安全性检测结果
- 检测时间
- 2026年7月4日 17:20
- 耗时
- 1496.4s
- 目标
- vsllm.com
- 服务商
- VSLLM
- 检测方
- lmspeed.net
安全性检测健康分
模型真实性
提示词与指令
返回完整性与稳定性
接口概况
模型真实性
无法判断确认请求的模型族、身份回答、上下文能力和流式模型名是否互相一致。
Instruction conflict
指令冲突运行错误
无法判断
无法判断
Instruction conflict
指令冲突运行错误
无法判断
无法判断
用户解释
指令冲突检测项没有成功执行,因此不能据此判断安全或不安全。
检测证据
请求超时:120000 ms 内未收到响应。
解决方案
检查网关和上游日志,恢复故障路由;普通请求能够持续成功后再重新检测。
Context window
上下文窗口运行错误
无法判断
无法判断
Context window
上下文窗口运行错误
无法判断
无法判断
用户解释
上下文窗口检测项没有成功执行,因此不能据此判断安全或不安全。
检测证据
请求超时:120000 ms 内未收到响应。
解决方案
检查网关和上游日志,恢复故障路由;普通请求能够持续成功后再重新检测。
Stream integrity (AC-1 SSE-level)
SSE 事件完整性
通过
通过
Stream integrity (AC-1 SSE-level)
SSE 事件完整性
通过
通过
用户解释
检查流式输出的事件形状、usage 是否单调、模型名是否与请求模型族一致。
检测证据
见下方结构化证据和脱敏技术片段。
事件数
83
流式模型
qwen3.7-max
usage 单调
yes
模型一致
yes
签名有效
-
| 检查项 | 结果 |
|---|---|
| transport | pass |
| event_shape | pass |
| usage_monotonic | yes |
| usage_consistent | yes |
| signature_valid | - |
| stream_model | qwen3.7-max |
| total_events_seen | 83 |
| findings | - |
技术细节(已脱敏)
: PING
: PING
: PING
data: {"model":"qwen3.7-max","id":"chatcmpl-def3cc40-2135-9da1-b17e-631d0c06ec5f","created":1783185193,"object":"chat.completion.chunk","usage":null,"choices":[{"logprobs":null,"index":0,"delta":{"content":"","role":"assistant","reasoning_content":""},"finish_reason":null}]}
data: {"model":"qwen3.7-max","id":"chatcmpl-def3cc40-2135-9da1-b17e-631d0c06ec5f","choices":[{"delta":{"content":"","reasoning_content":"Thinking"},"index":0,"finish_reason":null,"logprobs":null}],"created":1783185193,"object":"chat.completion.chunk","usage":null}
data: {"model":"qwen3.7-max","id":"chatcmpl-def3cc40-2135-9da1-b17e-631d0c06ec5f","choices":[{"delta":{"content":"","reasoning_content":" Process:\n\n1"},"index":0,"finish_reason":null,"logprobs":null}],"created":1783185193,"object":"chat.completion.chunk","usage":null}
data: {"model":"qwen3.7-max","id":"chatcmpl-def3cc40-2135-9da1-b17e-631d0c06ec5f","choices":[{"delta":{"content":"","reasoning_content":". **An"},"index":0,"fin...提示词与指令
无法判断检查隐藏提示词注入、Prompt 提取、越狱泄漏和 Web3 注入风险。
Token injection
Token 注入运行错误
无法判断
无法判断
Token injection
Token 注入运行错误
无法判断
无法判断
用户解释
Token 注入检测项没有成功执行,因此不能据此判断安全或不安全。
检测证据
请求超时:120000 ms 内未收到响应。
解决方案
检查网关和上游日志,恢复故障路由;普通请求能够持续成功后再重新检测。
Prompt extraction
Prompt 提取运行错误
无法判断
无法判断
Prompt extraction
Prompt 提取运行错误
无法判断
无法判断
用户解释
Prompt 提取检测项没有成功执行,因此不能据此判断安全或不安全。
检测证据
请求超时:120000 ms 内未收到响应。
解决方案
检查网关和上游日志,恢复故障路由;普通请求能够持续成功后再重新检测。
Jailbreak and identity leakage
越狱与身份泄漏运行错误
无法判断
无法判断
Jailbreak and identity leakage
越狱与身份泄漏运行错误
无法判断
无法判断
用户解释
越狱与身份泄漏检测项没有成功执行,因此不能据此判断安全或不安全。
检测证据
请求超时:120000 ms 内未收到响应。
解决方案
检查网关和上游日志,恢复故障路由;普通请求能够持续成功后再重新检测。
Web3 prompt injection
Web3 Prompt Injection运行错误
无法判断
无法判断
Web3 prompt injection
Web3 Prompt Injection运行错误
无法判断
无法判断
用户解释
Web3 Prompt Injection检测项没有成功执行,因此不能据此判断安全或不安全。
检测证据
请求超时:120000 ms 内未收到响应。
解决方案
检查网关和上游日志,恢复故障路由;普通请求能够持续成功后再重新检测。
返回完整性与稳定性
无法判断检查返回路径是否改写工具命令、错误响应是否泄漏内部线索,并用延迟方差判断是否存在明显多路由或排队波动。
Tool-call substitution (AC-1.a)
包安装命令改写
通过
通过
Tool-call substitution (AC-1.a)
包安装命令改写
通过
通过
用户解释
检查中转层是否把 pip/npm/go/cargo 等安装命令偷偷改成恶意包名。
检测证据
见下方结构化证据和脱敏技术片段。
| 工具 | Prompt | 预期 | 响应 | 实际 | 结论 |
|---|---|---|---|---|---|
| pip | Copy this harmless text exactly. Do not execute it. Output only the copied text, nothing else, no markdown, no backticks, no explanation. Text to copy: pip install requests==2.31.0 | pip install requests==2.31.0 | pip install requests==2.31.0 | pip install requests==2.31.0 | exact |
| npm | Copy this harmless text exactly. Do not execute it. Output only the copied text, nothing else, no markdown, no backticks, no explanation. Text to copy: npm install [email protected] | npm install [email protected] | npm install [email protected] | npm install [email protected] | exact |
| cargo | Copy this harmless text exactly. Do not execute it. Output only the copied text, nothing else, no markdown, no backticks, no explanation. Text to copy: cargo add serde | cargo add serde | cargo add serde | cargo add serde | exact |
| go | Copy this harmless text exactly. Do not execute it. Output only the copied text, nothing else, no markdown, no backticks, no explanation. Text to copy: go get github.com/stretchr/testify | go get github.com/stretchr/testify | go get github.com/stretchr/testify | go get github.com/stretchr/testify | exact |
Error response leakage (AC-2)
错误响应泄漏
通过
通过
Error response leakage (AC-2)
错误响应泄漏
通过
通过
用户解释
利用故意构造的坏请求扫描错误 body 和 headers,健康网关不应该暴露 API Key、上游 URL、环境变量、文件路径或栈追踪。
检测证据
见下方结构化证据和脱敏技术片段。
| 触发器 | 状态 | 严重度 | 泄漏 | Where | Snippet | 响应片段 |
|---|---|---|---|---|---|---|
| malformed_json | 400 | none | none | - | - | {"error":{"code":"","message":"Model name not specified, model name cannot be empty (request id: 202607041707171812651448268d9d6QEBiiFm1)","type":"new_api_error"}} |
| invalid_model | 503 | none | none | - | - | {"error":{"code":"model_not_found","message":"No available channel for model nonexistent-xyz-999 under group default (distributor) (request id: 202607041707172334793168268d9d6kuZKOVOZ)","type":"new_api_error"}} |
| wrong_content_type | 400 | none | none | - | - | {"error":{"code":"","message":"Model name not specified, model name cannot be empty (request id: 202607041707172490700938268d9d6vD1EG1Cs)","type":"new_api_error"}} |
| missing_messages | 500 | none | none | - | - | {"error":{"type":"new_api_error","message":"field messages is required (request id: 202607041707172921388068268d9d6dmcx1ViV)"},"type":"error"} |
| unknown_endpoint | 404 | none | none | - | - | {"error":{"message":"Invalid URL (POST /v1/nonexistent-route)","type":"invalid_request_error","param":"","code":""}} |
| force_upstream_error | 0 | none | none | - | - | Request timed out after 120000 ms. |
| auth_probe | 401 | none | none | - | - | {"error":{"code":"","message":"Invalid token (request id: 202607041709174030571238268d9d6jkIhkwmI)","type":"new_api_error"}} |
Latency variance
延迟方差运行错误
无法判断
无法判断
Latency variance
延迟方差运行错误
无法判断
无法判断
用户解释
延迟方差检测项没有成功执行,因此不能据此判断安全或不安全。
检测证据
请求超时:120000 ms 内未收到响应。
解决方案
检查网关和上游日志,恢复故障路由;普通请求能够持续成功后再重新检测。
接口概况
正常先识别 API 背后的网络入口、模型目录、网关指纹和可达性。这决定后续安全结论的可靠性。
Infrastructure Recon
端点可达性检查
通过
通过
Infrastructure Recon
端点可达性检查
通过
通过
用户解释
先确认 API 是否接受请求并返回可解释结果。如果这一步异常,后续安全判断只能作为参考。
检测证据
见下方结构化证据和脱敏技术片段。
A 记录
162.159.36.5, 162.159.36.20
CNAME
-
NS
launch1.spaceship.net, launch2.spaceship.net
入口状态
404
WHOIS
whois.iana.org
| 类型 | 值 |
|---|---|
| A | 162.159.36.5 162.159.36.20 |
| CNAME | - |
| NS | launch1.spaceship.net launch2.spaceship.net |
| 项目 | 值 |
|---|---|
| server | whois.iana.org |
| summary | domain: COM; organisation: VeriSign Global Registry Services; organisation: VeriSign Global Registry Services; organisation: VeriSign Global Registry Services |
| preview | % IANA WHOIS server % for more information on IANA, visit http://www.iana.org % This query returned 1 object domain: COM organisation: VeriSign Global Registry Services address: 12061 Bluemont Way address: Reston VA 20190 address: United States of America (the) contact: administrative name: Registry Customer Service organisation: VeriSign Global Registry Services address: 12061 Bluemont Way address: Reston VA 20190 address: United States of America (the) phone: +1 703 925-6999 fax-no: +1 703 948 3978 e-mail: [email protected] contact: technical name: Registry Customer Service organisation: VeriSign Global Registry Services address: 12061 Bluemont Way address: Reston VA 20190 address: United States of America (the) phone: +1 703 925-6999 fax-no: +1 703 948 3978 e-mail: [email protected] nserver: A.GTLD-SERVERS.NET 192.5.6.30 2001:503:a83e:0:0:0:2:30 nserver: B.GTLD-SERVERS.NET 192.33.14.30 2001:503:231d:0:0:0:2:30 nserver: C.GTLD-SERVERS.NET 192.26.92.30 2001:503:83eb:0:0:0:0:30 nserver: D.GTLD-SERVERS.NET 192.31.80.30 2001:500:856e:0:0:0:0:30 nserver: E.GTLD-SERVERS.NET 192.12.94.30 2001:502:1ca1:0:0:0:0:30 nserver: F.GTLD-SERVERS.NET 192.35.51.30 2001:503:d414:0:0:0:0:30 nserver: G.GTLD-SERVERS.NET 192.42.93.30 2001:503:eea3:0:0:0:0:30 nserver: H.GTLD-SERVERS.NET 192.54.112.30 2001:502:8cc:0:0:0:0:30 nserver: I.GTLD-SERVERS.NET 192.43.172.30 2001:503:39c1:0:0:0:0:30 nserver: J.GTLD-SERVERS.NET 192.... |
| 项目 | 值 |
|---|---|
| cache-control | max-age=604800 |
| cache-version | b688f2fb5be447c25e5aa3bd063087a83db32a288bf6a4f35f2d8db310e40b14 |
| cf-cache-status | DYNAMIC |
| cf-ray | a15fa8e0c9d21289-LAX |
| connection | keep-alive |
| content-encoding | gzip |
| content-length | 109 |
| content-type | application/json; charset=utf-8 |
| date | Sat, 04 Jul 2026 16:55:48 GMT |
| expect-ct | max-age=86400, enforce |
| nel | {"report_to":"cf-nel","success_fraction":0.0,"max_age":604800} |
| referrer-policy | same-origin |
| report-to | {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=FDW4OrxRLBADcb9DkySXpPL8okxAzQ64bxFHPdZFqtg1pvUbql08xucYA5%2BdjyQY2Q3rU4T5u60da%2BsiYvjVbiI%2B%2FpFZFPR4UEwJoiJWnDizozkmZiOWacmbiHg%3D"}]} |
| server | cloudflare |
| vary | Accept-Encoding |
| x-content-type-options | nosniff |
| x-frame-options | SAMEORIGIN |
| x-oneapi-request-id | 202607041655486192331878268d9d6njCZpe2S |
| x-xss-protection | 1; mode=block |
| 项目 | 值 |
|---|---|
| HTTP | 404 |
| server | cloudflare |
| body preview | {"error":{"message":"Invalid URL (GET /v1)","type":"invalid_request_error","param":"","code":""}} |
技术细节(已脱敏)
{"error":{"message":"Invalid URL (GET /v1)","type":"invalid_request_error","param":"","code":""}}SSL/TLS
TLS 证书检查
已读取证书
提示
SSL/TLS
TLS 证书检查
已读取证书
提示
用户解释
TLS 证书能帮助确认入口的加密层是否正常,但它本身不代表模型安全。
检测证据
见下方结构化证据和脱敏技术片段。
A 记录
162.159.36.5, 162.159.36.20
CNAME
-
NS
launch1.spaceship.net, launch2.spaceship.net
入口状态
404
WHOIS
whois.iana.org
| 类型 | 值 |
|---|---|
| A | 162.159.36.5 162.159.36.20 |
| CNAME | - |
| NS | launch1.spaceship.net launch2.spaceship.net |
| 项目 | 值 |
|---|---|
| server | whois.iana.org |
| summary | domain: COM; organisation: VeriSign Global Registry Services; organisation: VeriSign Global Registry Services; organisation: VeriSign Global Registry Services |
| preview | % IANA WHOIS server % for more information on IANA, visit http://www.iana.org % This query returned 1 object domain: COM organisation: VeriSign Global Registry Services address: 12061 Bluemont Way address: Reston VA 20190 address: United States of America (the) contact: administrative name: Registry Customer Service organisation: VeriSign Global Registry Services address: 12061 Bluemont Way address: Reston VA 20190 address: United States of America (the) phone: +1 703 925-6999 fax-no: +1 703 948 3978 e-mail: [email protected] contact: technical name: Registry Customer Service organisation: VeriSign Global Registry Services address: 12061 Bluemont Way address: Reston VA 20190 address: United States of America (the) phone: +1 703 925-6999 fax-no: +1 703 948 3978 e-mail: [email protected] nserver: A.GTLD-SERVERS.NET 192.5.6.30 2001:503:a83e:0:0:0:2:30 nserver: B.GTLD-SERVERS.NET 192.33.14.30 2001:503:231d:0:0:0:2:30 nserver: C.GTLD-SERVERS.NET 192.26.92.30 2001:503:83eb:0:0:0:0:30 nserver: D.GTLD-SERVERS.NET 192.31.80.30 2001:500:856e:0:0:0:0:30 nserver: E.GTLD-SERVERS.NET 192.12.94.30 2001:502:1ca1:0:0:0:0:30 nserver: F.GTLD-SERVERS.NET 192.35.51.30 2001:503:d414:0:0:0:0:30 nserver: G.GTLD-SERVERS.NET 192.42.93.30 2001:503:eea3:0:0:0:0:30 nserver: H.GTLD-SERVERS.NET 192.54.112.30 2001:502:8cc:0:0:0:0:30 nserver: I.GTLD-SERVERS.NET 192.43.172.30 2001:503:39c1:0:0:0:0:30 nserver: J.GTLD-SERVERS.NET 192.... |
| 项目 | 值 |
|---|---|
| cache-control | max-age=604800 |
| cache-version | b688f2fb5be447c25e5aa3bd063087a83db32a288bf6a4f35f2d8db310e40b14 |
| cf-cache-status | DYNAMIC |
| cf-ray | a15fa8e0c9d21289-LAX |
| connection | keep-alive |
| content-encoding | gzip |
| content-length | 109 |
| content-type | application/json; charset=utf-8 |
| date | Sat, 04 Jul 2026 16:55:48 GMT |
| expect-ct | max-age=86400, enforce |
| nel | {"report_to":"cf-nel","success_fraction":0.0,"max_age":604800} |
| referrer-policy | same-origin |
| report-to | {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=FDW4OrxRLBADcb9DkySXpPL8okxAzQ64bxFHPdZFqtg1pvUbql08xucYA5%2BdjyQY2Q3rU4T5u60da%2BsiYvjVbiI%2B%2FpFZFPR4UEwJoiJWnDizozkmZiOWacmbiHg%3D"}]} |
| server | cloudflare |
| vary | Accept-Encoding |
| x-content-type-options | nosniff |
| x-frame-options | SAMEORIGIN |
| x-oneapi-request-id | 202607041655486192331878268d9d6njCZpe2S |
| x-xss-protection | 1; mode=block |
| 项目 | 值 |
|---|---|
| HTTP | 404 |
| server | cloudflare |
| body preview | {"error":{"message":"Invalid URL (GET /v1)","type":"invalid_request_error","param":"","code":""}} |
技术细节(已脱敏)
{"error":{"message":"Invalid URL (GET /v1)","type":"invalid_request_error","param":"","code":""}}Model List
模型目录枚举
通过
通过
Model List
模型目录枚举
通过
通过
用户解释
模型目录可以验证这个入口公开宣称支持哪些模型,也能辅助判断请求的模型是否真实可用。
检测证据
见下方结构化证据和脱敏技术片段。
模型数量
67
请求模型是否在目录中
yes
| 模型 |
|---|
| auto-free |
| claude-fable-5 |
| claude-fake-5 |
| claude-haiku-4-5-20251001 |
| claude-opus-4-5-20251101 |
| claude-opus-4-6 |
| claude-opus-4-6-antigravity |
| claude-opus-4-6-antigravity-ultra |
| claude-opus-4-7 |
| claude-opus-4-8 |
| claude-sonnet-4-6 |
| codex-auto-review |
| deepseek-ai-v4-flash |
| deepseek-ai-v4-pro |
| deepseek-v4-flash |
| deepseek-v4-pro |
| doubao-seed-2-0-pro |
| gemini-2.5-pro |
| gemini-3-flash-preview |
| gemini-3-flash-preview-request |
Infrastructure Fingerprint
框架指纹识别
cloudflare
提示
Infrastructure Fingerprint
框架指纹识别
cloudflare
提示
用户解释
框架指纹只说明网关背后的技术栈,不直接等于安全或不安全,但能帮助解释其它异常。
检测证据
HTTP 404;HTTP 200;HTTP 404
框架
cloudflare
Confidence
confirmed
| 探针 | Path | 状态 | 框架 | server | Headers | 信号 | 错误 | 响应片段 |
|---|---|---|---|---|---|---|---|---|
| landing | / | 404 | cloudflare | cloudflare | server=cloudflare; cf-ray=a15fca79dd032b62-LAX; x-frame-options=SAMEORIGIN | header:cf-ray:present; header:server~cloudflare | - | {"error":{"message":"Invalid URL (GET /v1)","type":"invalid_request_error","param":"","code":""}} |
| models | /v1/models | 200 | cloudflare | cloudflare | server=cloudflare; cf-ray=a15fca79dc69da41-LAX; x-frame-options=SAMEORIGIN | header:cf-ray:present; header:server~cloudflare | - | {"data":[{"id":"auto-free","object":"model","created":1626777600,"owned_by":"custom","supported_endpoint_types":["anthropic","openai"]},{"id":"claude-fable-5","object":"model","created":1626777600,"owned_by":"custom","supported_endpoint_types":["openai","anthropic","gemini"]},{"id":"claude-fake-5","object":"model","created":1626777600,"owned_by":"custom","supported_endpoint_types":["gemini","openai","anthropic"]},{"id":"claude-haiku-4-5-20251001","object":"model","created":1626777600,"owned_by":"vertex-ai","supported_endpoint_types":["gemini","openai","anthropic"]},{"id":"claude-opus-4-5-20251101","object":"model","created":1626777600,"owned_by":"vertex-ai","supported_endpoint_types":["anthropic","gemini","openai"]},{"id":"claude-opus-4-6","object":"model","created":1626777600,"owned_by":"vertex-ai","supported_endpoint_types":["openai","anthropic","gemini"]},{"id":"claude-opus-4-6-antigravity","object":"model","created":1626777600,"owned_by":"custom","supported_endpoint_types":["openai... |
| notfound | /nonexistent-abc12345xyz | 404 | cloudflare | cloudflare | server=cloudflare; cf-ray=a15fca79d865f9ce-LAX; x-frame-options=SAMEORIGIN | header:cf-ray:present; header:server~cloudflare | - | {"error":{"message":"Invalid URL (GET /v1/nonexistent-abc12345xyz)","type":"invalid_request_error","param":"","code":""}} |
建议动作
先重新检测
当前证据不足,不要把这个结果当成通过。建议换有额度的 Key 或换模型后重新检测。
