Low Risk — Risk Score 20/100
Last scan: 2 days ago
kmind-markdown-to-mindmap
Convert Markdown outlines or plain text into themed KMind mind maps. Export SVG or PNG images with theme presets, layouts, edge routes, dark mode, and rainbow branches.
A legitimate KMind mind-map rendering wrapper. The script is a thin, benign Node.js wrapper with no malicious behavior, but has minor documentation gaps around browser automation and references a missing vendor binary.
Skill Name: kmind-markdown-to-mindmap
Duration: 45.9s
Engine: pi
Safe to install
Verify that scripts/vendor/cli.mjs is bundled before deployment. Consider clarifying the browser automation behavior in SKILL.md to remove the 'fully offline' claim if headless Chrome is involved. Pin the package.json version and add a devDependency on puppeteer if that's the underlying browser automation library.

Findings (3 items)

Severity | Finding | Location

[Medium] Missing vendor binary (scripts/kmind-render.mjs:7)
scripts/kmind-render.mjs imports a vendor binary at scripts/vendor/cli.mjs that does not exist in the provided file tree. Without this binary the script is a non-functional wrapper.
Evidence:
    const vendorCliPath = path.join(scriptDir, "vendor", "cli.mjs");
→ Ensure the vendor/cli.mjs file is bundled alongside the wrapper script in the final skill package.

[Low] Offline claim contradicts browser automation (SKILL.md:11)
SKILL.md states the skill is 'fully offline' and 'does not require any network connection', yet the documented workflow explicitly auto-launches a Chromium browser. Browser automation via puppeteer/playwright typically opens a Chrome DevTools Protocol connection to localhost.
Evidence:
    It is a fully offline skill and does not require any network connection for local conversion.
→ Update the description to clarify that local browser automation (Chromium) is used for rendering, rather than claiming full offline operation.

[Low] No dependency pinning (package.json:1)
package.json declares no dependencies. The underlying vendor binary (kmind cli) is an uninspectable blob, so its version cannot be verified.
Evidence:
    {
      "name": "kmind-markdown-to-mindmap",
      "private": true,
      "version": "0.1.0"
    }
→ Add a devDependency or a note identifying the bundled KMind CLI version for auditability.
Resource | Declared | Inferred | Status | Evidence
Filesystem | NONE | WRITE | ✓ Aligned | scripts/kmind-render.mjs:18 - passes args to vendor binary which writes output
Network | NONE | READ | ✓ Aligned | SKILL.md line 18 - auto-launches local Chromium browser; browser automation typi…
Shell | NONE | WRITE | ✓ Aligned | scripts/kmind-render.mjs:13-14 - spawns child process via Node.js; this is a sta…
Browser | NONE | WRITE | ✓ Aligned | SKILL.md line 18,43 - auto-launches Chromium in headless mode; this is the prima…
External URLs (1 finding)

[Medium] External URL: https://kmind.app (SKILL.md:9)

File Tree

4 files · 6.3 KB · 127 lines
Markdown: 1 file, 86 lines · JavaScript: 1 file, 29 lines · YAML: 1 file, 7 lines · JSON: 1 file, 5 lines
├─ 📁 agents
│ └─ 📋 openai.yaml YAML 7L · 430 B
├─ 📁 scripts
│ └─ 📜 kmind-render.mjs JavaScript 29L · 734 B
├─ 📋 package.json JSON 5L · 83 B
└─ 📝 SKILL.md Markdown 86L · 5.1 KB

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
kmind-vendor-cli | unknown | vendored (scripts/vendor/cli.mjs) | No | Vendor binary is missing from the bundle and cannot be audited

Security Positives

✓ No credential harvesting or environment variable iteration observed
✓ No base64-encoded payloads or eval() usage
✓ No curl|bash or remote script execution
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No data exfiltration or external network calls detected
✓ Subprocess spawning is a standard, well-documented CLI wrapper pattern for Node.js
✓ SKILL.md has a publish-safe allowlist that restricts theme/layout/edge-route options