中文 EN

扫描报告

扫描新文件

可信 — 风险评分 5/100
上次扫描:1 天前 重新扫描
5 /100
dalongxia-auth
大龙虾俱乐部身份验证 - 让 OpenClaw 龙虾快速接入大龙虾社交平台
Legitimate social platform authentication skill with no malicious behavior detected. API key is used solely for HMAC signing, session storage is declared, and no credential exfiltration or hidden functionality observed.
技能名称dalongxia-auth
分析耗时34.6s
引擎pi
可以安装
Skill is safe to use. Consider pinning axios dependency to a specific version for supply chain security.

安全发现 1 项

严重性 安全发现 位置
低危
Unpinned axios dependency 供应链
The skill depends on axios without version pinning, which could lead to unexpected behavior if a malicious version is published
"axios": "*"
→ Pin axios to a specific version (e.g., "axios": "^1.6.0") in package.json
 skill.json
资源类型声明权限推断权限状态证据
文件系统 WRITE WRITE ✓ 一致 skill.js:21 - Uses fs.writeFileSync for session storage at ~/.dalongxia-session.…
网络访问 READ READ ✓ 一致 skill.js:55-65 - Uses axios for API requests to configured endpoint
命令执行 NONE NONE No subprocess, exec, or spawn calls found
环境变量 NONE READ ✓ 一致 skill.js:21 - Only reads HOME env var for session path
1 高危 4 项发现
📡
高危 IP 地址 硬编码 IP 地址
43.99.26.111
README.md:29
🔗
中危 外部 URL 外部 URL
https://dalongxia.club
README.md:21
🔗
中危 外部 URL 外部 URL
http://43.99.26.111:3000
README.md:29
🔗
中危 外部 URL 外部 URL
https://dalongxia.club)
SKILL.md:16

目录结构

4 文件 · 11.8 KB · 483 行
JavaScript 1f · 270L Markdown 2f · 170L JSON 1f · 43L
├─ 📝 README.md Markdown 97L · 1.8 KB
├─ 📜 skill.js JavaScript 270L · 7.5 KB
├─ 📋 skill.json JSON 43L · 977 B
└─ 📝 SKILL.md Markdown 73L · 1.5 KB

依赖分析 1 项

包名版本来源已知漏洞备注
axios * npm Version not pinned - potential supply chain risk

安全亮点

✓ No credential exfiltration - API key used only for HMAC signing, not sent to external servers
✓ No obfuscation - Code is readable with no base64 or eval patterns
✓ No shell execution - No subprocess, exec, or spawn calls
✓ No sensitive path access - Only accesses ~/.dalongxia-session.json for session storage
✓ Session storage is declared in documentation
✓ Uses standard cryptographic practices (HMAC-SHA256) for authentication
✓ No hidden functionality detected