中文 EN

Scan Report

Scan New Files

Low Risk — Risk Score 25/100
Last scan:1 day ago Rescan
25 /100
emwstudio
电磁波Studio ComfyUI workflow integration skill for RunningHub platform - supports video generation and audio synthesis workflows
A legitimate ComfyUI workflow integration skill for RunningHub platform with minor documentation quality issue (hardcoded IP in example response). No malicious behavior detected in actual code.
Skill Nameemwstudio
Duration44.4s
Enginepi
Safe to install
Consider removing hardcoded IP address from SKILL.md documentation example and replacing with placeholder. Otherwise, the skill is safe for use.

Findings 1 items

Severity Finding Location
Low
Hardcoded IP address in documentation example Doc Mismatch
The SKILL.md contains a hardcoded IP address (222.186.161.123) within an example WSS URL in the documentation at line 130. This appears to be a sample API response showing what the RunningHub API returns, not actual code that executes. However, this creates unnecessary concern and should be replaced with a placeholder or removed.
netWssUrl: wss://www.runninghub.cn:443/ws/c_instance?c_host=222.186.161.123...
→ Replace the hardcoded IP in the example with a generic placeholder like 'YOUR_SERVER_IP' or remove the c_host parameter from the example.
 SKILL.md:130
ResourceDeclaredInferredStatusEvidence
Filesystem READ READ ✓ Aligned get_env.py:29 - reads ~/.openclaw/openclaw.json
Network READ READ ✓ Aligned All scripts only make HTTPS requests to www.runninghub.cn or www.runninghub.ai
Shell WRITE WRITE ✓ Aligned SKILL.md declares use of OpenClaw exec tool for running Python scripts
1 High 3 findings
📡
High IP Address 硬编码 IP 地址
222.186.161.123
SKILL.md:130
🔗
Medium External URL 外部 URL
https://www.runninghub.cn/?inviteCode=6bfdf1c0
SKILL.md:232
🔗
Medium External URL 外部 URL
https://www.runninghub.ai/?inviteCode=6bfdf1c0
SKILL.md:232

File Tree

10 files · 27.1 KB · 930 lines
Python 8f · 682L Markdown 1f · 235L JSON 1f · 13L
├─ 📁 data
│ └─ 📋 workflows.json JSON 13L · 306 B
├─ 📁 scripts
│ ├─ 🐍 config_api_key.py Python 104L · 2.9 KB
│ ├─ 🐍 config_host.py Python 98L · 2.6 KB
│ ├─ 🐍 create_task.py Python 72L · 1.9 KB
│ ├─ 🐍 get_account_info.py Python 78L · 1.9 KB
│ ├─ 🐍 get_env.py Python 35L · 863 B
│ ├─ 🐍 get_workflow_info.py Python 78L · 1.9 KB
│ ├─ 🐍 poll_task.py Python 144L · 4.1 KB
│ └─ 🐍 query_task.py Python 73L · 1.8 KB
└─ 📝 SKILL.md Markdown 235L · 8.9 KB

Security Positives

✓ All network requests go to legitimate RunningHub endpoints (www.runninghub.cn or www.runninghub.ai)
✓ No obfuscation techniques detected - all Python code is plaintext
✓ No credential exfiltration - API keys are stored locally in OpenClaw config and used only for RunningHub API calls
✓ No subprocess, eval, exec, compile, or __import__ calls in actual scripts
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env files
✓ Shell execution is properly declared in SKILL.md documentation
✓ No base64 encoding/decoding or anti-analysis techniques found
✓ API keys are not logged or transmitted to third parties