Security Decision Report

dygod-movies

Movie crawler skill with legitimate functionality but multiple security misconfigurations, including hardcoded credentials in documentation and code, unpinned dependencies, and unauthenticated API endpoints.

Install decision first · Source: manual upload · Scan time: 2026/4/5
Files: 8
IOCs: 138
Privilege overreach items: 0
Findings: 5
Most direct threat evidence
High · Credential theft
Hardcoded NAS credentials in documentation

SKILL.md contains plaintext credentials for Synology NAS: account=xiaoai, passwd=Xx654321 at 192.168.123.223:5000

SKILL.md:120

Why this conclusion was reached

2 of 4 dimensions triggered
Pass
Declared vs. actual capabilities

Declared resources are broadly consistent with the inferred capabilities.

Block
Hidden execution and outbound connections

1 high-risk IOC or outbound-connection signal extracted.

Block
Attack chain and high-risk findings

The report contains a 0-step attack chain, plus 2 high or critical findings.

Review
Dependency and supply chain hygiene

5 dependency or supply chain indicators need attention.

How the risk score was raised

Hardcoded credentials in SKILL.md +15

Synology NAS password 'Xx654321' exposed in documentation examples

Hardcoded credentials in code +15

scripts/dygod_crawler.py:305-308 contains plaintext credentials

Unpinned dependencies +10

requirements.txt uses '*' version specifiers for all packages

No authentication on FastAPI +5

service/main.py exposes download endpoint without auth

Key evidence

High · Credential theft

Hardcoded NAS credentials in documentation

SKILL.md contains plaintext credentials for Synology NAS: account=xiaoai, passwd=Xx654321 at 192.168.123.223:5000

SKILL.md:120
Remove credentials from documentation. Use environment variables or configuration files for credentials.
High · Credential theft

Hardcoded NAS credentials in source code

scripts/dygod_crawler.py contains hardcoded Synology credentials at module level

scripts/dygod_crawler.py:305
Move credentials to environment variables or a secure config. Use the os.getenv('SYNOLOGY_PASS') pattern.
Medium · Supply chain

Unpinned Python dependencies

requirements.txt uses '*' for all versions, allowing automatic upgrades that could introduce vulnerabilities

service/requirements.txt:1
Pin exact versions: requests==2.32.3, beautifulsoup4==4.12.3, etc.
Medium · Privilege escalation

Unauthenticated FastAPI endpoints

The /download and other endpoints have no authentication, allowing anyone to trigger downloads

service/main.py:170
Add authentication middleware or API key validation to protect endpoints.
Low · Misleading documentation

Insecure example in documentation

SKILL.md examples use curl.exe with credentials in URL query parameters, promoting insecure patterns

SKILL.md:132
Document secure credential handling and recommend environment-based configuration.

Declared capabilities vs. actual capabilities

File system · Pass
Declared: READ
Inferred: WRITE
SKILL.md:56 cache file writes
Network access · Pass
Declared: READ
Inferred: READ
scripts/dygod_crawler.py:73-84 HTTP GET requests
Command execution · Pass
Declared: NONE
Inferred: NONE
No subprocess/shell execution found
Environment variables · Pass
Declared: NONE
Inferred: NONE
No environment variable access

Suspicious artifacts and outbound connections

High · IP address
120.0.0.0

scripts/dygod_crawler.py:40

Medium · External URL
http://192.168.123.223:5000/webapi/entry.cgi?api=SYNO.API.Auth&version=6&method=login&account=xiaoai&passwd=Xx654321&session=DownloadStation&format=sid

SKILL.md:120

Medium · External URL
http://192.168.123.223:5000/webapi/DownloadStation/task.cgi

SKILL.md:132

Medium · External URL
http://192.168.123.223:5000/webapi/DownloadStation/task.cgi?api=SYNO.DownloadStation.Task&version=1&method=list&additional=transfer&_sid=YOUR_SID

SKILL.md:161

Medium · External URL
http://192.168.123.223:5000/webapi/DownloadStation/task.cgi?api=SYNO.DownloadStation.Task&version=1&method=delete&id=TASK_ID&force_complete=false&_sid=YOUR_SID

SKILL.md:167

Medium · External URL
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd

data/gndy_index.html:1

Medium · External URL
http://www.w3.org/1999/xhtml

data/gndy_index.html:2

Medium · External URL
http://www.dygod.net

data/gndy_index.html:43

Medium · External URL
http://www.dygod.net/

data/gndy_index.html:44

Medium · External URL
https://dygod.net/html/gndy/dyzz/20260307/131013.html

data/movies_cache.json:6

Medium · External URL
https://dygod.net/html/gndy/dyzz/20101019/28863.html

data/movies_cache.json:34

Medium · External URL
https://dygod.net/html/gndy/dyzz/20070612/2906.html

data/movies_cache.json:39

Dependencies and supply chain

Package          Version     Source  Vulnerabilities  Notes
requests         >=2.32.0    pip     -                Version not pinned
beautifulsoup4   >=4.12.0    pip     -                Version not pinned
fastapi          >=0.115.0   pip     -                Version not pinned
uvicorn          >=0.32.0    pip     -                Version not pinned
httpx            >=0.27.0    pip     -                Version not pinned

File composition

8 files · 4876 lines
HTML · 2 files · 1955 lines
JSON · 2 files · 1712 lines
Python · 2 files · 1000 lines
Markdown · 1 file · 204 lines
Text · 1 file · 5 lines
Files needing attention · 8
data/tv_index.html HTML · 1183 lines
http://www.dygod.net/html/3gp/3gpmovie/
data/gndy_index.html HTML · 772 lines
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd · http://www.w3.org/1999/xhtml · http://www.dygod.net · http://www.dygod.net/
data/movies_cache.json JSON · 1258 lines
https://dygod.net/html/gndy/dyzz/20260307/131013.html · https://dygod.net/html/gndy/dyzz/20101019/28863.html · https://dygod.net/html/gndy/dyzz/20070612/2906.html · https://dygod.net/html/gndy/dyzz/20130507/42183.html · https://dygod.net/html/gndy/dyzz/20160926/108530.html · https://dygod.net/html/gndy/dyzz/20110304/31168.html · https://dygod.net/html/gndy/dyzz/20260313/131092.html · https://dygod.net/html/gndy/dyzz/20090208/16879.html · https://dygod.net/html/gndy/dyzz/20260313/131091.html · https://dygod.net/html/gndy/dyzz/20260313/131087.html · https://dygod.net/html/gndy/dyzz/20260313/131085.html · https://dygod.net/html/gndy/dyzz/20260313/131086.html · https://dygod.net/html/gndy/dyzz/20260313/131089.html · https://dygod.net/html/gndy/dyzz/20210612/115133.html · https://dygod.net/html/gndy/dyzz/20100105/23821.html · https://dygod.net/html/gndy/dyzz/20260312/131083.html · https://dygod.net/html/gndy/dyzz/20260312/131082.html · https://dygod.net/html/gndy/dyzz/20141229/105608.html · https://dygod.net/html/gndy/dyzz/20260312/131077.html · https://dygod.net/html/gndy/dyzz/20260312/131076.html · https://dygod.net/html/gndy/dyzz/20260312/131075.html · https://dygod.net/html/gndy/dyzz/20260312/131074.html · https://dygod.net/html/gndy/dyzz/20260312/131073.html · https://dygod.net/html/gndy/dyzz/20260312/131066.html · https://dygod.net/html/gndy/dyzz/20260312/131067.html · https://dygod.net/html/gndy/dyzz/20260312/131068.html · https://dygod.net/html/gndy/dyzz/20260312/131069.html · https://dygod.net/html/gndy/dyzz/20150806/106691.html · https://dygod.net/html/gndy/dyzz/20090301/17224.html · https://dygod.net/html/gndy/dyzz/20260303/130943.html · https://dygod.net/html/gndy/dyzz/20131206/103704.html · https://dygod.net/html/gndy/dyzz/20140929/105156.html · https://dygod.net/html/gndy/dyzz/20260227/130889.html · https://dygod.net/html/gndy/dyzz/20260311/131062.html · https://dygod.net/html/gndy/dyzz/20070901/5368.html · 
https://dygod.net/html/gndy/dyzz/20090727/20542.html · https://dygod.net/html/gndy/dyzz/20260311/131059.html · https://dygod.net/html/gndy/dyzz/20260311/131060.html · https://dygod.net/html/gndy/dyzz/20260310/131049.html · https://dygod.net/html/gndy/dyzz/20260310/131055.html · https://dygod.net/html/gndy/dyzz/20070814/4857.html · https://dygod.net/html/gndy/dyzz/20260310/131050.html · https://dygod.net/html/gndy/dyzz/20260310/131051.html · https://dygod.net/html/gndy/dyzz/20081007/14599.html · https://dygod.net/html/gndy/dyzz/20260309/131042.html · https://dygod.net/html/gndy/dyzz/20260310/131058.html · https://dygod.net/html/gndy/dyzz/20190928/112428.html · https://dygod.net/html/gndy/dyzz/20260309/131040.html · https://dygod.net/html/gndy/dyzz/20260309/131038.html · https://dygod.net/html/gndy/dyzz/20260309/131037.html
scripts/dygod_crawler.py Python · 775 lines
Hardcoded NAS credentials in source code · 120.0.0.0 · https://dygod.net/html/gndy/dyzz/ · https://dygod.net
data/tv_cache.json JSON · 454 lines
https://dygod.net/html/tv/hytv/20251213/129594.html · https://dygod.net/html/tv/hytv/20260228/130900.html · https://dygod.net/html/tv/hytv/20260309/131041.html · https://dygod.net/html/tv/hytv/20260312/131084.html · https://dygod.net/html/tv/hytv/20260312/131080.html · https://dygod.net/html/tv/hytv/20260312/131079.html · https://dygod.net/html/tv/hytv/20260312/131081.html · https://dygod.net/html/tv/hytv/20260308/131032.html · https://dygod.net/html/tv/hytv/20260312/131072.html · https://dygod.net/html/tv/hytv/20260306/131003.html · https://dygod.net/html/tv/hytv/20260226/130866.html · https://dygod.net/html/tv/hytv/20260310/131056.html · https://dygod.net/html/tv/hytv/20260226/130867.html · https://dygod.net/html/tv/hytv/20260305/130972.html · https://dygod.net/html/tv/hytv/20260307/131009.html · https://dygod.net/html/tv/hytv/20260222/130837.html · https://dygod.net/html/tv/hytv/20260312/131071.html · https://dygod.net/html/tv/hytv/20260224/130858.html · https://dygod.net/html/tv/hytv/20260121/130360.html · https://dygod.net/html/tv/hytv/20260121/130362.html · https://dygod.net/html/tv/hytv/20260311/131065.html · https://dygod.net/html/tv/hytv/20260304/130958.html · https://dygod.net/html/tv/hytv/20260228/130905.html · https://dygod.net/html/tv/hytv/20251117/129222.html · https://dygod.net/html/tv/hytv/20251014/128653.html · https://dygod.net/html/tv/rihantv/20260205/130589.html · https://dygod.net/html/tv/rihantv/20260205/130590.html · https://dygod.net/html/tv/rihantv/20260122/130363.html · https://dygod.net/html/tv/rihantv/20260116/130267.html · https://dygod.net/html/tv/rihantv/20260122/130376.html · https://dygod.net/html/tv/rihantv/20260115/130257.html · https://dygod.net/html/tv/rihantv/20260109/130100.html · https://dygod.net/html/tv/rihantv/20260304/130961.html · https://dygod.net/html/tv/rihantv/20260204/130558.html · https://dygod.net/html/tv/rihantv/20260114/130238.html · https://dygod.net/html/tv/rihantv/20260107/130067.html · 
https://dygod.net/html/tv/rihantv/20260114/130237.html · https://dygod.net/html/tv/rihantv/20260228/130899.html · https://dygod.net/html/tv/rihantv/20260120/130339.html · https://dygod.net/html/tv/rihantv/20260113/130217.html · https://dygod.net/html/tv/rihantv/20260113/130216.html · https://dygod.net/html/tv/rihantv/20260113/130215.html · https://dygod.net/html/tv/rihantv/20260202/130533.html · https://dygod.net/html/tv/rihantv/20260106/130038.html · https://dygod.net/html/tv/rihantv/20260112/130193.html · https://dygod.net/html/tv/rihantv/20260113/130198.html · https://dygod.net/html/tv/rihantv/20260301/130924.html · https://dygod.net/html/tv/rihantv/20260202/130539.html · https://dygod.net/html/tv/rihantv/20260118/130314.html · https://dygod.net/html/tv/rihantv/20260217/130767.html · https://dygod.net/html/tv/oumeitv/20251021/128747.html · https://dygod.net/html/tv/oumeitv/20260116/130279.html · https://dygod.net/html/tv/oumeitv/20260306/130995.html · https://dygod.net/html/tv/oumeitv/20260106/130033.html · https://dygod.net/html/tv/oumeitv/20260312/131070.html · https://dygod.net/html/tv/oumeitv/20260214/130705.html · https://dygod.net/html/tv/oumeitv/20250918/128200.html · https://dygod.net/html/tv/oumeitv/20260110/130121.html · https://dygod.net/html/tv/oumeitv/20260130/130478.html · https://dygod.net/html/tv/oumeitv/20251023/128788.html · https://dygod.net/html/tv/oumeitv/20260109/130101.html · https://dygod.net/html/tv/oumeitv/20260122/130364.html · https://dygod.net/html/tv/oumeitv/20260305/130969.html · https://dygod.net/html/tv/oumeitv/20251026/128817.html · https://dygod.net/html/tv/oumeitv/20260310/131054.html · https://dygod.net/html/tv/oumeitv/20251223/129769.html · https://dygod.net/html/tv/oumeitv/20260225/130861.html · https://dygod.net/html/tv/oumeitv/20260311/131063.html · https://dygod.net/html/tv/oumeitv/20201102/113893.html · https://dygod.net/html/tv/oumeitv/20251016/128692.html · https://dygod.net/html/tv/oumeitv/20260302/130939.html · 
https://dygod.net/html/tv/oumeitv/20260304/130960.html · https://dygod.net/html/tv/oumeitv/20260309/131047.html · https://dygod.net/html/tv/oumeitv/20260309/131048.html · https://dygod.net/html/tv/oumeitv/20251015/128675.html
service/main.py Python · 225 lines
Unauthenticated FastAPI endpoints · https://www.dygod.net/html/tv/
SKILL.md Markdown · 204 lines
Hardcoded NAS credentials in documentation · Insecure example in documentation · http://192.168.123.223:5000/webapi/entry.cgi?api=SYNO.API.Auth&version=6&method=login&account=xiaoai&passwd=Xx654321&session=DownloadStation&format=sid · http://192.168.123.223:5000/webapi/DownloadStation/task.cgi · http://192.168.123.223:5000/webapi/DownloadStation/task.cgi?api=SYNO.DownloadStation.Task&version=1&method=list&additional=transfer&_sid=YOUR_SID · http://192.168.123.223:5000/webapi/DownloadStation/task.cgi?api=SYNO.DownloadStation.Task&version=1&method=delete&id=TASK_ID&force_complete=false&_sid=YOUR_SID
service/requirements.txt Text · 5 lines
Unpinned Python dependencies

Security highlights

No subprocess/shell execution capabilities
No credential harvesting from system
No base64 obfuscation or anti-analysis techniques
No attempts to access ~/.ssh, ~/.aws, or other sensitive paths
No external C2 communication or data exfiltration
Clear documentation of intended web scraping functionality
Uses standard libraries (requests, BeautifulSoup) for legitimate scraping