Security Decision Report

video-to-text

The skill has significant doc-to-code mismatch with undeclared shell execution via execSync and undeclared filesystem writes, though the underlying functionality appears legitimate for video transcription.

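Install decision first · Source: manual upload · Scan time: 2026/4/3
Files: 6
IOCs: 4
Over-privileged items: 2
Findings: 4
Most direct threat evidence

Why this conclusion was reached

1 of 4 dimensions triggered
Block
Declared vs. actual capabilities

Found 2 capabilities or over-privileged behaviors beyond what is declared.

Review
Hidden execution and outbound connections

Extracted 4 general-risk artifacts; these need to be judged in context.

Pass
Attack chain and high-severity findings

No clear malicious path was formed.

Pass
Dependency and supply-chain hygiene

A dependency structure exists, but no obvious high-severity alerts have been seen so far.

How the risk score was raised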

Undeclared shell execution +20

SKILL.md does not mention execSync usage in tool.js; only declares the video_to_text tool interface

Undeclared filesystem writes +10

Downloads files to os.tmpdir() without declaring filesystem:WRITE capability

Command injection risk pattern +10

execSync(args.join(' ')) pattern is dangerous; args are joined to string before execution

Hidden credential handling +5

Python script accepts --api-key for AssemblyAI but not declared in SKILL.md

Key evidence

Medium

Undeclared subprocess execution via execSync

tool.js uses child_process.execSync() to execute shell commands but SKILL.md only declares the tool interface without mentioning this implementation detail.

tool.js:24
Declare shell:WRITE capability in _meta.json tools section, or refactor to use child_process.spawn() with explicit argument arrays to avoid string injection risk.
Medium

Command injection risk pattern

The execSync(args.join(' ')) pattern joins array elements into a single string before execution. While currently safe (URLs are passed as separate array items), this pattern is fragile and could become exploitable if parameters are modified.

tool.js:24
Use child_process.spawn() with explicit argument array instead of execSync with string joining.
Low

Undeclared filesystem write to temp directory

index.js downloads files to os.tmpdir() using fs.createWriteStream but this filesystem:WRITE usage is not declared in SKILL.md.

index.js:44
Add filesystem:WRITE to declared capabilities in _meta.json or document this behavior in SKILL.md.
Low

Hidden credential parameter in Python script

scripts/video2text.py accepts --api-key parameter for AssemblyAI but this capability is not documented in SKILL.md.

scripts/video2text.py:64
Document API key support in SKILL.md or remove if not needed.

Declared capabilities vs. actual capabilities

Network access: Pass
Declared: READ
Inferred: READ
SKILL.md mentions API calls to api.myshell.ai and api.openai.com
Command execution: Block
Declared: NONE
Inferred: WRITE
tool.js:24 - execSync(args.join(' '))
Filesystem: Block
Declared: NONE
Inferred: WRITE
index.js:44 - fs.createWriteStream(tempFile), index.js:103 - fs.unlink()
Environment variables: Pass
Declared: NONE
Inferred: NONE
No os.environ access detected

Suspicious artifacts and outbound connections

Medium · External URL
https://api.myshell.ai/v1/audio/transcriptions

SKILL.md:53

Medium · External URL
https://api.assemblyai.com/v2/upload

scripts/video2text.py:49

Medium · External URL
https://api.assemblyai.com/v2/transcript

scripts/video2text.py:58

Medium · External URL
https://api.assemblyai.com/v2/transcript/

scripts/video2text.py:69

Dependencies and supply chain

Package · Version · Source · Vulnerabilities · Notes
node system system Required runtime, no vulnerability scanning applicable

File composition

6 files · 602 lines
JavaScript: 2 files · 328 lines
Python: 1 file · 141 lines
JSON: 2 files · 70 lines
Markdown: 1 file · 63 lines
Files needing attention · 4
index.js JavaScript · 252 lines
Undeclared filesystem write to temp directory
scripts/video2text.py Python · 141 lines
Hidden credential parameter in Python script · https://api.assemblyai.com/v2/upload · https://api.assemblyai.com/v2/transcript · https://api.assemblyai.com/v2/transcript/
SKILL.md Markdown · 63 lines
https://api.myshell.ai/v1/audio/transcriptions
tool.js JavaScript · 76 lines
Undeclared subprocess execution via execSync · Command injection risk pattern
Other files · _meta.json · package.json

Security highlights

No evidence of credential exfiltration or data theft
No base64-encoded payloads or obfuscated code
No attempts to access ~/.ssh, ~/.aws, or other sensitive paths
No curl|bash remote script execution
No hidden instructions in comments or HTML
Legitimate video transcription functionality with documented API endpoints
Proper file cleanup after processing (fs.unlink)