Low risk: risk score 10/100
Last scan: 1 day ago
coze-web-fetch
Fetch and extract content from URLs using coze-coding-dev-sdk. Supports web pages, PDF, Office documents, and various other formats.
A legitimate web fetching utility that uses the coze-coding-dev-sdk to extract content from URLs with no malicious behavior detected.
Skill name: coze-web-fetch
Analysis time: 22.4s
Engine: pi
Safe to install
This skill is safe to use. No security concerns identified. The npx/ts-node execution is declared in SKILL.md metadata.

Security findings: 1

Severity | Finding | Location
Low | External SDK dependency without version pinning | Supply chain
The script imports coze-coding-dev-sdk without specifying a version constraint in package.json or requirements.txt. This could lead to unexpected behavior if the SDK is updated.
Evidence (scripts/fetch.ts:1):
import { FetchClient, Config, APIError } from "coze-coding-dev-sdk";
→ Create a package.json with pinned dependency version: "coze-coding-dev-sdk": "^1.0.0"
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | NONE | READ | ✓ Consistent | Script reads no local files; uses stdin/stdout for I/O
Network access | READ | READ | ✓ Consistent | SKILL.md declares web fetching; script uses FetchClient from coze-coding-dev-sdk
Command execution | WRITE | NONE | ✓ Consistent | npx ts-node is used via Bash but only for execution; no direct shell commands in…
Environment variables | NONE | NONE | | Config class instantiated without credentials
External URL findings: 1
Severity | Type | URL | Location
Medium | External URL | https://www.coze.com | SKILL.md:4

Directory structure

2 files · 9.0 KB · 351 lines
TypeScript: 1 file · 219 lines; Markdown: 1 file · 132 lines
├─ 📁 scripts
│ └─ 📜 fetch.ts TypeScript 219L · 5.4 KB
└─ 📝 SKILL.md Markdown 132L · 3.5 KB

Dependency analysis: 1 item

Package | Version | Source | Known vulnerabilities | Notes
coze-coding-dev-sdk | unspecified | npm | | No package.json found; SDK version not pinned

Security highlights

✓ No credential harvesting or environment variable access
✓ No shell command injection vectors detected
✓ No sensitive file access (~/.ssh, ~/.aws, .env)
✓ No base64 encoding or obfuscation techniques
✓ No data exfiltration or C2 communication
✓ No persistence mechanisms (cron, startup hooks)
✓ Documentation accurately reflects functionality
✓ Clean, straightforward URL fetching implementation