Trusted: risk score 5/100
Last scan: 2 days ago
shuzhi-open
Unified API wrapper for the Shuqin (数秦) Open Platform - blockchain evidence collection and electronic signing platform wrapper
A well-structured API wrapper for a legitimate blockchain/evidence-collection/signing platform with no malicious patterns, proper HMAC authentication, and documented user-confirmation workflows.
Skill name: shuzhi-open
Analysis time: 75.2s
Engine: pi
Safe to install
This skill is safe to use. Ensure config.json credentials are protected and network access to shuzhi.shuqinkeji.cn is expected for the API functionality.
Resource type         | Declared | Inferred | Status       | Evidence
----------------------|----------|----------|--------------|---------------------------------------------------------------------------------------
File system           | READ     | READ     | ✓ Consistent | SKILL.md declares config.json and contract file reading; scripts/readFileSync on…
Network access        | READ     | READ     | ✓ Consistent | All network calls use fetch() to configured API gateway with HMAC-SHA256 authent…
Command execution     | NONE     | NONE     |              | No subprocess, exec, or shell command execution found in codebase
Environment variables | NONE     | NONE     |              | No os.environ iteration or credential harvesting
Skill invocation      | NONE     | NONE     |              | No skill invocation capabilities used
Clipboard             | NONE     | NONE     |              | No clipboard access detected
Browser               | NONE     | NONE     |              | No browser automation detected
Database              | NONE     | NONE     |              | No direct database access - uses API for all data operations
3 findings

Severity | Type         | URL                                                    | Location
---------|--------------|--------------------------------------------------------|-------------------------------
Medium   | External URL | https://mobile.yangkeduo.com/goods.html?goods_id=xxx   | SKILL.md:153
Medium   | External URL | https://test-apisix-gateway.shuzhi.shuqinkeji.cn       | config.json:2
Medium   | External URL | https://api.dataqin.com                                | references/certificate-api.md:7

Directory structure

31 files · 141.6 KB · 5207 lines
JavaScript 24f · 3387L Markdown 5f · 1674L JSON 2f · 146L
├─ 📁 lib
│ ├─ 📁 modules
│ │ ├─ 📜 certificate.js JavaScript 84L · 1.9 KB
│ │ ├─ 📜 chain.js JavaScript 139L · 3.9 KB
│ │ ├─ 📜 evidence.js JavaScript 193L · 4.8 KB
│ │ └─ 📜 sign.js JavaScript 444L · 13.0 KB
│ ├─ 📜 auth.js JavaScript 82L · 2.4 KB
│ ├─ 📜 callback.js JavaScript 86L · 2.2 KB
│ ├─ 📜 client.js JavaScript 174L · 4.3 KB
│ └─ 📜 validate.js JavaScript 162L · 4.9 KB
├─ 📁 references
│ ├─ 📝 certificate-api.md Markdown 83L · 1.9 KB
│ ├─ 📝 chain-api.md Markdown 215L · 5.3 KB
│ ├─ 📝 evidence-api.md Markdown 174L · 3.6 KB
│ └─ 📝 sign-api.md Markdown 253L · 5.3 KB
├─ 📁 scripts
│ ├─ 📁 certificate
│ │ ├─ 📜 create.js JavaScript 68L · 1.7 KB
│ │ ├─ 📜 download.js JavaScript 56L · 1.3 KB
│ │ ├─ 📜 generate-interactive.js JavaScript 248L · 8.5 KB
│ │ ├─ 📜 generate.js JavaScript 104L · 3.3 KB
│ │ └─ 📜 templates.js JavaScript 26L · 732 B
│ ├─ 📁 chain
│ │ ├─ 📜 query.js JavaScript 74L · 1.9 KB
│ │ └─ 📜 upload.js JavaScript 88L · 2.3 KB
│ ├─ 📁 evidence
│ │ ├─ 📜 create-task-interactive.js JavaScript 144L · 4.5 KB
│ │ ├─ 📜 create-task.js JavaScript 101L · 2.8 KB
│ │ ├─ 📜 device.js JavaScript 83L · 2.2 KB
│ │ ├─ 📜 download.js JavaScript 59L · 1.4 KB
│ │ └─ 📜 query.js JavaScript 64L · 1.8 KB
│ └─ 📁 sign
│ ├─ 📜 enterprise.js JavaScript 87L · 2.9 KB
│ ├─ 📜 person.js JavaScript 87L · 2.8 KB
│ ├─ 📜 sign-flow.js JavaScript 196L · 6.1 KB
│ └─ 📜 workflow.js JavaScript 538L · 16.1 KB
├─ 🔑 config.json JSON 117L · 3.8 KB
├─ 📋 package.json JSON 29L · 948 B
└─ 📝 SKILL.md Markdown 949L · 23.1 KB

Dependency analysis (2 items)

Package             | Version             | Source   | Known vulnerabilities | Notes
--------------------|---------------------|----------|-----------------------|-------------------------------------------------
Node.js native fetch | Built-in (Node 18+) | Built-in |                       | Uses native fetch API, no external dependencies
crypto (Node.js)    | Built-in            | Built-in |                       | Uses Node.js crypto for HMAC-SHA256 signing

Security highlights

✓ No subprocess, shell execution, or eval() calls - pure Node.js application
✓ HMAC-SHA256 authentication protects API credentials from exfiltration
✓ No credential harvesting - credentials only used locally for API signing
✓ No base64 decode + bash execution patterns or remote script downloads
✓ Well-documented user confirmation workflows for sensitive operations
✓ Explicit prohibition of auto-filling legal/contract fields without user input
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ Config validation ensures proper setup before API calls
✓ Comprehensive error handling with meaningful error messages