中文 EN

Scan Report

Scan New Files

Low Risk — Risk Score 20/100
Last scan:18 hr ago Rescan
20 /100
postergen-parser
Parse PDF/Markdown files into structured HTML posters with multi-modal output (PDF, PNG, DOCX, PPTX), or generate poster/slides images via Gemini image generation
This is a legitimate PDF/Markdown-to-poster/HTML converter with multi-modal output. No malicious behavior found; the main concerns are unpinned dependencies and missing declared capability documentation.
Skill Namepostergen-parser
Duration68.2s
Enginepi
Safe to install
Pin all dependency versions in pyproject.toml and add an explicit allowed-tools/capability declaration to SKILL.md. The curl|sh for UV is documented and standard for this project's setup requirements.

Findings 3 items

Severity Finding Location
Medium
Unpinned dependencies in pyproject.toml Supply Chain
Several key dependencies lack version constraints (openai>=1.0.0, requests>=2.31.0, Pillow>=10.0.0, playwright>=1.40.0, beautifulsoup4>=4.12.0, python-pptx>=0.6.23). This allows supply chain attacks via transitive dependency hijacking.
openai>=1.0.0, requests>=2.31.0, Pillow>=10.0.0
→ Pin to specific versions, e.g. openai==1.72.2. Use uv lock for reproducible builds.
 pyproject.toml:18
Medium
Unpinned git dependency from third-party fork Supply Chain
marker-pdf is installed from git+https://github.com/Hadlay-Zhang/marker.git without a commit hash, pointing to a non-canonical fork.
git+https://github.com/Hadlay-Zhang/marker.git
→ Pin to a specific commit hash or switch to the official marker-pdf PyPI package.
 requirements.txt:13
Low
No allowed-tools capability declaration in SKILL.md Doc Mismatch
SKILL.md has no frontmatter declaring allowed tools. The shell:WRITE capability is only implied by the documented install.sh instructions rather than explicitly declared.
No ---name/allowed-tools block present
→ Add frontmatter declaring allowed tools: filesystem:WRITE, shell:WRITE, network:READ, environment:READ, skill_invoke:READ.
 SKILL.md:1
ResourceDeclaredInferredStatusEvidence
Filesystem NONE WRITE ✓ Aligned install.sh:writes .env; run.py:creates output dirs; renderer_unit.py:write HTML …
Shell NONE WRITE ✓ Aligned install.sh:62 curl|sh UV install; install.sh:65-100 apt-get, uv python install, …
Network NONE READ ✓ Aligned renderer_unit.py:POST to LLM APIs; image_generator.py:POST to Gemini endpoint; t…
Environment NONE READ ✓ Aligned Reads API keys, base URLs, model names from os.getenv — standard for LLM tools
Skill Invoke NONE READ ✓ Aligned run.py:136 entry point only
1 Critical 1 High 73 findings
💀
Critical Dangerous Command 危险 Shell 命令
curl -LsSf https://astral.sh/uv/install.sh | sh
SKILL.md:128
🔑
High API Key 疑似硬编码凭证
API_KEY="your-nanobanana-key"
.env.txt:7
🔗
Medium External URL 外部 URL
https://runway.devops.rednote.life/openai/google/v1:generateContent
.env.txt:8
🔗
Medium External URL 外部 URL
https://runway.devops.xiaohongshu.com/openai
README.md:67
🔗
Medium External URL 外部 URL
https://maas.devops.xiaohongshu.com/v1
SKILL.md:47
🔗
Medium External URL 外部 URL
https://astral.sh/uv/install.sh
SKILL.md:128
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/682b0ba6000000001101f517
examples/sigma1209-1.md:3
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/68998b9a000000002302d9b1
examples/sigma1209-1.md:7
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/666793da000000000600665f
examples/sigma1209-1.md:17
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/67879a270000000019014125
examples/sigma1209-1.md:29
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/68fee6870000000003022142
examples/sigma1209-1.md:63
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/66e80121000000002603c20a
examples/sigma1209-1.md:63
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/67c110aa000000001201ddf5
examples/sigma1209-2.md:4
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/67f605c5000000000b01e924
examples/sigma1209-2.md:50
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/66c406ba000000001d019145
examples/sigma1209-2.md:69
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/68fed8a0000000000302e2ef
examples/sigma1209-2.md:83
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/66e0484a000000000c018527
examples/sigma1209-2.md:113
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/67c3b321000000000903b268
examples/sigma1209-2.md:117
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/68ff5f9b000000000303bcf4
examples/sigma1209-3.md:4
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/68e7aede0000000003021ed7
examples/sigma1209-3.md:10
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/6826ff62000000002301cafb
examples/sigma1209-3.md:41
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/68ea54f90000000007034e19
examples/sigma1209-3.md:77
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/67ebe34b000000000b0148f0
examples/sigma1209-3.md:88
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/67ac4580000000002a00d9ea
examples/sigma1209-3.md:101
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/6583e38e000000003802a74f
examples/sigma1209-3.md:105
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/68adbf2a000000001d027985
examples/sigma1209-3.md:117
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/68ff370b0000000004004b5b
examples/sigma1209-3.md:143
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/67e4e5cc00000000090383e7
examples/sigma1209-3.md:148
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/6721a227000000001b02dfa8
examples/sigma1209-3.md:157
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/6407223a00000000130097cb
examples/tusen_1210.md:5
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/66174f3d000000001b008b51
examples/tusen_1210.md:5
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/658ce2af000000000f030b0e
examples/tusen_1210.md:5
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/6825a0bc000000000f030531
examples/tusen_1210.md:6
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/67e9e6dd000000001b038691
examples/tusen_1210.md:6
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/6920229d000000001e03a6fe
examples/tusen_1210.md:6
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/689c50ec000000001b02238f
examples/tusen_1210.md:7
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/6902fa5b0000000003020507
examples/tusen_1210.md:7
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/691003e50000000003038014
examples/tusen_1210.md:8
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/6470708b000000001300c8c1
examples/tusen_1210.md:13
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/66c160bc0000000005039d08
examples/tusen_1210.md:13
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/63106d70000000001101092c
examples/tusen_1210.md:14
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/693290a8000000000d03d634
examples/tusen_1210.md:15
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/690966220000000003011aec
examples/tusen_1210.md:15
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/68f482420000000007002f5e
examples/tusen_1210.md:16
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/665ab1760000000016010af1
examples/tusen_1210.md:16
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/68b51e0e000000001d018a1c
examples/tusen_1210.md:16
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/684996f50000000021004ec9
examples/tusen_1210.md:17
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/667f9c69000000001c026c9c
examples/tusen_1210.md:21
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/66b0562f000000001e01ebde
examples/tusen_1210.md:22
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/66cf0eda000000001f01e1cb
examples/tusen_1210.md:23
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/659d24ce000000001e00617c
examples/tusen_1210.md:23
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/689a90e50000000022022428
examples/tusen_1210.md:23
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/69119df10000000004002bca
examples/tusen_1210.md:28
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/68f9c171000000000302c706
examples/tusen_1210.md:29
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/68d3eff5000000001101d5b5
examples/tusen_1210.md:29
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/681db7180000000003039899
examples/tusen_1210.md:29
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/68ee140a000000000700f1fe
examples/tusen_1210.md:33
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/68e782020000000004016afd
examples/tusen_1210.md:34
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/6889e924000000002203a0ad
examples/tusen_1210.md:34
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/69082093000000000402b5b6
examples/tusen_1210.md:38
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/68c2170c000000001c007202
examples/tusen_1210.md:38
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/65978d900000000012003346
examples/tusen_1210.md:39
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/66ee3b1c000000000c0186f5
examples/tusen_1210.md:43
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/66a075a1000000002701175e
examples/tusen_1210.md:44
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/68d9c924000000000e023b9b
examples/tusen_1210.md:44
🔗
Medium External URL 外部 URL
https://www.xiaohongshu.com/explore/67628d4f00000000140254ce
examples/tusen_1210.md:46
🔗
Medium External URL 外部 URL
http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink
mm_output/converter.py:23
🔗
Medium External URL 外部 URL
http://schemas.openxmlformats.org/drawingml/2006/main
mm_output/pptx_converter.py:27
🔗
Medium External URL 外部 URL
http://schemas.openxmlformats.org/presentationml/2006/main
mm_output/pptx_converter.py:28
🔗
Medium External URL 外部 URL
http://schemas.openxmlformats.org/officeDocument/2006/relationships
mm_output/pptx_converter.py:29
🔗
Medium External URL 外部 URL
https://cdn.tailwindcss.com
templates/doubao.txt:7
🔗
Medium External URL 外部 URL
https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.5.1/css/all.min.css
templates/doubao.txt:9
🔗
Medium External URL 外部 URL
https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0/css/all.min.css
templates/report_web.txt:8

File Tree

36 files · 355.1 KB · 8418 lines
Python 16f · 5036L Text 10f · 2172L Markdown 7f · 852L Shell 2f · 295L TOML 1f · 63L
├─ 📁 examples
│ ├─ 📝 sigma1209-1.md Markdown 114L · 8.8 KB
│ ├─ 📝 sigma1209-2.md Markdown 140L · 10.1 KB
│ ├─ 📝 sigma1209-3.md Markdown 194L · 12.8 KB
│ └─ 📝 tusen_1210.md Markdown 45L · 11.3 KB
├─ 📁 mm_output
│ ├─ 🐍 __init__.py Python 30L · 767 B
│ ├─ 🐍 cli.py Python 96L · 3.9 KB
│ ├─ 🐍 converter.py Python 418L · 14.6 KB
│ ├─ 🐍 example.py Python 37L · 904 B
│ ├─ 🐍 integrate.py Python 369L · 10.6 KB
│ ├─ 🐍 pptx_converter.py Python 913L · 36.5 KB
│ ├─ 📝 README.md Markdown 23L · 728 B
│ └─ 🐍 run_mm_output.py Python 83L · 3.1 KB
├─ 📁 paper2slides
│ ├─ 🐍 __init__.py Python 288L · 9.6 KB
│ ├─ 🐍 content_planner.py Python 377L · 13.9 KB
│ ├─ 🐍 image_generator.py Python 426L · 15.0 KB
│ ├─ 🐍 models.py Python 117L · 3.1 KB
│ ├─ 🐍 prompts.py Python 371L · 15.3 KB
│ └─ 🐍 xhs_generator.py Python 421L · 10.7 KB
├─ 📁 templates
│ ├─ 📄 doubao_dark.txt Text 73L · 2.8 KB
│ ├─ 📄 doubao_enterprise_blue.txt Text 95L · 4.2 KB
│ ├─ 📄 doubao_minimal.txt Text 71L · 2.5 KB
│ ├─ 📄 doubao_newspaper.txt Text 127L · 4.9 KB
│ ├─ 📄 doubao_refine.txt Text 94L · 3.9 KB
│ ├─ 📄 doubao.txt Text 463L · 27.7 KB
│ ├─ 📄 report_web_reduced.txt Text 252L · 9.4 KB
│ └─ 📄 report_web.txt Text 972L · 51.3 KB
├─ 🔑 .env.txt Text 11L · 412 B
├─ 🔧 install.sh Shell 153L · 3.9 KB
├─ 🐍 parser_unit.py Python 206L · 8.5 KB
├─ 📄 pyproject.toml TOML 63L · 1.2 KB
├─ 📝 README.md Markdown 121L · 3.3 KB
├─ 🐍 renderer_unit.py Python 748L · 33.4 KB
├─ 📄 requirements.txt Text 14L · 248 B
├─ 🐍 run.py Python 136L · 5.9 KB
├─ 🔧 run.sh Shell 142L · 4.2 KB
└─ 📝 SKILL.md Markdown 215L · 5.9 KB

Dependencies 9 items

PackageVersionSourceKnown VulnsNotes
openai >=1.0.0 pyproject.toml No Version not pinned
requests >=2.31.0 pyproject.toml No Version not pinned
Pillow >=10.0.0 pyproject.toml No Version not pinned
playwright >=1.40.0 pyproject.toml No Version not pinned
torch 2.9.1 pyproject.toml No Pinned
transformers 4.57.6 pyproject.toml No Pinned
marker-pdf git+Hadlay-Zhang fork requirements.txt No Third-party fork, no commit hash
python-docx >=1.1.0 pyproject.toml No Version not pinned
beautifulsoup4 >=4.12.0 pyproject.toml No Version not pinned

Security Positives

✓ No credential theft — API keys are only used for outbound LLM calls, never exfiltrated
✓ No sensitive file access — does not read ~/.ssh, ~/.aws, or similar credential paths
✓ No obfuscation — all code is readable Python with no base64-encoded execution or eval(atob(...))
✓ No data exfiltration — network calls are exclusively to configured LLM provider endpoints
✓ No persistence mechanisms — no cron jobs, startup hooks, or backdoor installation
✓ No prompt injection — no hidden instructions in HTML comments or documentation
✓ Reference URL verification in renderer_unit.py prevents hallucinated citation URLs
✓ Uses dotenv for credential management (credentials not hardcoded in source)
✓ Subprocess usage is limited to documented install scripts (curl|sh for UV, apt-get, uv sync) — all documented in SKILL.md