Low risk: risk score 15/100
Last scan: 1 day ago
miliger-qmd-manager
Unified QMD knowledge base management skill, integrating the official qmd search functionality
This QMD knowledge management skill uses safe execFile patterns but has minor documentation gaps regarding shell command execution.
Skill name: miliger-qmd-manager
Analysis time: 29.0s
Engine: pi
Verdict: safe to install
Add explicit declaration of qmd CLI execution in SKILL.md capabilities section. Otherwise, the implementation follows security best practices.

Security findings (1)

Severity: Low
Finding: Shell execution not declared in SKILL.md (category: documentation deception)
Location: index.js:67
The skill uses execFile to execute the qmd CLI binary, which constitutes the shell:WRITE capability. This is not mentioned in the capability declaration section of SKILL.md.
Evidence: const result = await this.execCommand(this.qmdPath, args);
→ Recommendation: Add a 'Capabilities' or 'Security' section to SKILL.md explicitly declaring the use of execFile to invoke the qmd CLI binary.
Resource type          Declared   Inferred   Status                Evidence
File system            NONE       READ       ✓ consistent          Only reads knowledge base via qmd CLI
Command execution      NONE       WRITE      ✗ exceeds declared    Uses execFile to execute qmd CLI commands (index.js:67)
Network access         NONE       NONE                             No network activity detected
Environment variables  NONE       NONE                             Does not access environment variables
External URL findings (1)
Severity: Medium   Type: External URL
https://clawhub.com/skills/miliger-qmd-manager
Location: README.md:55

Directory structure

4 files · 12.9 KB · 499 lines
Markdown: 2 files · 287 lines   JavaScript: 1 file · 179 lines   JSON: 1 file · 33 lines
├─ 📜 index.js JavaScript 179L · 5.6 KB
├─ 📋 package.json JSON 33L · 784 B
├─ 📝 README.md Markdown 61L · 1.3 KB
└─ 📝 SKILL.md Markdown 226L · 5.2 KB

Dependency analysis (2)

Package          Version   Source   Known vulnerabilities   Notes
child_process    builtin   node                             Standard library only
path             builtin   node                             Standard library only

Security highlights

✓ Uses execFile instead of exec, avoiding shell injection vulnerabilities
✓ No external network requests or data exfiltration
✓ No credential harvesting or sensitive data access
✓ No base64 encoding or obfuscation detected
✓ No dependency on external packages (only uses Node.js built-ins)
✓ Predefined command whitelist: search, query, vsearch, status, get, collection
✓ User input passed as arguments (not concatenated into shell strings)