中文 EN

Scan Report

Scan New Files

Trusted — Risk Score 5/100
Last scan:19 hr ago Rescan
5 /100
form2api
Web form reverse-engineering tool that intercepts API requests and generates reusable API documentation
A legitimate form reverse-engineering tool that captures browser API requests through declared browser injection and CDP-based cookie extraction, with all functionality accurately documented in SKILL.md.
Skill Nameform2api
Duration30.1s
Enginepi
Safe to install
No action required. The skill performs documented network interception and cookie extraction functionality that is core to its purpose.
ResourceDeclaredInferredStatusEvidence
Browser WRITE WRITE ✓ Aligned SKILL.md: Inject interceptor via evaluate action
Shell WRITE WRITE ✓ Aligned SKILL.md: subprocess calls to Python scripts
Filesystem WRITE WRITE ✓ Aligned Reads scripts, writes /tmp outputs
Network READ READ ✓ Aligned localhost:9222 CDP for browser cookies only
Environment NONE NONE No environment variable access
1 findings
🔗
Medium External URL 外部 URL
http://127.0.0.1:9222/json
scripts/extract_cookies.py:49

File Tree

5 files · 22.0 KB · 715 lines
Python 2f · 424L Markdown 2f · 196L JavaScript 1f · 95L
├─ 📁 references
│ └─ 📝 output_template.md Markdown 101L · 2.1 KB
├─ 📁 scripts
│ ├─ 🐍 analyze_requests.py Python 288L · 9.2 KB
│ ├─ 🐍 extract_cookies.py Python 136L · 4.1 KB
│ └─ 📜 inject_interceptor.js JavaScript 95L · 2.8 KB
└─ 📝 SKILL.md Markdown 95L · 3.8 KB

Dependencies 1 items

PackageVersionSourceKnown VulnsNotes
websocket-client * pip No Required for Chrome DevTools Protocol communication

Security Positives

✓ All functionality declared in SKILL.md with clear workflow
✓ Clean, readable code with no obfuscation (no base64, no encoded commands)
✓ No external network connections for data exfiltration
✓ Only standard library + websocket-client dependency (for CDP)
✓ Filesystem access limited to /tmp temp files and skill scripts
✓ CDP connection restricted to localhost:9222 (browser debugging port)
✓ Cookies cached only locally in /tmp with 1-hour expiry
✓ Scripts filter static resources and tracking domains from analysis