Trusted: risk score 0/100
Last scan: 1 day ago
zhy-article-illustrator
Generate AI illustrations for Markdown articles using Gemini/OpenAI/Xiaomi image generation APIs
Article illustration skill that generates AI images via declared providers with no security issues.
Skill name: zhy-article-illustrator
Analysis time: 28.4s
Engine: pi
Verdict: OK to install
Skill is safe to use. The pre-scan base64 IOC flags are false positives - Buffer.from() is standard legitimate image decoding for API responses.
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | READ | READ | ✓ Consistent | SKILL.md declares article reading; scripts read .env and article files
Network access | READ | READ | ✓ Consistent | SKILL.md declares image provider APIs; fetch() calls to gemini/openai/xiaomi end…
Command execution | WRITE | WRITE | ✓ Consistent | SKILL.md declares script orchestration; spawn() calls only internal scripts
16 findings (3 critical)

Critical · Encoded execution · Base64 encoded execution (code obfuscation): Buffer.from(base64Data, "base64" at scripts/image-gen.ts:338
Critical · Encoded execution · Base64 encoded execution (code obfuscation): Buffer.from(imgData, "base64" at scripts/image-gen.ts:374
Critical · Encoded execution · Base64 encoded execution (code obfuscation): Buffer.from(item.b64_json, "base64" at scripts/image-gen.ts:460
Medium · External URL: https://your-compatible-endpoint.example/v1beta at SKILL.md:314
Medium · External URL: https://your-relay.example.com/v1beta at SKILL.md:325
Medium · External URL: https://vip.123everything.com/v1beta at scripts/image-gen.ts:215
Medium · External URL: https://cdn.example.com at scripts/qiniu-upload.ts:84
Medium · External URL: https://developer.qiniu.com/kodo/1671/region-endpoint-fq at scripts/qiniu-upload.ts:96
Medium · External URL: https://up-z0.qiniup.com at scripts/qiniu-upload.ts:100
Medium · External URL: https://up-cn-east-2.qiniup.com at scripts/qiniu-upload.ts:101
Medium · External URL: https://up-z1.qiniup.com at scripts/qiniu-upload.ts:102
Medium · External URL: https://up-z2.qiniup.com at scripts/qiniu-upload.ts:103
Medium · External URL: https://up-na0.qiniup.com at scripts/qiniu-upload.ts:104
Medium · External URL: https://up-as0.qiniup.com at scripts/qiniu-upload.ts:105
Medium · External URL: https://up-ap-southeast-2.qiniup.com at scripts/qiniu-upload.ts:106
Medium · External URL: https://up-ap-southeast-3.qiniup.com at scripts/qiniu-upload.ts:107

Directory structure

9 files · 108.0 KB · 3403 lines
TypeScript: 4 files · 2347 lines; Markdown: 4 files · 1027 lines; JSON: 1 file · 29 lines
├─ 📁 references
│ ├─ 📝 config-schema.md Markdown 227L · 6.3 KB
│ └─ 📝 prompt-guide.md Markdown 336L · 10.8 KB
├─ 📁 scripts
│ ├─ 📜 illustrate-article.ts TypeScript 537L · 16.6 KB
│ ├─ 📜 image-gen.ts TypeScript 513L · 15.1 KB
│ ├─ 📜 plan-illustrations.ts TypeScript 977L · 32.4 KB
│ └─ 📜 qiniu-upload.ts TypeScript 320L · 10.1 KB
├─ 📝 README.md Markdown 104L · 1.8 KB
├─ 📝 SKILL.md Markdown 360L · 14.2 KB
└─ 📋 tsconfig.json JSON 29L · 713 B

Dependency analysis (1 item)

Package | Version | Source | Known vulnerabilities | Notes
Node.js builtins only | N/A | bundled | | Uses only Node.js standard library (fs, path, crypto, child_process)

Security highlights

✓ Buffer.from(base64, 'base64') usage is legitimate image decoding for API responses, not obfuscation
✓ Environment variable access is limited to explicitly configured API keys (GEMINI_API_KEY, XIAOMI_API_KEY, QINIU_*), not indiscriminate iteration
✓ Shell execution (spawn) is limited to running internal scripts (image-gen.ts, plan-illustrations.ts, qiniu-upload.ts)
✓ All network requests go to documented providers (Gemini, OpenAI, Xiaomi, Qiniu) with declared API keys
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env files outside skill scope)
✓ No base64-encoded dynamic code execution or eval() patterns
✓ SKILL.md accurately documents all capabilities and tool usage