Scan Report
Score: 5 / 100
z-image
Generate images using the Z-Image lightweight text-to-image API
A legitimate text-to-image generation skill with properly documented behavior, no malicious indicators, and credentials handled through standard dotfile patterns.
Can be installed
No action required. The skill is safe to use. Consider pinning the API key storage to a more secure vault if available.
Security findings: 2
| Severity | Finding | Location |
|---|---|---|
| Low | Plaintext credential storage | scripts/set_key.sh:12 |
| Low | API endpoint is a domain, not an IP | SKILL.md:102 |
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | READ | READ | ✓ Consistent | SKILL.md lines 71-78 describe .env file read/write |
| Network access | READ | READ | ✓ Consistent | SKILL.md line 102 declares https://agent.mathmind.cn/minimalist/api/tywx/zImage |
| Command execution | WRITE | WRITE | ✓ Consistent | SKILL.md lines 189-191 document scripts/generate.sh and scripts/set_key.sh |
1 finding
| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://agent.mathmind.cn/minimalist/api/tywx/zImage | SKILL.md:102 |

Directory structure
4 files · 12.3 KB · 465 lines (Markdown: 2 files · 292 lines; Shell: 2 files · 173 lines)
├─ references
│  └─ api-guide.md (Markdown)
├─ scripts
│  ├─ generate.sh (Shell)
│  └─ set_key.sh (Shell)
└─ SKILL.md (Markdown)
Security highlights
✓ SKILL.md accurately describes all functionality including credential storage and API usage
✓ Shell scripts use set -euo pipefail for safe error handling
✓ API key is masked in logs per documentation requirements
✓ chmod 600 applied to credential file for owner-only access
✓ No base64, eval, or dynamic code execution patterns found
✓ No exfiltration of credentials or sensitive data detected
✓ Input validation present for prompt, size format, and count
✓ Scripts match documentation exactly