serverchan
Fail
Audited by Gen Agent Trust Hub on Jun 17, 2026
Risk Level: CRITICAL
Full Analysis
- [COMMAND_EXECUTION]: The skill uses local bash scripts (
scripts/send.sh,scripts/check-env.sh) to perform its primary function of sending notifications. This is the intended behavior of the skill. - [EXTERNAL_DOWNLOADS]: The skill interacts with external APIs (
sctapi.ftqq.comand*.push.ft07.com) which are the official endpoints for the ServerChan and ServerChan³ services. These are well-known services provided by the vendor 'easychen' and are documented in the skill's functionality. - [DATA_EXFILTRATION]: While the skill sends data (title and description) to an external API, this is the core purpose of a notification skill. It uses a secure SendKey provided by the user via environment variables and includes specific logic and instructions to prevent the accidental exposure or logging of these credentials.
- [REMOTE_CODE_EXECUTION]: The skill uses a small Python snippet inside
send.shto safely assemble JSON payloads. This execution is local, uses static logic, and correctly handles environment variables to prevent injection vulnerabilities during payload construction.
Recommendations
- CRITICAL: 2 infected file(s) detected - DO NOT USE
- Contains 2 malicious URL(s) - DO NOT USE
Audit Metadata