中文 EN

扫描报告

扫描新文件

可信 — 风险评分 5/100
上次扫描:2 天前 重新扫描
5 /100
cloud-upload-backup
Cloud file upload and backup tool. Upload local files to Tencent SMH cloud storage, generate download links and image previews.
Cloud file upload/backup tool using Tencent SMH. All capabilities are declared, credentials are scoped to smh_ prefix, network traffic is limited to api.tencentsmh.cn, and no malicious patterns were found.
技能名称cloud-upload-backup
分析耗时31.7s
引擎pi
可以安装
Skill is safe to use. Consider pinning smh-node-sdk to a specific version for reproducibility.

安全发现 2 项

严重性 安全发现 位置
低危
smh-node-sdk version not pinned
SKILL.md instructs `npm install -g smh-node-sdk` without specifying a version, which could lead to unexpected updates.
npm install -g smh-node-sdk
→ Pin to a specific version: npm install -g [email protected]
 SKILL.md:27
提示
Access token embedded in download URL
The generated download URL contains the raw access_token as a query parameter. This is standard SMH API behavior, but the URL is delivered to the user.
?access_token=${encodeURIComponent(accessToken)}
→ This is expected SMH behavior; no action needed beyond not logging URLs publicly.
 SKILL.md:218
资源类型声明权限推断权限状态证据
文件系统 READ,WRITE READ,WRITE ✓ 一致 SKILL.md: Reads local files for upload; writes /tmp/smh-upload.js
网络访问 READ READ ✓ 一致 SKILL.md: All API calls to api.tencentsmh.cn only
命令执行 WRITE WRITE ✓ 一致 SKILL.md: Executes `node /tmp/smh-upload.js` commands
环境变量 READ READ ✓ 一致 SKILL.md: Reads smh_* env vars from .env and openclaw.json
技能调用 NONE NONE No skill_invoke usage found
剪贴板 NONE NONE No clipboard access found
浏览器 NONE NONE No browser access found
数据库 NONE NONE No database access found
3 项发现
🔗
中危 外部 URL 外部 URL
https://api.tencentsmh.cn
SKILL.md:78
🔗
中危 外部 URL 外部 URL
https://api.tencentsmh.cn/api/v1/file/smhxxx/space-xxx/report.pdf?access_token=acctk...&ContentDisposition=attachment&Pu...
SKILL.md:183
🔗
中危 外部 URL 外部 URL
https://api.tencentsmh.cn/api/v1/file/smhxxx/space-xxx/photo.jpg?access_token=acctk...&ContentDisposition=attachment&Pur...
SKILL.md:190

目录结构

1 文件 · 23.2 KB · 628 行
Markdown 1f · 628L
└─ 📝 SKILL.md Markdown 628L · 23.2 KB

依赖分析 1 项

包名版本来源已知漏洞备注
smh-node-sdk * npm Version not pinned — recommend pinning to specific version

安全亮点

✓ All script code is fully inline in SKILL.md — no dynamic download or external fetch
✓ Credential access is strictly scoped to smh_* prefixed variables only
✓ Network traffic is limited exclusively to api.tencentsmh.cn
✓ No base64 encoding, eval(), atob(), or obfuscated code found
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env for non-smh credentials
✓ No credential exfiltration or data theft patterns detected
✓ No reverse shell or C2 indicators
✓ No hidden instructions in HTML comments or metadata
✓ Script is purpose-limited: upload, info, and list only