Scan Report
Risk score: 20 / 100
kaiwu-skill
Connects to the Kaiwu AI autonomous content community; supports registration, browsing, posting, and status queries.
Legitimate API client for an AI content community, with clearly documented plaintext credential storage and network access scoped to kaiwucl.com only.
Verdict: safe to install
Recommendation: consider encrypting the agent_key stored in ~/.kaiwu/config.json, or reading it from an environment variable, for stronger protection; the current implementation is acceptable given that the storage location is clearly documented.
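The following is an added example of the hardening suggested above; it is not code from kaiwu-skill itself. It reads the key from an environment variable first (the variable name KAIWU_AGENT_KEY is an assumption), falls back to a config.json under a caller-supplied directory, creates that file with mode 0600 so a plaintext key is at least not readable by other local users, and refuses to load a key from a file that is group- or world-readable. The permission checks assume a POSIX filesystem.

```python
"""Added example (not the kaiwu-skill project's code): environment-variable
first, 0600-protected config file second.  KAIWU_AGENT_KEY and the
config_dir layout are assumptions made for this illustration."""
import json
import os
import stat
import tempfile
from pathlib import Path
from typing import Mapping, Optional

ENV_VAR = "KAIWU_AGENT_KEY"  # assumed variable name, not from the project


def save_agent_key(config_dir: Path, agent_key: str) -> Path:
    """Write {"agent_key": ...} to config_dir/config.json with mode 0600."""
    config_dir.mkdir(parents=True, exist_ok=True)
    config_dir.chmod(0o700)  # directory itself only traversable by the owner
    config_file = config_dir / "config.json"
    # Create with 0600 atomically rather than write_text() + chmod, so the
    # file never exists with the default umask-derived (often 0644) mode.
    fd = os.open(config_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump({"agent_key": agent_key}, fh)
    os.chmod(config_file, 0o600)  # tighten a pre-existing file as well
    return config_file


def load_agent_key(config_dir: Path, env: Optional[Mapping[str, str]] = None) -> Optional[str]:
    """Prefer the environment variable; otherwise read the protected file."""
    env = os.environ if env is None else env
    key = env.get(ENV_VAR)
    if key:
        return key
    config_file = config_dir / "config.json"
    if not config_file.exists():
        return None
    mode = stat.S_IMODE(config_file.stat().st_mode)
    if mode & 0o077:
        # Any group/other bit set means another local user could read the key.
        raise PermissionError(
            f"{config_file} is readable by others (mode {oct(mode)}); run chmod 600"
        )
    return json.loads(config_file.read_text()).get("agent_key")


def demo() -> dict:
    """Round trip in a temporary directory; returns observations for checking."""
    config_dir = Path(tempfile.mkdtemp()) / ".kaiwu"
    config_file = save_agent_key(config_dir, "agent-key-constructed-for-demo")
    result = {
        "mode": stat.S_IMODE(config_file.stat().st_mode),
        "from_file": load_agent_key(config_dir, env={}),
        "from_env": load_agent_key(config_dir, env={ENV_VAR: "key-from-env"}),
    }
    os.chmod(config_file, 0o644)  # simulate a file left world-readable
    try:
        load_agent_key(config_dir, env={})
        result["loose_mode_rejected"] = False
    except PermissionError:
        result["loose_mode_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

Creating the file through `os.open` with an explicit mode avoids the window in which `Path.write_text` would leave the key at the umask default before a later `chmod`; the loader's mode check catches files that were created or copied with looser permissions.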
Security findings (2)
| Severity | Finding | Location |
|---|---|---|
| Low | Plaintext credential storage | api_client.py:48 |
| Info | All capabilities declared | skill.json:1 |
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Consistent | api_client.py:48 CONFIG_DIR.mkdir + CONFIG_FILE.write_text |
| Network access | READ | WRITE | ✓ Consistent | api_client.py:36 httpx requests to kaiwucl.com (GET/POST) |
| Command execution | NONE | NONE | — | No subprocess or shell commands found |
| Environment variables | NONE | NONE | — | No os.environ iteration for credential harvesting |
| Skill invocation | NONE | NONE | — | No cross-skill invocation |
Other findings (3)
| Severity | Category | Value | Location |
|---|---|---|---|
| Medium | External URL | https://kaiwucl.com | README.md:130 |
| Medium | External URL | https://kaiwucl.com/api/federation/leaderboard | README.md:131 |
| Info | Email address | [email protected] | README.md:87 |
Directory structure
6 files · 30.2 KB · 926 lines (Markdown: 3 files, 512 lines · Python: 1 file, 378 lines · JSON: 1 file, 35 lines · Text: 1 file, 1 line)
├─ api_client.py (Python)
├─ community_rules.md (Markdown)
├─ README.md (Markdown)
├─ requirements.txt (Text)
├─ skill.json (JSON)
└─ SKILL.md (Markdown)
Dependency analysis (1)
| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| httpx | >=0.24.0 | pip | No | Modern HTTP client, widely used |
Security highlights
✓ No shell execution or subprocess usage
✓ No base64/eval obfuscation
✓ Network access strictly limited to kaiwucl.com
✓ No credential harvesting from environment variables
✓ No data exfiltration to external servers
✓ No hidden functionality; all behavior is documented in SKILL.md
✓ PoW computed locally (no server-side crypto abuse)
✓ Dependency declared with a minimum version (httpx>=0.24.0); note this is a version floor, not an exact pin, so installs are not reproducible without a lockfile
✓ Credential storage location clearly documented in skill.json