Scan Report
5/100
weshop-cli-skill
Image editing and generation skill using the WeShop CLI (virtual try-on, model swap, background replace, pose change, canvas expand, background removal)
This is a straightforward WeShop CLI wrapper skill with no security issues — it only documents and invokes the weshop CLI for image editing tasks, uses environment variables for API key storage (never passed as CLI args), and contains no hidden functionality.
Safe to install
No action required. This skill is safe to use.
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Command execution | WRITE | WRITE | ✓ Consistent | SKILL.md:27 - npm install -g weshop-cli |
| Environment variables | READ | READ | ✓ Consistent | SKILL.md:8 - reads WESHOP_API_KEY from environment |
| Network access | READ | READ | ✓ Consistent | SKILL.md:10 - only openapi.weshop.ai is referenced as the API endpoint |
3 findings
| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://open.weshop.ai/authorization/apikey. | SKILL.md:23 |
| Medium | External URL | https://www.npmjs.com/package/weshop-cli | SKILL.md:27 |
| Medium | External URL | https://open.weshop.ai/authorization/apikey | SKILL.md:31 |
Directory structure
1 file · 3.8 KB · 96 lines
Markdown: 1 file · 96 lines
└─ SKILL.md (Markdown)
Dependency analysis (1 item)
| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| weshop-cli | 0.1.0 | npm | No | Pinned version from npm registry |
Security highlights
✓ API key is read from environment variable only, never passed as CLI argument
✓ Skill explicitly warns against sending API key to any other endpoint
✓ API endpoint is explicitly declared (openapi.weshop.ai)
✓ No subprocess calls or file operations beyond installing and running the weshop CLI
✓ No credential exfiltration or data theft patterns detected
✓ Skill properly checks for pre-existing environment variable before asking user
✓ Uses version pinning (weshop-cli@0.1.0) for reproducible installs