Scan Report
15/100
shaper
Connect to a Shaper (useshaper.com) workspace via MCP to execute Shape Up methodology as an AI agent.
This is a documentation-only skill that provides curl commands for interacting with a legitimate project management service (Shaper/useshaper.com) via MCP. No executable scripts or code files exist. Network access is declared and necessary for the stated functionality.
OK to install
The skill is safe to use as documented. Monitor for any attempts to use the agent_register capability in unexpected ways, as it allows autonomous workspace creation without authentication.
Security findings: 1
| Severity | Finding | Location |
|---|---|---|
| Low | agent_register allows unauthenticated workspace creation (documentation deception) | SKILL.md:82 |

| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Network access | READ | READ | ✓ Consistent | SKILL.md:39 - POST to useshaper.com/mcp |
| Environment variables | READ | READ | ✓ Consistent | SKILL.md:18-19 - reads SHAPER_API_KEY and SHAPER_WORKSPACE_SLUG |
| File system | NONE | NONE | — | No file operations in the skill |
| Command execution | NONE | NONE | — | No shell scripting - only curl command examples in docs |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser automation |
| Database | NONE | NONE | — | No database access |
| Skill invocation | NONE | NONE | — | No cross-skill invocation |
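3 findings
| Severity | Finding | URL | Location |
|---|---|---|---|
| Medium | External URL | https://useshaper.com/ | SKILL.md:16 |
| Medium | External URL | https://useshaper.com/mcp | SKILL.md:39 |
| Medium | External URL | https://useshaper.com/.well-known/mcp.json | SKILL.md:88 |

Directory structure
2 files · 5.7 KB · 219 lines (Markdown: 2 files · 219 lines)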
├─ references
│  └─ tools.md (Markdown)
└─ SKILL.md (Markdown)
Security highlights
✓ No executable code or scripts - pure documentation
✓ Network access is fully declared and matches stated purpose
✓ API key handling via environment variables is appropriate
✓ No obfuscation or suspicious patterns
✓ No sensitive file access (no ~/.ssh, ~/.aws, .env reads)
✓ No base64-encoded payloads or dynamic code execution
✓ No credential harvesting beyond the single declared API key
✓ All functionality aligns with documented project management use case