Trusted — Risk Score 5/100
Last scan: 1 day ago
meitu-carousel
Xiaohongshu carousel set generator: one-click generation of a carousel image set with a cover and inner pages in a consistent style
A legitimate image carousel generation skill using meitu-cli with clear documentation, fully declared capabilities, and no malicious indicators.
Skill Name: meitu-carousel
Duration: 27.5s
Engine: pi
Safe to install
This skill is safe to use. Consider pinning meitu-cli to a specific version in production for reproducibility.

Findings (1 item)

Severity | Finding | Location
Low | Unpinned npm package dependency | Supply Chain

meitu-cli is installed globally without a version pin (`npm install -g meitu-cli`). A global install does not consult a project lockfile, so each install resolves whatever the `latest` dist-tag points to at that moment: a breaking (or compromised) release would be picked up automatically, and the skill's behaviour could differ from one install to the next.
Evidence: `npm install -g meitu-cli` (SKILL.md:22)
→ Pin to a specific version: `npm install -g meitu-cli@<version>`, substituting the exact release you have tested
Resource | Declared | Inferred | Status | Evidence
Filesystem | READ | READ | ✓ Aligned | SKILL.md:12-14 declares file_read for credentials.json and workspace
Filesystem | WRITE | WRITE | ✓ Aligned | SKILL.md:13 declares file_write for workspace/visual/
Shell | WRITE | WRITE | ✓ Aligned | SKILL.md:15-16 declares exec for the meitu command

File Tree

3 files · 26.3 KB · 426 lines
Markdown 3f · 426L
├─ 📁 references
│ ├─ 📝 memory-protocol.md Markdown 82L · 2.8 KB
│ └─ 📝 xiaohongshu-cover.md Markdown 67L · 7.6 KB
└─ 📝 SKILL.md Markdown 277L · 15.8 KB

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
meitu-cli | * | npm | No | Version not pinned
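The single Low finding and the `*` version in the dependency table come from the same check: a global npm install whose version is not an exact release. The following is an added example of how such a check can be implemented; it is not the scanner's code and not part of the meitu-carousel skill. The SKILL.md text it scans is constructed for the example, and the packages `@meitu/cli` and `some-dev-helper` in it are hypothetical. It treats only an exact semver version as pinned, because `npm install -g` does not consult a lockfile, so ranges and dist-tags such as `latest` are resolved again at every install.

```python
"""Flag `npm install -g <pkg>` commands in a SKILL.md that do not pin an exact version.

Added example, not the scanner's own code. SAMPLE_SKILL_MD is constructed for
the example; every package in it other than meitu-cli is hypothetical.
"""
import re
import shlex
from typing import NamedTuple


class GlobalInstall(NamedTuple):
    line_no: int   # 1-based line in the scanned text
    package: str   # package name; scoped names keep their @scope/ prefix
    spec: str      # version spec after the last '@', '' when absent
    pinned: bool   # True only for an exact semver such as 1.4.2
    reason: str    # why the spec is or is not considered pinned


# 'npm install', 'npm i' or 'npm add', followed by the rest of the command
# (stops at a closing backtick so markdown inline code is handled).
_NPM_INSTALL = re.compile(r"\bnpm\s+(?:install|i|add)\b(?P<rest>[^`\n]*)")
_EXACT_SEMVER = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$")


def split_spec(token):
    """Split 'name@spec' into (name, spec); a leading '@' is a scope, not a spec."""
    at = token.rfind("@")
    if at <= 0:                      # no '@', or only the scope's leading '@'
        return token, ""
    return token[:at], token[at + 1:]


def classify_spec(spec):
    """Return (pinned, reason) for an npm version spec."""
    if spec == "":
        return False, "no version: resolves to the 'latest' dist-tag at install time"
    if _EXACT_SEMVER.match(spec):
        return True, "exact semver"
    if spec[0].isdigit() or spec[0] in "^~><=*" or spec.endswith(".x"):
        return False, "semver range: the newest matching release is chosen at install time"
    if spec.startswith("npm:") or "/" in spec or "://" in spec:
        return False, "alias, git or URL spec: review separately"
    return False, f"dist-tag '{spec}' can be repointed to a new release by the publisher"


def find_global_installs(text):
    """Return every `npm install -g` / `--global` command found in text, pinned or not."""
    found = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in _NPM_INSTALL.finditer(line):
            try:
                tokens = shlex.split(m.group("rest"))
            except ValueError:           # unbalanced quotes: fall back to whitespace split
                tokens = m.group("rest").split()
            if not {"-g", "--global"} & set(tokens):
                continue                 # project-local installs are out of scope here
            for tok in tokens:
                if tok.startswith("-"):
                    continue             # flags are not package names
                name, spec = split_spec(tok)
                pinned, reason = classify_spec(spec)
                found.append(GlobalInstall(line_no, name, spec, pinned, reason))
    return found


def unpinned_findings(text):
    """One Low finding, in the report's wording, per unpinned global install."""
    return [
        f"Low: unpinned npm package dependency {g.package} "
        f"(line {g.line_no}): {g.reason}"
        for g in find_global_installs(text) if not g.pinned
    ]


# Constructed sample, not the skill's real SKILL.md.
SAMPLE_SKILL_MD = """\
# meitu-carousel (constructed sample)
Install: `npm install -g meitu-cli`
Or: `npm i --global meitu-cli@latest`
Pinned: `npm install -g meitu-cli@1.4.2`
Scoped (hypothetical package): `npm install -g @meitu/cli@^2.0.0`
Project-local, ignored by this check: `npm install some-dev-helper`
"""

if __name__ == "__main__":
    for finding in unpinned_findings(SAMPLE_SKILL_MD):
        print(finding)
```

Run against the sample, `unpinned_findings` reports lines 2, 3 and 5 and accepts only line 4. Pinning fixes which release is fetched; it does not verify the tarball itself, which a recorded integrity hash (the `dist.integrity` value npm publishes in the registry metadata) would.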

Security Positives

✓ Comprehensive SKILL.md documentation with clear capability declarations
✓ No obfuscated code, base64 payloads, or suspicious shell patterns
✓ All credential access explicitly declared (MEITU_OPENAPI_ACCESS_KEY, MEITU_OPENAPI_SECRET_KEY)
✓ File operations scoped to the declared paths (workspace, workspace/visual/ and the skill's own credentials.json), with no access to paths outside them
✓ No data exfiltration or C2 communication detected
✓ Uses a legitimate commercial API (Meitu AI Open Platform)
✓ No credential harvesting beyond declared API keys
✓ Clean file tree with no binary or hidden scripts