Low risk, risk score 25/100
Last scanned: 1 day ago
emwstudio
电磁波Studio ComfyUI workflow integration skill for RunningHub platform - supports video generation and audio synthesis workflows
A legitimate ComfyUI workflow integration skill for the RunningHub platform with a minor documentation quality issue (a hardcoded IP in an example response). No malicious behavior was detected in the actual code.
Skill name: emwstudio
Analysis time: 44.4s
Engine: pi
Can be installed
Consider removing the hardcoded IP address from the SKILL.md documentation example and replacing it with a placeholder. Otherwise, the skill is safe for use.

Security findings: 1

Severity | Finding | Location
Low
Hardcoded IP address in documentation example (category: documentation deception)
The SKILL.md contains a hardcoded IP address (222.186.161.123) within an example WSS URL in the documentation at line 130. This appears to be a sample API response showing what the RunningHub API returns, not actual code that executes. However, this creates unnecessary concern and should be replaced with a placeholder or removed.
netWssUrl: wss://www.runninghub.cn:443/ws/c_instance?c_host=222.186.161.123...
→ Replace the hardcoded IP in the example with a generic placeholder like 'YOUR_SERVER_IP' or remove the c_host parameter from the example.
SKILL.md:130
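Resource type | Declared permission | Inferred permission | Status | Evidence
File system | READ | READ | ✓ Consistent | get_env.py:29 - reads ~/.openclaw/openclaw.json
Network access | READ | READ | ✓ Consistent | All scripts only make HTTPS requests to www.runninghub.cn or www.runninghub.ai
Command execution | WRITE | WRITE | ✓ Consistent | SKILL.md declares use of OpenClaw exec tool for running Python scripts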
1 high risk, 3 findings
High risk, IP address: hardcoded IP address
222.186.161.123
SKILL.md:130
Medium risk, external URL: external URL
https://www.runninghub.cn/?inviteCode=6bfdf1c0
SKILL.md:232
Medium risk, external URL: external URL
https://www.runninghub.ai/?inviteCode=6bfdf1c0
SKILL.md:232

Directory structure

10 files · 27.1 KB · 930 lines
Python 8f · 682L Markdown 1f · 235L JSON 1f · 13L
├─ 📁 data
│ └─ 📋 workflows.json JSON 13L · 306 B
├─ 📁 scripts
│ ├─ 🐍 config_api_key.py Python 104L · 2.9 KB
│ ├─ 🐍 config_host.py Python 98L · 2.6 KB
│ ├─ 🐍 create_task.py Python 72L · 1.9 KB
│ ├─ 🐍 get_account_info.py Python 78L · 1.9 KB
│ ├─ 🐍 get_env.py Python 35L · 863 B
│ ├─ 🐍 get_workflow_info.py Python 78L · 1.9 KB
│ ├─ 🐍 poll_task.py Python 144L · 4.1 KB
│ └─ 🐍 query_task.py Python 73L · 1.8 KB
└─ 📝 SKILL.md Markdown 235L · 8.9 KB

Security highlights

✓ All network requests go to legitimate RunningHub endpoints (www.runninghub.cn or www.runninghub.ai)
✓ No obfuscation techniques detected - all Python code is plaintext
✓ No credential exfiltration - API keys are stored locally in OpenClaw config and used only for RunningHub API calls
✓ No subprocess, eval, exec, compile, or __import__ calls in actual scripts
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env files
✓ Shell execution is properly declared in SKILL.md documentation
✓ No base64 encoding/decoding or anti-analysis techniques found
✓ API keys are not logged or transmitted to third parties