Database已验证

High risk

security-pen-testing

Critical signals were detected and installation should be handled carefully.

0/100

5critical1high2medium

修复建议

🚨 得分 0/100 — 此技能极度危险。请勿安装。

检测到的风险8

Data Exfiltrationcritical

data_exfiltration

Data exfiltration attempt

Line 201

Snippets

L201

    "evidence": "Request: POST /api/login {\"email\": \"' OR 1=1--\", \"password\": \"x\"}\nResponse: 200 OK with admin session token",

L2540

            "evidence": "Request: POST /api/login {\"email\": \"' OR 1=1--\", \"password\": \"x\"}\nResponse: 200 OK with admin session token",

L201

    "evidence": "Request: POST /api/login {\"email\": \"' OR 1=1--\", \"password\": \"x\"}\nResponse: 200 OK with admin session token",

Exec Callcritical

exec_call

System command execution

Line 1120

Snippets

L11206. Never pass user input to eval(), exec(), os.system(), or child_process

L2791

                "recommendation": "Never use eval() or exec() with untrusted input. Use ast.literal_eval() for data parsing.",

Eval Callcritical

eval_call

Use of eval()

Line 405

Snippets

L405eval()

L11206. Never pass user input to eval(), exec(), os.system(), or child_process

L2791

                "recommendation": "Never use eval() or exec() with untrusted input. Use ast.literal_eval() for data parsing.",

Python Picklecritical

python_pickle

Unsafe deserialization (Python pickle)

Line 1291

Snippets

L12912. Avoid `pickle.loads()` on untrusted data

L3034 "Review code for pickle.load(), yaml.load(), Java ObjectInputStream.",

Python Subprocesscritical

python_subprocess

System command execution (Python)

Line 1120

Snippets

L11206. Never pass user input to eval(), exec(), os.system(), or child_process

Sensitive Fileshigh

sensitive_files

Sensitive system file access

Line 162

Snippets

L162| **Path Traversal** | `../../../etc/passwd`, URL encoding, double encoding bypasses |

Fs Readmedium

fs_read

Filesystem read access

Line 2835

Snippets

L2835

                "pattern": r'''(?:open|readFile|readFileSync|Path\.join)\s*\(.*(?:request\.|req\.|params|args|input|user)''',

L2835

                "pattern": r'''(?:open|readFile|readFileSync|Path\.join)\s*\(.*(?:request\.|req\.|params|args|input|user)''',

Network Callmedium

network_call

Outbound network call

Line 248

Snippets

L248curl -sI https://target.com | grep -iE "(strict-transport|content-security|x-frame|x-content-type)"

L621If the server fetches keys from a JWKS URL in the JWT header:

L1341

SSRF occurs when a web application fetches a remote resource without validating the user-supplied URL, allowing attackers to reach internal services, cloud metadata endpoints, or other protected resources.

L13755. Disable unnecessary URL-fetching features

L1784 {"ecosystem": "npm", "package": "axios", "below": "1.6.0",

Voir les risques detectes

Connectez-vous pour consulter l'analyse detaillee des risques.

$npx agentfend install cmn92rtln00ynu1ip9vqbxzhw

Trust Score

20trust

⭐ 7359🍴 881

Updated 2周前

分析时间

2026年3月31日 15:57

+ 2 previous scans

兼容

Cursor

Skill details

Trust score

20/100

GitHub

Connected

Stars

7359

Forks

881

Updated 2周前

分析时间 2026年3月31日 15:57

说明

"Use when the user asks to perform security audits, penetration testing, vulnerability scanning, OWASP Top 10 checks, or offensive security assessments. Covers static analysis, dependency scanning, secret detection, API security testing, and pen test report generation."

查看源码