Scan Report
0/100
Daily News English Learning Cards
Generate daily news English learning cards with AI-generated comic illustrations for children
This is a legitimate educational content generation tool that fetches news, generates learning cards with AI, and composites final images. No malicious behavior detected.
Safe to install
Approve for use. The skill performs exactly what is documented with no hidden functionality.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Network | READ | READ | ✓ Aligned | SKILL.md lines 19-21 declares API calls to Tavily, DeepSeek, OpenRouter; code ca… |
| Filesystem | WRITE | WRITE | ✓ Aligned | SKILL.md declares output to output/daily-news-cards/{date}/; code writes PNG/JSO… |
| Shell | WRITE | WRITE | ✓ Aligned | SKILL.md step 2 documents 'pip install -q'; code uses subprocess.check_call for … |
| Environment | READ | READ | ✓ Aligned | SKILL.md table lists TAVILY_API_KEY, DEEPSEEK_API_KEY, OPENROUTER_API_KEY; code … |
| Skill Invoke | NONE | NONE | — | No cross-skill invocation found |
| Clipboard | NONE | NONE | — | No clipboard access found |
| Browser | NONE | NONE | — | No browser automation found |
| Database | NONE | NONE | — | No database access found |
5 findings
| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://tavily.com | SKILL.md:19 |
| Medium | External URL | https://platform.deepseek.com | SKILL.md:20 |
| Medium | External URL | https://openrouter.ai | SKILL.md:21 |
| Medium | External URL | https://api.deepseek.com | scripts/generate_cards.py:262 |
| Medium | External URL | https://openrouter.ai/api/v1 | scripts/generate_cards.py:265 |
File Tree
3 files · 60.0 KB · 1636 lines
Python: 1 file · 1546 lines
Markdown: 1 file · 86 lines
Text: 1 file · 4 lines
├─ scripts
│  └─ generate_cards.py (Python)
├─ requirements.txt (Text)
└─ SKILL.md (Markdown)
Dependencies 4 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| tavily-python | >=0.5.0 | pip | No | Version constrained |
| openai | >=1.0.0 | pip | No | Version constrained |
| Pillow | >=10.0.0 | pip | No | Version constrained |
| requests | >=2.28.0 | pip | No | Version constrained |
Security Positives
✓ SKILL.md accurately documents all capabilities and API dependencies
✓ subprocess pip install is explicitly declared in SKILL.md step 2
✓ All external network calls go to documented, legitimate API endpoints (Tavily, DeepSeek, OpenRouter, Google Fonts CDN)
✓ No credential harvesting or exfiltration; API keys used only for their intended services
✓ No obfuscation, no base64 executed as code, no reverse shells
✓ Font downloads from github.com/google/fonts (standard Noto Sans), verified and cached
✓ Content safety filters are a positive feature for a children's educational tool
✓ No access to sensitive paths (~/.ssh, ~/.aws, etc.)
✓ Dependencies are standard, reputable Python packages with version constraints