Scan Report
0 /100
zhy-article-illustrator
Generate AI illustrations for Markdown articles using Gemini/OpenAI/Xiaomi image generation APIs
Article illustration skill that generates AI images via declared providers with no security issues.
Safe to install
The skill is safe to use. The three pre-scan base64 IOC flags are false positives: each Buffer.from(..., "base64") call decodes an image payload returned by a provider API and handles it as data, and no decoded value reaches eval(), Function, vm or child_process. The remaining Medium findings are external URLs only (placeholder base URLs in SKILL.md, a hardcoded third-party base URL in scripts/image-gen.ts, and Qiniu regional upload hosts); since API keys are sent to whichever base URL is configured, confirm those endpoints match the providers you intend to use before deploying.
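The verdict above hinges on one distinction: whether the bytes that come out of Buffer.from(..., "base64") are written somewhere as data or handed to something that executes them. The triage helper below is an added example, not code from the scanner or from zhy-article-illustrator. It runs over constructed TypeScript snippets (not the skill's real source) and classifies each decode by the sink the decoded value reaches; the sink lists, the lookahead window and the function names are assumptions.

```typescript
// Added triage helper (not part of zhy-article-illustrator or the scanner):
// find every Buffer.from(<expr>, "base64") in a source text and decide whether
// the decoded value flows into an execution sink (eval / new Function / vm /
// child_process / dynamic require) or only into data sinks (file write,
// response body, return value). Line-based and heuristic: it is meant to cut
// false positives like the three flagged here, not to replace reading the code.

type Sink = "execution" | "data";

interface Base64Decode {
  line: number;            // 1-based line of the Buffer.from call
  binding: string | null;  // variable the decoded buffer is assigned to, if any
  sink: Sink;
  reason: string;
}

// Single-line call whose first argument contains no comma (heuristic).
const DECODE_RE = /Buffer\.from\s*\(\s*[^,]+,\s*["']base64["']\s*\)/;
// `const x = Buffer.from`, `x = Buffer.from`, with an optional type annotation.
const BINDING_RE =
  /(?:(?:const|let|var)\s+)?([A-Za-z_$][\w$]*)(?:\s*:[^=]+)?\s*=\s*Buffer\.from/;

// Sinks that turn bytes into code or a process; these are what an
// "encoded execution" rule is actually trying to catch.
const EXEC_SINKS: Array<[RegExp, string]> = [
  [/\beval\s*\(/, "eval()"],
  [/new\s+Function\s*\(/, "new Function()"],
  [/\bvm\.(?:runIn\w+|compileFunction|Script)\b/, "vm module"],
  [/\b(?:exec|execSync|execFile|execFileSync|spawn|spawnSync)\s*\(/, "child_process"],
  [/\b(?:require|import)\s*\(/, "dynamic require/import"],
];

const LOOKAHEAD = 6; // lines after the decode in which uses of the binding are followed (assumption)

function triageBase64Decodes(source: string): Base64Decode[] {
  const lines = source.split(/\r?\n/);
  const out: Base64Decode[] = [];
  lines.forEach((text, i) => {
    if (!DECODE_RE.test(text)) return;
    const binding = text.match(BINDING_RE)?.[1] ?? null;
    // Candidate lines: the decode line itself, plus following lines that
    // mention the binding (a crude, single-scope def-use chain).
    const candidates: string[] = [text];
    if (binding) {
      const useRe = new RegExp(`\\b${binding}\\b`);
      for (let j = i + 1; j < Math.min(lines.length, i + 1 + LOOKAHEAD); j++) {
        if (useRe.test(lines[j])) candidates.push(lines[j]);
      }
    }
    let sink: Sink = "data";
    let reason = "decoded bytes only reach data sinks (write/return/send)";
    for (const c of candidates) {
      const hit = EXEC_SINKS.find(([re]) => re.test(c));
      if (hit) {
        sink = "execution";
        reason = `decoded value reaches ${hit[1]}: ${c.trim()}`;
        break;
      }
    }
    out.push({ line: i + 1, binding, sink, reason });
  });
  return out;
}

// Constructed snippets (not the skill's source). The first mirrors the
// b64_json handling pattern the report describes; the second is the shape the
// rule is really for.
const BENIGN_SNIPPET = [
  'const item = resp.data[0];',
  'const buf = Buffer.from(item.b64_json, "base64");',
  'await fs.promises.writeFile(outPath, buf);',
  'return outPath;',
].join("\n");

const MALICIOUS_SNIPPET = [
  'const payload = Buffer.from(blob, "base64").toString("utf8");',
  'console.log("loaded");',
  'eval(payload);',
].join("\n");
```

Run the helper on a file and only the "execution" rows deserve the Critical label; a decode whose buffer goes straight into writeFile, as in the benign snippet, is the pattern the three flagged lines in scripts/image-gen.ts follow.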
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ | ✓ Aligned | SKILL.md declares article reading; scripts read .env and article files |
| Network | READ | READ | ✓ Aligned | SKILL.md declares image provider APIs; fetch() calls to gemini/openai/xiaomi end… |
| Shell | WRITE | WRITE | ✓ Aligned | SKILL.md declares script orchestration; spawn() calls only internal scripts |
Findings: 16 (3 Critical, 13 Medium)
| Severity | Category | Evidence | Location |
|---|---|---|---|
| Critical | Encoded Execution (Base64-encoded execution, code obfuscation) | Buffer.from(base64Data, "base64" | scripts/image-gen.ts:338 |
| Critical | Encoded Execution (Base64-encoded execution, code obfuscation) | Buffer.from(imgData, "base64" | scripts/image-gen.ts:374 |
| Critical | Encoded Execution (Base64-encoded execution, code obfuscation) | Buffer.from(item.b64_json, "base64" | scripts/image-gen.ts:460 |
| Medium | External URL | https://your-compatible-endpoint.example/v1beta | SKILL.md:314 |
| Medium | External URL | https://your-relay.example.com/v1beta | SKILL.md:325 |
| Medium | External URL | https://vip.123everything.com/v1beta | scripts/image-gen.ts:215 |
| Medium | External URL | https://cdn.example.com | scripts/qiniu-upload.ts:84 |
| Medium | External URL | https://developer.qiniu.com/kodo/1671/region-endpoint-fq | scripts/qiniu-upload.ts:96 |
| Medium | External URL | https://up-z0.qiniup.com | scripts/qiniu-upload.ts:100 |
| Medium | External URL | https://up-cn-east-2.qiniup.com | scripts/qiniu-upload.ts:101 |
| Medium | External URL | https://up-z1.qiniup.com | scripts/qiniu-upload.ts:102 |
| Medium | External URL | https://up-z2.qiniup.com | scripts/qiniu-upload.ts:103 |
| Medium | External URL | https://up-na0.qiniup.com | scripts/qiniu-upload.ts:104 |
| Medium | External URL | https://up-as0.qiniup.com | scripts/qiniu-upload.ts:105 |
| Medium | External URL | https://up-ap-southeast-2.qiniup.com | scripts/qiniu-upload.ts:106 |
| Medium | External URL | https://up-ap-southeast-3.qiniup.com | scripts/qiniu-upload.ts:107 |
File Tree
9 files · 108.0 KB · 3403 lines (TypeScript: 4 files, 2347 lines; Markdown: 4 files, 1027 lines; JSON: 1 file, 29 lines)

```
├─ references/
│  ├─ config-schema.md      (Markdown)
│  └─ prompt-guide.md       (Markdown)
├─ scripts/
│  ├─ illustrate-article.ts (TypeScript)
│  ├─ image-gen.ts          (TypeScript)
│  ├─ plan-illustrations.ts (TypeScript)
│  └─ qiniu-upload.ts       (TypeScript)
├─ README.md                (Markdown)
├─ SKILL.md                 (Markdown)
└─ tsconfig.json            (JSON)
```
Dependencies (1 item)
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| Node.js builtins only | N/A | bundled | No | Uses only the Node.js standard library (fs, path, crypto, child_process); no third-party packages to audit |
Security Positives
✓ Buffer.from(base64, 'base64') usage is legitimate image decoding for API responses, not obfuscation
✓ Environment variable access is limited to explicitly named API keys (GEMINI_API_KEY, XIAOMI_API_KEY, QINIU_*); the scripts do not enumerate or exfiltrate the whole environment
✓ Shell execution (spawn) is limited to running internal scripts (image-gen.ts, plan-illustrations.ts, qiniu-upload.ts)
✓ All network requests go to documented providers (Gemini, OpenAI, Xiaomi, Qiniu) with declared API keys
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env files outside skill scope)
✓ No base64-encoded dynamic code execution or eval() patterns
✓ SKILL.md accurately documents all capabilities and tool usage