Trusted: risk score 5/100
Last scanned: 2 days ago
wayinvideo
AI video editing and analysis suite with highlight extraction, natural language search, summarization, and transcription via wayinvideo-api.wayin.ai REST API
WayinVideo is a legitimate AI video processing CLI client that wraps the wayinvideo-api.wayin.ai REST API. All network traffic is confined to the declared API endpoint, subprocess is used only for optional system event notifications, and no credential exfiltration or sensitive path access was found.
Skill name: wayinvideo
Analysis time: 36.6 s
Engine: pi
Verdict: safe to install
Approve for use. The skill performs standard API client operations with no hidden functionality.

Security findings: 2

Severity | Finding | Location
Low
Undeclared subprocess usage for system events
cli.py _send_event() uses subprocess.run to invoke 'openclaw system event' for progress notifications, but SKILL.md does not declare any shell-execution capability. The command is passed as an argument list without shell=True, so the notification text cannot inject shell syntax, and the 'openclaw' binary is resolved through PATH as with any CLI helper. The call is best-effort (wrapped in try/except) and optional (it fires only when event_interval > 0), so the practical risk is negligible; the gap is in the declaration, not in the code.
subprocess.run(['openclaw', 'system', 'event', '--text', text, '--mode', 'now'], check=True, capture_output=True, text=True)
→ Declare shell:WRITE in the SKILL.md metadata, or replace the call with a non-subprocess IPC mechanism if one is available.
wayinvideo-cli/wayinvideo/cli.py:40
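As an added example (not the skill's own code), this is the shape of a best-effort notifier like _send_event(), with a constructed stand-in in place of 'openclaw system event' so it runs offline: the stand-in is a Python one-liner that echoes its argv back as JSON. It shows that the argument-list form hands shell metacharacters in the text to the child as one literal argument, and that a missing or failing binary is swallowed instead of aborting the CLI. The helper names and the three command lists are assumptions made for the example.

```python
import json
import subprocess
import sys


def send_event(text, command):
    """Best-effort notifier in the shape of _send_event() (added example).

    `command` is an argument list; the call appends ['--text', text,
    '--mode', 'now'] and never uses shell=True, so whatever is in `text`
    reaches the child as a single literal argv element. Returns the child's
    stdout, or None if the binary is missing or exits non-zero.
    """
    argv = list(command) + ["--text", text, "--mode", "now"]
    try:
        proc = subprocess.run(argv, check=True, capture_output=True, text=True)
    except (OSError, subprocess.CalledProcessError):
        return None  # a failed notification must never abort the CLI
    return proc.stdout


# Constructed stand-ins for 'openclaw system event' (assumed names, not real binaries):
ECHO_ARGV = [sys.executable, "-c", "import json, sys; print(json.dumps(sys.argv[1:]))"]
FAILING_CMD = [sys.executable, "-c", "import sys; sys.exit(3)"]
MISSING_CMD = ["/nonexistent/openclaw", "system", "event"]


def argv_seen_by_child(text):
    """The argv the echo stand-in actually received for `text`, or None on failure."""
    out = send_event(text, ECHO_ARGV)
    return None if out is None else json.loads(out)


if __name__ == "__main__":
    hostile = "done; rm -rf ~ $(id) `whoami`"
    print(argv_seen_by_child(hostile))       # one element holds the whole string
    print(send_event("hello", MISSING_CMD))  # None: FileNotFoundError swallowed
    print(send_event("hello", FAILING_CMD))  # None: non-zero exit swallowed
```

The echoed argv is the point: with a list and no shell, "; rm -rf ~" and "$(id)" arrive as text inside one argument, which is why the finding rates the call as a declaration gap rather than an injection risk.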
Low
Config file path expansion with user-controlled tilde
config.py:36 and cli.py:58 pass paths that start with '~' through os.path.expanduser(). This is standard shell convention rather than a path traversal vector: the value is supplied by the local user (config file or CLI argument), the tilde is expanded only when it is the first character, and expansion adds no '..' handling of its own. Note that expanduser also resolves the '~user' form to another account's home directory, which is expected for a path the local user supplied.
if v.startswith('~'): return os.path.expanduser(v)
→ No action needed; this is expected behaviour for path resolution.
wayinvideo-cli/wayinvideo/config.py:36
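Added example (not the skill's code) showing what os.path.expanduser does with the pattern above and, for the case where such a path must stay under ~/.wayinvideo, the containment check a reviewer would ask for if the value ever came from an untrusted source. The helper names and sample paths are constructed for the example.

```python
import os
from pathlib import Path


def expand(v):
    """Mirror of the cited pattern: expand only a leading '~' (added example)."""
    return os.path.expanduser(v) if v.startswith("~") else v


def resolve_under(base, candidate):
    """Expand `candidate`, then require it to stay inside `base`.

    expanduser is not a traversal primitive by itself, but it leaves '..'
    segments alone and resolves '~user/...' to another account's home, so a
    path that must live under a known directory is checked after expansion.
    Returns the absolute Path, or raises ValueError if it escapes `base`.
    """
    base = Path(os.path.expanduser(base)).resolve()
    target = Path(expand(candidate))
    if not target.is_absolute():
        target = base / target          # relative values are taken under base
    target = target.resolve()           # collapses '..' and symlinks
    try:
        target.relative_to(base)
    except ValueError:
        raise ValueError(f"{candidate!r} escapes {base}") from None
    return target


def is_under(base, candidate):
    """Boolean form of resolve_under() for quick checks."""
    try:
        resolve_under(base, candidate)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: the cache location the skill uses, and two escapes.
    for p in ["~/.wayinvideo/cache/x.json", "cache/x.json",
              "~/.wayinvideo/../.ssh/id_rsa", "/etc/passwd"]:
        print(f"{p!r:40} under ~/.wayinvideo: {is_under('~/.wayinvideo', p)}")
```

The first two paths resolve under the cache directory; the '..' form and the absolute path do not, which is the distinction a containment check exists to make.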
Resource | Declared | Inferred | Status | Evidence
Filesystem | WRITE | WRITE | ✓ consistent | cli.py:116 _save_json writes to ~/.wayinvideo/; cli.py:217 config writes to ~/.w…
Network | READ | READ | ✓ consistent | client.py:64-165 all urllib requests go to https://wayinvideo-api.wayin.ai; cons…
Command execution | NONE | WRITE | ✗ undeclared (see finding 1) | cli.py:40-46 _send_event() calls subprocess.run(['openclaw', 'system', 'event', …
Environment variables | READ | READ | ✓ consistent | client.py:25 reads WAYIN_API_KEY from os.environ; SKILL.md metadata declares WAY…
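The declared-versus-inferred comparison in this table is the check worth being able to reproduce. What follows is an added example, not the scanner's or the skill's code: it infers capabilities from Python source with the ast module and compares them with a declared permission set. The source snippet is constructed to mirror the cited patterns (a subprocess.run call, urllib to one host, an os.environ read, a write under ~), and the declaration dict is hypothetical, with command execution set to NONE as in the table; the example reports that row as undeclared.

```python
import ast
from urllib.parse import urlparse

# Permission levels in increasing order; a declaration covers any lower level.
RANK = {"NONE": 0, "READ": 1, "WRITE": 2}

# Hypothetical SKILL.md declarations matching the table (command: NONE).
DECLARED = {"filesystem": "WRITE", "network": "READ", "command": "NONE", "env": "READ"}

# Constructed source mirroring the cited patterns; this is not cli.py itself.
SAMPLE_SOURCE = '''
import os, subprocess, urllib.request
API = "https://wayinvideo-api.wayin.ai/api/v2/clips"
key = os.environ["WAYIN_API_KEY"]
def _send_event(text):
    try:
        subprocess.run(["openclaw", "system", "event", "--text", text], check=True)
    except Exception:
        pass
def fetch():
    return urllib.request.urlopen(API).read()
def save(data):
    with open(os.path.expanduser("~/.wayinvideo/cache.json"), "w") as f:
        f.write(data)
'''

COMMAND_CALLS = {"subprocess.run", "subprocess.Popen", "subprocess.call",
                 "subprocess.check_output", "os.system", "os.popen"}
NETWORK_CALLS = {"urllib.request.urlopen", "requests.get", "requests.post"}


def _dotted(node):
    """'pkg.mod.attr' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _raise(caps, key, level):
    """Record `level` for `key` if it is broader than what was seen so far."""
    if RANK[level] > RANK[caps[key]]:
        caps[key] = level


def infer(source):
    """Walk the AST and return (capabilities, hostnames) the code implies."""
    caps = {k: "NONE" for k in DECLARED}
    hosts = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in COMMAND_CALLS:
                _raise(caps, "command", "WRITE")
            elif name in NETWORK_CALLS:
                _raise(caps, "network", "READ")
            elif name in ("os.environ.get", "os.getenv"):
                _raise(caps, "env", "READ")
            elif name == "open":
                mode = "r"
                if len(node.args) > 1 and isinstance(node.args[1], ast.Constant):
                    mode = str(node.args[1].value)
                _raise(caps, "filesystem", "WRITE" if set(mode) & set("wax+") else "READ")
        elif isinstance(node, ast.Subscript) and _dotted(node.value) == "os.environ":
            _raise(caps, "env", "READ")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if node.value.startswith(("http://", "https://")):
                hosts.add(urlparse(node.value).hostname)
    return caps, hosts


def compare(declared, inferred):
    """Per resource: (declared, inferred, status). A declaration at least as
    broad as what the code does is consistent; anything else is undeclared."""
    return {k: (declared[k], inferred[k],
                "consistent" if RANK[declared[k]] >= RANK[inferred[k]] else "undeclared")
            for k in declared}


def report(source=SAMPLE_SOURCE, declared=DECLARED):
    caps, hosts = infer(source)
    return compare(declared, caps), sorted(hosts)


if __name__ == "__main__":
    rows, hosts = report()
    for k, (d, i, s) in rows.items():
        print(f"{k:<11} declared={d:<5} inferred={i:<5} {s}")
    print("hosts:", hosts)
```

The ordering in RANK is what makes over-declaration harmless and under-declaration a finding: a skill that declares WRITE and only reads is consistent, while NONE against an observed subprocess.run is not, whatever the try/except around it.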
External URLs: 6 findings
Medium | External URL | https://wayinvideo-api.wayin.ai/api/v2/clips | wayinvideo-cli/wayinvideo/constants.py:6
Medium | External URL | https://wayinvideo-api.wayin.ai/api/v2/clips/find-moments | wayinvideo-cli/wayinvideo/constants.py:7
Medium | External URL | https://wayinvideo-api.wayin.ai/api/v2/summaries | wayinvideo-cli/wayinvideo/constants.py:8
Medium | External URL | https://wayinvideo-api.wayin.ai/api/v2/transcripts | wayinvideo-cli/wayinvideo/constants.py:9
Medium | External URL | https://wayinvideo-api.wayin.ai/api/v2/clips/export | wayinvideo-cli/wayinvideo/constants.py:10
Medium | External URL | https://wayinvideo-api.wayin.ai/api/v2/upload/single-file | wayinvideo-cli/wayinvideo/constants.py:13
All six URLs are on the declared host wayinvideo-api.wayin.ai, consistent with the network row above.

Directory structure

19 files · 89.2 KB · 1964 lines
Python: 7 files · 1538 lines; Markdown: 12 files · 426 lines
├─ 📁 advanced
│ ├─ 📝 learning_from_videos.md Markdown 40L · 3.3 KB
│ └─ 📝 searching_best.md Markdown 35L · 3.2 KB
├─ 📁 basics
│ ├─ 📝 ai-clipping.md Markdown 29L · 2.9 KB
│ ├─ 📝 export.md Markdown 24L · 2.0 KB
│ ├─ 📝 find-moments.md Markdown 26L · 2.0 KB
│ ├─ 📝 video-summarization.md Markdown 14L · 725 B
│ └─ 📝 video-transcription.md Markdown 14L · 776 B
├─ 📁 references
│ ├─ 📝 caption_style.md Markdown 30L · 4.3 KB
│ ├─ 📝 platform_duration.md Markdown 8L · 2.0 KB
│ ├─ 📝 platform_ratio.md Markdown 5L · 376 B
│ └─ 📝 supported_languages.md Markdown 100L · 1.2 KB
├─ 📁 wayinvideo-cli
│ ├─ 📁 wayinvideo
│ │ ├─ 🐍 __init__.py Python 2L · 96 B
│ │ ├─ 🐍 __main__.py Python 5L · 117 B
│ │ ├─ 🐍 cli.py Python 1035L · 39.5 KB
│ │ ├─ 🐍 client.py Python 165L · 5.9 KB
│ │ ├─ 🐍 config.py Python 128L · 4.2 KB
│ │ └─ 🐍 constants.py Python 189L · 8.4 KB
│ └─ 🐍 setup.py Python 14L · 371 B
└─ 📝 SKILL.md Markdown 101L · 7.8 KB

Dependency analysis: 1 entry

Package | Version | Source | Known vulnerabilities | Notes
stdlib-only | N/A | Python 3.7+ standard library | | No pip-installed dependencies; uses urllib.request, json, os, subprocess, argparse, mimetypes, copy, textwrap, datetime, shutil (implicit)

Security highlights

✓ Uses only stdlib (urllib, json, os, subprocess, argparse); no third-party dependency risk
✓ API key read exclusively from environment variable WAYIN_API_KEY, never hardcoded or exfiltrated
✓ All network requests confined to declared domain wayinvideo-api.wayin.ai
✓ No base64, eval, dynamic code execution, or obfuscation
✓ No access to ~/.ssh, ~/.aws, .env, or other credential paths
✓ No reverse shell, C2, or data theft patterns
✓ File writes limited to ~/.wayinvideo/ (config + cache), appropriate for the tool's function
✓ Uploads are sent directly to the presigned URL returned by the API (the /api/v2/upload/single-file endpoint above) rather than being relayed through the API host; note that the upload target is whichever host the presigned URL names, so the declared-domain statement above covers the API calls, not the storage endpoint
✓ Subprocess call is best-effort and optional (controlled by event_enabled flag)