This report was generated in Chinese.
Trusted — Risk Score 5/100
fly-flight
Unified query tool for domestic Chinese flights and high-speed rail
A legitimate domestic Chinese travel query tool that scrapes flight and high-speed rail information from public web pages. Its behaviour matches its declaration and it shows no malicious indicators.
Skill Name: fly-flight
Duration: 34.7s
Engine: pi
ClawHub Fly Flight v1.1.1 by baizhexue
📥 274
ClawHub Verdict: Suspicious (tags: dynamic_code_execution, llm_suspicious, vt_suspicious)
Safe to install
Can be used directly

Findings 2 items

Severity Finding Location
Low
subprocess call to an external process  [Priv Escalation]
flight_public_service.py invokes node.exe through subprocess to parse HTML. This is a legitimate web-scraping technique, but it spawns an external process. subprocess.run is called with an argument list rather than shell=True, and the fetched HTML is handed to the child on stdin rather than on the command line, so there is no shell command-injection risk. Two points remain worth knowing: the untrusted HTML is still processed by the local JavaScript parser, and the bare name "node" is resolved from PATH at run time, so the caller's PATH is trusted.
subprocess.run(["node", str(script_path)], input=html, capture_output=True, text=True, check=False)
→ Acceptable, standard technique pattern, within documented scope
scripts/providers/flight_public_service.py:62
Low
Use of ssl._create_unverified_context()  [Supply Chain]
train_public_service.py connects to 12306 with an SSL context that skips certificate verification, a common workaround for sites whose certificate chain does not validate. Note what this gives up: the peer is no longer authenticated, so an on-path attacker could serve forged responses to these requests. It is tolerable here only because the endpoint serves public, read-only ticket data and the scan finds no credential handling. ssl._create_unverified_context is also a private (underscore) API; the supported way to express the same exception is ssl.create_default_context() with check_hostname and verify_mode adjusted, and the narrower fix is to pin the site's certificate chain via cafile so verification stays on.
DEFAULT_SSL_CONTEXT = ssl._create_unverified_context()
→ Known compatibility workaround for the specific 12306 endpoints; acceptable
scripts/providers/train_public_service.py:21
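The first finding rests on the argv-list form of subprocess.run. The following Python is an added example, not code from the fly-flight skill or from this report. It shows why page content passed over stdin to a fixed argument vector cannot become a shell command, contrasts that with the shell=True anti-pattern, and adds the timeout and exit-status checks a practitioner would want around such a call. The interpreter and script names are placeholders, the hostile HTML is constructed for the demo, and the demo substitutes the running Python interpreter for node so it runs without Node installed.

```python
"""Added example (not the skill's code): safe child-process invocation of an
HTML-parsing script, contrasted with shell interpolation of page content."""
import os
import shlex
import shutil
import subprocess
import sys
import tempfile

# Constructed hostile page content: shell metacharacters that would matter only
# if this text were ever interpolated into a shell command line.
HOSTILE_HTML = '<html><body>"; echo INJECTED; #</body></html>'


def argv_for_parser(interpreter: str, script_path: str) -> list:
    """The pattern the report approves: a fixed argv, page content on stdin.

    Nothing fetched from the network appears in the argument vector, so
    quotes, semicolons and $(...) in the HTML are just bytes to the child."""
    return [interpreter, script_path]


def naive_shell_command(interpreter: str, script_path: str, html: str) -> str:
    """Anti-pattern (NOT what the skill does): page content interpolated into a
    string destined for subprocess.run(..., shell=True)."""
    return f'{interpreter} {script_path} "{html}"'


def shell_tokens(command: str) -> list:
    """Tokenise a command string the way a POSIX shell lexer would. shlex is
    not a shell, but it is enough to show the page content breaking out of its
    quoted argument; a real shell would then run `echo INJECTED` as a second
    command."""
    return shlex.split(command, comments=True)


def run_parser(script_path: str, html: str, interpreter=None, timeout: float = 30.0) -> str:
    """Run the parser script with page content on stdin and return its stdout.

    Hardening beyond the report's one-liner: the interpreter is resolved
    explicitly, a timeout bounds the child, and a non-zero exit is an error
    rather than silently empty output."""
    interp = interpreter or shutil.which("node")
    if interp is None:
        raise FileNotFoundError("node interpreter not found on PATH")
    proc = subprocess.run(
        argv_for_parser(interp, script_path),
        input=html,
        capture_output=True,
        text=True,
        check=False,
        timeout=timeout,
    )
    if proc.returncode != 0:
        raise RuntimeError(f"parser exited {proc.returncode}: {proc.stderr.strip()}")
    return proc.stdout


def demo() -> str:
    """Offline demonstration: a stand-in parser (a two-line Python script that
    prints the length of its stdin) is run through run_parser with the hostile
    HTML. If the digits it prints equal len(HOSTILE_HTML), every metacharacter
    reached the child as plain data."""
    with tempfile.NamedTemporaryFile("w", suffix=".py", delete=False) as f:
        f.write("import sys\nprint(len(sys.stdin.read()))\n")
        stand_in = f.name
    try:
        return run_parser(stand_in, HOSTILE_HTML, interpreter=sys.executable).strip()
    finally:
        os.unlink(stand_in)


if __name__ == "__main__":
    print("argv form:", argv_for_parser("node", "extract_tongcheng_state.js"))
    print("naive shell form tokenises to:",
          shell_tokens(naive_shell_command("node", "extract_tongcheng_state.js", HOSTILE_HTML)))
    print("stand-in parser saw", demo(), "characters of HTML")
```

The timeout matters more than it looks: a parser fed a pathological page can hang, and the report's call has no bound on the child. check=False is kept so the caller decides what a failure means, but the exit status is inspected rather than ignored.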
Resource    Declared  Inferred  Status     Evidence
Network     READ      READ      ✓ Aligned  Only accesses public endpoints on www.ly.com and kyfw.12306.cn; declared in SKILL.md
Shell       NONE      READ      ✓ Aligned  flight_public_service.py:62 invokes node.exe via subprocess without shell=True; the command is fixed to a local JS script
Filesystem  READ      READ      ✓ Aligned  Only reads local JSON config files and command-line argument files
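The second finding above accepts a process-wide unverified SSL context for the 12306 endpoints. The following Python is an added example, not code from the fly-flight skill or from this report. It shows how to confine that exception to the one declared host, prefer a pinned CA bundle when the operator supplies one, refuse plain-http and undeclared hosts, and express the exception through the public ssl API rather than ssl._create_unverified_context(). The host allowlists and helper names are this example's own assumptions; the declared hosts are taken from the Network row of the resource table.

```python
"""Added example (not the skill's code): scope the TLS-verification exception
to one declared host instead of a process-wide unverified context."""
import ssl
from urllib.parse import urlsplit

# Hosts the report says SKILL.md declares as the only network targets.
DECLARED_HOSTS = frozenset({"www.ly.com", "kyfw.12306.cn"})

# Hosts for which the operator has consciously accepted unverified TLS.
# Assumption for this example: only the 12306 host the finding names.
UNVERIFIED_OK = frozenset({"kyfw.12306.cn"})


def context_for(url: str, *, cafile=None, unverified_ok=UNVERIFIED_OK) -> ssl.SSLContext:
    """Return the SSLContext to use for `url`.

    Order of preference:
      1. a pinned CA bundle (`cafile`) for the site: verification stays on;
      2. the system trust store (ssl.create_default_context());
      3. verification disabled, but only for an allowlisted host, and via the
         public API rather than the private ssl._create_unverified_context().
    Plain http and undeclared hosts are refused outright."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"refusing non-TLS URL: {url}")
    host = parts.hostname
    if host not in DECLARED_HOSTS:
        raise ValueError(f"host not declared in SKILL.md: {host}")
    if cafile is not None:
        # Pinning the site's own chain keeps hostname and chain checks active
        # even when the public roots do not validate it.
        return ssl.create_default_context(cafile=cafile)
    ctx = ssl.create_default_context()
    if host in unverified_ok:
        # Same effect as ssl._create_unverified_context(), but explicit and
        # confined to this one host. An on-path attacker can still impersonate
        # it, so this is tolerable only for public, read-only data.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True when the context would reject an untrusted or mismatched cert."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def rejects(url: str) -> bool:
    """True when context_for refuses to produce any context for `url`."""
    try:
        context_for(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for u in ("https://www.ly.com/flights/",
              "https://kyfw.12306.cn/otn/leftTicket/queryG"):
        print(u, "verifies peer:", verifies_peer(context_for(u)))
    print("plain http rejected:", rejects("http://kyfw.12306.cn/otn/leftTicket/queryG"))
```

With this shape, a reviewer can see from one allowlist exactly which traffic is unauthenticated, and the operator can close the gap without touching code by pointing cafile at the 12306 chain.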
External URLs 8 items

Severity Finding Location
Medium  External URL  https://www.ly.com/flights/  (README.md:78)
Medium  External URL  https://kyfw.12306.cn/  (README.md:83)
Medium  External URL  https://www.ly.com/flights/itinerary/oneway/  (references/provider-public-web.md:6)
Medium  External URL  https://www.ly.com/flights/itinerary/oneway/BJS-SHA?date=2026-03-20  (references/provider-public-web.md:7)
Medium  External URL  https://kyfw.12306.cn/otn/resources/js/framework/station_name.js?station_version=1.9367  (scripts/providers/train_public_service.py:20)
Medium  External URL  https://kyfw.12306.cn/otn/leftTicket/queryG  (scripts/providers/train_public_service.py:21)
Medium  External URL  https://kyfw.12306.cn/otn/leftTicket/init?linktypeid=dc  (scripts/providers/train_public_service.py:22)
Medium  External URL  https://kyfw.12306.cn/otn/leftTicketPrice/queryAllPublicPrice  (scripts/providers/train_public_service.py:23)

File Tree

17 files · 70.4 KB · 2063 lines
Python 6f · 1275L JSON 6f · 378L Markdown 3f · 377L JavaScript 1f · 29L YAML 1f · 4L
├─ 📁 agents
│ └─ 📋 openai.yaml YAML 4L · 328 B
├─ 📁 assets
│ ├─ 📁 data
│ │ ├─ 📋 airport_aliases.json JSON 74L · 2.0 KB
│ │ └─ 📋 domestic_city_codes.json JSON 160L · 3.4 KB
│ ├─ 📋 sample-provider-response.json JSON 45L · 1.2 KB
│ ├─ 📋 sample-public-state.json JSON 45L · 1.3 KB
│ ├─ 📋 sample-train-price.json JSON 38L · 970 B
│ └─ 📋 sample-train-query.json JSON 16L · 513 B
├─ 📁 references
│ └─ 📝 provider-public-web.md Markdown 22L · 829 B
├─ 📁 scripts
│ ├─ 📁 providers
│ │ ├─ 🐍 __init__.py Python 1L · 62 B
│ │ ├─ 🐍 flight_public_service.py Python 353L · 12.1 KB
│ │ └─ 🐍 train_public_service.py Python 503L · 17.1 KB
│ ├─ 🐍 domestic_flight_public_service.py Python 96L · 4.3 KB
│ ├─ 📜 extract_tongcheng_state.js JavaScript 29L · 721 B
│ ├─ 🐍 test_domestic_flight_public_service.py Python 128L · 3.5 KB
│ └─ 🐍 transport_service.py Python 194L · 9.7 KB
├─ 📝 README.md Markdown 249L · 7.8 KB
└─ 📝 SKILL.md Markdown 106L · 4.7 KB

Security Positives

✓ Declared and actual capabilities match exactly; no shadow functionality
✓ No credential harvesting or access to sensitive paths
✓ No data exfiltration or C2 communication
✓ No code obfuscation or malicious encoding
✓ No remote script execution or reverse shell
✓ Only accesses public flight and high-speed rail query endpoints
✓ sample_* parameters support local testing without a network dependency