Low risk: risk score 15/100
Last scanned: 1 day ago
paper-reading
Read academic papers from local PDF files, arXiv URLs, or paper titles and generate structured reading notes in Chinese.
A legitimate academic paper reading skill with minor documentation flaws (hardcoded user paths, unversioned dependency) but no security violations.
Skill name: paper-reading
Analysis time: 41.1s
Engine: pi
Verdict: can be installed
Update hardcoded paths in SKILL.md to use relative paths or environment variables. Pin pdfplumber version to ensure reproducibility.

Security findings: 3

Severity | Finding | Location

Low: Hardcoded user-specific paths in SKILL.md [Documentation deception]
SKILL.md contains hardcoded paths with /Users/yihe/ which will not work for other users. These should use relative paths or document that users need to customize.
    python /Users/yihe/.config/opencode/skills/paper-reading/scripts/fetch_pdf.py
→ Replace hardcoded paths with relative paths or document path customization.
Location: SKILL.md:17

Low: Unversioned dependency [Supply chain]
pip install pdfplumber has no version constraint. This could lead to unexpected behavior if a breaking change is released.
    pip install pdfplumber  # if not already installed
→ Pin to a specific version: pip install pdfplumber==0.11.0
Location: SKILL.md:23

Info: HTTP endpoint for arXiv API [Documentation deception]
The script uses http://export.arxiv.org/api/query instead of HTTPS. While arXiv is a legitimate academic resource, HTTPS would be more secure.
    ARXIV_API = "http://export.arxiv.org/api/query"
→ Consider using HTTPS: https://export.arxiv.org/api/query
Location: scripts/fetch_pdf.py:25
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | READ | READ | ✓ Consistent | SKILL.md:17 - Validates local PDF existence
Network access | READ | READ | ✓ Consistent | scripts/fetch_pdf.py:25 - Downloads PDFs from arXiv.org
Command execution | WRITE | WRITE | ✓ Consistent | SKILL.md:23 - Executes python scripts for PDF extraction
Environment variables | NONE | NONE | | No environment variable access found
External URLs: 6 findings

Severity | Type | URL | Location
Medium | External URL | https://cdn.nlark.com/yuque/0/2026/png/57569306/1767535158747-34ab19e4-bec9-4f80-bb38-e36d876b77d9.png | references/mHC.md:30
Medium | External URL | https://cdn.nlark.com/yuque/0/2026/png/57569306/1767535744001-6619f6a6-10a5-4434-afe2-da36ff2d58af.png | references/mHC.md:304
Medium | External URL | http://export.arxiv.org/api/query | scripts/fetch_pdf.py:25
Medium | External URL | https://arxiv.org/pdf/ | scripts/fetch_pdf.py:40
Medium | External URL | http://www.w3.org/2005/Atom | scripts/fetch_pdf.py:62
Medium | External URL | http://arxiv.org/schemas/atom | scripts/fetch_pdf.py:62

Directory structure

5 files · 24.9 KB · 672 lines
Markdown: 3 files · 455 lines; Python: 2 files · 217 lines
├─ 📁 references
│ ├─ 📝 mHC.md Markdown 323L · 13.6 KB
│ └─ 📝 note-template.md Markdown 50L · 1.7 KB
├─ 📁 scripts
│ ├─ 🐍 fetch_pdf.py Python 141L · 4.2 KB
│ └─ 🐍 read_pdf.py Python 76L · 2.4 KB
└─ 📝 SKILL.md Markdown 82L · 3.0 KB

Dependency analysis: 1 item

Package | Version | Source | Known vulnerabilities | Notes
pdfplumber | * | pip | | Version not pinned

Security highlights

✓ No credential theft or harvesting detected
✓ No data exfiltration to external servers
✓ No obfuscation techniques (base64, eval, exec) found
✓ No subprocess abuse or shell command injection vectors
✓ Code is readable and straightforward with clear purpose
✓ Network access is limited to legitimate arXiv paper downloads
✓ No sensitive file access (no ~/.ssh, ~/.aws, .env access)
✓ No persistence mechanisms or backdoors
✓ No prompt injection attempts