中文 EN

扫描报告

扫描新文件

低风险 — 风险评分 20/100
上次扫描:1 天前 重新扫描
20 /100
Memelord
AI-powered meme generation, meme editing, meme video generation via Memelord API
The Memelord skill is a legitimate meme generation tool with no malicious behavior; the pre-scan flagged base64 decoding is standard image data URI handling, not obfuscation.
技能名称Memelord
分析耗时49.4s
引擎pi
可以安装
Approve for use. Consider documenting filesystem write scope (--out, --png paths) and shell usage in SKILL.md to eliminate the documentation gap.

安全发现 1 项

严重性 安全发现 位置
低危
Undeclared filesystem write scope in SKILL.md 文档欺骗
SKILL.md declares filesystem:READ+WRITE implicitly via allowed-tools mapping, but does not explicitly enumerate that scripts write JSON responses, PNG files, and temp files to user-specified paths. This is a documentation clarity gap rather than hidden functionality, as the write operations are evident in the script contents and are standard for this tool's purpose.
SKILL.md lists bins: [node, curl, realpath] and primaryEnv: MEMELORD_API_KEY but omits the explicit write destinations
→ Add to SKILL.md under 'Executable scripts': 'Scripts write JSON responses to --out paths and decoded PNGs to --png paths. Temp files are created via mktemp and cleaned up via trap.'
 SKILL.md:1
资源类型声明权限推断权限状态证据
命令执行 WRITE WRITE ✓ 一致 Bash scripts using node - <<'NODE' for JSON construction, curl for HTTP, mktemp …
文件系统 READ+WRITE READ+WRITE ✓ 一致 Writes JSON responses to --out paths, writes PNG files to --png paths, reads JSO…
网络访问 READ READ ✓ 一致 HTTPS GET/POST to api.memelord.com only; no direct IP connections
环境变量 READ (MEMELORD_API_KEY only) READ (MEMELORD_API_KEY only) ✓ 一致 Only reads MEMELORD_API_KEY; no iteration through os.environ or credential harve…
1 严重 9 项发现
🔒
严重 编码执行 Base64 编码执行(代码混淆)
Buffer.from(m[2], 'base64'
scripts/ai-meme.sh:127
🔗
中危 外部 URL 外部 URL
https://memelord.com
SKILL.md:6
🔗
中危 外部 URL 外部 URL
https://www.memelord.com/docs
SKILL.md:10
🔗
中危 外部 URL 外部 URL
https://www.memelord.com/docs.
SKILL.md:114
🔗
中危 外部 URL 外部 URL
https://www.memelord.com/api/v1/ai-meme/edit
scripts/ai-meme-edit.sh:119
🔗
中危 外部 URL 外部 URL
https://www.memelord.com/api/v1/ai-meme
scripts/ai-meme.sh:77
🔗
中危 外部 URL 外部 URL
https://www.memelord.com/api/v1/ai-video-meme/edit
scripts/ai-video-meme-edit.sh:91
🔗
中危 外部 URL 外部 URL
https://www.memelord.com/api/v1/ai-video-meme
scripts/ai-video-meme.sh:79
🔗
中危 外部 URL 外部 URL
https://www.memelord.com/api/video/render/remote?jobId=$(node
scripts/video-render-remote.sh:53

目录结构

11 文件 · 27.1 KB · 972 行
Shell 9f · 852L Markdown 1f · 114L JSON 1f · 6L
├─ 📁 scripts
│ ├─ 🔧 ai-meme-edit.sh Shell 156L · 4.7 KB
│ ├─ 🔧 ai-meme.sh Shell 157L · 4.4 KB
│ ├─ 🔧 ai-video-meme-edit.sh Shell 97L · 2.6 KB
│ ├─ 🔧 ai-video-meme.sh Shell 85L · 2.3 KB
│ ├─ 🔧 render.sh Shell 148L · 4.0 KB
│ ├─ 🔧 verify-webhook.sh Shell 69L · 1.6 KB
│ └─ 🔧 video-render-remote.sh Shell 65L · 1.5 KB
├─ 🔧 _env.sh Shell 11L · 331 B
├─ 📋 _meta.json JSON 6L · 128 B
├─ 🔧 memelord.sh Shell 64L · 1.3 KB
└─ 📝 SKILL.md Markdown 114L · 4.4 KB

安全亮点

✓ No credential theft: only MEMELORD_API_KEY is read from environment, no iteration through os.environ
✓ No data exfiltration: all network traffic is exclusively to api.memelord.com over HTTPS
✓ No reverse shell or C2: no socket listeners, no external IP connections beyond the declared API endpoint
✓ No obfuscation: base64 decoding (Buffer.from) is used exclusively for decoding image data URIs returned by the API — this is standard and necessary for saving meme images
✓ No supply chain risk: no external package dependencies (pip/npm), only built-in Node.js modules (fs, https, crypto, path)
✓ No sensitive path access: no access to ~/.ssh, ~/.aws, or other credential directories
✓ No remote script execution: no curl|bash or wget|sh patterns