Low Risk — Risk Score 10/100
Last scan: 23 hr ago
pure-wan-fridge-gourmet
Pure Wanxiang Fridge Mystery Box: a cooking-inspiration trigger built on the Wan2.1 vision large model
This is a legitimate image generation skill that calls Alibaba DashScope Wan2.1 API. No malicious behavior detected - all capabilities align with documented functionality, and hardcoded credentials in docs are clearly placeholders.
Skill Name: pure-wan-fridge-gourmet
Duration: 30.1s
Engine: pi
Safe to install
Skill is safe to use. No action required.

Findings: 2 items

Severity | Finding | Location

Low | Placeholder API keys in documentation (Doc Mismatch) | SKILL.md:86
SKILL.md lines 86 and 137 contain 'your-wan-api-key' and 'your-dashscope-api-key' as example values. These are clearly documented as placeholders requiring user substitution.
  export WAN_API_KEY="your-wan-api-key"
→ This is expected documentation practice. No action needed.

Info | requests library used without version pinning (Supply Chain) | SKILL.md:148
SKILL.md specifies 'pip install requests' without version constraints. Leaving versions unpinned is a general supply-chain concern, but requests is the de facto standard HTTP library for Python and is well maintained.
  pip install requests
→ Consider pinning: pip install requests==2.31.0
Resource | Declared | Inferred | Status | Evidence
Filesystem | READ | READ | ✓ Aligned | SKILL.md:89 - image_path parameter; generate_gourmet.py:145 - open() for image e…
Network | WRITE | WRITE | ✓ Aligned | SKILL.md:138 - DashScope API; generate_gourmet.py:230-240 - POST to dashscope.al…
Environment | READ | READ | ✓ Aligned | SKILL.md:86,137 - WAN_API_KEY; generate_gourmet.py:109 - os.environ.get()
Shell | NONE | NONE | - | No subprocess or shell execution found
Skill Invoke | NONE | NONE | - | No cross-skill invocation
Clipboard | NONE | NONE | - | No clipboard access
Browser | NONE | NONE | - | No browser automation
Database | NONE | NONE | - | No database access
6 findings (3 High)

🔑 High | API Key | suspected hard-coded credential
API_KEY="your-wan-api-key"
SKILL.md:86

🔑 High | API Key | suspected hard-coded credential
API_KEY="your-dashscope-api-key"
SKILL.md:137

🔑 High | API Key | suspected hard-coded credential
API_KEY="your-wan-api-key-here"
scripts/examples.md:7

🔗 Medium | External URL
https://dashscope.aliyuncs.com/api/v1/services/aigc/multimodal-generation/generation
SKILL.md:138

🔗 Medium | External URL
https://api.wan.xxx/v1/images/generate
scripts/examples.md:8

🔗 Medium | External URL
https://dashscope.aliyuncs.com/api/v1/tasks/
scripts/generate_gourmet.py:266

File Tree

3 files · 26.2 KB · 736 lines
Python: 1 file · 491 lines; Markdown: 2 files · 245 lines
├─ 📁 scripts
│ ├─ 📝 examples.md Markdown 64L · 1.5 KB
│ └─ 🐍 generate_gourmet.py Python 491L · 18.0 KB
└─ 📝 SKILL.md Markdown 181L · 6.8 KB

Dependencies: 1 item

Package | Version | Source | Known Vulns | Notes
requests | * | pip | No | Version not pinned - standard HTTP library

Security Positives

✓ Code matches documentation - 100% Wan2.1 API usage declared and verified
✓ No credential harvesting beyond reading WAN_API_KEY for API calls
✓ No data exfiltration - only sends image to DashScope API and receives generated image URL
✓ No obfuscation techniques - base64 only used for legitimate image encoding
✓ No shell execution or subprocess usage
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env files)
✓ No reverse shell, C2, or command-and-control behavior
✓ No hidden instructions in comments or documentation
✓ Single, well-documented external API endpoint (dashscope.aliyuncs.com)
✓ API key read from environment variable only when not provided as parameter