中文 EN

Scan Report

Scan New Files

This report was generated in Chinese. Some content may be in Chinese.
Trusted — Risk Score 5/100
Last scan:5 hr ago Rescan
5 /100
xiaobai-print
小白打印助手,通过本地 MCP bridge 调用打印相关工具
合法的打印助手技能,通过本地 MCP bridge 转发打印相关 API 调用,无恶意行为发现
Skill Namexiaobai-print
Duration37.2s
Enginepi
ClawHub xiaobai-print v1.0.0 by zwwz22
📥 144
ClawHub Verdict Suspicious install_untrusted_sourcepotential_exfiltration
Safe to install
无需限制,可安全使用

Findings 2 items

Severity Finding Location
Low
权限声明宽泛 Doc Mismatch
SKILL.md 声明 allowed-tools 为 Bash, Read,但实际只通过 node 执行固定脚本,不涉及任意 shell 命令执行
allowed-tools: Bash, Read
→ 建议细化权限声明为 skill_invoke:WRITE,明确只通过 invoke.js 调用预设工具
 SKILL.md:1
Info
网络调用未声明 Doc Mismatch
invoke.js 实际通过 fetch 调用本地 MCP bridge (127.0.0.1:8787),SKILL.md 未明确声明网络访问能力
const baseUrl = normalizeBaseUrl(process.env.MY_MCP_BASE_URL || DEFAULT_BASE_URL);
→ 属于正常架构设计,本地通信风险可控,建议文档补充说明
 skills/xiaobai-print/scripts/invoke.js:31
ResourceDeclaredInferredStatusEvidence
Filesystem READ READ ✓ Aligned SKILL.md:3 允许 Read,实际只读用户指定的打印文件路径
Network NONE READ ✓ Aligned invoke.js:31 访问 http://127.0.0.1:8787 本地 bridge,未在 SKILL.md 声明
Shell WRITE READ ✓ Aligned invoke.js:1 声明 node 执行但 SKILL.md 标注 Bash,实际不执行任意 shell 命令
99 findings
🔗
Medium External URL 外部 URL
https://mcp.gongfudou.com/mcp/openclaw/sse
README.md:32
🔗
Medium External URL 外部 URL
http://127.0.0.1:8787
README.md:57
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/@hono/node-server/-/node-server-1.19.11.tgz
package-lock.json:25
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/@modelcontextprotocol/sdk/-/sdk-1.27.1.tgz
package-lock.json:37
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/@types/node/-/node-22.19.15.tgz
package-lock.json:77
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/accepts/-/accepts-2.0.0.tgz
package-lock.json:87
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/ajv/-/ajv-8.18.0.tgz
package-lock.json:100
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/ajv-formats/-/ajv-formats-3.0.1.tgz
package-lock.json:116
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/body-parser/-/body-parser-2.2.2.tgz
package-lock.json:133
🔗
Medium External URL 外部 URL
https://opencollective.com/express
package-lock.json:152
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/bytes/-/bytes-3.1.2.tgz
package-lock.json:157
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/call-bind-apply-helpers/-/call-bind-apply-helpers-1.0.2.tgz
package-lock.json:166
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/call-bound/-/call-bound-1.0.4.tgz
package-lock.json:179
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/content-disposition/-/content-disposition-1.0.1.tgz
package-lock.json:195
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/content-type/-/content-type-1.0.5.tgz
package-lock.json:208
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/cookie/-/cookie-0.7.2.tgz
package-lock.json:217
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/cookie-signature/-/cookie-signature-1.2.2.tgz
package-lock.json:226
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/cors/-/cors-2.8.6.tgz
package-lock.json:235
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/cross-spawn/-/cross-spawn-7.0.6.tgz
package-lock.json:252
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/debug/-/debug-4.4.3.tgz
package-lock.json:266
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/depd/-/depd-2.0.0.tgz
package-lock.json:283
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/dunder-proto/-/dunder-proto-1.0.1.tgz
package-lock.json:292
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/ee-first/-/ee-first-1.1.1.tgz
package-lock.json:306
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/encodeurl/-/encodeurl-2.0.0.tgz
package-lock.json:312
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/es-define-property/-/es-define-property-1.0.1.tgz
package-lock.json:321
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/es-errors/-/es-errors-1.3.0.tgz
package-lock.json:330
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/es-object-atoms/-/es-object-atoms-1.1.1.tgz
package-lock.json:339
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/escape-html/-/escape-html-1.0.3.tgz
package-lock.json:351
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/etag/-/etag-1.8.1.tgz
package-lock.json:357
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/eventsource/-/eventsource-3.0.7.tgz
package-lock.json:366
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/eventsource-parser/-/eventsource-parser-3.0.6.tgz
package-lock.json:378
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/express/-/express-5.2.1.tgz
package-lock.json:387
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/express-rate-limit/-/express-rate-limit-8.3.1.tgz
package-lock.json:430
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz
package-lock.json:448
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/fast-uri/-/fast-uri-3.1.0.tgz
package-lock.json:454
🔗
Medium External URL 外部 URL
https://opencollective.com/fastify
package-lock.json:463
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/finalhandler/-/finalhandler-2.1.1.tgz
package-lock.json:470
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/forwarded/-/forwarded-0.2.0.tgz
package-lock.json:491
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/fresh/-/fresh-2.0.0.tgz
package-lock.json:500
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/function-bind/-/function-bind-1.1.2.tgz
package-lock.json:509
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/get-intrinsic/-/get-intrinsic-1.3.0.tgz
package-lock.json:518
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/get-proto/-/get-proto-1.0.1.tgz
package-lock.json:542
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/gopd/-/gopd-1.2.0.tgz
package-lock.json:555
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/has-symbols/-/has-symbols-1.1.0.tgz
package-lock.json:567
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/hasown/-/hasown-2.0.2.tgz
package-lock.json:579
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/hono/-/hono-4.12.7.tgz
package-lock.json:591
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/http-errors/-/http-errors-2.0.1.tgz
package-lock.json:600
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/iconv-lite/-/iconv-lite-0.7.2.tgz
package-lock.json:620
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/inherits/-/inherits-2.0.4.tgz
package-lock.json:636
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/ip-address/-/ip-address-10.1.0.tgz
package-lock.json:642
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/ipaddr.js/-/ipaddr.js-1.9.1.tgz
package-lock.json:651
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/is-promise/-/is-promise-4.0.0.tgz
package-lock.json:660
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/isexe/-/isexe-2.0.0.tgz
package-lock.json:666
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/jose/-/jose-6.2.1.tgz
package-lock.json:672
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/json-schema-traverse/-/json-schema-traverse-1.0.0.tgz
package-lock.json:681
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/json-schema-typed/-/json-schema-typed-8.0.2.tgz
package-lock.json:687
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/math-intrinsics/-/math-intrinsics-1.1.0.tgz
package-lock.json:693
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/media-typer/-/media-typer-1.1.0.tgz
package-lock.json:702
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/merge-descriptors/-/merge-descriptors-2.0.0.tgz
package-lock.json:711
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/mime-db/-/mime-db-1.54.0.tgz
package-lock.json:723
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/mime-types/-/mime-types-3.0.2.tgz
package-lock.json:732
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/ms/-/ms-2.1.3.tgz
package-lock.json:748
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/negotiator/-/negotiator-1.0.0.tgz
package-lock.json:754
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/object-assign/-/object-assign-4.1.1.tgz
package-lock.json:763
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/object-inspect/-/object-inspect-1.13.4.tgz
package-lock.json:772
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/on-finished/-/on-finished-2.4.1.tgz
package-lock.json:784
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/once/-/once-1.4.0.tgz
package-lock.json:796
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/parseurl/-/parseurl-1.3.3.tgz
package-lock.json:805
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/path-key/-/path-key-3.1.1.tgz
package-lock.json:814
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/path-to-regexp/-/path-to-regexp-8.3.0.tgz
package-lock.json:823
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/pkce-challenge/-/pkce-challenge-5.0.1.tgz
package-lock.json:833
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/proxy-addr/-/proxy-addr-2.0.7.tgz
package-lock.json:842
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/qs/-/qs-6.15.0.tgz
package-lock.json:855
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/range-parser/-/range-parser-1.2.1.tgz
package-lock.json:870
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/raw-body/-/raw-body-3.0.2.tgz
package-lock.json:879
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/require-from-string/-/require-from-string-2.0.2.tgz
package-lock.json:894
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/router/-/router-2.2.0.tgz
package-lock.json:903
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/safer-buffer/-/safer-buffer-2.1.2.tgz
package-lock.json:919
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/send/-/send-1.2.1.tgz
package-lock.json:925
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/serve-static/-/serve-static-2.2.1.tgz
package-lock.json:951
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/setprototypeof/-/setprototypeof-1.2.0.tgz
package-lock.json:970
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/shebang-command/-/shebang-command-2.0.0.tgz
package-lock.json:976
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/shebang-regex/-/shebang-regex-3.0.0.tgz
package-lock.json:988
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/side-channel/-/side-channel-1.1.0.tgz
package-lock.json:997
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/side-channel-list/-/side-channel-list-1.0.0.tgz
package-lock.json:1016
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/side-channel-map/-/side-channel-map-1.0.1.tgz
package-lock.json:1032
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/side-channel-weakmap/-/side-channel-weakmap-1.0.2.tgz
package-lock.json:1050
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/statuses/-/statuses-2.0.2.tgz
package-lock.json:1069
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/toidentifier/-/toidentifier-1.0.1.tgz
package-lock.json:1078
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/type-is/-/type-is-2.0.1.tgz
package-lock.json:1087
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/typescript/-/typescript-5.9.3.tgz
package-lock.json:1101
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/undici-types/-/undici-types-6.21.0.tgz
package-lock.json:1115
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/unpipe/-/unpipe-1.0.0.tgz
package-lock.json:1122
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/vary/-/vary-1.1.2.tgz
package-lock.json:1131
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/which/-/which-2.0.2.tgz
package-lock.json:1140
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/wrappy/-/wrappy-1.0.2.tgz
package-lock.json:1155
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/zod/-/zod-4.3.6.tgz
package-lock.json:1161
🔗
Medium External URL 外部 URL
https://registry.npmmirror.com/zod-to-json-schema/-/zod-to-json-schema-3.25.1.tgz
package-lock.json:1170
🔗
Medium External URL 外部 URL
http://127.0.0.1:8787/mcp/tools
skills/xiaobai-print/schema/tools.json:8

File Tree

24 files · 109.4 KB · 3487 lines
TypeScript 13f · 1515L JSON 5f · 1346L Markdown 4f · 508L JavaScript 2f · 118L
├─ 📁 examples
│ └─ 📁 search-docs-skill
│ ├─ 📁 schema
│ │ └─ 📋 tools.json JSON 31L · 834 B
│ ├─ 📁 scripts
│ │ └─ 📜 invoke.js JavaScript 59L · 1.5 KB
│ └─ 📝 SKILL.md Markdown 32L · 1.1 KB
├─ 📁 skills
│ └─ 📁 xiaobai-print
│ ├─ 📁 schema
│ │ └─ 📋 tools.json JSON 94L · 3.5 KB
│ ├─ 📁 scripts
│ │ └─ 📜 invoke.js JavaScript 59L · 1.5 KB
│ └─ 📝 SKILL.md Markdown 153L · 6.2 KB
├─ 📁 src
│ ├─ 📁 bridge
│ │ └─ 📜 http.ts TypeScript 278L · 7.5 KB
│ ├─ 📁 core
│ │ ├─ 📜 config.ts TypeScript 18L · 466 B
│ │ ├─ 📜 proxy-tools.ts TypeScript 43L · 1.4 KB
│ │ ├─ 📜 remote-client.ts TypeScript 71L · 2.0 KB
│ │ ├─ 📜 tool-specs.ts TypeScript 83L · 3.6 KB
│ │ ├─ 📜 types.ts TypeScript 30L · 583 B
│ │ └─ 📜 upload-file.ts TypeScript 90L · 2.7 KB
│ ├─ 📁 generator
│ │ ├─ 📜 cli.ts TypeScript 175L · 4.9 KB
│ │ ├─ 📜 generate.ts TypeScript 290L · 8.6 KB
│ │ ├─ 📜 render.ts TypeScript 289L · 7.4 KB
│ │ └─ 📜 types.ts TypeScript 71L · 1.6 KB
│ ├─ 📁 mcp
│ │ └─ 📜 index.ts TypeScript 76L · 2.2 KB
│ └─ 📜 index.ts TypeScript 1L · 25 B
├─ 📋 package-lock.json JSON 1178L · 41.0 KB
├─ 📋 package.json JSON 29L · 671 B
├─ 📝 README.md Markdown 170L · 3.4 KB
├─ 📝 SKILL.md Markdown 153L · 6.5 KB
└─ 📋 tsconfig.json JSON 14L · 278 B

Dependencies 2 items

PackageVersionSourceKnown VulnsNotes
@modelcontextprotocol/sdk ^1.12.1 npm No 官方 MCP SDK
typescript ^5.7.0 npm devDependencies No

Security Positives

✓ 代码逻辑清晰,无混淆或隐蔽执行
✓ 使用官方 @modelcontextprotocol/sdk 库
✓ 依赖版本已锁定在 package-lock.json
✓ 无凭证收割、环境变量遍历等恶意模式
✓ 本地通信设计合理(127.0.0.1:8787)
✓ 认证机制明确(MY_MCP_TOKEN)
✓ 无远程脚本下载或管道执行