Low risk: risk score 10/100
Last scan: 2 days ago
get-my-location
Get current IP geolocation with 3-tier fallback (freegeoip.app → api.ipbase.com → ip-api.com). No API key required.
A straightforward IP geolocation tool that queries three public APIs (freegeoip.app, ipbase, ip-api.com) and returns location data; no malicious behavior, credential access, or hidden functionality.
Skill name: get-my-location
Analysis time: 31.5s
Engine: pi
Verdict: can be installed
No action required. Consider removing the hardcoded real IP address (222.89.92.62) from SKILL.md examples to avoid inadvertently disclosing a specific user's IP.

Security findings: 2

Severity | Finding | Location

Finding 1: Low severity (category: documentation deception)
Location: SKILL.md:50
Hardcoded real IP address in documentation example. SKILL.md line 50 shows IP 222.89.92.62 with city-level precision (Xinxiang, Henan) as the example output. This appears to be a real user's IP address rather than a synthetic example, which could inadvertently expose someone's approximate location in the documentation.
Evidence: IP address: 222.89.92.62
→ Replace the hardcoded IP example with a clearly synthetic/reserved IP (e.g., 203.0.113.1) or a well-known public DNS server IP to avoid real-user data exposure in docs.

Finding 2: Low severity (category: sensitive access)
Location: scripts/location.py:87
HTTP (non-TLS) endpoint in fallback chain. The third fallback source (ip-api.com) uses http:// instead of https://, meaning the IP address is sent in plaintext over the network.
Evidence: url = "http://ip-api.com/json/"
→ Use https://ip-api.com/json/ instead. The ip-api.com service supports HTTPS, and plaintext HTTP is an unnecessary privacy leak.
Resource type | Declared permission | Inferred permission | Status | Evidence
Network access | READ | READ | ✓ consistent | scripts/location.py:59-99 — HTTP GETs to 3 public geolocation APIs, fully declar…
Command execution | NONE | NONE | | No subprocess/Popen/eval/exec usage found — uses only stdlib urllib
Filesystem | NONE | NONE | | No file open/write operations — purely reads from network
Environment variables | NONE | NONE | | No os.environ iteration or credential access
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | NONE | | No browser automation
Database | NONE | NONE | | No database access
Skill invocation | NONE | NONE | | No skill invocation
Indicators: 2 high severity, 5 findings

Severity | Type | Indicator | Value | Location
High | IP address | Hardcoded IP address | 8.8.8.8 | SKILL.md:27
High | IP address | Hardcoded IP address | 222.89.92.62 | SKILL.md:50
Medium | External URL | External URL | https://freegeoip.app/json/ | scripts/location.py:59
Medium | External URL | External URL | https://api.ipbase.com/v1/json/ | scripts/location.py:73
Medium | External URL | External URL | http://ip-api.com/json/ | scripts/location.py:87

Directory structure

3 files · 8.0 KB · 280 lines
Python: 1 file · 174 lines | Markdown: 1 file · 92 lines | JSON: 1 file · 14 lines
├─ 📁 scripts
│ └─ 🐍 location.py Python 174L · 5.4 KB
├─ 📋 _meta.json JSON 14L · 464 B
└─ 📝 SKILL.md Markdown 92L · 2.1 KB

Dependency analysis: 1 item

Package | Version | Source | Known vulnerabilities | Notes
None (stdlib only) | N/A | stdlib | | No pip/conda packages required — only Python 3.6+ standard library

Security highlights

✓ Uses only Python stdlib (urllib, json, sys) — no external dependencies, no pip install, no supply chain risk
✓ No subprocess, shell execution, eval, or exec calls
✓ No credential harvesting, no environment variable scanning
✓ No obfuscation (base64, rot13, encoded strings, etc.)
✓ Behavior is fully declared in SKILL.md — doc-to-code alignment is strong
✓ All network calls are to well-known public geolocation APIs consistent with the stated purpose
✓ No filesystem writes, no sensitive path access (~/.ssh, ~/.aws, .env, etc.)
✓ No persistence mechanisms (no cron, no startup hooks, no backdoor installation)