Low risk: risk score 20/100
Last scanned: 1 day ago
coze-web-search
Search the web using coze-coding-dev-sdk. Supports web search, image search, AI summaries, time filters, and site restrictions.
Legitimate Coze web search wrapper; code is clean with no hidden behavior, but relies on unpinned dynamic SDK download via npx.
Skill name: coze-web-search
Analysis time: 33.2s
Engine: pi
Verdict: safe to install
Pin coze-coding-dev-sdk to a specific version in a package.json to prevent supply-chain substitution. Otherwise safe to use.

Security findings: 2

| Severity | Finding | Category | Location |
|---|---|---|---|
| Low | Dynamic dependency with no version pin | Supply chain | scripts/search.ts:1 |
| Low | No local dependency manifest | Supply chain | SKILL.md:17 |

Low: Dynamic dependency with no version pin (supply chain, scripts/search.ts:1)
The coze-coding-dev-sdk package is imported by the script with no package.json pinning a specific version, so whichever copy the npx ts-node run resolves at execution time is used. This allows the package to change silently over time, potentially introducing malicious updates from the registry.
Evidence: import { SearchClient, Config, APIError } from "coze-coding-dev-sdk";
→ Add a package.json with coze-coding-dev-sdk pinned to a known-good exact version (coze-coding-dev-sdk@<version>, not a ^ or ~ range).

Low: No local dependency manifest (supply chain, SKILL.md:17)
No requirements.txt, package.json, or Cargo.toml exists in the repository. This means the exact SDK version cannot be audited or reproduced.
Evidence: npx ts-node {baseDir}/scripts/search.ts -q "Python programming"
→ Include a package.json or equivalent pinning coze-coding-dev-sdk to a specific version.
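As an added example, not the skill's own code and not part of the original scan output, the TypeScript check below reproduces the two supply-chain findings above over constructed inputs and shows them clearing once the package.json and lockfile the report recommends are present. The in-memory file map, the regexes, and the placeholder version numbers are all assumptions of this example, not facts taken from the skill.

```typescript
// Added example (not the skill's code): a small supply-chain audit that flags
// packages a skill pulls in at run time (npx invocations in SKILL.md, bare imports
// in its source) that no package.json pins to an exact version.

type FileMap = { [path: string]: string }; // repository path -> file contents

// An exact pin is "1.2.3" or "1.2.3-rc.1"; ranges (^, ~, *, >=, latest) are not pins.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Bare package names imported by a TS/JS source file; relative and node: imports are skipped.
function importedPackages(source: string): string[] {
  const names: string[] = [];
  const re = /^\s*import\s[^'"\n]*?from\s+["']([^"']+)["']/gm;
  let m: RegExpExecArray | null;
  while ((m = re.exec(source)) !== null) {
    const spec = m[1];
    if (spec.charAt(0) === "." || spec.charAt(0) === "/" || spec.indexOf("node:") === 0) continue;
    const parts = spec.split("/");
    const name = spec.charAt(0) === "@" ? parts.slice(0, 2).join("/") : parts[0];
    if (names.indexOf(name) === -1) names.push(name);
  }
  return names;
}

// Package names a SKILL.md runs through npx, i.e. resolved from the registry at run time.
function npxPackages(markdown: string): string[] {
  const names: string[] = [];
  const re = /\bnpx\s+(?:-{1,2}\S+\s+)*([A-Za-z0-9@]\S*)/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(markdown)) !== null) {
    if (names.indexOf(m[1]) === -1) names.push(m[1]);
  }
  return names;
}

interface Manifest {
  dependencies?: { [name: string]: string };
  devDependencies?: { [name: string]: string };
}

// One finding string per problem; an empty array means the repo pins everything it uses.
function auditSupplyChain(files: FileMap): string[] {
  const findings: string[] = [];
  const declared: { [name: string]: string } = {};

  if (files["package.json"] === undefined) {
    findings.push("No package.json: the SDK version cannot be audited or reproduced");
  } else {
    const manifest = JSON.parse(files["package.json"]) as Manifest;
    Object.assign(declared, manifest.dependencies || {}, manifest.devDependencies || {});
    for (const name of Object.keys(declared)) {
      if (!EXACT_SEMVER.test(declared[name])) {
        findings.push(`${name} is declared as "${declared[name]}", which is a range, not a pin`);
      }
    }
    if (files["package-lock.json"] === undefined) {
      findings.push("No package-lock.json: transitive dependencies are unpinned");
    }
  }

  // Everything the skill actually pulls in, from npx invocations and source imports.
  const used: string[] = [];
  for (const path of Object.keys(files)) {
    const found = /\.md$/.test(path) ? npxPackages(files[path])
      : /\.(ts|js)$/.test(path) ? importedPackages(files[path]) : [];
    for (const n of found) if (used.indexOf(n) === -1) used.push(n);
  }
  for (const name of used.sort()) {
    if (!(name in declared)) findings.push(`${name} is fetched dynamically with no pinned declaration`);
  }
  return findings;
}

// Constructed input: the two files the scan lists, reduced to the lines it quotes.
const asScanned: FileMap = {
  "SKILL.md": 'Run:\nnpx ts-node {baseDir}/scripts/search.ts -q "Python programming"\n',
  "scripts/search.ts": 'import { SearchClient, Config, APIError } from "coze-coding-dev-sdk";\n',
};

// Constructed input: the same skill after the recommended fix. Version numbers are placeholders.
const pinned: FileMap = {
  ...asScanned,
  "package.json": JSON.stringify({
    dependencies: { "coze-coding-dev-sdk": "1.0.0" },
    devDependencies: { "ts-node": "1.0.0" },
  }),
  "package-lock.json": "{}",
};

console.log("as scanned:", auditSupplyChain(asScanned)); // 3 findings
console.log("pinned:", auditSupplyChain(pinned));        // []
```

The check asks for package-lock.json as well as an exact version because a pin in package.json only fixes the direct dependency; what coze-coding-dev-sdk itself depends on still floats unless the lockfile is committed and installs use `npm ci`. ts-node is treated the same way as the SDK: `npx ts-node` with no manifest resolves whatever the registry serves at that moment.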
| Resource | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | NONE | READ | ✓ consistent | SKILL.md declares no file operations; script only reads process.argv |
| Network access | NONE | READ | ✓ consistent | All network traffic goes through coze-coding-dev-sdk to coze.com API, which is t… |
| Command execution | NONE | WRITE | ✓ consistent | SKILL.md line 17: npx ts-node is the declared execution method |
| Environment variables | NONE | NONE | | No access to process.env; Config() uses default SDK behavior |
External URLs: 2 findings

| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://www.coze.com | SKILL.md:4 |
| Medium | External URL | https://www.python.org | SKILL.md:91 |

Directory structure

2 files · 10.2 KB · 360 lines
TypeScript: 1 file, 252 lines · Markdown: 1 file, 108 lines
├─ 📁 scripts
│  └─ 📜 search.ts (TypeScript, 252 lines, 7.5 KB)
└─ 📝 SKILL.md (Markdown, 108 lines, 2.8 KB)

Dependency analysis: 2 packages

| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| coze-coding-dev-sdk | * | npm (dynamic) | | No version pin; resolved dynamically at runtime under npx ts-node |
| ts-node | * | npx | | Transpiler runtime; not locally pinned |

Security highlights

✓ No credential theft: no access to ~/.ssh, ~/.aws, .env, or process.env for secrets
✓ No obfuscation: no base64, eval, or anti-analysis techniques
✓ No data exfiltration: all network traffic is limited to the documented coze.com search API
✓ No hidden functionality: script behavior matches SKILL.md declarations
✓ No sensitive file access: no reads of SSH keys, credentials, or config files
✓ Clean code: straightforward argument parsing, SDK calls, and output formatting