中文 EN

扫描报告

扫描新文件

可信 — 风险评分 5/100
上次扫描:17 小时前 重新扫描
5 /100
senseaudio-voice-ab-lab
Generate multiple spoken ad variants from a typed or spoken brief, transcribe voice memos with AudioClaw ASR, and synthesize variants with the same AudioClaw voice for A/B testing.
AudioClaw Voice AB Lab is a legitimate commercial voice A/B testing skill that uses AudioClaw ASR and TTS APIs; no malicious behavior, credential theft, or undeclared capabilities were found.
技能名称senseaudio-voice-ab-lab
分析耗时53.4s
引擎pi
可以安装
No action needed. The skill is safe to deploy. Consider pinning SenseAudio API key dependencies for supply-chain hygiene.

安全发现 1 项

严重性 安全发现 位置
低危
Bootstrap parent-directory path traversal 权限提升
_bootstrap_shared_senseaudio_env() walks parent directories looking for _shared/senseaudio_env.py and adds it to sys.path. This is a common Python packaging pattern but could theoretically load a file from an unexpected parent directory.
for parent in current.parents: candidate = parent / "_shared" / "senseaudio_env.py"
→ Use __file__ directory + a known fixed relative path instead of traversing all parent directories.
 scripts/senseaudio_asr.py:14
资源类型声明权限推断权限状态证据
文件系统 WRITE WRITE ✓ 一致 All scripts read/write local files for manifests, audio output, and results — fu…
网络访问 READ READ ✓ 一致 POSTs to AudioClaw ASR/TTS APIs and Feishu webhook — all declared in SKILL.md Re…
命令执行 NONE READ ✓ 一致 senseaudio_asr.py calls /usr/bin/afinfo via subprocess; send_ab_variants_to_feis…
环境变量 READ READ ✓ 一致 All scripts read SENSEAUDIO_API_KEY, SENSEAUDIO_PLATFORM_TOKEN from os.environ —…
技能调用 NONE NONE No cross-skill invocation found
5 项发现
🔗
中危 外部 URL 外部 URL
https://api.senseaudio.cn/v1/audio/transcriptions
references/asr_brief_pipeline.md:8
🔗
中危 外部 URL 外部 URL
https://platform.senseaudio.cn/api
references/asr_brief_pipeline.md:13
🔗
中危 外部 URL 外部 URL
https://api.senseaudio.cn/v1/t2a_v2
scripts/batch_tts_variants.py:31
🔗
中危 外部 URL 外部 URL
https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type=chat_id
scripts/send_ab_variants_to_feishu.py:119
🔗
中危 外部 URL 外部 URL
https://platform.senseaudio.cn/api/audio/transcriptions
scripts/senseaudio_asr.py:35

目录结构

12 文件 · 60.5 KB · 1674 行
Python 8f · 1373L Markdown 3f · 297L YAML 1f · 4L
├─ 📁 agents
│ └─ 📋 openai.yaml YAML 4L · 509 B
├─ 📁 references
│ ├─ 📝 asr_brief_pipeline.md Markdown 30L · 1.7 KB
│ └─ 📝 commercial_ab_patterns.md Markdown 73L · 1.6 KB
├─ 📁 scripts
│ ├─ 🐍 batch_tts_variants.py Python 171L · 6.1 KB
│ ├─ 🐍 build_voice_ab_variants.py Python 230L · 7.4 KB
│ ├─ 🐍 export_ab_review_csv.py Python 55L · 2.0 KB
│ ├─ 🐍 extract_spoken_brief.py Python 106L · 4.0 KB
│ ├─ 🐍 run_spoken_brief_pipeline.py Python 170L · 5.9 KB
│ ├─ 🐍 run_typed_brief_pipeline.py Python 152L · 5.4 KB
│ ├─ 🐍 send_ab_variants_to_feishu.py Python 217L · 8.4 KB
│ └─ 🐍 senseaudio_asr.py Python 272L · 9.8 KB
└─ 📝 SKILL.md Markdown 194L · 7.7 KB

依赖分析 3 项

包名版本来源已知漏洞备注
senseaudio_api_guard unpinned import Imported from _shared; not in requirements.txt
audioclaw_paths unpinned import Imported from _shared; not in requirements.txt
imageio-ffmpeg unpinned optional Optional fallback for ffmpeg; no known vulnerabilities

安全亮点

✓ SKILL.md is comprehensive and accurately describes all 8 scripts, their purposes, and API key dependencies
✓ No base64-encoded strings, eval(), or anti-analysis techniques found in any script
✓ No access to sensitive paths such as ~/.ssh, ~/.aws, .env, or /etc
✓ No credential exfiltration — API keys are only used as Bearer tokens for AudioClaw/Feishu API calls
✓ No curl|bash or wget|sh remote script execution
✓ No hidden HTML comments or prompt injection instructions
✓ Subprocess calls are limited to legitimate CLI tools (afinfo, ffmpeg) documented and necessary for audio processing
✓ All external URLs are documented, named AudioClaw and Feishu API endpoints — no direct IP exfiltration
✓ API key bootstrap from ~/.audioclaw/workspace/state/senseaudio_credentials.json is explicitly declared in SKILL.md
✓ The load_helper_module() function in send_ab_variants_to_feishu.py correctly scopes path traversal to a named skill directory