fetch-archive-to-lexiang
github.com/clawhub.ai/fetch-archive-to-lexiang
Scanned Thu, 28 May 2026 16:19:37 GMT
Scan ID crawl-taj59xee14aeue63469jqrsk · 14ms
D
SCORE 30 / 100
Verdict: Do not install

1 critical finding.

This skill places a credential ($GEMINI_API_KEY) in a URL query parameter, plus 2 other issues listed below.

1 critical · 0 high · 2 medium · 9 rules passed

Why grade D?

score · 30 / 100

The current grade reflects 1 critical finding (any single CRIT → D).

1 CRIT · 0 HIGH · 2 MED · 0 LOW
To reach a higher grade
  • C (target score 55): resolve the 1 CRIT finding.
  • B (target score 75): resolve the 1 CRIT finding.
  • A (target score 95): resolve the 1 CRIT finding.
Thresholds are documented at /docs/grading. Source-of-truth is the grade() function in @skillox/scanner.

Findings · ordered by severity

crit
URL embeds a credential variable
The skill builds a URL that interpolates a secret into the query string. If the agent makes this request, the credential leaves the trust boundary. In this case the destination is generativelanguage.googleapis.com and `key=` is the Gemini API's own documented query-parameter authentication, so the key goes to its issuer rather than to a third party; the residual exposure is everything that records URLs in the clear: shell history, proxy and access logs, and any agent transcript that stores the expanded command. The Gemini API also accepts the key in the `x-goog-api-key` request header, which keeps it out of the URL entirely.
rule: url-exfiltration · line: 1794 · CWE-200
1792| Text shows as base64 garbage after import with md_to_page.py | When the script talks to the Lexiang MCP API directly over HTTP JSON-RPC it applied an unnecessary base64 encoding to `content`. Lexiang MCP's base64 requirement applies only to the IDE-side MCP protocol | Fixed: removed `base64.b64encode()` from the `import_content` function and pass the raw markdown through. ⚠️ **Never base64-encode** when connecting directly over HTTP JSON-RPC |
1793| md_to_page.py fails when batch-inserting image blocks | Passing several images in one `block_create_block_descendant` descendant array times out or errors | Insert one image at a time, passing only a single image block's descendant + children per call |
1794| Gemini API call returns 404 model not found | The `gemini-2.0-flash` model has been retired | Use `gemini-2.5-flash` instead. The currently available models can be listed with `curl "https://generativelanguage.googleapis.com/v1beta/models?key=$GEMINI_API_KEY"` |
    ↳ URL interpolates a credential into the query string
1795| English articles archived without translation | Step 3.5 (language detection and translation) was skipped | **All English articles must be translated into bilingual Chinese-English before archiving**; this is a mandatory step that cannot be skipped. Translate with `translate_gemini.py` (Gemini API) or `translate_article.py` (OpenAI API), then overwrite the entry with `md_to_page.py --entry-id` |
1796| `translate_gemini.py` raises FileNotFoundError | The script hard-coded the source file path and did not read command-line arguments | Fixed: now reads the input file from `sys.argv[1]` and the output file from `sys.argv[2]`, defaulting to `_translated.md` |
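As an added example, not skillox's scanner (whose rules are not shown on this page) and not the skill's own code, the check below flags URLs whose query string expands a secret-bearing shell variable, then applies the fix for the flagged line: moving the key from `?key=` into the `x-goog-api-key` request header, which the Gemini API accepts. The sample text is constructed to mirror line 1794 and the `${LEXIANG_TOKEN}` placeholder quoted elsewhere in this report; the `example.invalid` MCP URL and the list of secret-name markers are assumptions.

```python
"""Added example, not skillox's scanner code: find query parameters that
expand a secret-bearing shell variable, and rewrite a Gemini `?key=` URL to
carry the key in a header instead. Sample input is constructed."""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: a variable is "secret-bearing" if its name contains one of these.
SECRET_MARKERS = ("KEY", "TOKEN", "SECRET", "PASSWORD", "PASSWD")
# Matches $NAME and ${NAME}; captures NAME.
ENV_REF = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")
# Crude URL extractor; stops at whitespace, quotes, backticks, ) > | and ].
URL_RE = re.compile(r"https?://[^\s\"'`)>|\]]+")

# Constructed sample: line 1794 from the page, an assumed MCP SSE URL that
# fills the ${LEXIANG_TOKEN} placeholder, and a harmless URL that must not fire.
SAMPLE = """
1794| ... `curl "https://generativelanguage.googleapis.com/v1beta/models?key=$GEMINI_API_KEY"` |
- MCP server URL (assumed shape): https://example.invalid/mcp/sse?token=${LEXIANG_TOKEN}
- harmless: https://example.invalid/docs?page=2&lang=en
"""


def is_secret_name(name: str) -> bool:
    return any(marker in name.upper() for marker in SECRET_MARKERS)


def credential_query_params(text: str) -> list[tuple[str, str, str]]:
    """Return (url, parameter, variable) for each query parameter whose value
    expands a secret-bearing variable. Only the query string is inspected,
    matching the scope of the url-exfiltration rule on this page."""
    hits = []
    for url in URL_RE.findall(text):
        query = urlsplit(url).query
        for param, value in parse_qsl(query, keep_blank_values=True):
            for var in ENV_REF.findall(value):
                if is_secret_name(var):
                    hits.append((url, param, var))
    return hits


def move_key_to_header(url: str, header: str = "x-goog-api-key") -> tuple[str, dict]:
    """Strip `key=` from the query and return (url, headers) with the key value
    carried in the given header. The header name is the one the Gemini API
    documents; the value is returned unexpanded, exactly as it appeared."""
    parts = urlsplit(url)
    kept, headers = [], {}
    for param, value in parse_qsl(parts.query, keep_blank_values=True):
        if param == "key":
            headers[header] = value
        else:
            kept.append((param, value))
    # safe= keeps any remaining unexpanded ${VAR} placeholders readable.
    clean_query = urlencode(kept, safe="${}")
    return urlunsplit(parts._replace(query=clean_query)), headers


if __name__ == "__main__":
    for url, param, var in credential_query_params(SAMPLE):
        print(f"CRIT: query param {param!r} expands ${var} in {url}")
    clean, hdrs = move_key_to_header(
        "https://generativelanguage.googleapis.com/v1beta/models?key=$GEMINI_API_KEY"
    )
    print("fixed:", clean, hdrs)
```

The header form closes the exposure paths the query form leaves open even when the destination is the legitimate issuer: shell history, proxy and origin access logs, and agent transcripts all store the URL verbatim, while request headers are normally dropped from those records.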
med
No capability manifest declared
The skill ships without a `manifest.yaml` or `capabilities` block in its frontmatter. Without a manifest, the runtime cannot enforce what this skill is permitted to do.
rule: no-manifest
med
Link text shows "setup.md" but points at github.com
The visible link text contains `setup.md`, which parses as a hostname (`.md` is a registered ccTLD), while the URL targets `github.com`. Text/host mismatches are a phishing/smuggling pattern: the reader sees one host, the agent fetches another. Here the href path itself ends in `setup.md`, so the token is most likely the file name rather than a host; verify the target path instead of treating the mismatch as confirmed smuggling, and update either the text or the URL so they agree (for example, name the github.com destination in the link text).
rule: anchor-href-mismatch · line: 1012 · CWE-601
1010 - **Edit the MCP config directly**: replace the `${LEXIANG_TOKEN}` placeholder in the MCP server URL with the real value
1011
1012 3. For detailed configuration steps see: [lexiang-mcp-skill setup.md](https://github.com/tencent-lexiang/lexiang-mcp-skill/blob/main/setup.md)
    ↳ text→setup.md · href→github.com
1013
1014 #### Target knowledge base
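As an added example, not skillox's scanner and not the skill's code, the check below is a text/href mismatch detector of the kind that produced this finding, with the refinement a reviewer would want: a host-shaped token in the link text that is also the last path segment of the href (as `setup.md` is here) is reported at low confidence rather than dropped, because an attacker can plant a matching path segment just as easily as a matching filename can occur innocently. The sample markdown reproduces line 1012 from the page and adds a constructed smuggling link to `evil.invalid`.

```python
"""Added example, not skillox's scanner code: flag markdown links whose visible
text names a host other than the href's host, grading confidence by whether
the token could instead be the file the href points at. Sample is constructed."""
import re
from urllib.parse import urlsplit

MD_LINK = re.compile(r"\[([^\]]*)\]\((\S+?)\)")
# Anything shaped like a hostname: dotted labels ending in an alphabetic TLD.
# `setup.md` matches because .md is a real ccTLD (Moldova), which is exactly
# why a filename in link text trips this kind of rule.
HOST_TOKEN = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

# Constructed sample: line 1012 from the page, one genuine text/href smuggle,
# and a link whose text names no host at all.
SAMPLE = """
3. For detailed configuration steps see: [lexiang-mcp-skill setup.md](https://github.com/tencent-lexiang/lexiang-mcp-skill/blob/main/setup.md)
Sign in at [github.com](https://evil.invalid/login) to continue.
Read the [setup guide](https://github.com/tencent-lexiang/lexiang-mcp-skill/blob/main/setup.md).
"""


def host_shaped_tokens(text: str) -> list[str]:
    return [t.lower() for t in HOST_TOKEN.findall(text)]


def anchor_href_mismatches(markdown: str) -> list[dict]:
    """Return one finding per host-shaped token in link text that does not
    match the href's host. confidence is "low" when the token equals the
    href's final path segment (probably a filename), "high" otherwise."""
    findings = []
    for text, href in MD_LINK.findall(markdown):
        target = urlsplit(href)
        href_host = target.hostname  # lowercased, no userinfo or port
        if not href_host:
            continue  # relative link: no host to compare against
        last_segment = target.path.rsplit("/", 1)[-1].lower()
        for token in host_shaped_tokens(text):
            if token == href_host or href_host.endswith("." + token):
                continue  # text names the host (or parent domain) actually fetched
            findings.append({
                "text": text,
                "token": token,
                "href_host": href_host,
                "confidence": "low" if token == last_segment else "high",
            })
    return findings


if __name__ == "__main__":
    for f in anchor_href_mismatches(SAMPLE):
        print(f"[{f['confidence']}] text names {f['token']}, href fetches "
              f"{f['href_host']}: {f['text']!r}")
```

Run against the sample, the page's own link comes back as a low-confidence hit (token `setup.md`, host `github.com`, matching final path segment) and the constructed `[github.com](https://evil.invalid/login)` link as high confidence; low-confidence hits still deserve a human glance at the target path, since the path-segment match is the attacker's to control.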
skillox.io/r/crawl-taj59xee14aeue63469jqrsk