Name: zhy-article-illustrator Security Report — Trusted | ClawSafe
Item: zhy-article-illustrator
Rating: 95
Author: ClawSafe

This report was generated in Chinese. Some content may be in Chinese.

5 /100

zhy-article-illustrator

为 Markdown 文章自动规划并生成高完成度编辑视觉配图

这是一个合法的文章配图工具，Base64 编解码用于标准图片 API 响应处理，预扫描 IOC 为误报，代码行为与文档声明完全一致，无恶意行为发现。

Skill Namezhy-article-illustrator

Duration50.1s

Enginepi

ClawHub Zhy Article Illustrator v0.1.0 by zhylq

📥 151 📦 1

ClawHub Verdict Suspicious dangerous_execenv_credential_accessllm_suspiciouspotential_exfiltration

✓

Safe to install

可直接使用。该技能功能正常，无安全风险。

Resource	Declared	Inferred	Status	Evidence
Filesystem	`WRITE`	`WRITE`	✓ Aligned	scripts/image-gen.ts:351 writeFileSync(output, imgBuffer)
Network	`READ`	`READ`	✓ Aligned	scripts/image-gen.ts:299 fetch(url, ...) - 仅调用图片生成 API
Shell	`WRITE`	`WRITE`	✓ Aligned	scripts/illustrate-article.ts:180 spawn(process.execPath, [...]) - 正常子进程调用

3 Critical 16 findings

🔒

Critical Encoded Execution Base64 编码执行（代码混淆）

Buffer.from(base64Data, "base64"

scripts/image-gen.ts:338

🔒

Critical Encoded Execution Base64 编码执行（代码混淆）

Buffer.from(imgData, "base64"

scripts/image-gen.ts:374

🔒

Critical Encoded Execution Base64 编码执行（代码混淆）

Buffer.from(item.b64_json, "base64"

scripts/image-gen.ts:460

🔗

Medium External URL 外部 URL

https://your-compatible-endpoint.example/v1beta

SKILL.md:314

🔗

Medium External URL 外部 URL

https://your-relay.example.com/v1beta

SKILL.md:325

🔗

Medium External URL 外部 URL

https://vip.123everything.com/v1beta

scripts/image-gen.ts:215

🔗

Medium External URL 外部 URL

https://cdn.example.com

scripts/qiniu-upload.ts:84

🔗

Medium External URL 外部 URL

https://developer.qiniu.com/kodo/1671/region-endpoint-fq

scripts/qiniu-upload.ts:96

🔗

Medium External URL 外部 URL

https://up-z0.qiniup.com

scripts/qiniu-upload.ts:100

🔗

Medium External URL 外部 URL

https://up-cn-east-2.qiniup.com

scripts/qiniu-upload.ts:101

🔗

Medium External URL 外部 URL

https://up-z1.qiniup.com

scripts/qiniu-upload.ts:102

🔗

Medium External URL 外部 URL

https://up-z2.qiniup.com

scripts/qiniu-upload.ts:103

🔗

Medium External URL 外部 URL

https://up-na0.qiniup.com

scripts/qiniu-upload.ts:104

🔗

Medium External URL 外部 URL

https://up-as0.qiniup.com

scripts/qiniu-upload.ts:105

🔗

Medium External URL 外部 URL

https://up-ap-southeast-2.qiniup.com

scripts/qiniu-upload.ts:106

🔗

Medium External URL 外部 URL

https://up-ap-southeast-3.qiniup.com

scripts/qiniu-upload.ts:107

File Tree

9 files · 108.0 KB · 3403 lines

TypeScript 4f · 2347L Markdown 4f · 1027L JSON 1f · 29L

├─ ▾ 📁 references

│ ├─ 📝 config-schema.md Markdown 227L · 6.3 KB

│ └─ 📝 prompt-guide.md Markdown 336L · 10.8 KB

├─ ▾ 📁 scripts

│ ├─ 📜 illustrate-article.ts TypeScript 537L · 16.6 KB

│ ├─ 📜 image-gen.ts TypeScript 513L · 15.1 KB

│ ├─ 📜 plan-illustrations.ts TypeScript 977L · 32.4 KB

│ └─ 📜 qiniu-upload.ts TypeScript 320L · 10.1 KB

├─ 📝 README.md Markdown 104L · 1.8 KB

├─ 📝 SKILL.md Markdown 360L · 14.2 KB

└─ 📋 tsconfig.json JSON 29L · 713 B

Security Positives

✓ 代码结构清晰，职责单一（规划/生图/上传分离）

✓ 错误处理完善（重试机制、失败跳过不中断）

✓ 仅使用标准 Node.js API 和 fetch，无第三方依赖风险

✓ 七牛云上传使用 HMAC-SHA1 签名，凭证不外泄

✓ API 密钥通过环境变量读取，不硬编码在代码中

✓ SKILL.md 文档详尽，声明了所有功能和环境变量

Scan Report

File Tree

Security Positives