Trusted: risk score 5/100
Last scanned: 19 hours ago
voice-interview-simulator
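Chinese-language voice mock interview simulator for job seekers: uses an LLM to generate questions, ASR to transcribe answers, and TTS to voice the interviewer, and outputs a structured evaluation report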
A legitimate Chinese voice interview simulator using LLM, ASR, and TTS APIs. No malicious behavior detected; all functionality is accurately documented and scoped.
Skill name: voice-interview-simulator
Analysis time: 43.3s
Engine: pi
OK to install
This skill is safe to use. No security concerns require action.

Security findings: 1

Severity: Low
Finding: Loose dependency version pinning
Category: Supply chain
All three dependencies in requirements.txt use >= lower-bounds pinning (requests>=2.31.0, openai>=1.30.0, python-dotenv>=1.0.0) instead of exact versions. This could theoretically allow a future incompatible version to be installed.
openai>=1.30.0
requests>=2.31.0
python-dotenv>=1.0.0
→ Consider pinning exact versions (e.g., requests==2.31.0) to ensure reproducible builds and prevent supply chain surprises.
Location: requirements.txt:1
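
| Resource type | Declared permission | Inferred permission | Status | Evidence |
| --- | --- | --- | --- | --- |
| Filesystem | WRITE | WRITE | ✓ Consistent | scripts/run_interview.py:359 writes to OUTPUT_DIR/ |
| Network access | READ | READ | ✓ Consistent | scripts/run_interview.py:295-315 POSTs to ASR/TTS APIs; scripts/run_interview.py… |
| Command execution | NONE | NONE | | No subprocess, os.system, or shell execution found |
| Environment variables | READ | READ | ✓ Consistent | scripts/run_interview.py:75-95 reads API keys from env vars; no key exfiltration |
| Skill invocation | NONE | NONE | | No inter-skill invocation |
| Clipboard | NONE | NONE | | No clipboard access |
| Browser | NONE | NONE | | No browser access |
| Database | NONE | NONE | | No database access |
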
3 findings
Medium, external URL: https://models.audiozen.cn/v1 (scripts/run_interview.py:83)
Medium, external URL: https://api.senseaudio.cn/v1/audio/transcriptions (scripts/run_interview.py:89)
Medium, external URL: https://api.senseaudio.cn/v1/t2a_v2 (scripts/run_interview.py:95)

Directory structure

6 files · 28.5 KB · 925 lines
Python 1f · 511L Markdown 3f · 409L Text 1f · 3L YAML 1f · 2L
├─ 📁 agents
│ └─ 📋 openai.yaml YAML 2L · 51 B
├─ 📁 references
│ ├─ 📝 prompts_cn.md Markdown 127L · 3.0 KB
│ └─ 📝 state_schema_cn.md Markdown 91L · 2.0 KB
├─ 📁 scripts
│ └─ 🐍 run_interview.py Python 511L · 17.5 KB
├─ 📄 requirements.txt Text 3L · 53 B
└─ 📝 SKILL.md Markdown 191L · 5.9 KB

Dependency analysis: 3 items

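| Package | Version | Source | Known vulnerabilities | Notes |
| --- | --- | --- | --- | --- |
| openai | >=1.30.0 | pip | | Lower-bounds pin only |
| requests | >=2.31.0 | pip | | Lower-bounds pin only |
| python-dotenv | >=1.0.0 | pip | | Lower-bounds pin only |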

Security highlights

✓ SKILL.md accurately declares all three external API integrations (LLM, ASR, TTS) with their base URLs
✓ No subprocess, shell execution, or command injection found anywhere in the codebase
✓ No credential exfiltration — API keys are read from environment variables and used only for authentication to declared APIs
✓ No obfuscation techniques (no base64, eval, or dynamic code loading)
✓ No access to sensitive paths such as ~/.ssh, ~/.aws, .env, or secrets directories
✓ File writes are scoped to a dedicated outputs/ directory, not system paths
✓ No inter-skill invocation abuse or privilege escalation attempts
✓ Hardcoded fallback defaults (e.g., model names, base URLs) are documented in SKILL.md
✓ Environment variable access is targeted (specific keys), not a broad os.environ iteration
✓ No hidden instructions, HTML comments with payloads, or prompt injection vectors