中文 EN

Scan Report

Scan New Files

Trusted — Risk Score 5/100
Last scan:17 hr ago Rescan
5 /100
voice-interview-simulator
中文求职语音模拟面试器 — 使用 LLM 生成问题、ASR 转写回答、TTS 播报面试官语音,输出结构化评估报告
A legitimate Chinese voice interview simulator using LLM, ASR, and TTS APIs. No malicious behavior detected; all functionality is accurately documented and scoped.
Skill Namevoice-interview-simulator
Duration43.3s
Enginepi
Safe to install
This skill is safe to use. No security concerns require action.

Findings 1 items

Severity Finding Location
Low
Loose dependency version pinning Supply Chain
All three dependencies in requirements.txt use >= lower-bounds pinning (requests>=2.31.0, openai>=1.30.0, python-dotenv>=1.0.0) instead of exact versions. This could theoretically allow a future incompatible version to be installed.
openai>=1.30.0
requests>=2.31.0
python-dotenv>=1.0.0
→ Consider pinning exact versions (e.g., requests==2.31.0) to ensure reproducible builds and prevent supply chain surprises.
 requirements.txt:1
ResourceDeclaredInferredStatusEvidence
Filesystem WRITE WRITE ✓ Aligned scripts/run_interview.py:359 writes to OUTPUT_DIR/
Network READ READ ✓ Aligned scripts/run_interview.py:295-315 POSTs to ASR/TTS APIs; scripts/run_interview.py…
Shell NONE NONE No subprocess, os.system, or shell execution found
Environment READ READ ✓ Aligned scripts/run_interview.py:75-95 reads API keys from env vars; no key exfiltration
Skill Invoke NONE NONE No inter-skill invocation
Clipboard NONE NONE No clipboard access
Browser NONE NONE No browser access
Database NONE NONE No database access
3 findings
🔗
Medium External URL 外部 URL
https://models.audiozen.cn/v1
scripts/run_interview.py:83
🔗
Medium External URL 外部 URL
https://api.senseaudio.cn/v1/audio/transcriptions
scripts/run_interview.py:89
🔗
Medium External URL 外部 URL
https://api.senseaudio.cn/v1/t2a_v2
scripts/run_interview.py:95

File Tree

6 files · 28.5 KB · 925 lines
Python 1f · 511L Markdown 3f · 409L Text 1f · 3L YAML 1f · 2L
├─ 📁 agents
│ └─ 📋 openai.yaml YAML 2L · 51 B
├─ 📁 references
│ ├─ 📝 prompts_cn.md Markdown 127L · 3.0 KB
│ └─ 📝 state_schema_cn.md Markdown 91L · 2.0 KB
├─ 📁 scripts
│ └─ 🐍 run_interview.py Python 511L · 17.5 KB
├─ 📄 requirements.txt Text 3L · 53 B
└─ 📝 SKILL.md Markdown 191L · 5.9 KB

Dependencies 3 items

PackageVersionSourceKnown VulnsNotes
openai >=1.30.0 pip No Lower-bounds pin only
requests >=2.31.0 pip No Lower-bounds pin only
python-dotenv >=1.0.0 pip No Lower-bounds pin only

Security Positives

✓ SKILL.md accurately declares all three external API integrations (LLM, ASR, TTS) with their base URLs
✓ No subprocess, shell execution, or command injection found anywhere in the codebase
✓ No credential exfiltration — API keys are read from environment variables and used only for authentication to declared APIs
✓ No obfuscation techniques (no base64, eval, or dynamic code loading)
✓ No access to sensitive paths such as ~/.ssh, ~/.aws, .env, or secrets directories
✓ File writes are scoped to a dedicated outputs/ directory, not system paths
✓ No inter-skill invocation abuse or privilege escalation attempts
✓ Hardcoded fallback defaults (e.g., model names, base URLs) are documented in SKILL.md
✓ Environment variable access is targeted (specific keys), not a broad os.environ iteration
✓ No hidden instructions, HTML comments with payloads, or prompt injection vectors