Low risk (risk score 25/100)
Last scanned: 1 day ago
introspection-debugger
AI agent introspection and debugging framework - gives AI agents self-diagnosis and automatic repair capabilities
This is a legitimate AI agent self-debugging framework with no malicious behavior; however, undeclared network access for webhook notifications and overly broad shell/filesystem capabilities that exceed what is technically documented create minor security concerns.
Skill name: introspection-debugger
Analysis time: 40.0s
Engine: pi
Can be installed
Narrow the shell execution scope, explicitly document network notification capability, add input sanitization for file paths extracted from error messages, and pin npm install versions.

Security findings: 4

Severity | Finding | Location
Medium
Undeclared network access via webhook (category: documentation deception)
notifyHuman() silently POSTs full error reports (including stack traces, error messages, and fix results) to any HTTP/HTTPS URL supplied as notificationHook. SKILL.md never mentions network access or webhook capability. This allows exfiltration of error context to any external endpoint.
const req = fetch.request(this.notificationHook, { method: 'POST', ... })
→ Document the webhook notification feature in SKILL.md with explicit mention of network:WRITE and what data is transmitted.
introspection-debugger.js:257
Low
Undeclared global process handler registration (category: privilege escalation)
setupGlobalHandlers() attaches listeners to process.on('uncaughtException') and process.on('unhandledRejection'), affecting the entire Node.js process. SKILL.md does not mention this global interception behavior.
process.on('uncaughtException', ...)
→ Document that the skill registers global process error handlers and clarify scope of impact.
introspection-debugger.js:222
Low
Unpinned npm install in installDependency fix (category: code execution)
The installDependency fix runs 'npm install <moduleName>' without version pinning or dry-run checks. A crafted error message could trigger installation of an arbitrary npm package into the workspace.
await this.execAsync(`npm install ${moduleName}`)
→ Pin installed package versions and add validation before executing npm install.
introspection-debugger.js:135
Low
Shell command injection via extractFilePath (category: code execution)
extractFilePath() uses a simple regex match on error messages and passes the result to chmod +x. While path separators are not shell-injected, the path comes from an untrusted error source.
await this.execAsync(`chmod +x "${filePath}"`)
→ Validate that extracted paths are within the intended workspace directory before executing chmod.
introspection-debugger.js:111
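| Resource type | Declared permission | Inferred permission | Status | Evidence |
| --- | --- | --- | --- | --- |
| Filesystem | NONE | WRITE | ✓ Consistent | introspection-debugger.js:107 — createMissingFile calls fs.writeFileSync on extr… |
| Command execution | NONE | WRITE | ✓ Consistent | introspection-debugger.js:296 — execAsync('chmod +x ...') and execAsync('npm ins… |
| Network access | NONE | WRITE | ✗ Exceeds declared permission | introspection-debugger.js:257 — notifyHuman() POSTs JSON report to arbitrary thi… |
| Environment variables | NONE | READ | ✓ Consistent | introspection-debugger.js reads process.cwd() for workspace — baseline for any p… |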

Directory structure

2 files · 16.1 KB · 614 lines
JavaScript 1f · 526L Markdown 1f · 88L
├─ 📜 introspection-debugger.js JavaScript 526L · 14.2 KB
└─ 📝 SKILL.md Markdown 88L · 1.9 KB

Security highlights

✓ No credential harvesting or environment variable enumeration for sensitive keys
✓ No base64 or other obfuscation techniques detected
✓ No direct IP network requests or hardcoded C2 endpoints
✓ No downloads from remote URLs via curl|bash patterns
✓ No supply chain threats — no package manager files present
✓ Core functionality (error capture, analysis, reporting) matches stated purpose