Scan Report
5/100
topview-skill
Topview AI API toolkit — video, image, avatar, voice generation
Clean Topview AI API client toolkit with no malicious behavior, obfuscation, credential theft, or hidden functionality. All capabilities are fully declared and aligned with documented behavior.
Safe to install
No action needed. The skill is safe to deploy.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ | ✓ Aligned | upload.py:resolve_local_file() reads local files; config.py:load_config() reads … |
| Network | READ | READ | ✓ Aligned | client.py: all HTTP calls to https://api.topview.ai only |
| Shell | NONE | NONE | — | No subprocess or shell execution found |
| Environment | READ | READ | ✓ Aligned | config.py reads TOPVIEW_UID, TOPVIEW_API_KEY from os.environ |
| Skill Invoke | NONE | NONE | — | No skill-to-skill invocation |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | auth.py uses webbrowser.open() for OAuth flow, declared in docs |
| Database | NONE | NONE | — | No database access |
10 findings
| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | http://www.apache.org/licenses/ | LICENSE.txt:4 |
| Medium | External URL | http://www.apache.org/licenses/LICENSE-2.0 | LICENSE.txt:196 |
| Medium | External URL | https://agentskills.io/specification | README.md:5 |
| Medium | External URL | https://www.topview.ai | SKILL.md:13 |
| Medium | External URL | https://www.topview.ai/board/ | SKILL.md:198 |
| Medium | External URL | https://www.topview.ai/board/board_abc123?boardResultId=bt_xyz789 | references/board.md:109 |
| Medium | External URL | https://www.topview.ai/dashboard/home | references/error_handling.md:9 |
| Medium | External URL | https://www.topview.ai/oauth | scripts/auth.py:29 |
| Medium | External URL | https://aigc-web-base-preview.vercel.app/board | scripts/board.py:45 |
| Medium | External URL | https://api.topview.ai | scripts/shared/client.py:11 |
File Tree
30 files · 251.6 KB · 6516 lines
Python 15f · 4282L
Markdown 13f · 2031L
Text 2f · 203L
├─ references
│ ├─ ai_image.md (Markdown)
│ ├─ auth.md (Markdown)
│ ├─ avatar4.md (Markdown)
│ ├─ board.md (Markdown)
│ ├─ error_handling.md (Markdown)
│ ├─ product_avatar.md (Markdown)
│ ├─ remove_bg.md (Markdown)
│ ├─ text2voice.md (Markdown)
│ ├─ user.md (Markdown)
│ ├─ video_gen.md (Markdown)
│ └─ voice.md (Markdown)
├─ scripts
│ ├─ shared
│ │ ├─ __init__.py (Python)
│ │ ├─ client.py (Python)
│ │ ├─ config.py (Python)
│ │ └─ upload.py (Python)
│ ├─ __init__.py (Python)
│ ├─ ai_image.py (Python)
│ ├─ auth.py (Python)
│ ├─ avatar4.py (Python)
│ ├─ board.py (Python)
│ ├─ product_avatar.py (Python)
│ ├─ remove_bg.py (Python)
│ ├─ requirements.txt (Text)
│ ├─ text2voice.py (Python)
│ ├─ user.py (Python)
│ ├─ video_gen.py (Python)
│ └─ voice.py (Python)
├─ LICENSE.txt (Text)
├─ README.md (Markdown)
└─ SKILL.md (Markdown)
Dependencies 2 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| requests | >=2.28.0 | pip | No | Version lower bound specified |
| python-dotenv | >=1.0.0 | pip | No | Version lower bound specified |
Security Positives
✓ All network requests restricted to https://api.topview.ai — no direct IP calls or external C2 endpoints
✓ No base64, eval, or code obfuscation of any kind
✓ Credentials stored with chmod 0o600 in ~/.topview/credentials.json
✓ No access to ~/.ssh, ~/.aws, .env production secrets, or other sensitive host paths
✓ No curl|bash, wget|sh, or remote script execution
✓ No credential harvesting beyond the declared Topview API key
✓ No subprocess or shell execution — pure Python API calls only
✓ Dependency versions are specified (requests>=2.28.0, python-dotenv>=1.0.0) — no unconstrained '*' pins
✓ Documentation is thorough and accurately describes all capabilities
✓ No hidden functionality — all modules are documented in SKILL.md
✓ OAuth 2.0 Device Flow is a standard, secure authentication pattern
✓ No prompt injection vectors, hidden HTML comments, or shadow instructions