Trusted — Risk score 5/100
Last scanned: 23 hours ago
kids-ai-magazine
Generate a kids-friendly AI news magazine with text and audio narration
A benign content generation tool for creating children's AI news magazines with TTS audio. No malicious patterns detected; all functionality is declared and appropriate for the stated purpose.
Skill name: kids-ai-magazine
Analysis time: 27.9s
Engine: pi
Safe to install
No action required. The skill is safe for use.

Security findings: 1

Severity: Low
Finding: Minor SKILL.md vs Script Mismatch (documentation deception)
Location: SKILL.md:64
SKILL.md shows 'cloudflared tunnel --url http://localhost:8899' as a usage example but the scripts do not implement or call cloudflared. This is benign as it only provides manual instructions.
cloudflared tunnel --url http://localhost:8899
→ No action needed; this is documentation of expected behavior, not hidden functionality.
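| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | WRITE | WRITE | ✓ Consistent | SKILL.md declares file writes for magazine output; build_magazine.py line 87 wri… |
| Network access | READ | READ | ✓ Consistent | SKILL.md lists external news sources; template.html contains legitimate URLs to … |
| Command execution | WRITE | WRITE | ✓ Consistent | SKILL.md declares http.server and cloudflared; generate_audio.py line 21 uses su… |
| Environment variables | NONE | NONE | | No os.environ access found in any script |
| Skill invocation | NONE | NONE | | No skill_invoke capability used |
| Clipboard | NONE | NONE | | No clipboard access |
| Browser | NONE | NONE | | No browser automation |
| Database | NONE | NONE | | No database access |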
3 findings

| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://www.thepaper.cn/newsDetail_forward_32689787 | assets/template.html:184 |
| Medium | External URL | https://www.woshipm.com/share/6355994.html | assets/template.html:236 |
| Medium | External URL | https://36kr.com/p/3602173033792516 | assets/template.html:288 |

Directory structure

5 files · 29.5 KB · 671 lines
HTML 1f · 365L Python 2f · 153L Markdown 1f · 93L JSON 1f · 60L
├─ 📁 assets
│ └─ 📄 template.html HTML 365L · 14.7 KB
├─ 📁 references
│ └─ 📋 example-stories.json JSON 60L · 5.7 KB
├─ 📁 scripts
│ ├─ 🐍 build_magazine.py Python 98L · 3.5 KB
│ └─ 🐍 generate_audio.py Python 55L · 1.9 KB
└─ 📝 SKILL.md Markdown 93L · 3.6 KB

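Dependency analysis: 1 item

| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| edge-tts | * | pip | | Microsoft Azure TTS service; no version pinning specified but package is well-maintained |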

Security highlights

✓ No credential theft or environment variable harvesting
✓ No data exfiltration or C2 communication
✓ No obfuscation (base64, eval, encoded commands)
✓ No reverse shell or RCE capabilities
✓ No hidden instructions in HTML comments
✓ No sensitive path access (~/.ssh, ~/.aws, .env)
✓ No supply chain risks - uses only standard library and edge-tts
✓ All subprocess usage is declared and appropriate for the tool's purpose
✓ Template HTML contains no malicious content
✓ External URLs point to legitimate Chinese news sources