Scan Report
5/100
super-train
Intelligent train ticket transfer plan recommendation assistant
A well-documented train ticket query assistant that exclusively relies on the flyai CLI for execution, with no executable code, no credential access, and comprehensive shell injection prevention documented in SKILL.md.
OK to install
No security concerns identified. The skill is safe to use as documented.
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | READ | WRITE | ✓ Consistent | SKILL.md:170-200 - describes reading preferences.json and appending to history.j… |
| Command execution | WRITE | WRITE | ✓ Consistent | SKILL.md:70-90 - documents flyai search-train command execution |
Directory structure
4 files · 16.8 KB · 402 lines (Markdown 2f · 386L; JSON 2f · 16L)
├─ assets
│ ├─ history.json (JSON)
│ └─ preferences.json (JSON)
├─ references
│ └─ flyai-cli-reference.md (Markdown)
└─ SKILL.md (Markdown)
Dependency analysis: 1 item
| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| @fly-ai/flyai-cli | * | npm | No | External CLI tool, version not pinned in documentation |
Security highlights
✓ Comprehensive shell injection prevention documented with explicit character blocklists
✓ File path access strictly constrained to assets/ directory
✓ All behavior clearly declared in SKILL.md with no hidden functionality
✓ Input validation rules explicitly defined with max lengths and allowed character sets
✓ No credential, SSH, AWS, or environment variable access
✓ No network requests made by the skill itself (delegates to external CLI)
✓ Well-structured JSON validation for user preferences
✓ No base64, obfuscation, or suspicious code patterns detected