Skill Trust Decision

personal-voice-generator

Most direct threat evidence: SKILL.md claims that processing is "completed locally, nothing is uploaded", but the code actually uploads the user's audio files to Alibaba Cloud OSS. The documentation is deceptive.

Source: ClawHub · Scanned: 5 days ago
Files: 4 · Artifacts: 9 · Violations: 1 · Findings: 2

Why this conclusion was reached

1/4 dimensions flagged

Block · Declared vs actual capability: 1 undeclared or violating capability was inferred.
Review · Hidden execution and egress: 9 lower-risk artifacts were extracted and still need context.
Pass · Attack chain and severe findings: there is no explicit malicious chain in the report.
Review · Dependencies and supply chain hygiene: 1 dependency or supply-chain issue needs attention.

What drove the risk score up

Documentation claims do not match actual behaviour: +25
SKILL.md declares that "voice samples and synthesis operations are all completed locally and not uploaded", but the upload_file() function uploads audio to Alibaba Cloud OSS.

Undeclared network write operation: +10
The WRITE operation that uploads files to an external OSS is not declared under permissions.

Most important evidence

Medium · Doc Mismatch
Documentation claims "completed locally, not uploaded", which does not match actual behaviour
SKILL.md explicitly states that "all voice samples and synthesis operations are completed locally; no user data is uploaded, stored, or leaked", but the upload_file() function (lines 52-75) POSTs the user-supplied local audio file as multipart/form-data to an external Alibaba Cloud OSS endpoint (kocgo-ai-sales-test.oss-cn-hangzhou.aliyuncs.com). This is a textbook case of shadow functionality.
Location: scripts/voice_clone.py:52
Recommendation: update permissions.network and description in SKILL.md to state explicitly that "local audio files must be uploaded to the speech-synthesis provider's OSS storage to obtain an accessible URL".

Low · Sensitive Access
Reads environment variables and a .env file to obtain the API key
The get_api_key() function (lines 24-45) walks environment variables and the .env file to read AI_ARTIST_TOKEN. This is a normal way to obtain credentials, but it is not declared in SKILL.md.
Location: scripts/voice_clone.py:24
Recommendation: add a note under permissions that an API key environment variable must be configured.

Declared capability vs actual capability

Network · Block · Declared: READ · Inferred: WRITE · voice_clone.py:52 POSTs a local file to an external OSS
Filesystem · Pass · Declared: WRITE · Inferred: WRITE · voice_clone.py:180-198 downloads audio into a local directory

Suspicious artifacts and egress

Medium · External URL · https://ai.deepsop.com/prod-api · references/api.md:5
Medium · External URL · https://ai.deepsop.com/login?source=2 · references/api.md:10
Medium · External URL · https://ai.deepsop.com/register?source=2 · references/api.md:11
Medium · External URL · https://kocgo-ai-sales-test.oss-cn-hangzhou.aliyuncs.com/timbre/100/1773663443610_c8733ade.mp3 · references/api.md:53
Medium · External URL · https://kocgo-ai-sales-test.oss-cn-hangzhou.aliyuncs.com/timbre/100/xxx.mp3 · references/api.md:104
Medium · External URL · https://kocgo-ai-sales-test.oss-cn-hangzhou.aliyuncs.com/timbre/100/1775109577087_813ce67c.mp3 · references/api.md:137
Medium · External URL · https://kocgo-ai-sales-test.oss-cn-hangzhou.aliyuncs.com/voice_clone/1/3c48a33a-8bdb-4272-81c4-b5607a19928c.mp3 · references/api.md:186
Medium · External URL · https://ai.deepsop.com/prod-api/system/fileUpload/upload · references/api.md:219
Medium · External URL · https://kocgo-ai-sales-test.oss-cn-hangzhou.aliyuncs.com/material/100/6f5a70ba-cb60-4474-a579-ef5326037b5c.mp3 · references/api.md:231

Dependencies and supply chain

Package · Version · Source · Known vuln · Notes
requests · * · pip · No · No version pin, but it is a general-purpose HTTP library

File composition

4 files · 701 lines
Python: 1 file · 392 lines · Markdown: 3 files · 309 lines
Files of concern · 2
scripts/voice_clone.py · Python · 392 lines
Documentation claims "completed locally, not uploaded" but actual behaviour differs · Reads environment variables and a .env file to obtain the API key
references/api.md · Markdown · 279 lines
9 external URLs (the same URLs listed under Suspicious artifacts and egress above)
Other files · README.md · SKILL.md

Security positives

Code structure is clear, with no obfuscation or covert execution
API calls use the standard requests library; no malicious dependencies
The file-download feature matches the "saved locally" claim
No reverse shell, credential harvesting, or other active attack behaviour