postergen-parser 安全扫描报告 — 低风险 | ClawSafe

20 /100

postergen-parser

Parse PDF/Markdown files into structured HTML posters with multi-modal output (PDF, PNG, DOCX, PPTX), or generate poster/slides images via Gemini image generation

This is a legitimate PDF/Markdown-to-poster/HTML converter with multi-modal output. No malicious behavior found; the main concerns are unpinned dependencies and missing declared capability documentation.

技能名称postergen-parser

分析耗时68.2s

引擎pi

✓

可以安装

Pin all dependency versions in pyproject.toml and add an explicit allowed-tools/capability declaration to SKILL.md. The curl|sh for UV is documented and standard for this project's setup requirements.

安全发现 3 项

严重性	安全发现	位置
中危	Unpinned dependencies in pyproject.toml 供应链 Several key dependencies lack version constraints (openai>=1.0.0, requests>=2.31.0, Pillow>=10.0.0, playwright>=1.40.0, beautifulsoup4>=4.12.0, python-pptx>=0.6.23). This allows supply chain attacks via transitive dependency hijacking. `openai>=1.0.0, requests>=2.31.0, Pillow>=10.0.0` → Pin to specific versions, e.g. openai==1.72.2. Use uv lock for reproducible builds.	`pyproject.toml:18`
中危	Unpinned git dependency from third-party fork 供应链 marker-pdf is installed from git+https://github.com/Hadlay-Zhang/marker.git without a commit hash, pointing to a non-canonical fork. `git+https://github.com/Hadlay-Zhang/marker.git` → Pin to a specific commit hash or switch to the official marker-pdf PyPI package.	`requirements.txt:13`
低危	No allowed-tools capability declaration in SKILL.md 文档欺骗 SKILL.md has no frontmatter declaring allowed tools. The shell:WRITE capability is only implied by the documented install.sh instructions rather than explicitly declared. `No ---name/allowed-tools block present` → Add frontmatter declaring allowed tools: filesystem:WRITE, shell:WRITE, network:READ, environment:READ, skill_invoke:READ.	`SKILL.md:1`

资源类型	声明权限	推断权限	状态	证据
文件系统	`NONE`	`WRITE`	✓ 一致	install.sh:writes .env; run.py:creates output dirs; renderer_unit.py:write HTML …
命令执行	`NONE`	`WRITE`	✓ 一致	install.sh:62 curl\|sh UV install; install.sh:65-100 apt-get, uv python install, …
网络访问	`NONE`	`READ`	✓ 一致	renderer_unit.py:POST to LLM APIs; image_generator.py:POST to Gemini endpoint; t…
环境变量	`NONE`	`READ`	✓ 一致	Reads API keys, base URLs, model names from os.getenv — standard for LLM tools
技能调用	`NONE`	`READ`	✓ 一致	run.py:136 entry point only

1 严重 1 高危 73 项发现

💀

严重危险命令危险 Shell 命令

curl -LsSf https://astral.sh/uv/install.sh | sh

SKILL.md:128

🔑

高危 API 密钥疑似硬编码凭证

API_KEY="your-nanobanana-key"

.env.txt:7

🔗

中危外部 URL 外部 URL

https://runway.devops.rednote.life/openai/google/v1:generateContent

.env.txt:8

🔗

中危外部 URL 外部 URL

https://runway.devops.xiaohongshu.com/openai

README.md:67

🔗

中危外部 URL 外部 URL

https://maas.devops.xiaohongshu.com/v1

SKILL.md:47

🔗

中危外部 URL 外部 URL

https://astral.sh/uv/install.sh

SKILL.md:128

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/682b0ba6000000001101f517

examples/sigma1209-1.md:3

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/68998b9a000000002302d9b1

examples/sigma1209-1.md:7

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/666793da000000000600665f

examples/sigma1209-1.md:17

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/67879a270000000019014125

examples/sigma1209-1.md:29

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/68fee6870000000003022142

examples/sigma1209-1.md:63

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/66e80121000000002603c20a

examples/sigma1209-1.md:63

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/67c110aa000000001201ddf5

examples/sigma1209-2.md:4

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/67f605c5000000000b01e924

examples/sigma1209-2.md:50

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/66c406ba000000001d019145

examples/sigma1209-2.md:69

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/68fed8a0000000000302e2ef

examples/sigma1209-2.md:83

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/66e0484a000000000c018527

examples/sigma1209-2.md:113

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/67c3b321000000000903b268

examples/sigma1209-2.md:117

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/68ff5f9b000000000303bcf4

examples/sigma1209-3.md:4

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/68e7aede0000000003021ed7

examples/sigma1209-3.md:10

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/6826ff62000000002301cafb

examples/sigma1209-3.md:41

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/68ea54f90000000007034e19

examples/sigma1209-3.md:77

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/67ebe34b000000000b0148f0

examples/sigma1209-3.md:88

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/67ac4580000000002a00d9ea

examples/sigma1209-3.md:101

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/6583e38e000000003802a74f

examples/sigma1209-3.md:105

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/68adbf2a000000001d027985

examples/sigma1209-3.md:117

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/68ff370b0000000004004b5b

examples/sigma1209-3.md:143

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/67e4e5cc00000000090383e7

examples/sigma1209-3.md:148

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/6721a227000000001b02dfa8

examples/sigma1209-3.md:157

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/6407223a00000000130097cb

examples/tusen_1210.md:5

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/66174f3d000000001b008b51

examples/tusen_1210.md:5

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/658ce2af000000000f030b0e

examples/tusen_1210.md:5

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/6825a0bc000000000f030531

examples/tusen_1210.md:6

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/67e9e6dd000000001b038691

examples/tusen_1210.md:6

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/6920229d000000001e03a6fe

examples/tusen_1210.md:6

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/689c50ec000000001b02238f

examples/tusen_1210.md:7

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/6902fa5b0000000003020507

examples/tusen_1210.md:7

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/691003e50000000003038014

examples/tusen_1210.md:8

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/6470708b000000001300c8c1

examples/tusen_1210.md:13

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/66c160bc0000000005039d08

examples/tusen_1210.md:13

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/63106d70000000001101092c

examples/tusen_1210.md:14

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/693290a8000000000d03d634

examples/tusen_1210.md:15

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/690966220000000003011aec

examples/tusen_1210.md:15

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/68f482420000000007002f5e

examples/tusen_1210.md:16

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/665ab1760000000016010af1

examples/tusen_1210.md:16

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/68b51e0e000000001d018a1c

examples/tusen_1210.md:16

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/684996f50000000021004ec9

examples/tusen_1210.md:17

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/667f9c69000000001c026c9c

examples/tusen_1210.md:21

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/66b0562f000000001e01ebde

examples/tusen_1210.md:22

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/66cf0eda000000001f01e1cb

examples/tusen_1210.md:23

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/659d24ce000000001e00617c

examples/tusen_1210.md:23

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/689a90e50000000022022428

examples/tusen_1210.md:23

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/69119df10000000004002bca

examples/tusen_1210.md:28

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/68f9c171000000000302c706

examples/tusen_1210.md:29

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/68d3eff5000000001101d5b5

examples/tusen_1210.md:29

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/681db7180000000003039899

examples/tusen_1210.md:29

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/68ee140a000000000700f1fe

examples/tusen_1210.md:33

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/68e782020000000004016afd

examples/tusen_1210.md:34

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/6889e924000000002203a0ad

examples/tusen_1210.md:34

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/69082093000000000402b5b6

examples/tusen_1210.md:38

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/68c2170c000000001c007202

examples/tusen_1210.md:38

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/65978d900000000012003346

examples/tusen_1210.md:39

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/66ee3b1c000000000c0186f5

examples/tusen_1210.md:43

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/66a075a1000000002701175e

examples/tusen_1210.md:44

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/68d9c924000000000e023b9b

examples/tusen_1210.md:44

🔗

中危外部 URL 外部 URL

https://www.xiaohongshu.com/explore/67628d4f00000000140254ce

examples/tusen_1210.md:46

🔗

中危外部 URL 外部 URL

http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink

mm_output/converter.py:23

🔗

中危外部 URL 外部 URL

http://schemas.openxmlformats.org/drawingml/2006/main

mm_output/pptx_converter.py:27

🔗

中危外部 URL 外部 URL

http://schemas.openxmlformats.org/presentationml/2006/main

mm_output/pptx_converter.py:28

🔗

中危外部 URL 外部 URL

http://schemas.openxmlformats.org/officeDocument/2006/relationships

mm_output/pptx_converter.py:29

🔗

中危外部 URL 外部 URL

https://cdn.tailwindcss.com

templates/doubao.txt:7

🔗

中危外部 URL 外部 URL

https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.5.1/css/all.min.css

templates/doubao.txt:9

🔗

中危外部 URL 外部 URL

https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0/css/all.min.css

templates/report_web.txt:8

目录结构

36 文件 · 355.1 KB · 8418 行

Python 16f · 5036L Text 10f · 2172L Markdown 7f · 852L Shell 2f · 295L TOML 1f · 63L

├─ ▾ 📁 examples

│ ├─ 📝 sigma1209-1.md Markdown 114L · 8.8 KB

│ ├─ 📝 sigma1209-2.md Markdown 140L · 10.1 KB

│ ├─ 📝 sigma1209-3.md Markdown 194L · 12.8 KB

│ └─ 📝 tusen_1210.md Markdown 45L · 11.3 KB

├─ ▾ 📁 mm_output

│ ├─ 🐍 __init__.py Python 30L · 767 B

│ ├─ 🐍 cli.py Python 96L · 3.9 KB

│ ├─ 🐍 converter.py Python 418L · 14.6 KB

│ ├─ 🐍 example.py Python 37L · 904 B

│ ├─ 🐍 integrate.py Python 369L · 10.6 KB

│ ├─ 🐍 pptx_converter.py Python 913L · 36.5 KB

│ ├─ 📝 README.md Markdown 23L · 728 B

│ └─ 🐍 run_mm_output.py Python 83L · 3.1 KB

├─ ▾ 📁 paper2slides

│ ├─ 🐍 __init__.py Python 288L · 9.6 KB

│ ├─ 🐍 content_planner.py Python 377L · 13.9 KB

│ ├─ 🐍 image_generator.py Python 426L · 15.0 KB

│ ├─ 🐍 models.py Python 117L · 3.1 KB

│ ├─ 🐍 prompts.py Python 371L · 15.3 KB

│ └─ 🐍 xhs_generator.py Python 421L · 10.7 KB

├─ ▾ 📁 templates

│ ├─ 📄 doubao_dark.txt Text 73L · 2.8 KB

│ ├─ 📄 doubao_enterprise_blue.txt Text 95L · 4.2 KB

│ ├─ 📄 doubao_minimal.txt Text 71L · 2.5 KB

│ ├─ 📄 doubao_newspaper.txt Text 127L · 4.9 KB

│ ├─ 📄 doubao_refine.txt Text 94L · 3.9 KB

│ ├─ 📄 doubao.txt Text 463L · 27.7 KB

│ ├─ 📄 report_web_reduced.txt Text 252L · 9.4 KB

│ └─ 📄 report_web.txt Text 972L · 51.3 KB

├─ 🔑 .env.txt ⚠ Text 11L · 412 B

├─ 🔧 install.sh Shell 153L · 3.9 KB

├─ 🐍 parser_unit.py Python 206L · 8.5 KB

├─ 📄 pyproject.toml TOML 63L · 1.2 KB

├─ 📝 README.md Markdown 121L · 3.3 KB

├─ 🐍 renderer_unit.py Python 748L · 33.4 KB

├─ 📄 requirements.txt Text 14L · 248 B

├─ 🐍 run.py Python 136L · 5.9 KB

├─ 🔧 run.sh Shell 142L · 4.2 KB

└─ 📝 SKILL.md Markdown 215L · 5.9 KB

依赖分析 9 项

包名	版本	来源	已知漏洞	备注
`openai`	`>=1.0.0`	pyproject.toml	否	Version not pinned
`requests`	`>=2.31.0`	pyproject.toml	否	Version not pinned
`Pillow`	`>=10.0.0`	pyproject.toml	否	Version not pinned
`playwright`	`>=1.40.0`	pyproject.toml	否	Version not pinned
`torch`	`2.9.1`	pyproject.toml	否	Pinned
`transformers`	`4.57.6`	pyproject.toml	否	Pinned
`marker-pdf`	`git+Hadlay-Zhang fork`	requirements.txt	否	Third-party fork, no commit hash
`python-docx`	`>=1.1.0`	pyproject.toml	否	Version not pinned
`beautifulsoup4`	`>=4.12.0`	pyproject.toml	否	Version not pinned

安全亮点

✓ No credential theft — API keys are only used for outbound LLM calls, never exfiltrated

✓ No sensitive file access — does not read ~/.ssh, ~/.aws, or similar credential paths

✓ No obfuscation — all code is readable Python with no base64-encoded execution or eval(atob(...))

✓ No data exfiltration — network calls are exclusively to configured LLM provider endpoints

✓ No persistence mechanisms — no cron jobs, startup hooks, or backdoor installation

✓ No prompt injection — no hidden instructions in HTML comments or documentation

✓ Reference URL verification in renderer_unit.py prevents hallucinated citation URLs

✓ Uses dotenv for credential management (credentials not hardcoded in source)

✓ Subprocess usage is limited to documented install scripts (curl|sh for UV, apt-get, uv sync) — all documented in SKILL.md