Low risk: risk score 20/100
Last scan: 2 days ago
china-top-doctor-referral
Referral service for chief and associate chief physicians at tertiary grade A (三甲) hospitals
Legitimate medical referral skill whose external API communication is documented. Minor undocumented behaviors (a DEBUG_MODE file probe and a stdout push protocol) are present but not malicious.
Skill name: china-top-doctor-referral
Analysis time: 34.6 s
Engine: pi
Verdict: can be installed
Approve for use. Ensure end users consent to customer-service message forwarding as documented in SKILL.md. Consider documenting the DEBUG_MODE behavior in SKILL.md for transparency.

Security findings (3)

Severity: Low
Finding: Undocumented DEBUG_MODE environment detection
Location: config/api.js:8
config/api.js contains logic that checks for a DEBUG_MODE file and switches between the dev and prod environments. This behavior is not mentioned in SKILL.md.
if (fs.existsSync(debugFilePath)) { return 'dev' }
→ Document this configuration mechanism in SKILL.md or remove the undocumented dev environment.

Severity: Low
Finding: Hidden stdout-based IPC for push notifications
Location: scripts/refer.py:160
The poll_and_push() function emits structured messages on stdout, each line prefixed with PUSH_MESSAGE:. This is an undocumented communication channel for agent integration, and any other print() in the script shares the same stream.
print(f"PUSH_MESSAGE:{push_data}")
→ Document the stdout-based IPC mechanism or use a more explicit integration method.

Severity: Info
Finding: Optional .env file handling for USER_ID
Location: scripts/refer.py:37
The code reads USER_ID from a .env file for local testing. This is a minor undocumented feature.
if line.startswith("USER_ID="):
→ Document .env support or remove it if not needed.
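The consumer side of the PUSH_MESSAGE: stdout protocol from the second finding, as an added example (not code from the skill or the scanner). It assumes the producer writes one JSON object per line after the literal prefix and that a valid push carries at least the assumed fields "user_id" and "text". Non-prefixed lines are treated as ordinary log output and ignored, so a stray print() cannot be mistaken for a push; prefixed lines that are not a JSON object with the required keys are reported rather than silently dropped. Sample line 3 shows what `print(f"PUSH_MESSAGE:{push_data}")` would emit if push_data were a dict: Python's repr, which is not JSON, so a strict consumer rejects it.

```python
"""Strict consumer for a PUSH_MESSAGE:-prefixed stdout protocol.

Added example, not the skill's own code. Field names in REQUIRED_KEYS are
an assumption about the push schema.
"""
import json
import subprocess
import sys
from dataclasses import dataclass
from typing import Iterable, List, Tuple

PREFIX = "PUSH_MESSAGE:"
REQUIRED_KEYS = ("user_id", "text")  # assumed schema, not from the skill


@dataclass
class PushMessage:
    line_no: int
    payload: dict


def parse_push_lines(lines: Iterable[str]) -> Tuple[List[PushMessage], List[Tuple[int, str]]]:
    """Split child stdout into accepted pushes and (line_no, reason) rejects."""
    accepted: List[PushMessage] = []
    rejected: List[Tuple[int, str]] = []
    for line_no, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r\n")
        if not line.startswith(PREFIX):
            continue  # ordinary log output, not part of the protocol
        body = line[len(PREFIX):].strip()
        try:
            obj = json.loads(body)
        except json.JSONDecodeError as exc:
            rejected.append((line_no, f"invalid JSON: {exc.msg}"))
            continue
        if not isinstance(obj, dict):
            rejected.append((line_no, "payload is not a JSON object"))
            continue
        missing = [k for k in REQUIRED_KEYS if k not in obj]
        if missing:
            rejected.append((line_no, f"missing keys: {', '.join(missing)}"))
            continue
        accepted.append(PushMessage(line_no, obj))
    return accepted, rejected


# Constructed stdout capture, not real output from refer.py. Line 3 is the
# Python repr of a dict, which json.loads rejects.
SAMPLE_STDOUT = [
    "Polling customer-service queue...\n",
    'PUSH_MESSAGE:{"user_id": "u-123", "text": "Your referral was accepted"}\n',
    "PUSH_MESSAGE:{'user_id': 'u-123', 'text': 'python repr, not JSON'}\n",
    'PUSH_MESSAGE:{"text": "no user_id field"}\n',
    'PUSH_MESSAGE:["not", "an", "object"]\n',
    "Done.\n",
]

# Stand-in producer so the subprocess path can be exercised offline.
PRODUCER_SCRIPT = "import sys\nsys.stdout.write(%r)\n" % "".join(SAMPLE_STDOUT)


def run_and_collect(cmd: List[str]):
    """Run a producer and parse its stdout; stderr is left alone for logging."""
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return parse_push_lines(proc.stdout.splitlines(keepends=True))


def demo():
    """Run the stand-in producer under the current interpreter and parse it."""
    return run_and_collect([sys.executable, "-c", PRODUCER_SCRIPT])


if __name__ == "__main__":
    ok, bad = demo()
    for msg in ok:
        print(f"line {msg.line_no}: push {msg.payload}")
    for line_no, reason in bad:
        print(f"line {line_no}: rejected ({reason})")
```

Keeping the rejects visible matters more than it looks: with a lenient consumer, a malformed line is indistinguishable from a missing push, and the user simply never hears from customer service.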
Permission check (declared vs. inferred from code)

Filesystem: declared READ WRITE, inferred matches (✓ consistent). Evidence: scripts/refer.py:45 creates pending_ctx.json.
Network access: declared READ WRITE, inferred matches (✓ consistent). Evidence: scripts/refer.py:148 POSTs to cs_webhook_url.
Command execution: declared NONE, inferred NONE. Evidence: no subprocess or shell execution observed.
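How a "declared vs. inferred" table like the one above can be produced: an added example (not the scanner's engine or the skill's code) that walks a script's AST, classifies calls into filesystem READ/WRITE, network READ/WRITE and command EXEC, records the line of each as evidence, and flags any resource the code uses beyond what the skill declares. The call-name tables are a small hand-picked set and the declared-permission dict is assumed to come from the skill manifest; both are assumptions. SAMPLE_SOURCE is a constructed stand-in that mirrors the behaviors the evidence column cites (writing pending_ctx.json, POSTing to a webhook, reading experts.json), not the real scripts/refer.py.

```python
"""Infer filesystem / network / command permissions from Python source via
the AST and compare them with declared permissions. Added example; the API
tables and the declared-permission dict are assumptions."""
import ast
from typing import Dict, List, Set, Tuple

Perms = Dict[str, Set[str]]
Evidence = Tuple[int, str, str, str]  # (line, resource, permission, call)

NETWORK_READ = {"urllib.request.urlopen", "requests.get",
                "http.client.HTTPConnection", "http.client.HTTPSConnection"}
NETWORK_WRITE = {"requests.post", "requests.put", "requests.patch"}
COMMAND_EXEC = {"subprocess.run", "subprocess.Popen", "subprocess.call",
                "subprocess.check_call", "subprocess.check_output",
                "os.system", "os.popen", "os.execv", "os.execvp"}
WRITE_MODE_CHARS = set("wax+")


def _dotted(node: ast.AST) -> str:
    """Render a call target such as urllib.request.urlopen as a dotted name;
    a chain rooted in a call (Path(...).read_text) keeps only the attributes."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))


def _open_writes(call: ast.Call) -> bool:
    """open()/Path.open(): WRITE if the literal mode contains w, a, x or +."""
    mode = None
    if len(call.args) > 1 and isinstance(call.args[1], ast.Constant):
        mode = call.args[1].value
    for kw in call.keywords:
        if kw.arg == "mode" and isinstance(kw.value, ast.Constant):
            mode = kw.value.value
    return isinstance(mode, str) and bool(WRITE_MODE_CHARS & set(mode))


def _request_writes(call: ast.Call) -> bool:
    """urllib Request(): WRITE when it carries a body or a mutating method."""
    for kw in call.keywords:
        if kw.arg == "data":
            return True
        if kw.arg == "method" and isinstance(kw.value, ast.Constant):
            return str(kw.value.value).upper() in {"POST", "PUT", "PATCH", "DELETE"}
    return False


class PermissionInferrer(ast.NodeVisitor):
    def __init__(self) -> None:
        self.perms: Perms = {"filesystem": set(), "network": set(), "command": set()}
        self.evidence: List[Evidence] = []

    def _add(self, resource: str, perm: str, node: ast.Call, name: str) -> None:
        self.perms[resource].add(perm)
        self.evidence.append((node.lineno, resource, perm, name))

    def visit_Call(self, node: ast.Call) -> None:
        name = _dotted(node.func)
        tail = name.rsplit(".", 1)[-1]
        if tail == "open":  # builtin open() or Path.open()
            self._add("filesystem", "WRITE" if _open_writes(node) else "READ", node, name)
        elif tail in {"read_text", "read_bytes"}:
            self._add("filesystem", "READ", node, name)
        elif tail in {"write_text", "write_bytes"}:
            self._add("filesystem", "WRITE", node, name)
        elif name in NETWORK_READ:
            self._add("network", "READ", node, name)
        elif name in NETWORK_WRITE or (name == "urllib.request.Request" and _request_writes(node)):
            self._add("network", "WRITE", node, name)
        elif name in COMMAND_EXEC:
            self._add("command", "EXEC", node, name)
        self.generic_visit(node)  # nested calls such as json.loads(Path(...).read_text())


def infer_permissions(source: str) -> Tuple[Perms, List[Evidence]]:
    inferrer = PermissionInferrer()
    inferrer.visit(ast.parse(source))
    return inferrer.perms, sorted(inferrer.evidence)


def compare_with_declared(declared: Perms, inferred: Perms) -> List[Tuple[str, List[str], List[str], str]]:
    """One row per resource; 'undeclared' when the code uses more than declared."""
    rows = []
    for resource in ("filesystem", "network", "command"):
        d, i = declared.get(resource, set()), inferred.get(resource, set())
        rows.append((resource, sorted(d), sorted(i), "consistent" if i <= d else "undeclared"))
    return rows


# Constructed stand-in for scripts/refer.py, not the skill's real source.
SAMPLE_SOURCE = '''\
import json
import urllib.request
from pathlib import Path

def save_context(ctx):
    with open("pending_ctx.json", "w") as fh:
        json.dump(ctx, fh)

def notify(cs_webhook_url, body):
    req = urllib.request.Request(cs_webhook_url, data=body, method="POST")
    return urllib.request.urlopen(req)

def load_experts():
    return json.loads(Path("reference/experts.json").read_text())
'''
# Assumed manifest declaration, matching the table above.
DECLARED: Perms = {"filesystem": {"READ", "WRITE"}, "network": {"READ", "WRITE"}, "command": set()}

if __name__ == "__main__":
    perms, evidence = infer_permissions(SAMPLE_SOURCE)
    for row in compare_with_declared(DECLARED, perms):
        print(row)
    for line, resource, perm, call in evidence:
        print(f"  line {line}: {resource} {perm} via {call}")
```

The inferrer is deliberately conservative in one direction only: it reports nothing for calls it does not recognise, so an empty "command" row means no known exec API was seen, not that none exists. Aliased imports (`import subprocess as sp`) would need import tracking before the names are compared.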
External URLs (4 findings, each rated Medium)

https://www.ihaola.com.cn (SKILL.md:5)
https://pe-t.ihaola.com.cn (SKILL.md:8)
https://www.ihaola.com.cn/privacy (SKILL.md:29)
https://t.ihaola.com.cn (config/api.js:15)

Note that config/api.js:15 references t.ihaola.com.cn while SKILL.md:8 documents pe-t.ihaola.com.cn. Since the same config file holds the DEBUG_MODE dev/prod switch, confirm which host each environment actually talks to before approving.

Directory structure

4 files · 156.8 KB · 3572 lines
JSON: 1 file, 3005 lines · Python: 1 file, 292 lines · Markdown: 1 file, 239 lines · JavaScript: 1 file, 36 lines
├─ 📁 config
│ └─ 📜 api.js JavaScript 36L · 761 B
├─ 📁 reference
│ └─ 📋 experts.json JSON 3005L · 136.5 KB
├─ 📁 scripts
│ └─ 🐍 refer.py Python 292L · 12.8 KB
└─ 📝 SKILL.md Markdown 239L · 6.8 KB

Dependency analysis (2)

Package | Version | Source | Known vulnerabilities | Notes
openpyxl | * (unpinned) | pip | none listed | Optional dependency, not directly used in refer.py; pin a version before deployment
urllib | builtin | stdlib | none listed | Standard library module used for HTTP requests

Security highlights

✓ No shell execution or subprocess usage observed
✓ No credential harvesting or exfiltration of sensitive data
✓ No base64 encoding, eval(), or other obfuscation techniques
✓ External API communication is clearly documented in the privacy section of SKILL.md
✓ User consent requirement mentioned in SKILL.md
✓ No access to sensitive paths (~/.ssh, ~/.aws, production secrets); the only .env read is the optional USER_ID line noted in the findings
✓ Minimal dependencies (standard library plus optional openpyxl)
✓ Data stays local for expert search feature (experts.json only)