中文 EN

扫描报告

扫描新文件

可疑 — 风险评分 45/100
上次扫描:21 小时前 重新扫描
45 /100
minimax-image-gen
使用 Minimax Image API 生成图片。支持文生图、13+ 种风格预设、跨平台
The skill performs legitimate image generation but disables SSL certificate verification while claiming SSL/TLS encryption in documentation - a doc-to-code mismatch creating MITM vulnerability risk.
技能名称minimax-image-gen
分析耗时38.8s
引擎pi
谨慎使用
Fix SSL verification by setting verify_mode=ssl.CERT_REQUIRED and check_hostname=True. Update documentation to accurately reflect security implementation.

安全发现 2 项

严重性 安全发现 位置
高危
SSL/TLS security claim contradicts code implementation 文档欺骗
SKILL.md lists 'SSL/TLS 加密传输' under security features, but scripts/gen.py disables SSL certificate verification at lines 171-172 and 226-227, creating vulnerability to man-in-the-middle attacks.
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
→ Set ctx.check_hostname = True and ctx.verify_mode = ssl.CERT_REQUIRED, or remove the custom SSL context entirely to use system defaults.
 scripts/gen.py:171
中危
Reads API configuration from OpenClaw config file 敏感访问
The script searches for API keys in ~/.openclaw/openclaw.json and parent directories. While not exfiltrating data, this accesses configuration files outside the skill's declared scope.
paths = [
    Path.home() / ".openclaw" / "openclaw.json",
    Path(os.getcwd()).parent / ".openclaw" / "openclaw.json",
]
→ Document this behavior in SKILL.md or limit to only explicitly configured paths.
 scripts/gen.py:206
资源类型声明权限推断权限状态证据
网络访问 READ READ ✓ 一致 SKILL.md:requires:env MINIMAX_API_KEY - legitimate API calls
文件系统 WRITE WRITE ✓ 一致 scripts/gen.py:280-290 - saves images to output directory
命令执行 WRITE WRITE ✓ 一致 scripts/gen.py:263-270 - cross-platform image preview (open/xdg-open)
环境变量 READ READ ✓ 一致 scripts/gen.py:199 - reads MINIMAX_API_KEY
7 项发现
🔗
中危 外部 URL 外部 URL
https://platform.minimaxi.com/docs/api-reference/image-generation-t2i
SKILL.md:4
🔗
中危 外部 URL 外部 URL
https://img.shields.io/badge/GitHub-neuroXY-blue
SKILL.md:22
🔗
中危 外部 URL 外部 URL
https://img.shields.io/badge/Version-1.1.0-green
SKILL.md:23
🔗
中危 外部 URL 外部 URL
https://img.shields.io/badge/Platform-Windows%2FMac%2FLinux-yellow
SKILL.md:24
🔗
中危 外部 URL 外部 URL
https://img.shields.io/badge/License-MIT-orange
SKILL.md:25
🔗
中危 外部 URL 外部 URL
https://platform.minimaxi.com/user-center/interface-key
SKILL.md:86
🔗
中危 外部 URL 外部 URL
https://api.minimaxi.com
scripts/gen.py:231

目录结构

2 文件 · 22.3 KB · 775 行
Python 1f · 490L Markdown 1f · 285L
├─ 📁 scripts
│ └─ 🐍 gen.py Python 490L · 15.4 KB
└─ 📝 SKILL.md Markdown 285L · 6.9 KB

安全亮点

✓ No credential exfiltration detected - API keys used only for local API calls
✓ Input sanitization implemented to prevent XSS/script injection
✓ Prompt length validation prevents resource exhaustion
✓ Subprocess usage for image preview is documented in SKILL.md
✓ Error handling for various API error codes present
✓ No base64-encoded execution or obfuscation detected
✓ No sensitive file access (~/.ssh, ~/.aws, .env) beyond declared API key locations
✓ No reverse shell, C2 communication, or data theft patterns