中文 EN

扫描报告

扫描新文件

低风险 — 风险评分 10/100
上次扫描:20 小时前 重新扫描
10 /100
skills-security-scanner
审计和扫描技能的安全性。在启用新技能前使用此工具验证其安全性,确保符合安全策略。
A legitimate security scanning tool that packages and uploads target skills to a Volcengine cloud API for analysis; no malicious behavior, credential theft, or hidden exfiltration found.
技能名称skills-security-scanner
分析耗时25.7s
引擎pi
可以安装
Skill is safe for use. No action required. Consider pinning the `requests` library version for supply-chain hygiene.

安全发现 1 项

严重性 安全发现 位置
低危
Unpinned requests library 供应链
The `requests` library has no version pin in the code. While requests is used only for HTTP API calls and has no critical unfixed CVE for this usage, pinning to a specific version is a best practice.
import requests
→ Add a version pin, e.g. `requests>=2.31.0`, to ensure reproducible and auditable dependencies.
 scripts/scan.py:1
资源类型声明权限推断权限状态证据
文件系统 READ READ ✓ 一致 SKILL.md:12 — targets a directory, reads it into a zip
网络访问 READ READ ✓ 一致 scripts/scan.py:16,19 — POSTs zip to Volcengine API
命令执行 NONE NONE No shell execution found
环境变量 NONE READ ✓ 一致 scripts/scan.py:280-287 — reads AK/SK/env vars to configure API calls; necessary…
技能调用 NONE NONE No skill invocation found
剪贴板 NONE NONE No clipboard access
浏览器 NONE NONE No browser usage
数据库 NONE NONE No database access
2 项发现
🔗
中危 外部 URL 外部 URL
http://127.0.0.1:8181/api/top/mana-open/cn-north-1/2025-01-01
scripts/scan.py:16
🔗
中危 外部 URL 外部 URL
https://open.volcengineapi.com
scripts/scan.py:19

目录结构

2 文件 · 17.2 KB · 425 行
Python 1f · 367L Markdown 1f · 58L
├─ 📁 scripts
│ └─ 🐍 scan.py Python 367L · 15.0 KB
└─ 📝 SKILL.md Markdown 58L · 2.2 KB

依赖分析 2 项

包名版本来源已知漏洞备注
requests unpinned pip No version constraint; minor supply-chain concern
volcengine unpinned pip Volcengine SDK used for API request signing; no version pin

安全亮点

✓ No arbitrary code execution — subprocess/bash not used
✓ No credential theft — AK/SK read from env vars only for signing outbound API calls to Volcengine
✓ No data exfiltration — only uploads the target skill zip (requested by the user) to the scan service
✓ No obfuscation — all code is plain Python, no base64 or eval patterns
✓ No sensitive path access (~/.ssh, ~/.aws, .env of the host) — only zips the user-specified target directory
✓ Network destination is Volcengine public cloud API (open.volcengineapi.com) — legitimate and declared
✓ Full code review shows clean, straightforward logic: zip → sign → upload → poll → return results