中文 EN

扫描报告

扫描新文件

低风险 — 风险评分 15/100
上次扫描:1 天前 重新扫描
15 /100
caricature-portrait-generator
Generate hilarious AI caricature portraits with exaggerated features via the Neta AI image generation API
A legitimate caricature image generation skill that makes HTTPS API calls, but SKILL.md misleadingly declares the Bash tool without any shell execution actually occurring in the implementation.
技能名称caricature-portrait-generator
分析耗时27.4s
引擎pi
可以安装
Fix the SKILL.md to accurately reflect the tool: use Read or no tool declaration instead of Bash, since the script only runs Node.js with built-in https module.

安全发现 2 项

严重性 安全发现 位置
低危
Bash tool declared without corresponding functionality 文档欺骗
SKILL.md declares `tools: Bash` on line 3, but the entire codebase contains zero child_process, exec, spawn, or shell command invocations. The script is a pure Node.js app using only built-in https module. The Bash declaration is a false positive — no shell-level execution occurs.
tools: Bash
→ Remove the Bash tool declaration from SKILL.md or replace it with a note that the skill only uses Node.js built-in modules.
 SKILL.md:3
低危
Network access undeclared in SKILL.md 文档欺骗
The script makes HTTPS requests to api.talesofai.com (Neta AI image generation API) but SKILL.md makes no mention of network access. This is a minor doc gap — the network use is necessary and proportional to the stated purpose.
await request('POST', 'api.talesofai.com', '/v3/make_image', body)
→ Add a note in SKILL.md that the skill makes outbound HTTPS requests to api.talesofai.com for image generation.
 caricatureportraitgenerator.js:69
资源类型声明权限推断权限状态证据
命令执行 WRITE NONE ✓ 一致 SKILL.md:3 declares tools: Bash, but JS file has no child_process, exec, spawn, …
网络访问 NONE READ ✓ 一致 caricatureportraitgenerator.js:69-75 makes HTTPS POST/GET to api.talesofai.com —…
文件系统 NONE NONE No file read/write operations in the JS implementation
环境变量 NONE NONE No environment variable access in the JS implementation
1 项发现
🔗
中危 外部 URL 外部 URL
https://www.neta.art/open/
README.md:19

目录结构

4 文件 · 7.7 KB · 252 行
JavaScript 1f · 140L Markdown 2f · 111L JSON 1f · 1L
├─ 📜 caricatureportraitgenerator.js JavaScript 140L · 3.5 KB
├─ 📋 package.json JSON 1L · 188 B
├─ 📝 README.md Markdown 77L · 2.6 KB
└─ 📝 SKILL.md Markdown 34L · 1.4 KB

安全亮点

✓ No subprocess, exec, or shell command execution found — script runs purely via Node.js built-in modules
✓ No credential harvesting or environment variable iteration
✓ No data exfiltration or C2 communication — only makes legitimate API calls to the documented endpoint
✓ No obfuscation, base64 decoding, or anti-analysis techniques
✓ No filesystem writes or sensitive path access (~/.ssh, ~/.aws, .env, etc.)
✓ No supply chain risks — package.json has no external dependencies, only Node.js built-ins
✓ No persistence mechanisms (cron, startup hooks, backdoors)
✓ Token is passed via CLI flag only, not read from environment or sensitive files