Scan Report
5 /100
signus-font-signature
Generate font-based signature images via Signus API and return image files for chat delivery
The skill performs declared font-signature generation with correct filesystem and network boundaries, presenting no security concerns.
Safe to install
No action required. The skill is safe to use.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Aligned | SKILL.md:23 and scripts/generate_font_signatures.js:126-127 writes to ~/.opencla… |
| Network | READ | READ | ✓ Aligned | SKILL.md:50 fixed to https://api.signus.ai; scripts/generate_font_signatures.js:… |
| Shell | NONE | NONE | — | No subprocess, exec, or child_process usage in code |
| Environment | NONE | NONE | — | SKILL.md:35 explicitly states no env reads; code contains no process.env access |
| Skill Invoke | NONE | NONE | — | No inter-skill invocation detected |
| Clipboard | NONE | NONE | — | No clipboard API usage |
| Browser | NONE | NONE | — | No browser automation |
| Database | NONE | NONE | — | No database access |
1 finding
Medium External URL
https://api.signus.ai SKILL.md:50
File Tree
4 files · 9.6 KB · 326 lines
JavaScript 1f · 219L
Markdown 1f · 74L
JSON 2f · 33L
├─ scripts
│  └─ generate_font_signatures.js (JavaScript)
├─ package-lock.json (JSON)
├─ package.json (JSON)
└─ SKILL.md (Markdown)
Dependencies 1 item
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| adm-zip | ^0.5.16 | npm | No | Standard ZIP library, version reasonably constrained |
Security Positives
✓ SKILL.md and code are tightly aligned — all declared behaviors match implementation
✓ No environment variable access
✓ No shell command execution
✓ Network target is hardcoded to a single trusted domain (api.signus.ai)
✓ Filesystem writes are constrained to a specific application directory (~/.openclaw/media/signatures-font/)
✓ JSON payload validation with proper error handling
✓ Dependency (adm-zip ^0.5.16) is a standard, well-known library with reasonable version constraint
✓ No credential harvesting, credential usage, or sensitive path access
✓ Output structure (name-timestamp directory) prevents file collision/overwrites