Trusted (risk score 5/100)
Last scan: 1 day ago
meitu-carousel
Xiaohongshu carousel set generator: one-click generation of a cover plus inner pages in a consistent style
A legitimate image carousel generation skill using meitu-cli with clear documentation, fully declared capabilities, and no malicious indicators.
Skill name: meitu-carousel
Analysis time: 27.5s
Engine: pi
Verdict: safe to install
This skill is safe to use. Consider pinning meitu-cli to a specific version in production for reproducibility: a global `npm install -g` is not covered by a project lockfile, so the version given on the command line is the only pin.

Security findings (1)

Severity: Low
Finding: Unpinned npm package dependency (supply chain)
Location: SKILL.md:22
Details: meitu-cli is installed without version pinning (`npm install -g meitu-cli`), so any future release of the package, including a breaking one, is pulled in automatically on the next install.
Evidence: Install: `npm install -g meitu-cli`
Recommendation: pin to a specific version: `npm install -g meitu-cli@<version>`
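The finding above is a pattern check over the skill's install instructions. The following Python script is an added example, not part of the scan report or of the meitu-carousel skill: it scans a SKILL.md-style text for `npm install` commands and reports package specs that are not pinned to an exact version, with the line number of each hit in the same `SKILL.md:22` style the report uses. The sample document and every version number in it are constructed. Semver ranges (`^`, `~`), dist-tags such as `latest`, and bare package names are all treated as unpinned, which matches the `*` shown in the dependency table below.

```python
import re

# Constructed sample SKILL.md excerpt (hypothetical; not the real file).
# Line 5 mirrors the unpinned install the report flags; the other lines
# show the pinned form and two further unpinned forms.
SAMPLE_SKILL_MD = """\
# meitu-carousel

## Setup

Install: `npm install -g meitu-cli`

Pinned alternative: `npm install -g meitu-cli@1.4.2`
Range (still unpinned): `npm install -g meitu-cli@^1.4.0`
Scoped, tagged: `npm install @scope/tool@latest`
"""

# Matches `npm install ...`, `npm i ...` and `npm add ...`; the rest of the
# line holds the flags and package specs.
NPM_INSTALL_RE = re.compile(r"\bnpm\s+(?:install|i|add)\b(?P<rest>.*)")

# Exact semver only: MAJOR.MINOR.PATCH with an optional pre-release/build suffix.
EXACT_SEMVER_RE = re.compile(r"\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?")


def parse_npm_specs(rest):
    """Return the package specs from an npm install argument string, skipping flags."""
    specs = []
    for tok in rest.split():
        tok = tok.strip("`'\",;)")  # drop markdown/code-span punctuation around the spec
        if not tok or tok.startswith("-"):
            continue
        specs.append(tok)
    return specs


def is_pinned(spec):
    """True only if the spec names an exact version (e.g. pkg@1.2.3 or @scope/pkg@1.2.3)."""
    name, sep, version = spec.rpartition("@")
    # No '@' at all, or the only '@' is the scope prefix of '@scope/name': no version given.
    if not sep or not name:
        return False
    # Ranges (^1.4.0, ~1.4.0, 1.x), dist-tags (latest, next) and '*' are not pins.
    return EXACT_SEMVER_RE.fullmatch(version) is not None


def find_unpinned_installs(text):
    """Return [(line_number, spec), ...] for every npm install spec that is not pinned."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = NPM_INSTALL_RE.search(line)
        if not m:
            continue
        for spec in parse_npm_specs(m.group("rest")):
            if not is_pinned(spec):
                findings.append((lineno, spec))
    return findings


if __name__ == "__main__":
    for lineno, spec in find_unpinned_installs(SAMPLE_SKILL_MD):
        print(f"SKILL.md:{lineno}: unpinned npm package spec '{spec}'")
```

Pinning by exact version makes the install reproducible but does not by itself verify what the registry serves; for a global install there is no lockfile with an integrity hash, so the version string is the only control the skill author can put in SKILL.md.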
Permission consistency

| Resource type | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ | ✓ consistent | SKILL.md:12-14 declares file_read for credentials.json and workspace |
| Filesystem | WRITE | WRITE | ✓ consistent | SKILL.md:13 declares file_write for workspace/visual/ |
| Command execution | WRITE | WRITE | ✓ consistent | SKILL.md:15-16 declares exec for the meitu command |

Directory structure

3 files · 26.3 KB · 426 lines
Markdown: 3 files · 426 lines
├─ 📁 references
│ ├─ 📝 memory-protocol.md Markdown 82L · 2.8 KB
│ └─ 📝 xiaohongshu-cover.md Markdown 67L · 7.6 KB
└─ 📝 SKILL.md Markdown 277L · 15.8 KB

Dependency analysis (1)

| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| meitu-cli | * | npm | | Version not pinned |

Security highlights

✓ Comprehensive SKILL.md documentation with clear capability declarations
✓ No obfuscated code, base64 payloads, or suspicious shell patterns
✓ All credential access explicitly declared (MEITU_OPENAPI_ACCESS_KEY, MEITU_OPENAPI_SECRET_KEY)
✓ File operations scoped to specific user directories with no sensitive path access
✓ No data exfiltration or C2 communication detected
✓ Uses a legitimate commercial API (Meitu AI Open Platform)
✓ No credential harvesting beyond declared API keys
✓ Clean file tree with no binary or hidden scripts