中文 EN

Scan Report

Scan New Files

Low Risk — Risk Score 20/100
Last scan:1 day ago Rescan
20 /100
Memelord
AI-powered meme generation, meme editing, meme video generation via Memelord API
The Memelord skill is a legitimate meme generation tool with no malicious behavior; the pre-scan flagged base64 decoding is standard image data URI handling, not obfuscation.
Skill NameMemelord
Duration49.4s
Enginepi
Safe to install
Approve for use. Consider documenting filesystem write scope (--out, --png paths) and shell usage in SKILL.md to eliminate the documentation gap.

Findings 1 items

Severity Finding Location
Low
Undeclared filesystem write scope in SKILL.md Doc Mismatch
SKILL.md declares filesystem:READ+WRITE implicitly via allowed-tools mapping, but does not explicitly enumerate that scripts write JSON responses, PNG files, and temp files to user-specified paths. This is a documentation clarity gap rather than hidden functionality, as the write operations are evident in the script contents and are standard for this tool's purpose.
SKILL.md lists bins: [node, curl, realpath] and primaryEnv: MEMELORD_API_KEY but omits the explicit write destinations
→ Add to SKILL.md under 'Executable scripts': 'Scripts write JSON responses to --out paths and decoded PNGs to --png paths. Temp files are created via mktemp and cleaned up via trap.'
 SKILL.md:1
ResourceDeclaredInferredStatusEvidence
Shell WRITE WRITE ✓ Aligned Bash scripts using node - <<'NODE' for JSON construction, curl for HTTP, mktemp …
Filesystem READ+WRITE READ+WRITE ✓ Aligned Writes JSON responses to --out paths, writes PNG files to --png paths, reads JSO…
Network READ READ ✓ Aligned HTTPS GET/POST to api.memelord.com only; no direct IP connections
Environment READ (MEMELORD_API_KEY only) READ (MEMELORD_API_KEY only) ✓ Aligned Only reads MEMELORD_API_KEY; no iteration through os.environ or credential harve…
1 Critical 9 findings
🔒
Critical Encoded Execution Base64 编码执行(代码混淆)
Buffer.from(m[2], 'base64'
scripts/ai-meme.sh:127
🔗
Medium External URL 外部 URL
https://memelord.com
SKILL.md:6
🔗
Medium External URL 外部 URL
https://www.memelord.com/docs
SKILL.md:10
🔗
Medium External URL 外部 URL
https://www.memelord.com/docs.
SKILL.md:114
🔗
Medium External URL 外部 URL
https://www.memelord.com/api/v1/ai-meme/edit
scripts/ai-meme-edit.sh:119
🔗
Medium External URL 外部 URL
https://www.memelord.com/api/v1/ai-meme
scripts/ai-meme.sh:77
🔗
Medium External URL 外部 URL
https://www.memelord.com/api/v1/ai-video-meme/edit
scripts/ai-video-meme-edit.sh:91
🔗
Medium External URL 外部 URL
https://www.memelord.com/api/v1/ai-video-meme
scripts/ai-video-meme.sh:79
🔗
Medium External URL 外部 URL
https://www.memelord.com/api/video/render/remote?jobId=$(node
scripts/video-render-remote.sh:53

File Tree

11 files · 27.1 KB · 972 lines
Shell 9f · 852L Markdown 1f · 114L JSON 1f · 6L
├─ 📁 scripts
│ ├─ 🔧 ai-meme-edit.sh Shell 156L · 4.7 KB
│ ├─ 🔧 ai-meme.sh Shell 157L · 4.4 KB
│ ├─ 🔧 ai-video-meme-edit.sh Shell 97L · 2.6 KB
│ ├─ 🔧 ai-video-meme.sh Shell 85L · 2.3 KB
│ ├─ 🔧 render.sh Shell 148L · 4.0 KB
│ ├─ 🔧 verify-webhook.sh Shell 69L · 1.6 KB
│ └─ 🔧 video-render-remote.sh Shell 65L · 1.5 KB
├─ 🔧 _env.sh Shell 11L · 331 B
├─ 📋 _meta.json JSON 6L · 128 B
├─ 🔧 memelord.sh Shell 64L · 1.3 KB
└─ 📝 SKILL.md Markdown 114L · 4.4 KB

Security Positives

✓ No credential theft: only MEMELORD_API_KEY is read from environment, no iteration through os.environ
✓ No data exfiltration: all network traffic is exclusively to api.memelord.com over HTTPS
✓ No reverse shell or C2: no socket listeners, no external IP connections beyond the declared API endpoint
✓ No obfuscation: base64 decoding (Buffer.from) is used exclusively for decoding image data URIs returned by the API — this is standard and necessary for saving meme images
✓ No supply chain risk: no external package dependencies (pip/npm), only built-in Node.js modules (fs, https, crypto, path)
✓ No sensitive path access: no access to ~/.ssh, ~/.aws, or other credential directories
✓ No remote script execution: no curl|bash or wget|sh patterns