Trusted — Risk Score 5/100
Last scan: 17 hr ago
card-profile-recommend
Analyze a multi-card portfolio — grade each card (MVP / Keep / Consider Dropping), recommend 2–3 new additions with churning strategy, apply issuer rules (Chase 5/24, Amex lifetime bonus, Citi 8/65), and sequence applications to maximize signup bonuses.
A legitimate credit card portfolio recommendation skill that uses the Brave Search API for card research, with fully declared capabilities and no hidden behavior.
Skill Name: card-profile-recommend
Duration: 24.3s
Engine: pi
Safe to install
This skill is safe to use. All network calls are to the declared Brave Search API and issuer domains, no credential exfiltration, no shell execution beyond curl for fetching.

Findings: 1 item

Severity: Low
Finding: BRAVE_API_KEY declared with minimal version scoping detail (Doc Mismatch)
Location: SKILL.md:6

The metadata declares env:BRAVE_API_KEY as a required variable but does not specify version pinning or security guidance. This is a minor documentation issue without security impact.

env:
        - BRAVE_API_KEY

→ Consider adding version guidance for the API key or scoping to a specific environment variable convention.
Resource       Declared  Inferred  Status      Evidence
Network        READ      READ      ✓ Aligned   SKILL.md:51 — curl to api.search.brave.com
Shell          WRITE     WRITE     ✓ Aligned   SKILL.md:51 — curl command usage declared
Environment    READ      READ      ✓ Aligned   SKILL.md:6 — requires BRAVE_API_KEY env var
Filesystem     NONE      NONE                  No file operations found
Clipboard      NONE      NONE                  No clipboard access found
Browser        NONE      NONE                  No browser tool usage found
Database       NONE      NONE                  No database access found
Skill Invoke   NONE      NONE                  No cross-skill invocation found
1 finding

Severity: Medium
Finding: External URL
https://api.search.brave.com/res/v1/web/search?q=CARD+NAME+benefits+credits+annual+fee&count=10
Location: SKILL.md:78

File Tree

1 file · 9.0 KB · 219 lines
Markdown 1f · 219L
└─ 📝 SKILL.md Markdown 219L · 9.0 KB

Security Positives

✓ All network access is explicitly declared and limited to Brave Search API and known issuer domains
✓ No shell execution beyond documented curl commands for web fetching
✓ No filesystem, clipboard, or database access — fully scoped to read-only research
✓ No credential harvesting or exfiltration of user credentials
✓ No obfuscated code, base64 payloads, or anti-analysis techniques
✓ No supply chain dependencies that could introduce malicious code
✓ No persistence mechanisms (cron, startup hooks, backdoors)
✓ SKILL.md is thorough and accurately reflects implementation behavior