Trusted — Risk Score 5/100
Last scan: 2 days ago
shuzhi-open
Shuqin (数秦) Open Platform unified API wrapper - blockchain evidence collection and electronic signing platform wrapper
A well-structured API wrapper for a legitimate blockchain/evidence-collection/signing platform with no malicious patterns, proper HMAC authentication, and documented user-confirmation workflows.
Skill Name: shuzhi-open
Duration: 75.2s
Engine: pi
Safe to install
This skill is safe to use. Ensure config.json credentials are protected and network access to shuzhi.shuqinkeji.cn is expected for the API functionality.
| Resource | Declared | Inferred | Status | Evidence |
| --- | --- | --- | --- | --- |
| Filesystem | READ | READ | ✓ Aligned | SKILL.md declares config.json and contract file reading; scripts/readFileSync on… |
| Network | READ | READ | ✓ Aligned | All network calls use fetch() to configured API gateway with HMAC-SHA256 authent… |
| Shell | NONE | NONE | | No subprocess, exec, or shell command execution found in codebase |
| Environment | NONE | NONE | | No os.environ iteration or credential harvesting |
| Skill Invoke | NONE | NONE | | No skill invocation capabilities used |
| Clipboard | NONE | NONE | | No clipboard access detected |
| Browser | NONE | NONE | | No browser automation detected |
| Database | NONE | NONE | | No direct database access - uses API for all data operations |
3 findings
Medium: External URL
https://mobile.yangkeduo.com/goods.html?goods_id=xxx
SKILL.md:153

Medium: External URL
https://test-apisix-gateway.shuzhi.shuqinkeji.cn
config.json:2

Medium: External URL
https://api.dataqin.com
references/certificate-api.md:7

File Tree

31 files · 141.6 KB · 5207 lines
JavaScript 24f · 3387L Markdown 5f · 1674L JSON 2f · 146L
├─ 📁 lib
│ ├─ 📁 modules
│ │ ├─ 📜 certificate.js JavaScript 84L · 1.9 KB
│ │ ├─ 📜 chain.js JavaScript 139L · 3.9 KB
│ │ ├─ 📜 evidence.js JavaScript 193L · 4.8 KB
│ │ └─ 📜 sign.js JavaScript 444L · 13.0 KB
│ ├─ 📜 auth.js JavaScript 82L · 2.4 KB
│ ├─ 📜 callback.js JavaScript 86L · 2.2 KB
│ ├─ 📜 client.js JavaScript 174L · 4.3 KB
│ └─ 📜 validate.js JavaScript 162L · 4.9 KB
├─ 📁 references
│ ├─ 📝 certificate-api.md Markdown 83L · 1.9 KB
│ ├─ 📝 chain-api.md Markdown 215L · 5.3 KB
│ ├─ 📝 evidence-api.md Markdown 174L · 3.6 KB
│ └─ 📝 sign-api.md Markdown 253L · 5.3 KB
├─ 📁 scripts
│ ├─ 📁 certificate
│ │ ├─ 📜 create.js JavaScript 68L · 1.7 KB
│ │ ├─ 📜 download.js JavaScript 56L · 1.3 KB
│ │ ├─ 📜 generate-interactive.js JavaScript 248L · 8.5 KB
│ │ ├─ 📜 generate.js JavaScript 104L · 3.3 KB
│ │ └─ 📜 templates.js JavaScript 26L · 732 B
│ ├─ 📁 chain
│ │ ├─ 📜 query.js JavaScript 74L · 1.9 KB
│ │ └─ 📜 upload.js JavaScript 88L · 2.3 KB
│ ├─ 📁 evidence
│ │ ├─ 📜 create-task-interactive.js JavaScript 144L · 4.5 KB
│ │ ├─ 📜 create-task.js JavaScript 101L · 2.8 KB
│ │ ├─ 📜 device.js JavaScript 83L · 2.2 KB
│ │ ├─ 📜 download.js JavaScript 59L · 1.4 KB
│ │ └─ 📜 query.js JavaScript 64L · 1.8 KB
│ └─ 📁 sign
│   ├─ 📜 enterprise.js JavaScript 87L · 2.9 KB
│   ├─ 📜 person.js JavaScript 87L · 2.8 KB
│   ├─ 📜 sign-flow.js JavaScript 196L · 6.1 KB
│   └─ 📜 workflow.js JavaScript 538L · 16.1 KB
├─ 🔑 config.json JSON 117L · 3.8 KB
├─ 📋 package.json JSON 29L · 948 B
└─ 📝 SKILL.md Markdown 949L · 23.1 KB

Dependencies 2 items

| Package | Version | Source | Known Vulns | Notes |
| --- | --- | --- | --- | --- |
| Node.js native fetch | Built-in (Node 18+) | Built-in | No | Uses native fetch API, no external dependencies |
| crypto (Node.js) | Built-in | Built-in | No | Uses Node.js crypto for HMAC-SHA256 signing |

Security Positives

✓ No subprocess, shell execution, or eval() calls - pure Node.js application
✓ HMAC-SHA256 authentication protects API credentials from exfiltration
✓ No credential harvesting - credentials only used locally for API signing
✓ No base64 decode + bash execution patterns or remote script downloads
✓ Well-documented user confirmation workflows for sensitive operations
✓ Explicit prohibition of auto-filling legal/contract fields without user input
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ Config validation ensures proper setup before API calls
✓ Comprehensive error handling with meaningful error messages