Scan Report
20/100
bozo-jiaodu
AI image camera-angle prompt conversion assistant. Converts creative descriptions into camera-angle prompts, output in the standard format beginning with <sks>.
Legitimate camera angle prompt converter with documented shell script API integration; no malicious behavior detected, only minor documentation quality issues.
Safe to install
Approve for use. Consider removing placeholder API key strings from documentation and explicitly declaring network:WRITE and shell:WRITE permissions in SKILL.md for transparency.
Findings (2 items)
| Severity | Finding | Location |
|---|---|---|
| Low | Undeclared shell and network execution permissions (Doc Mismatch) | SKILL.md:1 |
| Low | Placeholder credential strings in documentation (Doc Mismatch) | SKILL.md:213 |
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | READ | ✓ Aligned | SKILL.md:read-only prompt transformation, no file writes |
| Network | NONE | WRITE | ✗ Violation | scripts/create_angle_task.sh:73-77 — curl POST to api.bizyair.cn |
| Shell | NONE | WRITE | ✗ Violation | scripts/create_angle_task.sh — executes bash scripts; scripts/get_task_outputs.s… |
| Environment | NONE | READ | ✓ Aligned | scripts/check for $BIZYAIR_API_KEY env var — legitimate use for API auth, not ex… |
| Skill Invoke | NONE | NONE | — | No cross-skill invocation found |
| Clipboard | NONE | NONE | — | Not used |
| Browser | NONE | NONE | — | Not used |
| Database | NONE | NONE | — | Not used |
Detected Patterns (9 findings, 2 High)

| Severity | Type | Value | Location |
|---|---|---|---|
| High | API Key (suspected hard-coded credential) | API_KEY="your_actual_api_key_here" | SKILL.md:213 |
| High | API Key (suspected hard-coded credential) | API_KEY="your_api_key_here" | scripts/README.md:141 |
| Medium | External URL | https://storage.bizyair.cn/creations/20260318/4ac1e8ed-58a8-4b14-bd9d-6c536875bab5_649c12a5106e5bdd4d59e974671a1944_Comf... | .claude/settings.local.json:5 |
| Medium | External URL | https://storage.bizyair.cn/outputs/xxx.png | SKILL.md:287 |
| Medium | External URL | https://api.bizyair.cn/w/v1/webapp/task/openapi/create | SKILL.md:298 |
| Medium | External URL | https://api.bizyair.cn/w/v1/webapp/task/openapi/outputs?requestId= | SKILL.md:313 |
| Medium | External URL | https://storage.bizyair.cn/inputs/20260108/JYLqRJcgPJ1GcOrzRfXJ8qsXnia1aWSB.png | scripts/README.md:81 |
| Medium | External URL | https://storage.bizyair.cn/inputs/20260108/... | scripts/README.md:88 |
| Medium | External URL | https://api.bizyair.cn/w/v1/webapp/task/openapi/outputs?requestId=$ | scripts/get_task_outputs.sh:47 |

File Tree
6 files · 34.9 KB · 1057 lines (Markdown: 2 files, 549 lines · Shell: 2 files, 282 lines · JSON: 2 files, 226 lines)

├─ .claude/
│  └─ settings.local.json (JSON)
├─ evals/
│  └─ evals.json (JSON)
├─ scripts/
│  ├─ create_angle_task.sh (Shell)
│  ├─ get_task_outputs.sh (Shell)
│  └─ README.md (Markdown)
└─ SKILL.md (Markdown)
Security Positives
✓ No base64-encoded execution, eval(), or obfuscated code — all scripts are plain, readable bash
✓ No credential harvesting — only reads BIZYAIR_API_KEY for API auth, does not iterate environment variables or access sensitive paths like ~/.ssh or ~/.aws
✓ No data exfiltration — network requests are confined to the legitimate BizyAir API endpoint (api.bizyair.cn), consistent with the documented image processing feature
✓ No persistence mechanisms — no cron jobs, startup hooks, or backdoor installation found
✓ API script functionality is described in SKILL.md (BizyAir API section), providing partial documentation
✓ No remote script download — scripts are bundled locally, no curl|bash or wget|sh patterns
✓ All external URLs point to storage.bizyair.cn and api.bizyair.cn (consistent with BizyAir image processing service)