Scan Report
5/100
aippt
Intelligently generate professional PPT presentations through the AiPPT.cn open platform API
This is a legitimate AiPPT.cn API integration skill. It performs standard PPT generation via bash script, makes HTTPS calls only to the declared AiPPT API endpoint (co.aippt.cn), reads user-configured API keys from environment for local use only, and writes downloaded PPTX files to user-specified output directories. No credential exfiltration, no obfuscation, no hidden functionality, and no suspicious network behavior.
Safe to install
No action required. This skill is safe to use.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Shell | WRITE | WRITE | ✓ Aligned | bash scripts/aippt.sh commands throughout SKILL.md |
| Filesystem | READ | READ | ✓ Aligned | File upload reads for .doc/.docx/.pdf/.txt/.pptx/.xmind/.mm/.md; SKILL.md scenar… |
| Filesystem | NONE | WRITE | ✓ Aligned | mkdir -p output_dir; curl -o outfile download_url; .token_cache.json write; all … |
| Network | READ | READ | ✓ Aligned | All network calls go exclusively to https://co.aippt.cn with signed HMAC-SHA1 au… |
| Environment | NONE | READ | ✓ Aligned | Reads AIPPT_APP_KEY/AIPPT_SECRET_KEY/AIPPT_UID from .env; credentials are used O… |
4 findings
| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://aippt.cn | SKILL.md:3 |
| Medium | External URL | https://open.aippt.cn | SKILL.md:31 |
| Medium | External URL | https://open.aippt.cn/docs/zh/ | scripts/aippt.sh:4 |
| Medium | External URL | https://co.aippt.cn | scripts/aippt.sh:13 |
File Tree
3 files · 77.0 KB · 1831 lines
Shell: 1 file, 1236 lines · Markdown: 1 file, 553 lines · JSON: 1 file, 42 lines
├─ scripts
│  └─ aippt.sh (Shell)
├─ skill.json (JSON)
└─ SKILL.md (Markdown)
Dependencies 3 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| curl | system | system | No | Standard system tool, no version constraints needed |
| python3 | system | system | No | Standard system tool, used only for JSON parsing, with no external packages |
| openssl | system | system | No | Standard system tool, used only for HMAC-SHA1 signature generation |
Security Positives
✓ All network requests are exclusively to the legitimate AiPPT API endpoint (https://co.aippt.cn) with HMAC-SHA1 signature authentication
✓ API credentials (AIPPT_APP_KEY, AIPPT_SECRET_KEY) are read from the user's .env file and used ONLY for local API authentication — never exfiltrated
✓ No base64 encoding, no eval(), no dynamic code generation — all execution is straightforward bash/curl/python3
✓ No iteration over os.environ searching for sensitive keys — only reads explicitly named AIPPT_* variables
✓ No remote code execution (curl|bash, wget|sh) — all scripts are local
✓ No suspicious path access (no ~/.ssh, ~/.aws, .env scanning)
✓ File downloads are written only to user-specified output directories with magic-byte verification (PPTX/PDF header checks)
✓ SKILL.md is comprehensive and accurately describes all implemented behavior — no doc-to-code mismatch
✓ No hidden HTML comments, no hidden instructions, no steganography
✓ Token caching is local-only (${SKILL_DIR}/.token_cache.json), not transmitted anywhere
✓ Error handling is thorough and user-friendly, mapping all API error codes to Chinese descriptions