Low risk: risk score 20/100
Last scanned: 1 day ago
flyai-companion-matcher
Travel companion compatibility report: find out whether you are a good match before you set off! Helps travel companions take a travel-style compatibility test before departure, surface points of disagreement early, and produce a compromise plan based on real hotel/attraction data.
This is a legitimate travel companion matching skill with minor security concerns around an SSL-verification bypass instruction and an unversioned npm dependency, but no malicious behavior detected.
Skill name: flyai-companion-matcher
Analysis time: 49.6s
Engine: pi
Verdict: safe to install
Consider pinning FlyAI CLI to a specific version instead of @latest, and document the security implications of NODE_TLS_REJECT_UNAUTHORIZED=0 before using it.

Security findings (2)

Severity | Security finding | Location

Medium: SSL certificate verification bypass documented (category: documentation deception)
The workflow documentation instructs users to disable SSL verification with NODE_TLS_REJECT_UNAUTHORIZED=0 when encountering certificate errors. This could expose users to man-in-the-middle attacks if not properly understood.
Evidence: NODE_TLS_REJECT_UNAUTHORIZED=0 flyai <command>
→ Add a security warning explaining the risk, or document alternative solutions before resorting to SSL bypass.
Location: reference/workflow.md:107

Low: Unversioned npm dependency (category: supply chain)
FlyAI CLI is installed using the @latest tag, which could pull different versions over time and introduce unexpected changes.
Evidence: npm install -g @fly-ai/flyai-cli@latest
→ Pin to a specific version (e.g., @fly-ai/[email protected]) for reproducible deployments.
Location: reference/workflow.md:18
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | READ | READ | ✓ consistent | SKILL.md declares user profile storage; workflow.md:49-50 reads ~/.flyai/
Network access | READ | READ | ✓ consistent | SKILL.md declares FlyAI search commands; calls flyai CLI API
Command execution | NONE | NONE | | No shell execution in skill; flyai is a CLI tool, not arbitrary command executio…
External URLs (3 findings)
Medium: external URL https://img.alicdn.com/... (reference/search-hotel.md:44)
Medium: external URL https://img.alicdn.com/tfscom/... (reference/search-poi.md:32)
Medium: external URL https://nodejs.org/ (reference/workflow.md:22)

Directory structure

14 files · 34.3 KB · 1108 lines
Markdown 14f · 1108L
├─ 📁 reference
│ ├─ 📝 ai-search.md Markdown 26L · 659 B
│ ├─ 📝 examples.md Markdown 27L · 857 B
│ ├─ 📝 keyword-search.md Markdown 53L · 1.6 KB
│ ├─ 📝 search-flight.md Markdown 87L · 3.0 KB
│ ├─ 📝 search-hotel.md Markdown 57L · 1.8 KB
│ ├─ 📝 search-marriott-hotel.md Markdown 54L · 1.8 KB
│ ├─ 📝 search-marriott-package.md Markdown 40L · 995 B
│ ├─ 📝 search-poi.md Markdown 47L · 2.2 KB
│ ├─ 📝 search-train.md Markdown 77L · 2.6 KB
│ ├─ 📝 self-growth.md Markdown 21L · 623 B
│ ├─ 📝 strategies.md Markdown 33L · 1.1 KB
│ ├─ 📝 user-profile-storage.md Markdown 187L · 4.1 KB
│ └─ 📝 workflow.md Markdown 286L · 8.6 KB
└─ 📝 SKILL.md Markdown 113L · 4.7 KB

Dependency analysis (1)

Package | Version | Source | Known vulnerabilities | Notes
@fly-ai/flyai-cli | latest | npm | | Version not pinned, uses @latest tag

Security highlights

✓ No credential harvesting detected - skill does not access API keys, tokens, or passwords
✓ No obfuscation or encoded commands found
✓ No network requests to suspicious external IPs
✓ No hidden functionality or undocumented behavior
✓ Documentation is comprehensive and matches implementation
✓ User profile data is local and user-controlled
✓ flyai CLI is a legitimate travel data API tool