Low risk: risk score 15/100
Last scan: 2 days ago
voice-minimax
A skill that generates speech with MiniMax TTS and sends the audio via Feishu (Lark)
A straightforward voice generation skill with all capabilities declared in documentation; minor issue with placeholder credentials in code.
Skill name: voice-minimax
Analysis time: 23.8s
Engine: pi
Verdict: installable
This skill is safe to use. Consider documenting that users should never commit actual API keys to version control.

Security findings: 2

Severity | Finding | Location
Low
API key placeholder in inline code
The MiniMax API key is embedded as a string literal '你的MiniMax API Key' in the Python code. While documented as requiring replacement, inline credential storage is poor security hygiene.
MINIMAX_KEY = '你的MiniMax API Key'
→ Recommend documenting that users should use environment variables or a config file for credentials instead of inline strings.
SKILL.md:23
Low
Lark user ID hardcoded
The Feishu user ID is also a placeholder in the documentation, which is acceptable but could be moved to configuration.
--user-id 飞书用户ID
→ Consider allowing user ID to be configured via environment or command-line argument.
SKILL.md:42
Resource type | Declared permission | Inferred permission | Status | Evidence
Network access | READ | READ | ✓ consistent | SKILL.md:31 urllib.request to api.minimaxi.com
Command execution | WRITE | WRITE | ✓ consistent | SKILL.md:24-45 ffmpeg, cp, lark-cli commands
Filesystem | WRITE | WRITE | ✓ consistent | SKILL.md:36-37 writes to /tmp/voice.mp3 and ./voice.opus
Environment variables | NONE | NONE | No environment variable access detected
Skill invocation | NONE | NONE | No skill invocation detected
Clipboard | NONE | NONE | No clipboard access detected
Browser | NONE | NONE | No browser access detected
Database | NONE | NONE | No database access detected
External URLs: 1 finding
Medium | External URL
https://api.minimaxi.com/v1/t2a_v2
SKILL.md:31

Directory structure

1 file · 2.2 KB · 89 lines
Markdown: 1 file · 89 lines
└─ SKILL.md (Markdown, 89 lines, 2.2 KB)

Security highlights

✓ All shell commands (ffmpeg, cp, lark-cli) are explicitly declared in SKILL.md
✓ No hidden functionality or undocumented code execution
✓ No credential harvesting or data exfiltration detected
✓ No base64 encoding, eval(), or other obfuscation techniques
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ Single-purpose tool with clear, auditable workflow
✓ No external script downloads (curl|bash pattern absent)
✓ Filesystem operations are limited to documented /tmp/ and ./ directories