中文 EN

扫描报告

扫描新文件

可疑 — 风险评分 40/100
上次扫描:1 天前 重新扫描
40 /100
likes-training-planner
Complete training plan solution for My Likes platform. Fetches historical data, analyzes training patterns, generates personalized plans, converts to Likes format, and pushes to calendar.
Legitimate training platform skill with documented but dangerous curl|bash installation pattern that creates supply chain risk. Core functionality is benign with no active malicious behavior detected.
技能名称likes-training-planner
分析耗时61.1s
引擎pi
谨慎使用
Replace curl|bash installation with manual download/extract or signed package verification. The current install.sh is benign but the pattern allows remote code injection if repositories are compromised.

攻击链 3 步

提权 User executes curl|bash installation from documentation
README.md:37
提权 Remote install.sh script executes with user privileges
install.sh:1
提权 Malicious install.sh could be served if repository is compromised, executing arbitrary code
install.sh

安全发现 2 项

严重性 安全发现 位置
中危
Dangerous curl|bash installation pattern 供应链
SKILL.md and README files recommend 'curl -fsSL <url> | bash' for installation. This pattern allows the remote server to execute arbitrary code on the user's machine. While the current install.sh is benign, the repository could be compromised to serve malicious code.
curl -fsSL https://gitee.com/chenyinshu/likes-training-planner/raw/main/install.sh | bash
→ Replace with manual download instructions or use signed package verification. Consider providing SHA256 checksums for verification.
 README.md:37
中危
Multiple remote installation sources 供应链
Skill provides installation instructions from both Gitee and GitHub. Both sources are third-party and could be independently compromised.
curl -fsSL https://raw.githubusercontent.com/chenwynn/likes-training-planner/main/install.sh | bash
→ Use a single trusted source with integrity verification.
 likes-training-planner/SKILL.md:297
资源类型声明权限推断权限状态证据
文件系统 WRITE WRITE ✓ 一致 SKILL.md declares node scripts that write config/output files to ~/.openclaw/
网络访问 READ READ ✓ 一致 SKILL.md declares LIKES_API_KEY requirement; scripts make HTTPS API calls to my.…
命令执行 WRITE WRITE ✓ 一致 SKILL.md documents node script execution (node scripts/*.cjs)
环境变量 READ READ ✓ 一致 Scripts read LIKES_API_KEY from process.env only - legitimate use
2 严重 9 项发现
💀
严重 危险命令 危险 Shell 命令
curl -fsSL https://gitee.com/chenyinshu/likes-training-planner/raw/main/install.sh | bash
README.en.md:35
💀
严重 危险命令 危险 Shell 命令
curl -fsSL https://raw.githubusercontent.com/chenwynn/likes-training-planner/main/install.sh | bash
likes-training-planner/SKILL.md:297
🔗
中危 外部 URL 外部 URL
https://gitee.com/chenyinshu/likes-training-planner/raw/main/install.sh
README.en.md:35
🔗
中危 外部 URL 外部 URL
https://gitee.com/chenyinshu/likes-training-planner/releases/latest/download/likes-training-planner.skill
README.en.md:43
🔗
中危 外部 URL 外部 URL
http://127.0.0.1:18789
README.en.md:56
🔗
中危 外部 URL 外部 URL
https://my.likes.com.cn
README.en.md:63
🔗
中危 外部 URL 外部 URL
https://gitee.com/chenyinshu/likes-training-planner
README.en.md:276
🔗
中危 外部 URL 外部 URL
https://gitee.com/chenyinshu/likes-training-planner/releases
README.en.md:277
🔗
中危 外部 URL 外部 URL
https://my.likes.com.cn/api/open
likes-training-planner/references/api-docs.md:8

目录结构

45 文件 · 248.8 KB · 9197 行
JavaScript 31f · 5646L Markdown 11f · 3401L Shell 3f · 150L
├─ 📁 likes-training-planner
│ ├─ 📁 references
│ │ ├─ 📝 api-docs.md Markdown 484L · 11.8 KB
│ │ ├─ 📝 code-format.md Markdown 207L · 4.2 KB
│ │ └─ 📝 sport-examples.md Markdown 268L · 6.5 KB
│ ├─ 📁 scripts
│ │ ├─ 📜 add_feedback_comment.cjs JavaScript 190L · 5.3 KB
│ │ ├─ 📜 analyze_data.cjs JavaScript 162L · 4.5 KB
│ │ ├─ 📜 bot-config.cjs JavaScript 209L · 5.0 KB
│ │ ├─ 📜 bot-router.js JavaScript 52L · 2.0 KB
│ │ ├─ 📜 configure.cjs JavaScript 89L · 2.2 KB
│ │ ├─ 📜 fetch_ability.cjs JavaScript 240L · 8.0 KB
│ │ ├─ 📜 fetch_activities.cjs JavaScript 287L · 8.4 KB
│ │ ├─ 📜 fetch_feedback.cjs JavaScript 247L · 7.1 KB
│ │ ├─ 📜 fetch_game.cjs JavaScript 193L · 5.2 KB
│ │ ├─ 📜 fetch_games.cjs JavaScript 175L · 4.7 KB
│ │ ├─ 📜 fetch_plans.cjs JavaScript 179L · 4.6 KB
│ │ ├─ 📜 get_activity_detail.cjs JavaScript 202L · 5.8 KB
│ │ ├─ 📜 preview_plan.cjs JavaScript 204L · 5.5 KB
│ │ ├─ 📜 push_plans.cjs JavaScript 321L · 10.4 KB
│ │ ├─ 📜 push_plans.js JavaScript 128L · 3.3 KB
│ │ ├─ 🔧 push_plans.sh Shell 18L · 529 B
│ │ └─ 📜 set-config.cjs JavaScript 65L · 1.6 KB
│ └─ 📝 SKILL.md Markdown 298L · 8.0 KB
├─ 📁 references
│ ├─ 📝 api-docs.md Markdown 416L · 9.8 KB
│ ├─ 📝 code-format.md Markdown 207L · 4.2 KB
│ └─ 📝 sport-examples.md Markdown 268L · 6.5 KB
├─ 📁 scripts
│ ├─ 📜 add_feedback_comment.cjs JavaScript 190L · 5.3 KB
│ ├─ 📜 analyze_data.cjs JavaScript 162L · 4.5 KB
│ ├─ 📜 bot-config.cjs JavaScript 209L · 5.0 KB
│ ├─ 📜 bot-router.js JavaScript 52L · 2.0 KB
│ ├─ 📜 configure.cjs JavaScript 89L · 2.2 KB
│ ├─ 📜 fetch_activities.cjs JavaScript 287L · 8.4 KB
│ ├─ 📜 fetch_feedback.cjs JavaScript 247L · 7.1 KB
│ ├─ 📜 fetch_game.cjs JavaScript 193L · 5.2 KB
│ ├─ 📜 fetch_games.cjs JavaScript 175L · 4.7 KB
│ ├─ 📜 fetch_plans.cjs JavaScript 179L · 4.6 KB
│ ├─ 📜 get_activity_detail.cjs JavaScript 202L · 5.8 KB
│ ├─ 📜 preview_plan.cjs JavaScript 204L · 5.5 KB
│ ├─ 📜 push_plans.cjs JavaScript 321L · 10.4 KB
│ ├─ 📜 push_plans.js JavaScript 128L · 3.3 KB
│ ├─ 🔧 push_plans.sh Shell 18L · 529 B
│ └─ 📜 set-config.cjs JavaScript 65L · 1.6 KB
├─ 🔧 install.sh Shell 114L · 3.6 KB
├─ 📝 README.en.md Markdown 314L · 8.7 KB
├─ 📝 README.md Markdown 316L · 8.4 KB
├─ 📝 README.zh.md Markdown 314L · 8.4 KB
└─ 📝 SKILL.md Markdown 309L · 8.4 KB

安全亮点

✓ Core scripts (fetch_activities, push_plans, analyze_data) are well-written and legitimate
✓ API calls use HTTPS to known endpoint (my.likes.com.cn)
✓ No credential harvesting - only accesses LIKES_API_KEY for the training platform
✓ No base64 encoding, obfuscation, or eval() patterns found
✓ No access to ~/.ssh, ~/.aws, or other sensitive credential paths
✓ No data exfiltration to unknown IPs
✓ No reverse shell or RCE capabilities
✓ Configuration properly scoped to skill-specific file (~/.openclaw/likes-training-planner.json)