中文 EN

扫描报告

扫描新文件

可疑 — 风险评分 45/100
上次扫描:22 小时前 重新扫描
45 /100
cogdx-health
Free cognitive health check for AI agents via Cerebratech CogDx
Documentation-only skill that sends agent conversation history to an external third-party API without clear data handling policies or declared allowed-tools.
技能名称cogdx-health
分析耗时29.7s
引擎pi
谨慎使用
Add explicit allowed-tools declaration (network:READ), clarify data retention policies, and ensure users consent to sharing conversation outputs with the external Cerebratech service.

安全发现 3 项

严重性 安全发现 位置
中危
Missing allowed-tools declaration 文档欺骗
SKILL.md lacks allowed-tools metadata declaration. Despite this, the skill performs network requests to api.cerebratech.ai. The skill metadata should explicitly declare network:READ permission.
No allowed-tools field in YAML frontmatter
→ Add 'allowed-tools: Bash' or appropriate tool declaration if this skill will be implemented with code.
 SKILL.md:1
中危
Conversation data sent to external third-party API 数据外泄
The skill sends 10-20 recent agent outputs (including user prompts and agent responses) to api.cerebratech.ai. This effectively exfiltrates conversation context to an external party without clear data retention, privacy, or consent policies documented.
POST https://api.cerebratech.ai/cogdx-health with outputs array containing prompts and responses
→ Document data handling practices, add privacy policy reference, and warn users that their prompts/responses will be sent to an external service.
 SKILL.md:32
低危
External service dependency on Cerebratech 供应链
The skill depends entirely on an external API (api.cerebratech.ai). If this service goes down, is compromised, or changes terms, the skill becomes non-functional. No fallback or local alternative exists.
POST https://api.cerebratech.ai/cogdx-health
→ Consider documenting reliability expectations or offering a local analysis mode.
 SKILL.md:32
资源类型声明权限推断权限状态证据
网络访问 NONE READ ✓ 一致 SKILL.md:32 POST https://api.cerebratech.ai/cogdx-health
文件系统 NONE NONE N/A - no file operations
命令执行 NONE NONE N/A - no shell execution
环境变量 NONE NONE N/A - no env access
技能调用 NONE NONE N/A - no skill chaining
剪贴板 NONE NONE N/A - no clipboard access
浏览器 NONE NONE N/A - no browser usage
数据库 NONE NONE N/A - no DB access
1 项发现
🔗
中危 外部 URL 外部 URL
https://api.cerebratech.ai/cogdx-health
SKILL.md:25

目录结构

2 文件 · 5.5 KB · 155 行
Markdown 2f · 155L
├─ 📁 references
│ └─ 📝 api.md Markdown 71L · 2.3 KB
└─ 📝 SKILL.md Markdown 84L · 3.2 KB

安全亮点

✓ No executable code present - skill is documentation only
✓ API endpoint and data format are fully documented
✓ No obfuscated code, base64 payloads, or suspicious patterns detected
✓ No credential harvesting, SSH key access, or sensitive file operations
✓ No reverse shell, C2, or direct IP-based malicious communication
✓ Skill purpose is transparent (cognitive health assessment)
✓ MIT license declared with author attribution