Trusted: risk score 5/100
Last scanned: 17 hours ago
aippt
Intelligently generate professional PPT presentations through the AiPPT.cn open platform API
This is a legitimate AiPPT.cn API integration skill. It performs standard PPT generation via bash script, makes HTTPS calls only to the declared AiPPT API endpoint (co.aippt.cn), reads user-configured API keys from environment for local use only, and writes downloaded PPTX files to user-specified output directories. No credential exfiltration, no obfuscation, no hidden functionality, and no suspicious network behavior.
Skill name: aippt
Analysis time: 53.7s
Engine: pi
OK to install
No action required. This skill is safe to use.
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Command execution | WRITE | WRITE | ✓ Consistent | bash scripts/aippt.sh commands throughout SKILL.md |
| File system | READ | READ | ✓ Consistent | File upload reads for .doc/.docx/.pdf/.txt/.pptx/.xmind/.mm/.md; SKILL.md scenar… |
| File system | NONE | WRITE | ✓ Consistent | mkdir -p output_dir; curl -o outfile download_url; .token_cache.json write; all … |
| Network access | READ | READ | ✓ Consistent | All network calls go exclusively to https://co.aippt.cn with signed HMAC-SHA1 au… |
| Environment variables | NONE | READ | ✓ Consistent | Reads AIPPT_APP_KEY/AIPPT_SECRET_KEY/AIPPT_UID from .env; credentials are used O… |
4 findings

| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://aippt.cn | SKILL.md:3 |
| Medium | External URL | https://open.aippt.cn | SKILL.md:31 |
| Medium | External URL | https://open.aippt.cn/docs/zh/ | scripts/aippt.sh:4 |
| Medium | External URL | https://co.aippt.cn | scripts/aippt.sh:13 |

Directory structure

3 files · 77.0 KB · 1831 lines
Shell: 1 file, 1236 lines · Markdown: 1 file, 553 lines · JSON: 1 file, 42 lines
├─ 📁 scripts
│ └─ 🔧 aippt.sh Shell 1236L · 54.8 KB
├─ 📋 skill.json JSON 42L · 1.3 KB
└─ 📝 SKILL.md Markdown 553L · 20.9 KB

Dependency analysis: 3 items

| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| curl | system | system | | Standard system tool, no version constraints needed |
| python3 | system | system | | Standard system tool, used only for JSON parsing and no external packages |
| openssl | system | system | | Standard system tool, used only for HMAC-SHA1 signature generation |

Security highlights

✓ All network requests are exclusively to the legitimate AiPPT API endpoint (https://co.aippt.cn) with HMAC-SHA1 signature authentication
✓ API credentials (AIPPT_APP_KEY, AIPPT_SECRET_KEY) are read from the user's .env file and used ONLY for local API authentication — never exfiltrated
✓ No base64 encoding, no eval(), no dynamic code generation — all execution is straightforward bash/curl/python3
✓ No iteration over os.environ searching for sensitive keys — only reads explicitly named AIPPT_* variables
✓ No remote code execution (curl|bash, wget|sh) — all scripts are local
✓ No suspicious path access (no ~/.ssh, ~/.aws, .env scanning)
✓ File downloads are written only to user-specified output directories with magic-byte verification (PPTX/PDF header checks)
✓ SKILL.md is comprehensive and accurately describes all implemented behavior — no doc-to-code mismatch
✓ No hidden HTML comments, no hidden instructions, no steganography
✓ Token caching is local-only (${SKILL_DIR}/.token_cache.json), not transmitted anywhere
✓ Error handling is thorough and user-friendly, mapping all API error codes to Chinese descriptions