Trusted - risk score 5/100
Last scanned: 1 day ago
tradfri-lights
Control IKEA TRÅDFRI lights and groups through a local TRÅDFRI gateway using node-tradfri-client
A legitimate smart home control skill for IKEA TRÅDFRI lights with no malicious indicators - all capabilities are documented, no credential exfiltration, no shell execution, and network access is restricted to the local gateway.
Skill name: tradfri-lights
Analysis time: 27.7s
Engine: pi
Safe to install
This skill is safe to use. No action required.

Security findings: 1

Severity: Low
Finding: Missing package.json (supply chain)
No package.json with pinned versions - npm install will fetch latest node-tradfri-client
const { TradfriClient, AccessoryTypes } = require('node-tradfri-client');
→ Consider adding package.json with pinned versions for reproducible builds
Location: scripts/tradfri.js:1
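Resource type | Declared permission | Inferred permission | Status | Evidence
File system | READ | READ | ✓ Consistent | Only reads config.json for gateway credentials
Network access | READ | READ | ✓ Consistent | Only connects to local TRÅDFRI gateway via node-tradfri-client
Command execution | NONE | NONE | | No shell commands or subprocess calls in code
Environment variables | NONE | READ | ✓ Consistent | Reads TRADFRI_* env vars for gateway credentials; documented in SKILL.md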

Directory structure

4 files · 22.6 KB · 623 lines
JavaScript 1f · 449L Markdown 2f · 169L JSON 1f · 5L
├─ 📁 references
│ └─ 📝 setup.md Markdown 39L · 1.0 KB
├─ 📁 scripts
│ └─ 📜 tradfri.js JavaScript 449L · 17.3 KB
├─ 🔑 config.json JSON 5L · 110 B
└─ 📝 SKILL.md Markdown 130L · 4.2 KB

Dependency analysis: 1

Package | Version | Source | Known vulnerabilities | Notes
node-tradfri-client | * | npm | | Version not pinned - no package.json present

Security highlights

✓ No credential exfiltration - gateway credentials only used for local authentication
✓ No shell command execution or subprocess calls
✓ No external network connections beyond local TRÅDFRI gateway
✓ No obfuscation, base64 encoding, or hidden execution paths
✓ Documentation fully matches implemented functionality
✓ No sensitive path access (no ~/.ssh, ~/.aws, .env reading)
✓ Clean error handling with no silent failures
✓ Credentials are local-only, not transmitted externally