Scan Report
5/100
oatda-generate-image
Generate images from text descriptions using AI models through OATDA's unified API
Legitimate OATDA image generation API wrapper with fully declared capabilities and no malicious behavior detected.
Safe to install
Approve for use. The skill is a straightforward API client with no hidden functionality or suspicious patterns.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Shell | WRITE | WRITE | ✓ Aligned | SKILL.md - bash commands using curl and jq for API calls |
| Network | READ | READ | ✓ Aligned | SKILL.md - curl to https://oatda.com/api/v1/llm/* endpoints |
| Filesystem | READ | READ | ✓ Aligned | SKILL.md - reads ~/.oatda/credentials.json for API key fallback |
| Environment | READ | READ | ✓ Aligned | SKILL.md - reads OATDA_API_KEY environment variable |
6 findings
| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://oatda.com | SKILL.md:4 |
| Medium | External URL | https://oatda.com/api/v1/llm/models?type=image | SKILL.md:54 |
| Medium | External URL | https://oatda.com/api/v1/llm/generate-image | SKILL.md:66 |
| Medium | External URL | https://cdn.example.com/generated-image.png | SKILL.md:105 |
| Medium | External URL | https://cdn.example.com/image-1.png | SKILL.md:107 |
| Medium | External URL | https://cdn.example.com/image-2.png | SKILL.md:108 |
File Tree
1 file · 7.0 KB · 185 lines
Markdown: 1 file · 185 lines
└─ SKILL.md (Markdown)
Security Positives
✓ No executable code present - only documentation file
✓ All shell commands are fully declared in documentation
✓ API calls restricted to single trusted endpoint (oatda.com)
✓ API key properly masked (only first 8 chars shown)
✓ No credential exfiltration - keys stay local
✓ No base64, eval, or dynamic code execution
✓ No suspicious network connections or IP addresses
✓ No hidden HTML comments or steganographic content
✓ No remote script execution (curl|bash pattern absent)
✓ No iteration over environment variables for credential harvesting
✓ Dependencies (curl, jq) are declared and standard