serverchan

Fail

Audited by Gen Agent Trust Hub on Jun 17, 2026

Risk Level: CRITICAL
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses local bash scripts (scripts/send.sh, scripts/check-env.sh) to perform its primary function of sending notifications. This is the intended behavior of the skill.
  • [EXTERNAL_DOWNLOADS]: The skill interacts with external APIs (sctapi.ftqq.com and *.push.ft07.com) which are the official endpoints for the ServerChan and ServerChan³ services. These are well-known services provided by the vendor 'easychen' and are documented in the skill's functionality.
  • [DATA_EXFILTRATION]: While the skill sends data (title and description) to an external API, this is the core purpose of a notification skill. It uses a secure SendKey provided by the user via environment variables and includes specific logic and instructions to prevent the accidental exposure or logging of these credentials.
  • [REMOTE_CODE_EXECUTION]: The skill uses a small Python snippet inside send.sh to safely assemble JSON payloads. This execution is local, uses static logic, and correctly handles environment variables to prevent injection vulnerabilities during payload construction.
Recommendations
  • CRITICAL: 2 infected file(s) detected - DO NOT USE
  • Contains 2 malicious URL(s) - DO NOT USE
Audit Metadata
Risk Level
CRITICAL
Analyzed
Jun 17, 2026, 06:47 AM
Security Audit — agent-trust-hub — serverchan