Scan Report
5/100
signus-font-signature
Generate font-based signature images via Signus API and return image files for chat delivery
The skill performs declared font-signature generation with correct filesystem and network boundaries, presenting no security concerns.
Safe to install
No action required. The skill is safe to use.
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | WRITE | WRITE | ✓ Consistent | SKILL.md:23 and scripts/generate_font_signatures.js:126-127 writes to ~/.opencla… |
| Network access | READ | READ | ✓ Consistent | SKILL.md:50 fixed to https://api.signus.ai; scripts/generate_font_signatures.js:… |
| Command execution | NONE | NONE | — | No subprocess, exec, or child_process usage in code |
| Environment variables | NONE | NONE | — | SKILL.md:35 explicitly states no env reads; code contains no process.env access |
| Skill invocation | NONE | NONE | — | No inter-skill invocation detected |
| Clipboard | NONE | NONE | — | No clipboard API usage |
| Browser | NONE | NONE | — | No browser automation |
| Database | NONE | NONE | — | No database access |
1 finding
Medium severity: External URL
https://api.signus.ai (SKILL.md:50)
Directory structure
4 files · 9.6 KB · 326 lines
JavaScript 1f · 219L
Markdown 1f · 74L
JSON 2f · 33L
├─ scripts
│  └─ generate_font_signatures.js (JavaScript)
├─ package-lock.json (JSON)
├─ package.json (JSON)
└─ SKILL.md (Markdown)
Dependency analysis: 1 item
| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| adm-zip | ^0.5.16 | npm | No | Standard ZIP library, version reasonably constrained |
Security highlights
✓ SKILL.md and code are tightly aligned — all declared behaviors match implementation
✓ No environment variable access
✓ No shell command execution
✓ Network target is hardcoded to a single trusted domain (api.signus.ai)
✓ Filesystem writes are constrained to a specific application directory (~/.openclaw/media/signatures-font/)
✓ JSON payload validation with proper error handling
✓ Dependency (adm-zip ^0.5.16) is a standard, well-known library with reasonable version constraint
✓ No credential harvesting, credential usage, or sensitive path access
✓ Output structure (name-timestamp directory) prevents file collision/overwrites