st-ent-mcp 安全扫描报告 — 低风险 | ClawSafe

10 /100

st-ent-mcp

Search 699pic enterprise photo/video assets, check download records, and generate download links through the local 699pic OpenAPI integration

This is a legitimate 699pic enterprise stock media asset search skill with proper credential handling via environment variables and no malicious indicators.

技能名称st-ent-mcp

分析耗时24.7s

引擎pi

✓

可以安装

This skill is safe to use. Ensure SERVICE_API_KEY is sourced from your own environment, not shared credentials.

资源类型	声明权限	推断权限	状态	证据
文件系统	`NONE`	`NONE`	—	No filesystem access in openapi.js
网络访问	`READ`	`READ`	✓ 一致	POST requests to SERVICE_API_BASE_URL for asset search
命令执行	`WRITE`	`WRITE`	✓ 一致	Shell wrappers use mcporter, declared in SKILL.md
环境变量	`READ`	`READ`	✓ 一致	Reads SERVICE_API_KEY and SERVICE_API_BASE_URL

1 项发现

🔗

中危外部 URL 外部 URL

https://pre-st-api.699pic.com

SKILL.md:18

目录结构

6 文件 · 11.4 KB · 336 行

Markdown 2f · 210L JavaScript 1f · 88L Shell 2f · 34L YAML 1f · 4L

├─ ▾ 📁 agents

│ └─ 📋 openai.yaml YAML 4L · 275 B

├─ ▾ 📁 references

│ └─ 📝 api.md Markdown 42L · 1.4 KB

├─ ▾ 📁 scripts

│ ├─ 📜 openapi.js JavaScript 88L · 3.0 KB

│ ├─ 🔧 search_photos.sh Shell 17L · 353 B

│ └─ 🔧 search_videos.sh Shell 17L · 353 B

└─ 📝 SKILL.md Markdown 168L · 6.0 KB

安全亮点

✓ No hardcoded credentials - API key sourced from environment variable only

✓ SKILL.md documentation is comprehensive and matches implementation

✓ No obfuscation or encoded commands detected

✓ No suspicious network patterns (no direct IPs, no C2-style communication)

✓ Proper error handling with informative messages

✓ Uses native fetch API - no eval or dangerous execution patterns

✓ Configurable base URL prevents vendor lock-in concerns

✓ Download link generation requires explicit asset type and id (no guessing)