Trusted: risk score 5/100
Last scanned: 20 hours ago
topview-skill
Topview AI API toolkit — video, image, avatar, voice generation
Clean Topview AI API client toolkit with no malicious behavior, obfuscation, credential theft, or hidden functionality. All capabilities are fully declared and aligned with documented behavior.
Skill name: topview-skill
Analysis time: 44.9s
Engine: pi
OK to install
No action needed. The skill is safe to deploy.
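| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | READ | READ | ✓ Consistent | upload.py:resolve_local_file() reads local files; config.py:load_config() reads … |
| Network access | READ | READ | ✓ Consistent | client.py: all HTTP calls to https://api.topview.ai only |
| Command execution | NONE | NONE | | No subprocess or shell execution found |
| Environment variables | READ | READ | ✓ Consistent | config.py reads TOPVIEW_UID, TOPVIEW_API_KEY from os.environ |
| Skill invocation | NONE | NONE | | No skill-to-skill invocation |
| Clipboard | NONE | NONE | | No clipboard access |
| Browser | NONE | NONE | | auth.py uses webbrowser.open() for OAuth flow, declared in docs |
| Database | NONE | NONE | | No database access |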
10 findings

| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | http://www.apache.org/licenses/ | LICENSE.txt:4 |
| Medium | External URL | http://www.apache.org/licenses/LICENSE-2.0 | LICENSE.txt:196 |
| Medium | External URL | https://agentskills.io/specification | README.md:5 |
| Medium | External URL | https://www.topview.ai | SKILL.md:13 |
| Medium | External URL | https://www.topview.ai/board/ | SKILL.md:198 |
| Medium | External URL | https://www.topview.ai/board/board_abc123?boardResultId=bt_xyz789 | references/board.md:109 |
| Medium | External URL | https://www.topview.ai/dashboard/home | references/error_handling.md:9 |
| Medium | External URL | https://www.topview.ai/oauth | scripts/auth.py:29 |
| Medium | External URL | https://aigc-web-base-preview.vercel.app/board | scripts/board.py:45 |
| Medium | External URL | https://api.topview.ai | scripts/shared/client.py:11 |

Directory structure

30 files · 251.6 KB · 6516 lines
Python 15f · 4282L Markdown 13f · 2031L Text 2f · 203L
├─ 📁 references
│ ├─ 📝 ai_image.md Markdown 138L · 4.4 KB
│ ├─ 📝 auth.md Markdown 122L · 4.8 KB
│ ├─ 📝 avatar4.md Markdown 134L · 3.7 KB
│ ├─ 📝 board.md Markdown 194L · 4.5 KB
│ ├─ 📝 error_handling.md Markdown 40L · 2.1 KB
│ ├─ 📝 product_avatar.md Markdown 175L · 5.1 KB
│ ├─ 📝 remove_bg.md Markdown 93L · 2.8 KB
│ ├─ 📝 text2voice.md Markdown 110L · 2.9 KB
│ ├─ 📝 user.md Markdown 81L · 1.6 KB
│ ├─ 📝 video_gen.md Markdown 184L · 6.4 KB
│ └─ 📝 voice.md Markdown 177L · 4.9 KB
├─ 📁 scripts
│ ├─ 📁 shared
│ │ ├─ 🐍 __init__.py Python 2L · 66 B
│ │ ├─ 🐍 client.py Python 163L · 5.7 KB
│ │ ├─ 🐍 config.py Python 69L · 2.1 KB
│ │ └─ 🐍 upload.py Python 81L · 2.5 KB
│ ├─ 🐍 __init__.py Python 0 B
│ ├─ 🐍 ai_image.py Python 585L · 25.6 KB
│ ├─ 🐍 auth.py Python 331L · 10.5 KB
│ ├─ 🐍 avatar4.py Python 371L · 13.5 KB
│ ├─ 🐍 board.py Python 440L · 14.9 KB
│ ├─ 🐍 product_avatar.py Python 442L · 16.9 KB
│ ├─ 🐍 remove_bg.py Python 272L · 9.4 KB
│ ├─ 📄 requirements.txt Text 2L · 38 B
│ ├─ 🐍 text2voice.py Python 305L · 10.9 KB
│ ├─ 🐍 user.py Python 124L · 3.5 KB
│ ├─ 🐍 video_gen.py Python 743L · 38.2 KB
│ └─ 🐍 voice.py Python 354L · 12.6 KB
├─ 📄 LICENSE.txt Text 201L · 11.1 KB
├─ 📝 README.md Markdown 85L · 5.8 KB
└─ 📝 SKILL.md Markdown 498L · 25.2 KB

Dependency analysis: 2 items

| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| requests | >=2.28.0 | pip | | Version lower bound specified |
| python-dotenv | >=1.0.0 | pip | | Version lower bound specified |

Security highlights

✓ All network requests restricted to https://api.topview.ai — no direct IP calls or external C2 endpoints
✓ No base64, eval, or code obfuscation of any kind
✓ Credentials stored with chmod 0o600 in ~/.topview/credentials.json
✓ No access to ~/.ssh, ~/.aws, .env production secrets, or other sensitive host paths
✓ No curl|bash, wget|sh, or remote script execution
✓ No credential harvesting beyond the declared Topview API key
✓ No subprocess or shell execution — pure Python API calls only
✓ Dependency versions are specified (requests>=2.28.0, python-dotenv>=1.0.0) — no unconstrained '*' pins
✓ Documentation is thorough and accurately describes all capabilities
✓ No hidden functionality — all modules are documented in SKILL.md
✓ OAuth 2.0 Device Flow is a standard, secure authentication pattern
✓ No prompt injection vectors, hidden HTML comments, or shadow instructions