扫描报告
5 /100
doubao-media
豆包网页端媒体提取与抓包工具
Legitimate Doubao media extraction tool with properly scoped capabilities and no malicious indicators.
可以安装
This skill is safe to use. All functionality aligns with declared behavior in SKILL.md.
| 资源类型 | 声明权限 | 推断权限 | 状态 | 证据 |
|---|---|---|---|---|
| 网络访问 | READ | READ | ✓ 一致 | HTTPS requests to www.doubao.com for API calls and media downloads |
| 文件系统 | WRITE | WRITE | ✓ 一致 | Writes session file (~/.doubao_chat_session.json) and downloads media to capture… |
| 命令执行 | WRITE | WRITE | ✓ 一致 | exec('start') used only for opening login page in doubao_session.js:45 |
| 浏览器 | READ | READ | ✓ 一致 | CDP port 18800 for cookie extraction and network monitoring |
1 严重 7 项发现
严重 编码执行 Base64 编码执行(代码混淆)
Buffer.from(text, 'base64' scripts/capture_doubao_media.js:370 中危 外部 URL 外部 URL
https://www.doubao.com/ SKILL.md:59 中危 外部 URL 外部 URL
https://www.doubao.com scripts/doubao_api.js:78 中危 外部 URL 外部 URL
https://www.doubao.com/chat/ scripts/doubao_api.js:79 中危 外部 URL 外部 URL
https://registry.npmmirror.com/chrome-remote-interface/-/chrome-remote-interface-0.33.3.tgz scripts/package-lock.json:17 中危 外部 URL 外部 URL
https://registry.npmmirror.com/commander/-/commander-2.11.0.tgz scripts/package-lock.json:30 中危 外部 URL 外部 URL
https://registry.npmmirror.com/ws/-/ws-7.5.10.tgz scripts/package-lock.json:36 目录结构
7 文件 · 41.4 KB · 1274 行 JavaScript 4f · 1066L
Markdown 1f · 125L
JSON 2f · 83L
├─
▾
scripts
│ ├─
capture_doubao_media.js
JavaScript
│ ├─
doubao_api.js
JavaScript
│ ├─
doubao_media_api.js
JavaScript
│ ├─
doubao_session.js
JavaScript
│ ├─
package-lock.json
JSON
│ └─
package.json
JSON
└─
SKILL.md
Markdown
依赖分析 1 项
| 包名 | 版本 | 来源 | 已知漏洞 | 备注 |
|---|---|---|---|---|
chrome-remote-interface | ^0.33.3 | npm | 否 | Version pinned with caret range |
安全亮点
✓ All network requests target exclusively Doubao infrastructure (www.doubao.com, bytedance, douyin domains)
✓ The base64 decoding at capture_doubao_media.js:370 is legitimate CDP response handling, not obfuscation
✓ Session cookies stored locally only, used only for API authentication with Doubao
✓ File operations scoped to session management and media download - no sensitive path access
✓ Dependencies (chrome-remote-interface) are versioned and from trusted npm registry
✓ SKILL.md documentation accurately reflects implementation capabilities
✓ No credential exfiltration, data theft, or C2 communication patterns detected