Low risk: risk score 20/100
Last scan: 2 days ago
kmind-markdown-to-mindmap
Convert Markdown outlines or plain text into themed KMind mind maps. Export SVG or PNG images with theme presets, layouts, edge routes, dark mode, and rainbow branches.
A legitimate KMind mind-map rendering wrapper. The script is a thin, benign Node.js wrapper with no malicious behavior, but has minor documentation gaps around browser automation and references a missing vendor binary.
Skill name: kmind-markdown-to-mindmap
Analysis time: 45.9s
Engine: pi
Verdict: can be installed
Verify that scripts/vendor/cli.mjs is bundled before deployment. Consider clarifying the browser automation behavior in SKILL.md to remove the 'fully offline' claim if headless Chrome is involved. Pin the package.json version and add a devDependency on puppeteer if that's the underlying browser automation library.

Security findings (3)

Medium · Missing vendor binary · scripts/kmind-render.mjs:7
scripts/kmind-render.mjs imports a vendor binary at scripts/vendor/cli.mjs that does not exist in the provided file tree. Without this binary the script is a non-functional wrapper.
    const vendorCliPath = path.join(scriptDir, "vendor", "cli.mjs");
→ Ensure the vendor/cli.mjs file is bundled alongside the wrapper script in the final skill package.
Low · Offline claim contradicts browser automation · SKILL.md:11
SKILL.md states the skill is 'fully offline' and 'does not require any network connection', yet the documented workflow explicitly auto-launches a Chromium browser. Browser automation via puppeteer/playwright typically opens a Chrome DevTools Protocol connection to localhost.
    It is a fully offline skill and does not require any network connection for local conversion.
→ Update the description to clarify that local browser automation (Chromium) is used for rendering, rather than claiming full offline operation.
Low · No dependency pinning · package.json:1
package.json declares no dependencies. The underlying vendor binary (kmind cli) is an uninspectable blob, so its version cannot be verified.
    {
      "name": "kmind-markdown-to-mindmap",
      "private": true,
      "version": "0.1.0"
    }
→ Add a devDependency or a note identifying the bundled KMind CLI version for auditability.
Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | NONE | WRITE | ✓ consistent | scripts/kmind-render.mjs:18 - passes args to vendor binary which writes output
Network access | NONE | READ | ✓ consistent | SKILL.md line 18 - auto-launches local Chromium browser; browser automation typi…
Command execution | NONE | WRITE | ✓ consistent | scripts/kmind-render.mjs:13-14 - spawns child process via Node.js; this is a sta…
Browser | NONE | WRITE | ✓ consistent | SKILL.md line 18,43 - auto-launches Chromium in headless mode; this is the prima…
External URL findings (1)

Medium | External URL | https://kmind.app | SKILL.md:9

Directory structure

4 files · 6.3 KB · 127 lines
Markdown 1 file · 86 lines · JavaScript 1 file · 29 lines · YAML 1 file · 7 lines · JSON 1 file · 5 lines
├─ 📁 agents
│ └─ 📋 openai.yaml YAML 7L · 430 B
├─ 📁 scripts
│ └─ 📜 kmind-render.mjs JavaScript 29L · 734 B
├─ 📋 package.json JSON 5L · 83 B
└─ 📝 SKILL.md Markdown 86L · 5.1 KB

Dependency analysis (1)

Package | Version | Source | Known vulnerabilities | Notes
kmind-vendor-cli | unknown | vendored (scripts/vendor/cli.mjs) | | Vendor binary is missing from bundle and cannot be audited

Security highlights

✓ No credential harvesting or environment variable iteration observed
✓ No base64-encoded payloads or eval() usage
✓ No curl|bash or remote script execution
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No data exfiltration or external network calls detected
✓ Subprocess spawning is a standard, well-documented CLI wrapper pattern for Node.js
✓ SKILL.md has a publish-safe allowlist that restricts theme/layout/edge-route options