Low Risk — Risk Score 25/100
Last scan: 1 day ago
introspection-debugger
AI Agent introspection debugging framework - gives AI agents self-diagnosis and automatic repair capabilities
This is a legitimate AI agent self-debugging framework with no malicious behavior; however, undeclared network access for webhook notifications and overly broad shell/filesystem capabilities that exceed what is technically documented create minor security concerns.
Skill Name: introspection-debugger
Duration: 40.0s
Engine: pi
Safe to install
Narrow the shell execution scope, explicitly document network notification capability, add input sanitization for file paths extracted from error messages, and pin npm install versions.

Findings 4 items

Severity Finding Location
Medium
Undeclared network access via webhook Doc Mismatch
notifyHuman() silently POSTs full error reports (including stack traces, error messages, and fix results) to any HTTP/HTTPS URL supplied as notificationHook. SKILL.md never mentions network access or webhook capability. This allows exfiltration of error context to any external endpoint.
const req = fetch.request(this.notificationHook, { method: 'POST', ... })
→ Document the webhook notification feature in SKILL.md with explicit mention of network:WRITE and what data is transmitted.
introspection-debugger.js:257
Low
Undeclared global process handler registration Priv Escalation
setupGlobalHandlers() attaches listeners to process.on('uncaughtException') and process.on('unhandledRejection'), affecting the entire Node.js process. SKILL.md does not mention this global interception behavior.
process.on('uncaughtException', ...)
→ Document that the skill registers global process error handlers and clarify scope of impact.
introspection-debugger.js:222
Low
Unpinned npm install in installDependency fix RCE
The installDependency fix runs 'npm install <moduleName>' without version pinning or dry-run checks. A crafted error message could trigger installation of an arbitrary npm package into the workspace.
await this.execAsync(`npm install ${moduleName}`)
→ Pin installed package versions and add validation before executing npm install.
introspection-debugger.js:135
Low
Shell command injection via extractFilePath RCE
extractFilePath() uses a simple regex match on error messages and passes the result to chmod +x. While path separators are not shell-injected, the path comes from an untrusted error source.
await this.execAsync(`chmod +x "${filePath}"`)
→ Validate that extracted paths are within the intended workspace directory before executing chmod.
introspection-debugger.js:111
Resource Declared Inferred Status Evidence
Filesystem NONE WRITE ✓ Aligned introspection-debugger.js:107 — createMissingFile calls fs.writeFileSync on extr…
Shell NONE WRITE ✓ Aligned introspection-debugger.js:296 — execAsync('chmod +x ...') and execAsync('npm ins…
Network NONE WRITE ✗ Violation introspection-debugger.js:257 — notifyHuman() POSTs JSON report to arbitrary thi…
Environment NONE READ ✓ Aligned introspection-debugger.js reads process.cwd() for workspace — baseline for any p…

File Tree

2 files · 16.1 KB · 614 lines
JavaScript 1f · 526L Markdown 1f · 88L
├─ 📜 introspection-debugger.js JavaScript 526L · 14.2 KB
└─ 📝 SKILL.md Markdown 88L · 1.9 KB

Security Positives

✓ No credential harvesting or environment variable enumeration for sensitive keys
✓ No base64 or other obfuscation techniques detected
✓ No direct IP network requests or hardcoded C2 endpoints
✓ No downloads from remote URLs via curl|bash patterns
✓ No supply chain threats — no package manager files present
✓ Core functionality (error capture, analysis, reporting) matches stated purpose