Scan report
5/100
form2api
Web form reverse-engineering tool that intercepts API requests and generates reusable API documentation
A legitimate form reverse-engineering tool that captures browser API requests through declared browser injection and CDP-based cookie extraction, with all functionality accurately documented in SKILL.md.
Can be installed
No action required. The skill performs documented network interception and cookie extraction functionality that is core to its purpose.
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Browser | WRITE | WRITE | ✓ Consistent | SKILL.md: Inject interceptor via evaluate action |
| Command execution | WRITE | WRITE | ✓ Consistent | SKILL.md: subprocess calls to Python scripts |
| File system | WRITE | WRITE | ✓ Consistent | Reads scripts, writes /tmp outputs |
| Network access | READ | READ | ✓ Consistent | localhost:9222 CDP for browser cookies only |
| Environment variables | NONE | NONE | — | No environment variable access |
1 finding
Medium risk: External URL
http://127.0.0.1:9222/json (scripts/extract_cookies.py:49)
Directory structure
5 files · 22.0 KB · 715 lines
Python 2f · 424L
Markdown 2f · 196L
JavaScript 1f · 95L
├─ references
│  └─ output_template.md (Markdown)
├─ scripts
│  ├─ analyze_requests.py (Python)
│  ├─ extract_cookies.py (Python)
│  └─ inject_interceptor.js (JavaScript)
└─ SKILL.md (Markdown)
Dependency analysis: 1 item
| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| websocket-client | * | pip | No | Required for Chrome DevTools Protocol communication |
Security highlights
✓ All functionality declared in SKILL.md with clear workflow
✓ Clean, readable code with no obfuscation (no base64, no encoded commands)
✓ No external network connections for data exfiltration
✓ Only standard library + websocket-client dependency (for CDP)
✓ Filesystem access limited to /tmp temp files and skill scripts
✓ CDP connection restricted to localhost:9222 (browser debugging port)
✓ Cookies cached only locally in /tmp with 1-hour expiry
✓ Scripts filter static resources and tracking domains from analysis