Scan Report
5 /100
tga-analyze
TGA gaming analytics data retrieval and analysis tool
Legitimate TGA gaming analytics data retrieval tool with fully documented behavior and no malicious indicators.
Safe to install
This skill is safe to use. No security concerns identified.
Findings 2 items
| Severity | Finding | Location |
|---|---|---|
| Info | Pre-scan false positive on IP address | scripts/tga.js:33 |
| Low | Broad node script path in documentation | SKILL.md:16 |
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ,WRITE | READ,WRITE | ✓ Aligned | SKILL.md: Reads .env and writes .tga-token, downloads to filesystem |
| Network | WRITE | WRITE | ✓ Aligned | SKILL.md: Login and download API calls to tga-web.hortorgames.com |
| Shell | WRITE | WRITE | ✓ Aligned | SKILL.md: node command execution for tga.js scripts |
1 High 3 findings
High IP Address 硬编码 IP 地址
145.0.0.0 scripts/tga.js:33 Medium External URL 外部 URL
https://tga-web.hortorgames.com/#/panel/panel/377_5851 SKILL.md:21 Medium External URL 外部 URL
https://tga-web.hortorgames.com scripts/tga.js:18 File Tree
2 files · 16.3 KB · 431 lines JavaScript 1f · 372L
Markdown 1f · 59L
├─
▾
scripts
│ └─
tga.js
JavaScript
└─
SKILL.md
Markdown
Security Positives
✓ All functionality fully documented in SKILL.md
✓ Uses only Node.js built-in modules (fs, path, https) - no external dependencies
✓ No base64 encoded payloads or obfuscated code
✓ HTTPS-only communication with verified domain tga-web.hortorgames.com
✓ Credentials read only from local .env file, not exfiltrated
✓ Token stored locally in .tga-token, not transmitted to third parties
✓ No subprocess spawning, no shell command injection vectors
✓ Proper error handling with informative messages
✓ Supports task resumption with --task-id flag for reliability