中文 EN

扫描报告

扫描新文件

低风险 — 风险评分 10/100
上次扫描:1 天前 重新扫描
10 /100
Kunwu Builder (坤吾工业仿真软件控制技能)
HTTP API client for Kunwu Builder industrial simulation software — controls robot models, gripper behaviors, assembly, and scene management
This is a legitimate HTTP API client for Kunwu Builder industrial simulation software with no malicious behavior. Only minor documentation inconsistencies and hardcoded private IPs in test files were identified, with no actual security impact.
技能名称Kunwu Builder (坤吾工业仿真软件控制技能)
分析耗时77.2s
引擎pi
可以安装
Approve for use. Consider updating test files to consistently use environment variables instead of hardcoded private IPs, and fix the deprecated /model/download endpoint reference in EXPORT-GUIDE.md.

安全发现 3 项

严重性 安全发现 位置
低危
Deprecated API endpoint still referenced in EXPORT-GUIDE.md 文档欺骗
EXPORT-GUIDE.md line 99 references /model/download endpoint which was removed from SKILL.md as of 2026-03-20. This is a documentation inconsistency without security impact since the code no longer calls this endpoint.
/model/download
→ Update EXPORT-GUIDE.md to remove /model/download reference and use /model/create + checkFromCloud:true instead
 EXPORT-GUIDE.md:99
低危
kunwu_call tool not formally declared in SKILL.md capability section 文档欺骗
SKILL.md uses the kunwu_call tool in examples but does not explicitly declare it as an HTTP POST tool with network:READ capability. The tool name matches the pattern of an LLM tool wrapper.
### `kunwu_call`
→ Add a capability declaration section at the top of SKILL.md listing allowed tools (kunwu_call as HTTP POST, with network:READ)
 SKILL.md:1
提示
Hardcoded private IP addresses in test files 敏感访问
Multiple test-*.js files hardcode private IP addresses (100.85.119.45, 192.168.176.1, 192.168.30.9) as BASE_URL defaults. While these are private IPs appropriate for industrial networks, hardcoding different IPs across test files creates inconsistency. The main kunwu-tool.js uses KUNWU_API_URL env var as the primary method.
const BASE_URL = process.env.KUNWU_API_URL || 'http://100.85.119.45:16888'
→ Ensure all test files consistently read KUNWU_API_URL and remove hardcoded fallback IPs for production deployment
 test-*.js, kunwu-tool.js:11
资源类型声明权限推断权限状态证据
网络访问 READ READ ✓ 一致 kunwu-tool.js:11 - http.request() to configurable API endpoint; SKILL.md declare…
文件系统 NONE NONE scripts/model-loader.js:fs.readFileSync() only reads local JSON model config fil…
命令执行 NONE NONE grep confirmed: no child_process, exec, spawn, or shell execution patterns in an…
环境变量 READ READ ✓ 一致 kunwu-tool.js:11 - reads KUNWU_API_URL; no iteration over os.environ for secrets
技能调用 NONE NONE No cross-skill invocation patterns found
剪贴板 NONE NONE No clipboard API usage
浏览器 NONE NONE No browser automation
数据库 NONE NONE No database access
1 高危 5 项发现
📡
高危 IP 地址 硬编码 IP 地址
100.85.119.45
EXPORT-GUIDE.md:77
🔗
中危 外部 URL 外部 URL
http://127.0.0.1:16888
EXPORT-GUIDE.md:74
🔗
中危 外部 URL 外部 URL
http://100.85.119.45:16888
EXPORT-GUIDE.md:77
🔗
中危 外部 URL 外部 URL
http://127.0.0.1:16888/system/ping
EXPORT-GUIDE.md:257
🔗
中危 外部 URL 外部 URL
http://192.168.30.9:16888
SKILL.md:9

目录结构

72 文件 · 403.3 KB · 13767 行
JavaScript 58f · 10860L Markdown 11f · 2789L JSON 3f · 118L
├─ 📁 scripts
│ ├─ 📜 model-loader.js JavaScript 242L · 6.3 KB
│ ├─ 📋 models-dual-robot-trays.json JSON 73L · 1.4 KB
│ └─ 📋 models-example.json JSON 28L · 503 B
├─ 📁 tests-deprecated
│ ├─ 📜 test-download-debug.js JavaScript 102L · 2.7 KB
│ ├─ 📜 test-download-direct.js JavaScript 78L · 2.0 KB
│ ├─ 📜 test-download-local.js JavaScript 64L · 2.0 KB
│ ├─ 📜 test-download-one-gripper.js JavaScript 116L · 3.4 KB
│ └─ 📜 test-download-with-path.js JavaScript 135L · 4.0 KB
├─ 📝 api-reference.md Markdown 133L · 3.4 KB
├─ 📜 auto-gripper-behavior.js JavaScript 140L · 5.1 KB
├─ 📝 EXPORT-GUIDE.md Markdown 303L · 8.1 KB
├─ 📝 INDUSTRIAL-PATTERNS.md Markdown 365L · 7.6 KB
├─ 📜 kunwu-tool.js JavaScript 1180L · 31.2 KB
├─ 📝 MIGRATION-2026-03-20.md Markdown 94L · 2.7 KB
├─ 📋 package.json JSON 17L · 453 B
├─ 📝 QUICKSTART.md Markdown 113L · 2.5 KB
├─ 📝 README.md Markdown 104L · 2.1 KB
├─ 📝 SKILL_USAGE.md Markdown 697L · 20.8 KB
├─ 📝 SKILL.md Markdown 484L · 13.2 KB
├─ 📜 task-builder.js JavaScript 491L · 12.8 KB
├─ 📜 test-50-rounds.js JavaScript 254L · 8.7 KB
├─ 📜 test-add-behavior-child.js JavaScript 94L · 2.9 KB
├─ 📜 test-add-rotate-x.js JavaScript 103L · 3.0 KB
├─ 📜 test-all-grippers-final.js JavaScript 283L · 8.4 KB
├─ 📜 test-asm-demo.js JavaScript 165L · 5.8 KB
├─ 📜 test-asm-quick.js JavaScript 143L · 4.4 KB
├─ 📜 test-asm-v4.js JavaScript 154L · 4.6 KB
├─ 📜 test-assemble-correct.js JavaScript 220L · 8.0 KB
├─ 📜 test-assemble-existing.js JavaScript 179L · 6.2 KB
├─ 📜 test-assemble-final-correct.js JavaScript 201L · 7.0 KB
├─ 📜 test-assemble-final.js JavaScript 198L · 6.9 KB
├─ 📜 test-assemble-smart.js JavaScript 375L · 11.5 KB
├─ 📜 test-assemble-with-create.js JavaScript 231L · 7.4 KB
├─ 📜 test-assemble.js JavaScript 255L · 7.9 KB
├─ 📜 test-auto-wait-wrapper.js JavaScript 153L · 4.8 KB
├─ 📜 test-behavior-v2.js JavaScript 130L · 3.7 KB
├─ 📜 test-behavior.js JavaScript 135L · 4.2 KB
├─ 📜 test-bracket-workaround.js JavaScript 162L · 4.9 KB
├─ 📜 test-camera-bracket-assemble.js JavaScript 264L · 8.7 KB
├─ 📜 test-check-all-tasks.js JavaScript 79L · 1.9 KB
├─ 📜 test-check-existing.js JavaScript 63L · 1.7 KB
├─ 📜 test-check-grippers.js JavaScript 96L · 2.4 KB
├─ 📜 test-connection-kunwu.js JavaScript 64L · 1.6 KB
├─ 📜 test-create-gripper.js JavaScript 129L · 3.7 KB
├─ 📜 test-create-model.js JavaScript 66L · 1.7 KB
├─ 📜 test-debug-task.js JavaScript 43L · 1.1 KB
├─ 📜 test-final-assemble.js JavaScript 170L · 5.1 KB
├─ 📜 test-final-report.js JavaScript 99L · 3.0 KB
├─ 📜 test-find-child.js JavaScript 87L · 2.3 KB
├─ 📜 test-full.js JavaScript 66L · 1.9 KB
├─ 📜 test-gripper-download-debug.js JavaScript 95L · 2.4 KB
├─ 📜 test-gripper-result.js JavaScript 114L · 3.1 KB
├─ 📜 test-grippers-behavior.js JavaScript 278L · 8.2 KB
├─ 📜 test-local-library.js JavaScript 39L · 1.1 KB
├─ 📜 test-new-apis.js JavaScript 133L · 4.4 KB
├─ 📜 test-pick-sort-final.js JavaScript 187L · 6.4 KB
├─ 📜 test-pick-sort-scene.js JavaScript 194L · 6.3 KB
├─ 📜 test-pick-sort-simple.js JavaScript 235L · 7.2 KB
├─ 📜 test-pick-sort-v2.js JavaScript 258L · 8.0 KB
├─ 📜 test-pick-sort-v3.js JavaScript 246L · 7.5 KB
├─ 📜 test-proper-assemble.js JavaScript 224L · 6.9 KB
├─ 📜 test-query-task.js JavaScript 25L · 591 B
├─ 📜 test-remote-camera.js JavaScript 119L · 3.4 KB
├─ 📝 TEST-REPORT.md Markdown 146L · 4.6 KB
├─ 📜 test-robot-asm-final.js JavaScript 202L · 6.7 KB
├─ 📜 test-robot-asm-v2.js JavaScript 134L · 4.1 KB
├─ 📜 test-robot-asm-v3.js JavaScript 178L · 5.6 KB
├─ 📜 test-robot-assembly.js JavaScript 225L · 7.6 KB
├─ 📜 test-scene-dual-robot.js JavaScript 288L · 8.8 KB
├─ 📜 test-smart-rounds.js JavaScript 477L · 13.4 KB
├─ 📝 TODO-APIS.md Markdown 151L · 4.0 KB
└─ 📝 UPDATE-SUMMARY.md Markdown 199L · 5.5 KB

依赖分析 1 项

包名版本来源已知漏洞备注
none (pure Node.js built-ins) N/A built-in Only uses Node.js built-in modules: http, fs, path — no external npm packages

安全亮点

✓ No shell execution, child_process, or subprocess usage found — only Node.js built-in http module
✓ No credential harvesting, password/token theft, or environment variable iteration for secrets
✓ No base64 obfuscation, eval(), Function(), or anti-analysis patterns
✓ No data exfiltration, C2 communication, or outbound data transfer beyond declared simulation API
✓ No sensitive file access (~/.ssh, ~/.aws, .env files)
✓ No persistence mechanisms (cron, startup hooks, backdoors)
✓ No prompt injection or jailbreak instructions
✓ No supply chain risks — package.json has no external dependencies (pure Node.js built-ins only)
✓ API URL is configurable via KUNWU_API_URL environment variable, not hardcoded as the sole option in main tool
✓ All code is readable, well-commented, and performs expected industrial simulation control operations
✓ No downloads or remote script execution (curl|bash, wget|sh patterns absent)