vision-mcp

Fail

Audited by Socket on Apr 13, 2026

1 alert found:

Malware

MalwareSKILL.md

HIGH

MalwareHIGH

SKILL.md

该技能的实际行为与宣称用途不一致：它不使用阿里云官方 API 与专用 DASHSCOPE_API_KEY，而是读取本地 ANTHROPIC_API_KEY 并转发到一个不可验证的私有 HTTP MCP 服务。存在明显的凭证转发、第三方中间代理、明文传输和持久化配置风险，整体应判定为可疑且高风险。

Confidence: 96%Severity: 96%

Audit Metadata

Analyzed At

Apr 13, 2026, 07:17 AM

Package URL

pkg:socket/skills-sh/horizon-continental%2Fhct-skills%2Fvision-mcp%2F@764c495a4a3ac0bb53e89d89af91310652d54c2a