fanfuaji
Audited by Socket on Feb 23, 2026
2 alerts found:
Obfuscated File
Security

The analyzed fragment is non-executable documentation describing a translation/conversion skill that uses an external API for its core functionality. The primary security concerns are data privacy and the potential exposure of user content to a third-party service. The README provides explicit guidance to mask sensitive information and avoid processing secret files. No malware, backdoors, or obfuscated code are evident. The overall risk is moderate and centers on data handling/privacy rather than code-level threats.

[Skill Scanner] System prompt extraction attempt

All findings:
[HIGH] skill_discovery_abuse: System prompt extraction attempt (SD002) [AITech 4.3]
[HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]

BENIGN / Low risk in intent. The skill's stated capabilities match the described behavior (text/file conversion via api.zhconvert.org). The documentation includes appropriate security controls (must disclose API calls, block known secret files, require confirmation for sensitive files and overwrites, treat outputs as untrusted). The main operational risk is inadvertent leakage of sensitive files to the external API if the implementation does not enforce the documented preflight checks; therefore review of the actual scripts (scripts/fanfuaji.py) is recommended to verify enforcement. No signs of obfuscation, embedded malware, download-execute chains, credential harvesting endpoints, or other malicious behavior in the provided fragment.

LLM verification: The provided metadata documents a legitimate Chinese conversion skill that relies on a third-party API. The main security concern is potential exfiltration of sensitive files if the documented preflight checks or denylist are not implemented in the missing scripts/fanfuaji.py. No clear malicious code or obfuscation is visible in the provided materials. Recommend code review of scripts/fanfuaji.py to verify enforcement of denylist and confirmation dialogs, ensure only the documented API endpoint