Low risk: risk score 10/100
Last scan: 1 day ago
pure-wan-fridge-gourmet
Pure Wanxiang Fridge Mystery Box: a cooking-inspiration trigger built on the Wan2.1 vision large model
This is a legitimate image generation skill that calls the Alibaba DashScope Wan2.1 API. No malicious behavior detected: all capabilities align with the documented functionality, and the hardcoded credentials in the docs are clearly placeholders.
Skill name: pure-wan-fridge-gourmet
Analysis time: 30.1s
Engine: pi
Safe to install
Skill is safe to use. No action required.

Security findings: 2

Severity / Finding / Location

Low
Placeholder API keys in documentation (category: documentation deception)
SKILL.md lines 86 and 137 contain 'your-wan-api-key' and 'your-dashscope-api-key' as example values. These are clearly documented as placeholders that the user must substitute.
export WAN_API_KEY="your-wan-api-key"
→ This is expected documentation practice. No action needed.
SKILL.md:86

Info
requests library used without version pinning (category: supply chain)
SKILL.md specifies 'pip install requests' without a version constraint. While unpinned versions are a general supply-chain concern, requests is a well-maintained, de facto standard HTTP library.
pip install requests
→ Consider pinning: pip install requests==2.31.0
SKILL.md:148
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | READ | READ | ✓ Consistent | SKILL.md:89 - image_path parameter; generate_gourmet.py:145 - open() for image e… |
| Network access | WRITE | WRITE | ✓ Consistent | SKILL.md:138 - DashScope API; generate_gourmet.py:230-240 - POST to dashscope.al… |
| Environment variables | READ | READ | ✓ Consistent | SKILL.md:86,137 - WAN_API_KEY; generate_gourmet.py:109 - os.environ.get() |
| Command execution | NONE | NONE | | No subprocess or shell execution found |
| Skill invocation | NONE | NONE | | No cross-skill invocation |
| Clipboard | NONE | NONE | | No clipboard access |
| Browser | NONE | NONE | | No browser automation |
| Database | NONE | NONE | | No database access |
6 findings (3 high severity)

| Severity | Type | Finding | Value | Location |
|---|---|---|---|---|
| High | API key | Suspected hardcoded credential | API_KEY="your-wan-api-key" | SKILL.md:86 |
| High | API key | Suspected hardcoded credential | API_KEY="your-dashscope-api-key" | SKILL.md:137 |
| High | API key | Suspected hardcoded credential | API_KEY="your-wan-api-key-here" | scripts/examples.md:7 |
| Medium | External URL | External URL | https://dashscope.aliyuncs.com/api/v1/services/aigc/multimodal-generation/generation | SKILL.md:138 |
| Medium | External URL | External URL | https://api.wan.xxx/v1/images/generate | scripts/examples.md:8 |
| Medium | External URL | External URL | https://dashscope.aliyuncs.com/api/v1/tasks/ | scripts/generate_gourmet.py:266 |

Directory structure

3 files · 26.2 KB · 736 lines
Python: 1 file · 491 lines; Markdown: 2 files · 245 lines
├─ 📁 scripts
│ ├─ 📝 examples.md Markdown 64L · 1.5 KB
│ └─ 🐍 generate_gourmet.py Python 491L · 18.0 KB
└─ 📝 SKILL.md Markdown 181L · 6.8 KB

Dependency analysis: 1 item

| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| requests | * | pip | | Version not pinned - standard HTTP library |

Security highlights

✓ Code matches documentation - 100% Wan2.1 API usage declared and verified
✓ No credential harvesting beyond reading WAN_API_KEY for API calls
✓ No data exfiltration - only sends image to DashScope API and receives generated image URL
✓ No obfuscation techniques - base64 only used for legitimate image encoding
✓ No shell execution or subprocess usage
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env files)
✓ No reverse shell, C2, or command-and-control behavior
✓ No hidden instructions in comments or documentation
✓ Single, well-documented external API endpoint (dashscope.aliyuncs.com)
✓ API key read from environment variable only when not provided as parameter