Low risk — risk score 20/100
Last scanned: 2 days ago
groundapi_context_aware
Context-aware daily assistant — auto-detect user location via IP, provide local weather, track packages, and offer lifestyle tips. Powered by GroundAPI MCP tools.
A purely declarative SKILL.md using only documented MCP tools with no local execution, scripts, or hidden functionality.
Skill name: groundapi_context_aware
Analysis time: 23.9s
Engine: pi
OK to install
Approve for use. The hardcoded IP 8.8.8.8 is a benign documentation example. No local execution or credential exfiltration detected.

Security findings: 2

Severity: Low
Finding: Hardcoded IP address 8.8.8.8 in documentation example
Location: SKILL.md:100
Line 100 of SKILL.md uses 8.8.8.8 as an example IP address to demonstrate the life_ip() tool. This is a well-known public DNS resolver IP used for documentation purposes and poses no security risk.
Call `life_ip(address="8.8.8.8")` or `life_ip()` (look up your own)
→ No action needed. This is a legitimate documentation example. Consider using a more neutral IP (e.g., 1.1.1.1) to avoid any association concerns.

Severity: Low
Finding: External service dependencies declared
Location: SKILL.md:29
The skill depends on external GroundAPI MCP service (mcp.groundapi.net/sse) and its upstream weather/logistics providers. These are declared in SKILL.md configuration example.
"url": "https://mcp.groundapi.net/sse"
→ No action needed. Dependencies are clearly documented.

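| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | NONE | NONE | | No file read/write operations present — SKILL.md only |
| Network access | READ | READ | ✓ Consistent | All network activity routed through documented MCP tools (life_ip, life_weather,… |
| Command execution | NONE | NONE | | No subprocess, bash, or shell execution of any kind |
| Environment variables | READ | READ | ✓ Consistent | GROUNDAPI_KEY declared in metadata.requires.env — not iterated or exfiltrated |
| Skill invocation | READ | READ | ✓ Consistent | Only invokes documented MCP tools: life_ip, life_weather, life_logistics, info_n… |
| Clipboard | NONE | NONE | | No clipboard access |
| Browser | NONE | NONE | | No browser automation |
| Database | NONE | NONE | | No database access |
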
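1 high · 3 findings

| Severity | Type | Description | Value | Location |
|---|---|---|---|---|
| High | IP address | Hardcoded IP address | 8.8.8.8 | SKILL.md:100 |
| Medium | External URL | External URL | https://groundapi.net | SKILL.md:9 |
| Medium | External URL | External URL | https://mcp.groundapi.net/sse | SKILL.md:29 |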

Directory structure

1 file · 3.3 KB · 132 lines
Markdown 1f · 132L
└─ 📝 SKILL.md Markdown 132L · 3.3 KB

Security highlights

✓ Only SKILL.md — no scripts, no dependencies, no executable code
✓ All capabilities routed through documented MCP tools only
✓ API key (GROUNDAPI_KEY) is properly declared in metadata
✓ No local filesystem, shell, or environment variable access
✓ No credential harvesting or exfiltration
✓ No base64, eval, curl|bash, or other high-risk patterns
✓ Feature scope is narrow and clearly documented