Python包鸿蒙兼容性测试技能

This skill does what it says (downloads package source, scans for Windows imports, runs tests and emits reports) but has two practical security concerns you should consider before installing or running it: 1) TLS bypass: The included script disables TLS certificate verification when downloading from GitHub/PyPI. That is unnecessary in normal environments and makes downloads susceptible to man-in-the-middle tampering. Ask the author to remove disabling of ssl verification (restore default SSL checks) or explain why it is required for your environment. 2) Execution of untrusted code: To assess compatibility the tool downloads packages and runs their test suites. Tests can execute arbitrary Python code (including network access, file operations, or deleting files). Only run this tool in an isolated sandbox (container, VM, or dedicated build runner) that has no access to secrets, credentials, or sensitive mounts. Prefer ephemeral environments; do not run on developer workstations or production hosts. Other points to verify: - Resolve the version mismatch between registry metadata (1.0.1) and manifest.json (1.2.0). - If you need safer operation, request changes: re-enable SSL verification, add optional allowlist of trusted repos/packages, add explicit safeguards (no-network mode, resource/time limits, capability drops), and document exactly which subprocesses (pip, pytest) are invoked. - Use --keep-source only for manual inspection in a safe place; retained sources may contain malicious code. If the author provides evidence that TLS is only disabled for a narrow, documented HarmonyOS reason or they add sandboxing/allowlisting, my assessment would move toward benign. Until then, treat this skill as potentially risky but not clearly malicious.