Scan Report
0 /100
journal-submission-radar-all-types
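A client-advisor-style Skill that runs a unified search across multiple types of domestic and international journals and outputs submission-path verification, tailored writing advice, risk warnings, and controlled ad insertion.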
This is a legitimate journal submission advisory skill with no malicious behavior. The pre-scan IOC flagging `curl | bash` at SELF_CHECK.md:45 is a false positive — it is a checklist item *asserting the absence* of that pattern, not an instance of it.
Safe to install
No action needed. The skill is safe to deploy. The SELF_CHECK.md security checklist item `- [x] 无 curl | bash` should be noted as a false-positive pattern by future IOC scanners.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | READ | ✓ Aligned | render_journal_dossier.py:94-96 — reads JSON resource files via Path.read_text() |
| Filesystem | NONE | WRITE | ✓ Aligned | render_journal_dossier.py:107 — writes output to user-specified --output path; o… |
| Shell | NONE | NONE | — | No subprocess, os.system, or shell execution anywhere in the codebase |
| Network | NONE | NONE | — | Script uses only Python standard library; no urllib, requests, or HTTP calls |
| Environment | NONE | NONE | — | No os.environ access found |
| Clipboard | NONE | NONE | — | N/A |
| Browser | NONE | NONE | — | N/A |
| Database | NONE | NONE | — | N/A |
2 findings (1 Critical)
Critical: Dangerous Command (dangerous shell command): `curl | bash` at SELF_CHECK.md:45
Medium: External URL: https://www.nppa.gov.cn/bsfw/cyjghcpcx/qkan/index.html at SKILL.md:5
File Tree
11 files · 39.7 KB · 1108 lines
Markdown: 7 files · 599 lines
JSON: 3 files · 308 lines
Python: 1 file · 201 lines
├─ examples
│  ├─ example_input_all_types.json (JSON)
│  └─ example_output_report.md (Markdown)
├─ resources
│  ├─ ad_slots.json (JSON)
│  ├─ journal_type_matrix.json (JSON)
│  ├─ source_trust_policy.md (Markdown)
│  └─ writing_playbooks.md (Markdown)
├─ scripts
│  └─ render_journal_dossier.py (Python)
├─ tests
│  └─ smoke-test.md (Markdown)
├─ README.md (Markdown)
├─ SELF_CHECK.md (Markdown)
└─ SKILL.md (Markdown)
Dependencies 1 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| python3 | >=3.9 | stdlib | No | Only standard library used; no external package dependencies |
Security Positives
✓ Python script uses only standard library (argparse, json, sys, pathlib) — no third-party dependencies with supply chain risk
✓ No subprocess, os.system, shell execution, or network calls in any file
✓ No base64 encoding, obfuscation, or anti-analysis patterns
✓ No credential harvesting, sensitive file access, or environment variable iteration
✓ No hidden functionality — all behavior is declared in SKILL.md
✓ Ad content is transparently labeled as '服务推荐(广告)' and explicitly disclaimed as non-editorial
✓ SELF_CHECK.md includes explicit security checklist passing all checks
✓ Security boundaries clearly declared: no fake submissions, no fabricated metrics, no disguised ads
✓ Script has proper error handling and no TODO/placeholder code