Scan Report
5/100
wechat-cover
Generate WeChat official account cover images with proper 2.35:1 aspect ratio. Supports OpenAI DALL-E and Gemini image generation with customizable styles.
This is a legitimate WeChat cover image generator with no malicious behavior found. All capabilities are declared, dependencies are version-pinned, and no credential theft, data exfiltration, obfuscation, or unauthorized access was detected.
Safe to install
This skill is safe to use. No action required.
Findings 2 items
| Severity | Finding | Location |
|---|---|---|
| Info | Incomplete capability declaration in SKILL.md (Doc Mismatch) | SKILL.md:1 |
| Info | Dependencies declared in inline script header (Supply Chain) | scripts/generate.py:2 |
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | READ | ✓ Aligned | SKILL.md does not mention reading settings.json or its role. However, file reads… |
| Filesystem | NONE | WRITE | ✓ Aligned | SKILL.md usage examples show --output-dir and --filename parameters but does not… |
| Network | NONE | READ | ✓ Aligned | SKILL.md declares OpenAI and Gemini API calls in the Configuration and Requireme… |
| Environment | NONE | READ | ✓ Aligned | SKILL.md declares OPENAI_API_KEY, OPENAI_BASE_URL, and GEMINI_API_KEY environmen… |
| Shell | NONE | NONE | — | No shell execution found. 'uv run' is a Python script runner, not shell executio… |
3 findings
- Medium · External URL: https://your-proxy.com/v1 (SKILL.md:37)
- Medium · External URL: https://platform.openai.com/api-keys (SKILL.md:152)
- Medium · External URL: https://aistudio.google.com/app/apikey (SKILL.md:153)
File Tree
6 files · 33.0 KB · 985 lines (Python 4 files · 818 lines; Markdown 1 file · 153 lines; JSON 1 file · 14 lines)
```
├─ scripts/
│  ├─ gemini_client.py   (Python)
│  ├─ generate.py        (Python)
│  ├─ image_client.py    (Python)
│  └─ openai_client.py   (Python)
├─ settings.json         (JSON)
└─ SKILL.md              (Markdown)
```
Dependencies 3 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| openai | >=1.12.0 | inline script header | No | Lower-bound pin; should consider exact version pin |
| pillow | >=10.0.0 | inline script header | No | Lower-bound pin; well-established image processing library |
| google-genai | >=0.8.0 | inline script header | No | Lower-bound pin; Google's official Gemini SDK |
Security Positives
✓ All dependencies are declared with version constraints in the inline script header
✓ API keys are only used to authenticate with the intended provider — no credential exfiltration
✓ No shell execution, subprocess, os.system, or any form of command injection
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, etc.)
✓ No obfuscation (no base64 decode + execute patterns, no eval, no dynamic code generation)
✓ No supply chain threats — all packages are from well-known, established sources (openai, pillow, google-genai)
✓ No C2 communication or data exfiltration — network calls are exclusively to documented AI provider APIs
✓ Image output is user-controlled and limited to the specified output directory
✓ Settings.json contains only placeholder API keys (not real credentials)
✓ Clean code with no suspicious patterns, hidden functionality, or shadow features
✓ Error handling is appropriate and does not leak sensitive information