扫描报告
15 /100
github-automation
Automate common GitHub tasks — create issues, check PR status, list repos, manage projects.
A straightforward GitHub API CLI with no hidden or malicious behavior; the only concern is disabled SSL verification for GitHub API requests, which has a plausible legitimate use case.
可以安装
Re-enable SSL certificate verification by removing ctx.check_hostname and ctx.verify_mode overrides, or limit the SSL bypass to internal/CustomHTTPSBackend proxies only.
安全发现 1 项
| 严重性 | 安全发现 | 位置 |
|---|---|---|
| 中危 | SSL certificate verification disabled 敏感访问 | scripts/gh_tool.py:30 |
| 资源类型 | 声明权限 | 推断权限 | 状态 | 证据 |
|---|---|---|---|---|
| 网络访问 | READ | READ | ✓ 一致 | urllib.request.urlopen to https://api.github.com, lines 32-63 |
| 环境变量 | READ | READ | ✓ 一致 | os.environ.get('GITHUB_TOKEN'), lines 14-20 — used for GitHub auth only |
| 命令执行 | NONE | NONE | — | No subprocess/os.system/eval calls found |
| 文件系统 | NONE | NONE | — | No file read/write operations in gh_tool.py |
目录结构
2 文件 · 7.6 KB · 266 行 Python 1f · 181L
Markdown 1f · 85L
├─
▾
scripts
│ └─
gh_tool.py
Python
└─
SKILL.md
Markdown
安全亮点
✓ No shell execution (subprocess, os.system, eval) — code is purely a GitHub API client
✓ No credential exfiltration — GITHUB_TOKEN is read but never transmitted anywhere other than the official GitHub API
✓ No filesystem access declared or implemented
✓ No obfuscation (no base64, no exec/eval chains)
✓ SKILL.md accurately describes all functionality — no doc-to-code mismatch
✓ No supply-chain risk — no external dependencies, only stdlib
✓ Token is scoped to GitHub API only, with no network I/O to third-party hosts