Trusted — Risk Score 5/100
Last scan: 19 hr ago
genai-calling
Unified interface for all AI providers and modalities - text/image/audio/video/embedding workflows with MCP support
This is a documentation-only skill providing instructions for using the genai-calling CLI to interface with various AI model providers. No executable code, malicious patterns, or credential harvesting detected.
Skill Name: genai-calling
Duration: 28.9s
Engine: pi
Safe to install
No action required. This is a legitimate documentation skill. Consider pinning the genai-calling package version in production for reproducibility.

Findings 1 items

Severity | Finding | Location
Low | Package version not pinned (Supply Chain) | SKILL.md:31
The skill uses 'uvx --from genai-calling' without specifying a version, which means it will always fetch the latest version from PyPI. This could introduce unexpected behavior if the package is updated.
uvx --from genai-calling genai
→ Pin the package version for reproducible behavior, e.g., 'uvx --from genai-calling==1.2.3 genai'
Resource | Declared | Inferred | Status | Evidence
Filesystem | NONE | NONE | | No filesystem operations declared or inferred
Network | READ | READ | ✓ Aligned | Skill documents connecting to AI provider APIs (expected behavior)
Shell | WRITE | WRITE | ✓ Aligned | Documents uvx CLI invocations, standard pattern
Environment | READ | READ | ✓ Aligned | Documents .env loading for API credentials (standard pattern)
Skill Invoke | NONE | NONE | | No skill chaining declared
Clipboard | NONE | NONE | | No clipboard access documented
Browser | NONE | NONE | | No browser automation documented
Database | NONE | NONE | | No database access documented
4 findings
Medium | External URL | https://dashscope.aliyuncs.com/compatible-mode/v1 | SKILL.md:122
Medium | External URL | https://ark.cn-beijing.volces.com/api/v3 | SKILL.md:125
Medium | External URL | https://api.tu-zi.com | SKILL.md:127
Medium | External URL | https://api.tu-zi.com/v1 | SKILL.md:128

File Tree

1 files · 9.6 KB · 322 lines
Markdown 1f · 322L
└─ 📝 SKILL.md Markdown 322L · 9.6 KB

Dependencies 1 items

Package | Version | Source | Known Vulns | Notes
genai-calling | latest (unpinned) | PyPI (uvx) | No | Version not pinned - will always fetch latest

Security Positives

✓ Documentation-only skill with no executable code present
✓ No credential harvesting - only documents standard env var loading
✓ No base64, obfuscation, or anti-analysis patterns detected
✓ No sensitive path access (SSH, AWS configs, .env files)
✓ No reverse shell, C2, or data exfiltration patterns
✓ External URLs are legitimate AI provider endpoints (Aliyun, Volcengine, Tu-zi)
✓ Standard package runner (uvx) used for CLI invocation
✓ API credentials managed via standard environment variable pattern