xhs-download
Trust Score: 65.8
Trust Tier: 0
Badge: danger
Score Breakdown
| Factor | Score | Weight |
|---|---|---|
| Static | 0.0 | 15% |
| Permission | 95.0 | 15% |
| Poison | 100.0 | 15% |
| Clickfix | 100.0 | 15% |
| Credential | 100.0 | 15% |
| Twostage | 5.0 | 10% |
| Infrastructure | 10.0 | 5% |
| Typosquat | 100.0 | 5% |
| Age | 17.2 | 3% |
| Popularity | 0.0 | 2% |
Scan Results
STATIC — Score: 0
[CRITICAL] Remote code download and execution via curl pipe
(line 31)
curl -s http://127.0.0.1:9222/json | python3 -c "
[HIGH] Shell command execution
(line 64)
r = subprocess.run(['curl', '-s', 'http://127.0.0.1:9222/json'],
[CRITICAL] Cryptocurrency theft or unauthorized transfer pattern
(line 72)
def send(ws, method, params={}):
[CRITICAL] Cryptocurrency theft or unauthorized transfer pattern
(line 233)
| `send()` 报错 | 确认是3个参数:`send(ws, method, params={})` |
PERMISSION — Score: 95
[LOW] Skill appears to use network but declares no permissions
POISON — Score: 100
No findings.
CLICKFIX — Score: 100
No findings.
INFRASTRUCTURE — Score: 10
[HIGH] Direct IP URL with no domain (likely C2 server)
(line 31)
curl -s http://127.0.0.1:9222/json | python3 -c "
[HIGH] Direct IP URL with no domain (likely C2 server)
(line 64)
r = subprocess.run(['curl', '-s', 'http://127.0.0.1:9222/json'],
[HIGH] Direct IP URL with no domain (likely C2 server)
(line 237)
1. **不杀 Chrome** — 先 `curl http://127.0.0.1:9222/json`
TWOSTAGE — Score: 5
[CRITICAL] Download piped directly to interpreter (two-stage loader)
(line 31)
curl -s http://127.0.0.1:9222/json | python3 -c "
CREDENTIAL — Score: 100
No findings.
TYPOSQUAT — Score: 100
No findings.