Trusted: risk score 5/100
Last scan: 1 day ago
camera-yolo-operator
Operates the local camera, running YOLO object detection and DA3Metric depth estimation
Legitimate computer vision skill for webcam-based YOLO object detection and depth estimation with no malicious indicators.
Skill name: camera-yolo-operator
Analysis time: 33.2s
Engine: pi
Safe to install
No action needed. The skill performs standard computer vision tasks using opencv, ultralytics YOLO, and depth-anything models. All functionality is accurately documented in SKILL.md.

Security findings (1)

Severity | Finding | Location
Low | Dependency versions not pinned | Supply chain
requirements.txt uses >= lower-bound constraints without upper bounds (e.g., ultralytics>=8.0.0, torch>=2.0.0), which could allow installing incompatible future versions.
Evidence:
ultralytics>=8.0.0
torch>=2.0.0
→ Consider pinning exact versions or using compatible release specifiers (e.g., ultralytics>=8.0.0,<9.0.0) to ensure reproducible builds. However, all packages come from trusted mainstream sources (PyPI, HuggingFace).
Location: requirements.txt:1
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | READ | READ | ✓ Consistent | SKILL.md declares --output-dir for saving images; scripts use os.makedirs() and …
Command execution | READ | READ | ✓ Consistent | download_models.sh uses python3 -c for model download, documented in SKILL.md
Network access | READ | READ | ✓ Consistent | Downloads YOLO models and HuggingFace depth models; explicitly documented in SKI…
Browser | NONE | NONE | | No browser usage
Clipboard | NONE | NONE | | No clipboard access
Environment variables | READ | READ | ✓ Consistent | Reads OPENCLAW_WORKSPACE, YOLO_MODEL_PATH, HF_ENDPOINT as documented in SKILL.md
Skill invocation | NONE | NONE | | No skill invocation
Database | NONE | NONE | | No database access
External URL findings (6)

Severity | Type | URL | Location
Medium | External URL | https://hf-mirror.com | SKILL.md:336
Medium | External URL | https://huggingface.co/depth-anything/DA3Metric-Large | SKILL.md:370
Medium | External URL | https://download.pytorch.org/whl/cu121 | SKILL.md:385
Medium | External URL | https://pypi.tuna.tsinghua.edu.cn/simple | SKILL.md:394
Medium | External URL | https://docs.ultralytics.com/models/yolo11 | references/deployment.md:91
Medium | External URL | https://huggingface.co/ultralytics/ | references/deployment.md:136

Directory structure

9 files · 54.3 KB · 1749 lines
Python 4 files · 874 lines; Markdown 3 files · 777 lines; Shell 1 file · 82 lines; Text 1 file · 16 lines
├─ 📁 references
│ ├─ 📝 deployment.md Markdown 292L · 6.0 KB
│ └─ 📝 platform.md Markdown 47L · 1.2 KB
├─ 📁 scripts
│ ├─ 🐍 capture_webcam.py Python 136L · 5.0 KB
│ ├─ 🔧 download_models.sh Shell 82L · 2.2 KB
│ ├─ 🐍 yolo_depth_distance.py Python 275L · 11.1 KB
│ ├─ 🐍 yolo_detection.py Python 235L · 8.5 KB
│ └─ 🐍 yolo_pedestrian_tracker.py Python 228L · 8.6 KB
├─ 📄 requirements.txt Text 16L · 292 B
└─ 📝 SKILL.md Markdown 438L · 11.5 KB

Dependency analysis (7)

Package | Version | Source | Known vulnerabilities | Notes
ultralytics | >=8.0.0 | pip | | Version not pinned but from trusted source
torch | >=2.0.0 | pip | | Version not pinned but from official PyTorch
torchvision | >=0.15.0 | pip | | Version not pinned but from official PyTorch
depth-anything-3 | >=0.1.0 | pip | | Version not pinned
supervision | >=0.20.0 | pip | | Version not pinned
opencv-python | >=4.8.0 | pip | | Version not pinned but mainstream
numpy | >=1.24.0 | pip | | Version not pinned but mainstream

Security highlights

✓ All functionality accurately documented in SKILL.md - no doc-to-code mismatch
✓ No credential harvesting or sensitive file access (no ~/.ssh, ~/.aws, .env scanning)
✓ No data exfiltration or C2 communication
✓ No obfuscation techniques (no base64, eval(), or anti-analysis patterns)
✓ No reverse shell, RCE, or arbitrary command execution
✓ No hidden functionality - all scripts perform explicitly documented operations
✓ Model downloads from official sources (Ultralytics, HuggingFace) are clearly documented
✓ No suspicious network IOCs beyond documented model download endpoints
✓ Webcam access is for legitimate computer vision tasks only, with no surreptitious recording
✓ All subprocess usage (model download) is documented and necessary for the feature