Suspicious: risk score 45/100
Last scan: 18 hours ago
authenticate-wallet
Authenticate to AgnicPay wallet using browser OAuth or non-browser API token mode
The skill relies on unversioned npx execution of an external npm package with wildcard arguments, posing a significant supply-chain risk.
Skill name: authenticate-wallet
Analysis time: 35.0s
Engine: pi
Verdict: Use with caution
Pin the npm package to a specific version hash and restrict allowed-tools to documented subcommands only.

Attack chain (3 steps)

1. Privilege escalation: Attacker typosquats or compromises the 'agnic' npm package (SKILL.md:8)
2. Privilege escalation: Skill executes arbitrary code via 'npx agnic@latest *' when the user invokes it (SKILL.md:8)
3. Impact: Malicious package executes code with the same shell:WRITE privileges (SKILL.md:8)

Security findings (3)

High: Unversioned npm package execution
  Category: Supply chain
  Location: SKILL.md:8
  The skill uses 'npx agnic@latest', which pulls from the npm registry without version pinning. An attacker who compromises the 'agnic' package name (typosquatting, account takeover) could execute arbitrary code.
  Evidence: allowed-tools: ["Bash(npx agnic@latest *)"]
  → Pin to a specific version or commit hash, e.g., 'npx [email protected]', or verify package integrity with an integrity hash

Medium: Wildcard allows undocumented subcommands
  Category: Documentation deception
  Location: SKILL.md:8
  The '*' in allowed-tools permits any agnic command, not just the documented auth/status/logout. The skill could silently execute other agnic subcommands not listed in the documentation.
  Evidence: Bash(npx agnic@latest *)
  → Restrict to specific subcommands: 'Bash(npx agnic@latest auth login;npx agnic@latest status --json;npx agnic@latest auth logout)'

Low: Token visible in command line
  Category: Credential theft
  Location: SKILL.md:11
  Passing --token as a command-line argument exposes the credential in the process list and shell history.
  Evidence: npx agnic@latest --token <agnic_token>
  → Prefer the environment variable AGNIC_TOKEN, which is less exposed, or document this risk explicitly
Permissions

Resource type | Declared permission | Inferred permission | Status | Evidence
Command execution | WRITE | WRITE | ✓ consistent | allowed-tools declares Bash(npx agnic@latest *)

Directory structure

1 file · 1.5 KB · 62 lines
Markdown: 1 file · 62 lines
└─ SKILL.md (Markdown, 62 lines, 1.5 KB)

Dependency analysis (1)

Package | Version | Source | Known vulnerabilities | Notes
agnic | @latest | npm | none listed | No version pinned; arbitrary code execution possible if the package is compromised

Security highlights

✓ Skill is simple with minimal attack surface
✓ No hidden functionality detected
✓ No direct access to sensitive files (~/.ssh, ~/.aws, etc.)
✓ No base64 or obfuscated code
✓ No credential exfiltration observed