Trusted — Risk score 5/100
Last scanned: 19 hours ago
ai-image-generator
An asynchronous AI image and video generation skill that calls the AI Artist API to generate images or videos from text prompts.
The skill is a legitimate AI image/video generator that makes authenticated API calls to staging.kocgo.vip for content generation. No malicious behavior, credential theft, or undeclared capabilities were found.
Skill name: ai-image-generator
Analysis time: 38.0s
Engine: pi
Safe to install
No action needed. The skill is safe to use as documented.
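| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Network access | READ | READ | ✓ Consistent | scripts/generate_image.py:23-24 BASE_URL and FEISHU_WEBHOOK_URL |
| Environment variables | READ | READ | ✓ Consistent | scripts/generate_image.py:25-27 reads AI_ARTIST_TOKEN and FEISHU_WEBHOOK_URL |
| File system | WRITE | WRITE | ✓ Consistent | scripts/generate_image.py:68-83 download_image() saves to user-specified directo… |
| Command execution | NONE | NONE | | No subprocess or shell execution found |
| Skill invocation | NONE | NONE | | No skill_invoke usage detected |
| Clipboard | NONE | NONE | | No clipboard access |
| Browser | NONE | NONE | | No browser automation |
| Database | NONE | NONE | | No database access |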
6 findings

| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://staging.kocgo.vip/index | README.md:9 |
| Medium | External URL | https://open.feishu.cn/open-apis/bot/v2/hook/xxx | SKILL.md:340 |
| Medium | External URL | https://staging.kocgo.vip/stage-api/ai/AiArtistRecord | references/api.md:103 |
| Medium | External URL | https://staging.kocgo.vip/stage-api/ai/AiArtistImage/getInfoByArtistId/ | references/api.md:123 |
| Medium | External URL | https://your-cdn.com/image.png | references/feishu-integration.md:84 |
| Medium | External URL | https://staging.kocgo.vip/stage-api/ai | scripts/generate_image.py:22 |

Directory structure

6 files · 43.6 KB · 1439 lines
Markdown: 5 files, 771 lines · Python: 1 file, 668 lines
├─ 📁 references
│ ├─ 📝 api.md Markdown 125L · 3.0 KB
│ ├─ 📝 chat-integration.md Markdown 69L · 1.8 KB
│ └─ 📝 feishu-integration.md Markdown 159L · 4.2 KB
├─ 📁 scripts
│ └─ 🐍 generate_image.py Python 668L · 23.7 KB
├─ 📝 README.md Markdown 72L · 1.5 KB
└─ 📝 SKILL.md Markdown 346L · 9.4 KB

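Dependency analysis: 1 item

| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| requests | * | pip | | Version not pinned but widely-used library |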

Security highlights

✓ No shell execution or subprocess usage - only uses requests library for HTTP
✓ No credential theft or exfiltration - API key only sent to legitimate API endpoint
✓ No sensitive path access (~/.ssh, ~/.aws, .env)
✓ No obfuscation techniques (base64 decode, eval, atob)
✓ No hidden functionality - all capabilities match documentation
✓ Safe file handling using pathlib with proper directory creation
✓ API key scoped to intended purpose (X-Api-Key header to kocgo.vip)
✓ Feishu webhook is optional and user-configured
✓ No remote code execution vectors detected