genai-calling 安全扫描报告 — 可信 | ClawSafe

5 /100

genai-calling

Unified interface for all AI providers and modalities - text/image/audio/video/embedding workflows with MCP support

This is a documentation-only skill providing instructions for using the genai-calling CLI to interface with various AI model providers. No executable code, malicious patterns, or credential harvesting detected.

技能名称genai-calling

分析耗时28.9s

引擎pi

✓

可以安装

No action required. This is a legitimate documentation skill. Consider pinning the genai-calling package version in production for reproducibility.

安全发现 1 项

严重性	安全发现	位置
低危	Package version not pinned 供应链 The skill uses 'uvx --from genai-calling' without specifying a version, which means it will always fetch the latest version from PyPI. This could introduce unexpected behavior if the package is updated. `uvx --from genai-calling genai` → Pin the package version for reproducible behavior, e.g., 'uvx --from genai-calling==1.2.3 genai'	`SKILL.md:31`

资源类型	声明权限	推断权限	状态	证据
文件系统	`NONE`	`NONE`	—	No filesystem operations declared or inferred
网络访问	`READ`	`READ`	✓ 一致	Skill documents connecting to AI provider APIs (expected behavior)
命令执行	`WRITE`	`WRITE`	✓ 一致	Documents uvx CLI invocations, standard pattern
环境变量	`READ`	`READ`	✓ 一致	Documents .env loading for API credentials (standard pattern)
技能调用	`NONE`	`NONE`	—	No skill chaining declared
剪贴板	`NONE`	`NONE`	—	No clipboard access documented
浏览器	`NONE`	`NONE`	—	No browser automation documented
数据库	`NONE`	`NONE`	—	No database access documented

4 项发现

🔗

中危外部 URL 外部 URL

https://dashscope.aliyuncs.com/compatible-mode/v1

SKILL.md:122

🔗

中危外部 URL 外部 URL

https://ark.cn-beijing.volces.com/api/v3

SKILL.md:125

🔗

中危外部 URL 外部 URL

https://api.tu-zi.com

SKILL.md:127

🔗

中危外部 URL 外部 URL

https://api.tu-zi.com/v1

SKILL.md:128

目录结构

1 文件 · 9.6 KB · 322 行

Markdown 1f · 322L

└─ 📝 SKILL.md Markdown 322L · 9.6 KB

依赖分析 1 项

包名	版本	来源	已知漏洞	备注
`genai-calling`	`latest (unpinned)`	PyPI (uvx)	否	Version not pinned - will always fetch latest

安全亮点

✓ Documentation-only skill with no executable code present

✓ No credential harvesting - only documents standard env var loading

✓ No base64, obfuscation, or anti-analysis patterns detected

✓ No sensitive path access (SSH, AWS configs, .env files)

✓ No reverse shell, C2, or data exfiltration patterns

✓ External URLs are legitimate AI provider endpoints (Aliyun, Volcengine, Tu-zi)

✓ Standard package runner (uvx) used for CLI invocation

✓ API credentials managed via standard environment variable pattern