TypeScript 111L · 3.0 KB
│ ├─ 📁 i18n
│ │ └─ 📜 index.ts TypeScript 1L · 78 B
│ ├─ 📁 serialization
│ │ ├─ 📜 Exporter.ts TypeScript 579L · 18.0 KB
│ │ └─ 📜 index.ts TypeScript 1L · 53 B
│ ├─ 📜 i18n.ts TypeScript 133L · 4.1 KB
│ ├─ 📜 index.ts TypeScript 1162L · 36.1 KB
│ ├─ 📜 styles.ts TypeScript 451L · 9.2 KB
│ └─ 📜 types.ts TypeScript 123L · 2.8 KB
├─ 📁 test
│ ├─ 📄 clean-test.html HTML 819L · 70.7 KB
│ ├─ 📄 debug.html HTML 829L · 70.8 KB
│ ├─ 📄 presentation-clean.html HTML 774L · 65.0 KB
│ ├─ 📄 presentation-debug.html HTML 799L · 69.1 KB
│ └─ 📄 presentation.html HTML 799L · 69.0 KB
├─ 📜 inject.ts TypeScript 193L · 5.2 KB
├─ 📋 package.json JSON 50L · 1.3 KB
├─ 📝 README.md Markdown 186L · 4.8 KB
├─ 📝 SKILL.md Markdown 337L · 8.1 KB
└─ 📋 tsconfig.json JSON 18L · 444 B

Dependencies 4 items

PackageVersionSourceKnown VulnsNotes
esbuild ^0.20.0 npm No DevDependency - version loosely pinned
puppeteer ^24.39.1 npm No DevDependency - browser automation
typescript ^5.4.0 npm No DevDependency
@types/node ^20.0.0 npm No DevDependency - type definitions

Security Positives

✓ No credential harvesting or token theft
✓ No data exfiltration or C2 communication
✓ No base64-encoded or obfuscated code
✓ No sensitive file access (.ssh, .env, etc.)
✓ No reverse shell or RCE capabilities
✓ All functionality aligns with stated purpose (visual HTML presentation editor)
✓ Open source with clear MIT license
✓ No malicious dependencies detected