Scan Report
Score: 20 / 100
bozo-jiaodu
AI image camera-angle prompt conversion assistant. Converts a creative description into a camera-angle prompt and outputs it in the standard format beginning with <sks>.
Legitimate camera angle prompt converter with documented shell script API integration; no malicious behavior detected, only minor documentation quality issues.
Verdict: safe to install
Approve for use. Consider removing placeholder API key strings from documentation and explicitly declaring network:WRITE and shell:WRITE permissions in SKILL.md for transparency.
Security findings: 2
| Severity | Finding | Location |
|---|---|---|
| Low | Undeclared shell and network execution permissions (documentation deception) | SKILL.md:1 |
| Low | Placeholder credential strings in documentation (documentation deception) | SKILL.md:213 |
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | READ | ✓ Consistent | SKILL.md: read-only prompt transformation, no file writes |
| Network access | NONE | WRITE | ✗ Exceeds declared | scripts/create_angle_task.sh:73-77 — curl POST to api.bizyair.cn |
| Command execution | NONE | WRITE | ✗ Exceeds declared | scripts/create_angle_task.sh — executes bash scripts; scripts/get_task_outputs.s… |
| Environment variables | NONE | READ | ✓ Consistent | scripts/ check for $BIZYAIR_API_KEY env var — legitimate use for API auth, not ex… |
| Skill invocation | NONE | NONE | — | No cross-skill invocation found |
| Clipboard | NONE | NONE | — | Not used |
| Browser | NONE | NONE | — | Not used |
| Database | NONE | NONE | — | Not used |
Detected items: 9 findings (2 high severity)
| Severity | Category | Finding | Value | Location |
|---|---|---|---|---|
| High | API key | Suspected hard-coded credential | API_KEY="your_actual_api_key_here" | SKILL.md:213 |
| High | API key | Suspected hard-coded credential | API_KEY="your_api_key_here" | scripts/README.md:141 |
| Medium | External URL | External URL | https://storage.bizyair.cn/creations/20260318/4ac1e8ed-58a8-4b14-bd9d-6c536875bab5_649c12a5106e5bdd4d59e974671a1944_Comf... | .claude/settings.local.json:5 |
| Medium | External URL | External URL | https://storage.bizyair.cn/outputs/xxx.png | SKILL.md:287 |
| Medium | External URL | External URL | https://api.bizyair.cn/w/v1/webapp/task/openapi/create | SKILL.md:298 |
| Medium | External URL | External URL | https://api.bizyair.cn/w/v1/webapp/task/openapi/outputs?requestId= | SKILL.md:313 |
| Medium | External URL | External URL | https://storage.bizyair.cn/inputs/20260108/JYLqRJcgPJ1GcOrzRfXJ8qsXnia1aWSB.png | scripts/README.md:81 |
| Medium | External URL | External URL | https://storage.bizyair.cn/inputs/20260108/... | scripts/README.md:88 |
| Medium | External URL | External URL | https://api.bizyair.cn/w/v1/webapp/task/openapi/outputs?requestId=$ | scripts/get_task_outputs.sh:47 |
Directory structure
6 files · 34.9 KB · 1057 lines (Markdown: 2 files, 549 lines · Shell: 2 files, 282 lines · JSON: 2 files, 226 lines)
├─ .claude/
│  └─ settings.local.json (JSON)
├─ evals/
│  └─ evals.json (JSON)
├─ scripts/
│  ├─ create_angle_task.sh (Shell)
│  ├─ get_task_outputs.sh (Shell)
│  └─ README.md (Markdown)
└─ SKILL.md (Markdown)
Security highlights
✓ No base64-encoded execution, eval(), or obfuscated code — all scripts are plain, readable bash
✓ No credential harvesting — only reads BIZYAIR_API_KEY for API auth, does not iterate environment variables or access sensitive paths like ~/.ssh or ~/.aws
✓ No data exfiltration — network requests are confined to the legitimate BizyAir API endpoint (api.bizyair.cn), consistent with the documented image processing feature
✓ No persistence mechanisms — no cron jobs, startup hooks, or backdoor installation found
✓ API script functionality is described in SKILL.md (BizyAir API section), providing partial documentation
✓ No remote script download — scripts are bundled locally, no curl|bash or wget|sh patterns
✓ All external URLs point to storage.bizyair.cn and api.bizyair.cn (consistent with BizyAir image processing service)