Low risk (risk score 10/100)
Last scan: 2 days ago
vanio
Connect your agent to Airbnb, Booking.com & VRBO via Vanio AI — vacation rental property management CLI
Vanio AI CLI is a legitimate vacation rental property management tool with standard OAuth login flow and minimal shell execution limited to opening browser URLs.
Skill name: vanio
Analysis time: 34.5s
Engine: pi
Safe to install
Approve for use. The shell execution via `exec` is confined to browser URL opening for OAuth and poses no security risk. Ensure `api.vanio.ai` is a trusted endpoint before enabling network access.

Security findings (2)

Severity | Finding | Location

Low | Undeclared shell execution for OAuth | src/index.ts:107
The CLI uses child_process.exec to open the user's default browser for OAuth authentication, but this behavior is not documented in SKILL.md. However, this is a standard and necessary CLI practice.
const { exec } = await import('child_process'); exec(openCmd)
→ Document browser opening behavior in SKILL.md for transparency, or use a platform-appropriate library like the 'open' package

Low | API key stored in plaintext config file | src/index.ts:18
The API key is stored in ~/.config/vanio/config.json without encryption. While standard for CLI tools, this could be improved with OS keychain integration.
writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2))
→ Consider using OS-native credential storage (Keychain on macOS, Keyring on Linux) for enhanced security
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | WRITE | WRITE | ✓ Consistent | src/index.ts:14-15 writes to ~/.config/vanio/config.json for API key persistence
Network access | WRITE | WRITE | ✓ Consistent | src/index.ts:54-66 POSTs to api.vanio.ai with API key header
Command execution | NONE | WRITE | ✓ Consistent | src/index.ts:107-111 uses child_process.exec to open browser URL for OAuth — not…
3 findings

Medium | External URL | https://www.vanio.ai | SKILL.md:5
Medium | External URL | https://api.vanio.ai | dist/index.cjs:2
Medium | External URL | http://127.0.0.1 | dist/index.cjs:2

Directory structure

5 files · 23.8 KB · 584 lines
TypeScript: 1 file, 377 lines · Markdown: 1 file, 118 lines · JavaScript: 2 files, 72 lines · JSON: 1 file, 17 lines
├─ 📁 dist
│ └─ 📜 index.cjs JavaScript 50L · 7.4 KB
├─ 📁 src
│ └─ 📜 index.ts TypeScript 377L · 11.4 KB
├─ 📜 build.mjs JavaScript 22L · 559 B
├─ 📋 package.json JSON 17L · 518 B
└─ 📝 SKILL.md Markdown 118L · 4.0 KB

Dependency analysis (1)

Package | Version | Source | Known vulnerabilities | Notes
none N/A bundled No external dependencies — uses only Node.js built-in modules (fs, path, os, http, crypto, child_process)

Security highlights

✓ CSRF protection implemented via state parameter in OAuth callback
✓ API key masked in console output (only first 8 chars shown)
✓ Config stored in user's home directory with appropriate path (~/.config/vanio/)
✓ HTTPS enforced for all API communications
✓ No dependencies with known vulnerabilities (package.json has no external dependencies)
✓ OAuth callback server binds to 127.0.0.1 only, not exposed externally
✓ API key sourced from environment variable with fallback to config file
✓ No credential exfiltration or suspicious network destinations beyond declared API endpoint
✓ Source code is readable TypeScript with clear, standard patterns