扫描报告
0 /100
Daily News English Learning Cards
Generate daily news English learning cards with AI-generated comic illustrations for children
This is a legitimate educational content generation tool that fetches news, generates learning cards with AI, and composites final images. No malicious behavior detected.
可以安装
Approve for use. The skill performs exactly what is documented with no hidden functionality.
| 资源类型 | 声明权限 | 推断权限 | 状态 | 证据 |
|---|---|---|---|---|
| 网络访问 | READ | READ | ✓ 一致 | SKILL.md lines 19-21 declares API calls to Tavily, DeepSeek, OpenRouter; code ca… |
| 文件系统 | WRITE | WRITE | ✓ 一致 | SKILL.md declares output to output/daily-news-cards/{date}/; code writes PNG/JSO… |
| 命令执行 | WRITE | WRITE | ✓ 一致 | SKILL.md step 2 documents 'pip install -q'; code uses subprocess.check_call for … |
| 环境变量 | READ | READ | ✓ 一致 | SKILL.md table lists TAVILY_API_KEY, DEEPSEEK_API_KEY, OPENROUTER_API_KEY; code … |
| 技能调用 | NONE | NONE | — | No cross-skill invocation found |
| 剪贴板 | NONE | NONE | — | No clipboard access found |
| 浏览器 | NONE | NONE | — | No browser automation found |
| 数据库 | NONE | NONE | — | No database access found |
5 项发现
中危 外部 URL 外部 URL
https://tavily.com SKILL.md:19 中危 外部 URL 外部 URL
https://platform.deepseek.com SKILL.md:20 中危 外部 URL 外部 URL
https://openrouter.ai SKILL.md:21 中危 外部 URL 外部 URL
https://api.deepseek.com scripts/generate_cards.py:262 中危 外部 URL 外部 URL
https://openrouter.ai/api/v1 scripts/generate_cards.py:265 目录结构
3 文件 · 60.0 KB · 1636 行 Python 1f · 1546L
Markdown 1f · 86L
Text 1f · 4L
├─
▾
scripts
│ └─
generate_cards.py
Python
├─
requirements.txt
Text
└─
SKILL.md
Markdown
依赖分析 4 项
| 包名 | 版本 | 来源 | 已知漏洞 | 备注 |
|---|---|---|---|---|
tavily-python | >=0.5.0 | pip | 否 | Version constrained |
openai | >=1.0.0 | pip | 否 | Version constrained |
Pillow | >=10.0.0 | pip | 否 | Version constrained |
requests | >=2.28.0 | pip | 否 | Version constrained |
安全亮点
✓ SKILL.md accurately documents all capabilities and API dependencies
✓ subprocess pip install is explicitly declared in SKILL.md step 2
✓ All external network calls go to documented, legitimate API endpoints (Tavily, DeepSeek, OpenRouter, Google Fonts CDN)
✓ No credential harvesting or exfiltration; API keys used only for their intended services
✓ No obfuscation, no base64 executed as code, no reverse shells
✓ Font downloads from github.com/google/fonts (standard Noto Sans), verified and cached
✓ Content safety filters are a positive feature for a children's educational tool
✓ No access to sensitive paths (~/.ssh, ~/.aws, etc.)
✓ Dependencies are standard, reputable Python packages with version constraints