Scan Report
10/100
st-ent-mcp
Search 699pic enterprise photo/video assets, check download records, and generate download links through the local 699pic OpenAPI integration
This is a legitimate 699pic enterprise stock media asset search skill with proper credential handling via environment variables and no malicious indicators.
Safe to install
This skill is safe to use. Ensure SERVICE_API_KEY is sourced from your own environment, not shared credentials.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | — | No filesystem access in openapi.js |
| Network | READ | READ | ✓ Aligned | POST requests to SERVICE_API_BASE_URL for asset search |
| Shell | WRITE | WRITE | ✓ Aligned | Shell wrappers use mcporter, declared in SKILL.md |
| Environment | READ | READ | ✓ Aligned | Reads SERVICE_API_KEY and SERVICE_API_BASE_URL |
1 finding
Medium: External URL
https://pre-st-api.699pic.com (SKILL.md:18)
File Tree
6 files · 11.4 KB · 336 lines
Markdown 2f · 210L
JavaScript 1f · 88L
Shell 2f · 34L
YAML 1f · 4L
├─ agents
│  └─ openai.yaml (YAML)
├─ references
│  └─ api.md (Markdown)
├─ scripts
│  ├─ openapi.js (JavaScript)
│  ├─ search_photos.sh (Shell)
│  └─ search_videos.sh (Shell)
└─ SKILL.md (Markdown)
Security Positives
✓ No hardcoded credentials - API key sourced from environment variable only
✓ SKILL.md documentation is comprehensive and matches implementation
✓ No obfuscation or encoded commands detected
✓ No suspicious network patterns (no direct IPs, no C2-style communication)
✓ Proper error handling with informative messages
✓ Uses native fetch API - no eval or dangerous execution patterns
✓ Configurable base URL prevents vendor lock-in concerns
✓ Download link generation requires explicit asset type and id (no guessing)