Scan Report
10 /100
coze-web-fetch
Fetch and extract content from URLs using coze-coding-dev-sdk. Supports web pages, PDF, Office documents, and various other formats.
A legitimate web fetching utility that uses the coze-coding-dev-sdk to extract content from URLs with no malicious behavior detected.
Safe to install
This skill is safe to use. No security concerns identified. The npx/ts-node execution is declared in SKILL.md metadata.
Findings 1 items
| Severity | Finding | Location |
|---|---|---|
| Low | External SDK dependency without version pinning Supply Chain | scripts/fetch.ts:1 |
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | READ | ✓ Aligned | Script reads no local files; uses stdin/stdout for I/O |
| Network | READ | READ | ✓ Aligned | SKILL.md declares web fetching; script uses FetchClient from coze-coding-dev-sdk |
| Shell | WRITE | NONE | ✓ Aligned | npx ts-node is used via Bash but only for execution; no direct shell commands in… |
| Environment | NONE | NONE | — | Config class instantiated without credentials |
1 findings
Medium External URL 外部 URL
https://www.coze.com SKILL.md:4 File Tree
2 files · 9.0 KB · 351 lines TypeScript 1f · 219L
Markdown 1f · 132L
├─
▾
scripts
│ └─
fetch.ts
TypeScript
└─
SKILL.md
Markdown
Dependencies 1 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
coze-coding-dev-sdk | unspecified | npm | No | No package.json found; SDK version not pinned |
Security Positives
✓ No credential harvesting or environment variable access
✓ No shell command injection vectors detected
✓ No sensitive file access (~/.ssh, ~/.aws, .env)
✓ No base64 encoding or obfuscation techniques
✓ No data exfiltration or C2 communication
✓ No persistence mechanisms (cron, startup hooks)
✓ Documentation accurately reflects functionality
✓ Clean, straightforward URL fetching implementation