Scan Report
5 /100
weshop-cli-skill
Image editing and generation skill using the WeShop CLI (virtual try-on, model swap, background replace, pose change, canvas expand, background removal)
This is a straightforward WeShop CLI wrapper skill with no security issues — it only documents and invokes the weshop CLI for image editing tasks, uses environment variables for API key storage (never passed as CLI args), and contains no hidden functionality.
Safe to install
No action required. This skill is safe to use.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Shell | WRITE | WRITE | ✓ Aligned | SKILL.md:27 - npm install -g weshop-cli |
| Environment | READ | READ | ✓ Aligned | SKILL.md:8 - reads WESHOP_API_KEY from environment |
| Network | READ | READ | ✓ Aligned | SKILL.md:10 - only openapi.weshop.ai is referenced as the API endpoint |
3 findings
Medium External URL 外部 URL
https://open.weshop.ai/authorization/apikey. SKILL.md:23 Medium External URL 外部 URL
https://www.npmjs.com/package/weshop-cli SKILL.md:27 Medium External URL 外部 URL
https://open.weshop.ai/authorization/apikey SKILL.md:31 File Tree
1 files · 3.8 KB · 96 lines Markdown 1f · 96L
└─
SKILL.md
Markdown
Dependencies 1 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
weshop-cli | 0.1.0 | npm | No | Pinned version from npm registry |
Security Positives
✓ API key is read from environment variable only, never passed as CLI argument
✓ Skill explicitly warns against sending API key to any other endpoint
✓ API endpoint is explicitly declared (openapi.weshop.ai)
✓ No subprocess calls or file operations beyond installing and running the weshop CLI
✓ No credential exfiltration or data theft patterns detected
✓ Skill properly checks for pre-existing environment variable before asking user
✓ Uses version pinning ([email protected]) for reproducible installs