Scan Report
5 /100
z-image
Generate images using the Z-Image lightweight text-to-image API
A legitimate text-to-image generation skill with properly documented behavior, no malicious indicators, and credentials handled through standard dotfile patterns.
Safe to install
No action required. The skill is safe to use. Consider pinning the API key storage to a more secure vault if available.
Findings 2 items
| Severity | Finding | Location |
|---|---|---|
| Low | Plaintext credential storage | scripts/set_key.sh:12 |
| Low | API endpoint is a domain, not an IP | SKILL.md:102 |

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ | ✓ Aligned | SKILL.md lines 71-78 describe .env file read/write |
| Network | READ | READ | ✓ Aligned | SKILL.md line 102 declares https://agent.mathmind.cn/minimalist/api/tywx/zImage |
| Shell | WRITE | WRITE | ✓ Aligned | SKILL.md lines 189-191 document scripts/generate.sh and scripts/set_key.sh |
External URLs 1 finding

| Severity | Finding | URL | Location |
|---|---|---|---|
| Medium | External URL | https://agent.mathmind.cn/minimalist/api/tywx/zImage | SKILL.md:102 |

File Tree
4 files · 12.3 KB · 465 lines (Markdown: 2 files · 292 lines; Shell: 2 files · 173 lines)

├─ references/
│  └─ api-guide.md (Markdown)
├─ scripts/
│  ├─ generate.sh (Shell)
│  └─ set_key.sh (Shell)
└─ SKILL.md (Markdown)
Security Positives
✓ SKILL.md accurately describes all functionality including credential storage and API usage
✓ Shell scripts use set -euo pipefail for safe error handling
✓ API key is masked in logs per documentation requirements
✓ chmod 600 applied to credential file for owner-only access
✓ No base64, eval, or dynamic code execution patterns found
✓ No exfiltration of credentials or sensitive data detected
✓ Input validation present for prompt, size format, and count
✓ Scripts match documentation exactly