Scan report
5 / 100
xfei-invoice
iFlytek OCR-based invoice and receipt recognition skill
Legitimate iFlytek OCR invoice recognition skill with no malicious behavior detected. The code does exactly what the documentation says: it reads the invoice image the user specifies, signs the request to the declared API with HMAC-SHA256 using the XFEI_* credentials, and returns the OCR result.
Safe to install
This skill is safe to use. Its only secrets are the values read from XFEI_APP_ID, XFEI_API_KEY and XFEI_API_SECRET: keep them out of the repository and the skill's own files, grant the key no more access in the iFlytek console than the invoice-recognition service needs, and rotate it if the environment that holds it is shared with other tools.
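The HMAC-SHA256 authentication the verdict refers to, as an added example that is not invoice.py's code: the client builds the signature over host, RFC 1123 date and request line and sends it base64-encoded, and the API side recomputes it from the secret registered for the api_key. The signing layout follows the pattern iFlytek documents for api.xf-yun.com but is an assumption here, as are the fail-closed credential loader and the replay window; the sample credentials and the key store are constructed.

```python
# Added example, not the skill's own code. Assumed signing scheme:
# signing string = "host: <host>\ndate: <date>\nPOST <path> HTTP/1.1",
# Authorization = base64 of 'api_key="..", algorithm="hmac-sha256",
# headers="host date request-line", signature="<base64 HMAC>"'.
import base64
import hashlib
import hmac
import time
from email.utils import formatdate, parsedate_to_datetime
from typing import Dict, Mapping, Optional
from urllib.parse import urlencode, urlparse

REQUIRED_VARS = ("XFEI_APP_ID", "XFEI_API_KEY", "XFEI_API_SECRET")


def load_credentials(env: Mapping[str, str]) -> Dict[str, str]:
    """Read the three XFEI_* variables and fail closed if any is missing.

    Takes a mapping instead of os.environ directly so it can be tested."""
    creds = {}
    for name in REQUIRED_VARS:
        value = env.get(name, "").strip()
        if not value:
            raise RuntimeError(f"{name} is not set; refusing to sign requests")
        creds[name] = value
    return creds


def _signing_string(host: str, date: str, path: str) -> str:
    # The request line is covered, so a signature for one endpoint cannot
    # be replayed against another path on the same host.
    return f"host: {host}\ndate: {date}\nPOST {path} HTTP/1.1"


def _hmac_b64(secret: str, message: str) -> str:
    digest = hmac.new(secret.encode(), message.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def sign(api_key: str, api_secret: str, url: str, date: str) -> str:
    """Client side: build the base64 Authorization value for one request."""
    u = urlparse(url)
    signature = _hmac_b64(api_secret, _signing_string(u.netloc, date, u.path))
    origin = (f'api_key="{api_key}", algorithm="hmac-sha256", '
              f'headers="host date request-line", signature="{signature}"')
    return base64.b64encode(origin.encode()).decode()


def signed_url(api_key: str, api_secret: str, url: str,
               date: Optional[str] = None) -> str:
    """Attach authorization, date and host as query parameters."""
    if date is None:
        date = formatdate(usegmt=True)  # e.g. "Mon, 01 Jan 2024 00:00:00 GMT"
    auth = sign(api_key, api_secret, url, date)
    host = urlparse(url).netloc
    return f"{url}?{urlencode({'authorization': auth, 'date': date, 'host': host})}"


def verify(secrets: Mapping[str, str], url: str, date: str, authorization: str,
           now: Optional[float] = None, max_skew: float = 300.0) -> bool:
    """API side: recompute the MAC with the secret registered for api_key.

    `secrets` maps api_key -> api_secret (a constructed stand-in for the
    provider's key store). Dates outside +/- max_skew seconds of `now`
    (POSIX time) are rejected so a captured URL cannot be replayed later."""
    try:
        origin = base64.b64decode(authorization, validate=True).decode()
        stamp = parsedate_to_datetime(date).timestamp()
    except (ValueError, TypeError, UnicodeDecodeError):
        return False
    fields = {}
    for part in origin.split(", "):
        key, _, value = part.partition("=")
        fields[key] = value.strip('"')
    if fields.get("algorithm") != "hmac-sha256":
        return False
    secret = secrets.get(fields.get("api_key", ""))
    if secret is None:
        return False
    if abs((time.time() if now is None else now) - stamp) > max_skew:
        return False
    u = urlparse(url)
    expected = _hmac_b64(secret, _signing_string(u.netloc, date, u.path))
    # Constant-time comparison on bytes; never compare MACs with ==.
    return hmac.compare_digest(expected.encode(), fields.get("signature", "").encode())
```

The secret itself is never transmitted, only the MAC over the request, which is why the verdict can treat the credentials as used "for authentication only": a network observer learns the api_key and one signature, not the secret.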
| Resource type | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| File system | READ | READ | ✓ consistent | invoice.py:103-108 reads user-specified image files only |
| Network access | READ | READ | ✓ consistent | invoice.py:130-150 POSTs to declared API endpoint api.xf-yun.com |
| Command execution | NONE | NONE | — | No subprocess or shell execution found |
| Environment variables | READ | READ | ✓ consistent | invoice.py:193-197 reads XFEI_* credentials for API auth only |
| Skill invocation | NONE | NONE | — | No skill-to-skill invocation |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser automation |
| Database | NONE | NONE | — | No database access |
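How a declared-versus-inferred comparison like the table above can be computed, as an added example that is not the scanner's code: a small AST pass maps calls in a Python source to the report's resource categories and then compares the result with the manifest's declared set. The capability table, the two sample sources (one shaped like a well-behaved invoice skill, one with an undeclared subprocess call) and the status labels are constructed for the illustration.

```python
# Added example, not the scanner's logic. Infers resource categories from
# a Python source by resolving call names through import aliases.
import ast
from typing import Dict, List, Set, Tuple

# Fully qualified callable -> category used in the report.
# Constructed table; a real scanner needs a far larger one.
CAPABILITY_OF = {
    "open": "filesystem",
    "pathlib.Path.read_bytes": "filesystem",
    "os.environ": "env",            # os.environ["X"] (subscript form)
    "os.environ.get": "env",
    "os.getenv": "env",
    "urllib.request.urlopen": "network",
    "urllib.request.Request": "network",
    "http.client.HTTPSConnection": "network",
    "socket.socket": "network",
    "subprocess.run": "exec",
    "subprocess.Popen": "exec",
    "subprocess.check_output": "exec",
    "os.system": "exec",
    "os.popen": "exec",
}


def _qualname(node: ast.AST, aliases: Dict[str, str]):
    """Turn `a.b.c` into 'a.b.c', rewriting the root through import aliases."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None  # e.g. urlopen(req).read(): root is a Call, not a name
    parts.append(aliases.get(node.id, node.id))
    return ".".join(reversed(parts))


def infer_permissions(source: str) -> Dict[str, List[str]]:
    """Return {category: [evidence lines]} for every matched call/subscript."""
    tree = ast.parse(source)
    aliases: Dict[str, str] = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:               # import subprocess as sp
                aliases[a.asname or a.name] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:               # from urllib.request import urlopen
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    found: Dict[str, List[str]] = {}
    for node in ast.walk(tree):
        name = None
        if isinstance(node, ast.Call):
            name = _qualname(node.func, aliases)
        elif isinstance(node, ast.Subscript):
            name = _qualname(node.value, aliases)
        cap = CAPABILITY_OF.get(name) if name else None
        if cap:
            found.setdefault(cap, []).append(f"line {node.lineno}: {name}")
    return found


def compare(declared: Set[str], inferred: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """One row per category: consistent, undeclared (used but not declared),
    or unused (declared but no evidence in the code)."""
    rows = []
    for cap in sorted(set(declared) | set(inferred)):
        if cap in declared and cap in inferred:
            status = "consistent"
        elif cap in inferred:
            status = "undeclared"
        else:
            status = "unused"
        rows.append((cap, status))
    return rows


# Constructed sample shaped like a well-behaved OCR skill.
SAMPLE_OK = '''\
import os
from urllib.request import Request, urlopen

def recognise(path):
    with open(path, "rb") as fh:
        image = fh.read()
    key = os.environ["XFEI_API_KEY"]
    secret = os.environ.get("XFEI_API_SECRET")
    req = Request("https://api.xf-yun.com/v1/private/sc45f0684", data=image)
    return urlopen(req).read()
'''

# Same skill plus an aliased subprocess call the manifest does not declare.
SAMPLE_BAD = SAMPLE_OK + '''
import subprocess as sp

def cleanup(path):
    sp.run(["rm", "-f", path])
'''
```

The alias resolution is what makes the pass worth running: `import subprocess as sp` followed by `sp.run(...)` is still reported as `subprocess.run`, which a plain string search for "subprocess.run" would miss.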
3 findings
| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://console.xfyun.cn | SKILL.md:19 |
| Medium | External URL | https://api.xf-yun.com/v1/private/sc45f0684 | SKILL.md:81 |
| Medium | External URL | https://www.xfyun.cn/services/Invoice_recognition?target=price | SKILL.md:98 |
All three URLs are iFlytek-operated (console, the declared API endpoint, and the pricing page) and appear only in SKILL.md, not in code.
Directory structure
3 files · 18.3 KB · 452 lines (Python 1 file · 240 lines; Markdown 1 file · 205 lines; JSON 1 file · 7 lines)
├─ .claude/
│  └─ settings.local.json (JSON)
├─ scripts/
│  └─ invoice.py (Python)
└─ SKILL.md (Markdown)
Security highlights
✓ Uses only the Python standard library; no third-party dependencies that could introduce supply-chain risk
✓ Code is clean, readable, and matches documentation exactly
✓ No obfuscation, base64-encoded payloads, or anti-analysis techniques
✓ No subprocess or shell execution
✓ API credentials used only for authentication to declared endpoint
✓ HMAC-SHA256 request signing is an industry-standard API authentication pattern; the secret is used to compute the signature and is never sent over the network
✓ No sensitive file path access (~/.ssh, ~/.aws, .env)
✓ No credential harvesting or exfiltration behavior
✓ No persistence mechanisms (no cron, startup hooks, or backdoors)
✓ No network connections to unexpected IPs or domains