Trusted: risk score 5/100
Last scan: 22 hours ago
credential-vault
GPG AES-256 encrypted credential management tool for passwords, API tokens, and secrets
The skill is a legitimate GPG AES-256 credential manager with well-documented security practices, correctly declared permissions, and no malicious behavior detected.
Skill name: credential-vault
Analysis time: 34.4s
Engine: pi
Verdict: safe to install
No action required. The skill can be used safely. Consider pinning GPG versions in deployment environments for supply-chain hygiene.
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | WRITE | WRITE | ✓ Consistent | cred_manager.py:52 _gpg_encrypt subprocess, cred_manager.py:88 _secure_write_tem…
Command execution | WRITE | WRITE | ✓ Consistent | cred_manager.py:44 subprocess.Popen for GPG encrypt/decrypt; cred_helper.sh:47 e…
Environment variables | READ | READ | ✓ Consistent | cred_manager.py:38 MASTER_PASS = os.environ.get('CRED_MASTER_PASS', '')
Network access | NONE | NONE | | No network calls in any file
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | NONE | | No browser access
Database | NONE | NONE | | No database access
Skill invocation | NONE | NONE | | No skill invocation
1 finding
Medium · External URL
https://gpg4win.org
SKILL.md:28

Directory structure

3 files · 22.8 KB · 602 lines
Python: 1 file · 357 lines; Markdown: 1 file · 186 lines; Shell: 1 file · 59 lines
├─ 📁 scripts
│ ├─ 🔧 cred_helper.sh Shell 59L · 2.1 KB
│ └─ 🐍 cred_manager.py Python 357L · 13.0 KB
└─ 📝 SKILL.md Markdown 186L · 7.7 KB

Dependency analysis (1 item)

Package | Version | Source | Known vulnerabilities | Notes
gnupg (gpg) | any | system binary | | No version pinning available for system binaries; recommend verifying GPG installation in deployment

Security highlights

✓ Master password passed via --passphrase-fd stdin pipe, not command-line arguments — prevents ps aux leakage
✓ Temporary plaintext files created with mkstemp + fchmod 600 and securely zero-overwritten before unlink
✓ Encrypted credential file permissions set to 600 (owner-only)
✓ All known security limitations transparently documented in SKILL.md
✓ Environment variable access (CRED_MASTER_PASS) explicitly declared in _meta.json metadata
✓ GPG and python3 binary dependencies declared in metadata
✓ No credential exfiltration, no external network calls, no obfuscation
✓ Shell helper script uses identical --passphrase-fd 0 pattern as Python implementation
✓ No iteration over os.environ for credential harvesting — only reads the specific CRED_MASTER_PASS variable
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)