Low risk: risk score 15/100
Last scan: 22 hours ago
mercury
Mercury bank API skill for Digital 4 Jesus LLC — balance checks, invoices, AR management, and money transfers via Mercury Bank API
A legitimate Mercury Bank API wrapper for a named business entity with properly declared capabilities, credential storage, and network access. No hidden functionality or malicious indicators detected.
Skill name: mercury
Analysis time: 37.3 s
Engine: pi
Safe to install
Skill is safe for use. No action required. Consider pinning python3 to a specific version in the script if a stricter supply-chain posture is desired.

Security findings: 2

Severity | Finding | Location
Low | Unpinned python3 dependency (supply chain) | scripts/mercury.sh:41
The mercury.sh script invokes python3 without a version constraint: whichever Python 3.x interpreter resolves first on PATH is accepted, so the script may run under an unexpected interpreter with different behavior.
curl -s --user "$TOKEN:" -X "$method" "${BASE}${path}" | python3 -m json.tool
→ Consider pinning to a specific version (e.g., python3.11), or ensure the python3 symlink is controlled in the deployment environment. Low risk for a bash wrapper script.
Info | Credentials file path declared in documentation (sensitive access) | SKILL.md:10
The skill explicitly documents the credential storage location (~/.secrets/mercury.env) in SKILL.md. This is a standard secure pattern, but it makes the credential path discoverable to anyone who can read SKILL.md.
Credentials at `~/.secrets/mercury.env`
→ Acceptable; it follows best practice by keeping credentials out of the repository. No action needed.
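The pinning recommendation for the first finding, applied to the request helper quoted from scripts/mercury.sh:41, as an added example written for this report rather than code from the mercury skill. It resolves a specific interpreter (pythonX.Y, or an explicit path) and verifies its reported version before use, so a relinked python3 symlink cannot change which interpreter runs. It also tightens two things a reviewer would note in the quoted line: `curl -s` without `--fail` pretty-prints an error body as if it were a successful response, and `--user "$TOKEN:"` places the token in curl's argument list, which other local users can read with `ps`. The variable names MERCURY_PYTHON_PIN and MERCURY_PYTHON and the function names are assumptions; TOKEN and BASE are expected to come from the sourced credentials file, as in the original script.

```shell
#!/usr/bin/env bash
# Added example (not part of the mercury skill): a version-pinned, failure-aware
# counterpart of the helper at scripts/mercury.sh:41. MERCURY_PYTHON_PIN,
# MERCURY_PYTHON and the function names are illustrative; TOKEN and BASE are
# assumed to be set by the sourced ~/.secrets/mercury.env, as in the original.
set -eu
# pipefail where the shell supports it, so json.tool's exit cannot mask a curl failure
(set -o pipefail) 2>/dev/null && set -o pipefail

: "${MERCURY_PYTHON_PIN:=3.11}"   # required interpreter line (major.minor)

# Pure check: does a "python --version" string report the pinned major.minor?
# Accepts "Python 3.11" and "Python 3.11.x"; rejects "Python 3.1.x" and "Python 3.12.x".
version_matches() {
  local reported="$1" pin="$2"
  case "$reported" in
    "Python ${pin}" | "Python ${pin}."*) return 0 ;;
    *) return 1 ;;
  esac
}

# Resolve a concrete interpreter and verify it. An explicit MERCURY_PYTHON path
# wins, otherwise pythonX.Y is looked up on PATH; bare "python3" is never used.
# Prints the resolved path on success; returns 1 if it is missing or mismatched.
resolve_python() {
  local pin="$1" candidate reported
  candidate="${MERCURY_PYTHON:-python${pin}}"
  command -v "$candidate" >/dev/null 2>&1 || return 1
  reported="$("$candidate" --version 2>&1)" || return 1   # 2>&1: Python 2 prints to stderr
  version_matches "$reported" "$pin" || return 1
  command -v "$candidate"
}

# Hardened request. -sS keeps curl quiet but still prints errors; --fail turns a
# non-2xx response into a non-zero exit instead of pretty-printing the error
# body; the token reaches curl through a config file on stdin (-K -) rather than
# argv. Assumes the token contains no double-quote characters.
mercury_request() {
  local method="$1" path="$2" py
  py="$(resolve_python "$MERCURY_PYTHON_PIN")" || {
    echo "mercury: no usable python ${MERCURY_PYTHON_PIN} interpreter found" >&2
    return 1
  }
  printf 'user = "%s:"\n' "$TOKEN" \
    | curl -sS --fail -K - -X "$method" "${BASE}${path}" \
    | "$py" -m json.tool
}
```

Usage is unchanged from the original helper (`mercury_request GET /accounts`); the only operational difference is that a host whose python3.11 is missing now fails loudly before any request is sent, which is the behavior the finding asks for, rather than silently running under whatever python3 resolves to.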
Resource | Declared | Inferred | Status | Evidence
File system | NONE | READ | ✓ Consistent | scripts/mercury.sh:16 reads ~/.secrets/mercury.env (the path is documented in SKILL.md)
Network | READ | READ | ✓ Consistent | SKILL.md:16-17 declares api.mercury.com; the script makes HTTP calls via curl
Command execution | WRITE | WRITE | ✓ Consistent | SKILL.md:21-29 shows the bash commands; scripts/mercury.sh invokes external commands (curl, python3)
Environment variables | NONE | READ | ✓ Consistent | scripts/mercury.sh:16 sources only $HOME/.secrets/mercury.env
Skill invocation | NONE | NONE | | No cross-skill invocation detected
Clipboard | NONE | NONE | | No clipboard access detected
Browser | NONE | NONE | | No browser usage detected
Database | NONE | NONE | | No database access detected
Indicators: 4 found
Severity | Type | Value | Location
Medium | External URL | https://api.mercury.com/api/v1 | SKILL.md:16
Medium | External URL | https://api.mercury.com/api/v1/ar | SKILL.md:17
Medium | External URL | https://api.mercury.com/api/v1/... | references/api.md:7
Info | Email address | [email protected] | references/api.md:122

Directory structure

3 files · 10.7 KB · 370 lines
Markdown: 2 files, 205 lines · Shell: 1 file, 165 lines
├─ references/
│ └─ api.md (Markdown, 143 lines · 3.9 KB)
├─ scripts/
│ └─ mercury.sh (Shell, 165 lines · 4.6 KB)
└─ SKILL.md (Markdown, 62 lines · 2.2 KB)

Dependency analysis: 1 item

Package | Version | Source | Known vulnerabilities | Notes
python3 | * | system | | No version pinning; used via -m json.tool for output formatting

Security highlights

✓ All network requests go to a single legitimate endpoint (api.mercury.com), no arbitrary IP or domain access
✓ No base64, obfuscation, or anti-analysis techniques detected
✓ No credential exfiltration or data theft behavior
✓ No remote script execution (curl|bash, wget|sh) detected
✓ All shell operations are declared in SKILL.md and necessary for the banking API feature
✓ API token is scoped to a single service (Mercury Bank) with no broader environment variable enumeration
✓ No ~/.ssh, ~/.aws, .env iteration or sensitive path scanning beyond the declared credentials file
✓ SKILL.md and references/api.md are consistent with scripts/mercury.sh behavior — no doc-to-code mismatch
✓ MIT license declared; skill is transparently documented