Scan report
10 / 100
flyai-companion-match
Travel companion match recommendation assistant: filters destination attractions according to the traits of the people travelling together (elderly relatives, children, close friends, etc.). It calls FlyAI to fetch attraction data, filters the results automatically against the companion profile, and recommends attractions and activities suitable for everyone in the group.
This is a pure-documentation travel companion matching skill that provides prompt instructions for AI agents, with no executable code. All shell execution, filesystem access, and network behavior are explicitly documented and tied directly to the declared FlyAI CLI tool.
Verdict: can be installed
Approve for use. All resource usage is documented, relevant, and necessary for the skill's stated purpose. Before deploying in production, pin the @fly-ai/flyai-cli npm package to an exact version rather than @latest to limit supply-chain risk, and drop the NODE_TLS_REJECT_UNAUTHORIZED=0 setting noted at SKILL.md:93: it disables TLS certificate verification for the flyai CLI process, so any traffic the CLI sends can be intercepted by a man-in-the-middle.
Security findings (2)
| Severity | Finding | Category | Location |
|---|---|---|---|
| Low | Unpinned npm package version (@latest) | Supply chain | SKILL.md:75 |
| Low | TLS certificate verification disabled for the flyai CLI (NODE_TLS_REJECT_UNAUTHORIZED=0) | Documentation deception | SKILL.md:93 |
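Both findings are the kind of thing a reviewer can catch mechanically before approving a documentation-only skill. The following check is added here as an editor's example (it is not part of the scanner output or of the skill itself): it walks a SKILL.md and flags any npm install whose package spec is not pinned to an exact version, and any command line that sets NODE_TLS_REJECT_UNAUTHORIZED=0. The Markdown excerpt in the block is constructed for the example; the real SKILL.md lines 75 and 93 are not reproduced.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed SKILL.md excerpt for this example (not the real file; its line
# numbers are only meaningful for this sample).
SAMPLE_SKILL_MD = """\
## Prerequisites
npm install -g @fly-ai/flyai-cli@latest
mkdir -p ~/.flyai
NODE_TLS_REJECT_UNAUTHORIZED=0 flyai search-poi --city Hangzhou
export NODE_TLS_REJECT_UNAUTHORIZED=0
npm install -g some-tool@1.4.2
"""


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line number in the scanned text
    rule: str      # machine-readable rule id
    detail: str    # the offending token or line


# "npm install", "npm i" or "npm add" followed by its arguments
NPM_INSTALL = re.compile(r"\bnpm\s+(?:install|i|add)\b(?P<args>.*)")
# A package spec: optional scope, name, optional @version (tag, range or exact)
PKG_SPEC = re.compile(r"^(?P<name>@?[\w./-]+?)(?:@(?P<ver>\S+))?$")
# Exact semver, optionally with a prerelease/build suffix
EXACT_SEMVER = re.compile(r"^\d+\.\d+\.\d+(?:[-+][\w.]+)?$")
# Node honours this variable; "0" turns off certificate verification globally
TLS_OFF = re.compile(r"NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*['\"]?0['\"]?")


def is_pinned(version: Optional[str]) -> bool:
    """Only an exact semver counts as pinned; tags (latest, next) and
    ranges (^1.2.3, ~1.2.3, *) still resolve at install time."""
    return version is not None and EXACT_SEMVER.match(version) is not None


def scan_skill_markdown(text: str) -> list:
    """Return Findings for unpinned npm installs and disabled TLS checks."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if TLS_OFF.search(line):
            findings.append(Finding(lineno, "tls-verification-disabled", line.strip()))
        m = NPM_INSTALL.search(line)
        if not m:
            continue
        for token in m.group("args").split():
            if token.startswith("-"):
                continue  # flags such as -g or --save-dev are not packages
            spec = PKG_SPEC.match(token)
            if spec and not is_pinned(spec.group("ver")):
                findings.append(Finding(lineno, "unpinned-npm-package", token))
    return findings


if __name__ == "__main__":
    for f in scan_skill_markdown(SAMPLE_SKILL_MD):
        print(f"line {f.line}: {f.rule}: {f.detail}")
```

Run against the sample, the check reports the @latest install on line 2 and both forms of the TLS override (inline prefix and export) on lines 4 and 5, while the exactly pinned install on line 6 is silent. Treating ranges like ^1.4.2 as unpinned is deliberate: anything that is resolved at install time rather than fixed in the document carries the same supply-chain exposure the report describes.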
Resource permissions
| Resource type | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ,WRITE | READ,WRITE | ✓ Consistent | SKILL.md (mkdir ~/.flyai, cat/read_file ~/.flyai/user-profile.md, write user pro… |
| Command execution | WRITE | WRITE | ✓ Consistent | SKILL.md "Prerequisites": npm install -g @fly-ai/flyai-cli@latest, flyai search-poi, flya… |
| Network access | NONE | NONE | — | No direct HTTP requests; network traffic only occurs transitively through the fl… |
| Environment variables | NONE | NONE | — | No iteration over os.environ; NODE_TLS_REJECT_UNAUTHORIZED is an ad-hoc env var … |
| Skill invocation | READ | READ | ✓ Consistent | SKILL.md describes read order: search_memory → read_file as fallback; no undecla… |
| Clipboard | NONE | NONE | — | Not referenced anywhere in the skill |
| Browser | NONE | NONE | — | Not referenced; URLs in output (jumpUrl fields) are informational only |
| Database | NONE | NONE | — | No database access; Qoder Memory (search_memory/update_memory) is not a database… |
External URLs (3 findings)
| Severity | Category | URL | Location |
|---|---|---|---|
| Medium | External URL | https://nodejs.org/ | SKILL.md:124 |
| Medium | External URL | https://img.alicdn.com/... | reference/search-hotel.md:44 |
| Medium | External URL | https://img.alicdn.com/tfscom/... | reference/search-poi.md:32 |
Directory structure
12 files · 29.9 KB · 981 lines (Markdown: 12 files, 981 lines)
├─ reference/
│  ├─ ai-search.md (Markdown)
│  ├─ examples.md (Markdown)
│  ├─ keyword-search.md (Markdown)
│  ├─ search-flight.md (Markdown)
│  ├─ search-hotel.md (Markdown)
│  ├─ search-marriott-hotel.md (Markdown)
│  ├─ search-marriott-package.md (Markdown)
│  ├─ search-poi.md (Markdown)
│  ├─ search-train.md (Markdown)
│  ├─ tools.md (Markdown)
│  └─ user-profile-storage.md (Markdown)
└─ SKILL.md (Markdown)
Dependency analysis (1)
| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| @fly-ai/flyai-cli | @latest (unpinned) | npm | No | Version not pinned; resolves to whatever is latest at install time |
Security highlights
✓ No executable scripts or code — skill is 100% Markdown documentation
✓ All shell commands are explicitly declared and directly tied to the core FlyAI CLI functionality
✓ Filesystem access is scoped to a single user-specific path (~/.flyai/user-profile.md) with clear purpose
✓ No credential harvesting, API key scanning, or environment variable enumeration
✓ No obfuscation, base64 payloads, or hidden instructions in HTML comments
✓ No supply-chain indicators beyond the unpinned @latest npm tag (minor)
✓ User profile storage is fully documented with a legitimate dual-mode fallback pattern
✓ No C2 communication, reverse shells, or data exfiltration behavior
✓ No sensitive paths (~/.ssh, ~/.aws, .env) are accessed
✓ Skill name and branding are consistent with documented functionality — no masquerading