中文 EN

扫描报告

扫描新文件

可信 — 风险评分 5/100
上次扫描:1 天前 重新扫描
5 /100
doubao-all-in-one
使用豆包(火山引擎 Ark)生成图片或视频,将结果保存到本地
Legitimate Doubao/Volcengine AI media generation skill with no malicious indicators; all network activity is to official API endpoints.
技能名称doubao-all-in-one
分析耗时35.1s
引擎pi
可以安装
No action needed. The skill is safe to use.

安全发现 1 项

严重性 安全发现 位置
低危
Local IP detection via 8.8.8.8 socket connection 敏感访问
The get_local_ip() function in create_video_task.py uses s.connect(('8.8.8.8', 80)) to determine the local network interface IP. This is a standard, well-documented technique used by many tools (including requests library). 8.8.8.8 is Google's public DNS — not a C2 or exfiltration endpoint.
s.connect(("8.8.8.8", 80))
→ No action needed. This is legitimate behavior. Could optionally use a different anchor like 1.1.1.1 for diversity, but 8.8.8.8 is benign here.
 scripts/create_video_task.py:45
资源类型声明权限推断权限状态证据
网络访问 READ READ ✓ 一致 All outbound requests to ark.cn-beijing.volces.com, the official Doubao Ark API …
文件系统 WRITE WRITE ✓ 一致 Writes to OUTPUT_ROOT/outputs/doubao/ only, as declared in SKILL.md
环境变量 READ READ ✓ 一致 Reads ARK_API_KEY and OUTPUT_ROOT env vars only, as declared in SKILL.md
命令执行 WRITE WRITE ✓ 一致 Uses uv run python for script execution, as declared in SKILL.md
1 高危 2 项发现
📡
高危 IP 地址 硬编码 IP 地址
8.8.8.8
scripts/create_video_task.py:45
🔗
中危 外部 URL 外部 URL
https://ark.cn-beijing.volces.com/api/v3
scripts/common.py:57

目录结构

14 文件 · 84.0 KB · 2227 行
Python 9f · 1535L Markdown 4f · 688L YAML 1f · 4L
├─ 📁 agents
│ └─ 📋 openai.yaml YAML 4L · 272 B
├─ 📁 references
│ ├─ 📝 seedance_1_5_pro_prompt_guide.md Markdown 162L · 7.6 KB
│ ├─ 📝 seedream_prompt_guide.md Markdown 97L · 6.4 KB
│ └─ 📝 usage.md Markdown 44L · 1.2 KB
├─ 📁 scripts
│ ├─ 🐍 common.py Python 392L · 11.9 KB
│ ├─ 🐍 create_video_task.py Python 343L · 11.4 KB
│ ├─ 🐍 delete_video_task.py Python 51L · 1.4 KB
│ ├─ 🐍 download_video.py Python 61L · 1.9 KB
│ ├─ 🐍 image_to_image.py Python 148L · 5.9 KB
│ ├─ 🐍 list_video_tasks.py Python 68L · 2.1 KB
│ ├─ 🐍 query_video_task.py Python 116L · 3.7 KB
│ ├─ 🐍 text_to_image.py Python 136L · 5.5 KB
│ └─ 🐍 webhook_server.py Python 220L · 8.2 KB
└─ 📝 SKILL.md Markdown 385L · 16.2 KB

依赖分析 2 项

包名版本来源已知漏洞备注
volcengine-python-sdk[ark] * pip Version not pinned, but package source is trusted (official Volcengine SDK)
flask * pip Version not pinned in webhook_server.py

安全亮点

✓ No credential theft — only reads ARK_API_KEY which is required for the Doubao API
✓ No data exfiltration — all network traffic goes to ark.cn-beijing.volces.com (official Volcengine endpoint)
✓ No obfuscation — all code is plaintext Python, easy to audit
✓ No RCE or subprocess abuse — uses uv run python as declared in SKILL.md
✓ No hidden functionality — SKILL.md accurately describes all capabilities
✓ Webhook server binds to localhost only (127.0.0.1:8888) with token-based auth
✓ SQLite database is stored locally under OUTPUT_ROOT, not externally accessible
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env files
✓ Pinned SDK dependency: volcengine-python-sdk[ark]
✓ Webhook server includes IP-based access control rejecting non-localhost origins