Trusted, risk score 5/100
Last scanned: 2 days ago
tga-analyze
TGA gaming analytics data retrieval and analysis tool
Legitimate TGA gaming analytics data retrieval tool with fully documented behavior and no malicious indicators.
Skill name: tga-analyze
Analysis time: 44.8s
Engine: pi
Safe to install
This skill is safe to use. No security concerns identified.

Security findings: 2

Severity | Finding | Location
Info
Pre-scan false positive on IP address
The pre-scan flagged '145.0.0.0' as a hardcoded IP at scripts/tga.js:33. This is actually 'Chrome/145.0.0.0' - a browser version identifier in the User-Agent header, not an IP address.
'Chrome/145.0.0.0'
→ No action needed. This is a legitimate browser User-Agent string.
scripts/tga.js:33
Low
Broad node script path in documentation
SKILL.md references ~/.agents/skills/tga-analyze/scripts/tga.js which is a generic installation path. While documented, this broad path declaration is non-standard.
node ~/.agents/skills/tga-analyze/scripts/tga.js
→ Consider using relative paths or a more specific installation path in documentation.
SKILL.md:16
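Resource type | Declared permissions | Inferred permissions | Status | Evidence
Filesystem | READ,WRITE | READ,WRITE | ✓ Consistent | SKILL.md: Reads .env and writes .tga-token, downloads to filesystem
Network access | WRITE | WRITE | ✓ Consistent | SKILL.md: Login and download API calls to tga-web.hortorgames.com
Command execution | WRITE | WRITE | ✓ Consistent | SKILL.md: node command execution for tga.js scripts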
1 high severity, 3 findings
High: IP address (hardcoded IP address)
145.0.0.0
scripts/tga.js:33
Medium: External URL
https://tga-web.hortorgames.com/#/panel/panel/377_5851
SKILL.md:21
Medium: External URL
https://tga-web.hortorgames.com
scripts/tga.js:18

Directory structure

2 files · 16.3 KB · 431 lines
JavaScript: 1 file · 372 lines; Markdown: 1 file · 59 lines
├─ 📁 scripts
│ └─ 📜 tga.js JavaScript 372L · 12.3 KB
└─ 📝 SKILL.md Markdown 59L · 4.0 KB

Security highlights

✓ All functionality fully documented in SKILL.md
✓ Uses only Node.js built-in modules (fs, path, https) - no external dependencies
✓ No base64 encoded payloads or obfuscated code
✓ HTTPS-only communication with verified domain tga-web.hortorgames.com
✓ Credentials read only from local .env file, not exfiltrated
✓ Token stored locally in .tga-token, not transmitted to third parties
✓ No subprocess spawning, no shell command injection vectors
✓ Proper error handling with informative messages
✓ Supports task resumption with --task-id flag for reliability