中文 EN

扫描报告

扫描新文件

可信 — 风险评分 5/100
上次扫描:2 天前 重新扫描
5 /100
feishu-voice
飞书语音消息收发:接收语音自动转文字(飞书原生 Transcript + Whisper 降级),回复语音由 MiniMax T2A 合成后发送
Legitimate Feishu voice message skill with properly documented subprocess usage and API calls; no hidden functionality or security concerns identified.
技能名称feishu-voice
分析耗时25.6s
引擎pi
可以安装
No action needed. Consider pinning the requests library version for better supply chain hygiene.

安全发现 1 项

严重性 安全发现 位置
低危
Unpinned requests dependency 供应链
The requests library is used without version pinning, which could lead to unexpected behavior if a malicious version is installed.
import requests
→ Add version pinning: requests>=2.31.0 or requests==2.31.0
 scripts/send_voice.py:7
资源类型声明权限推断权限状态证据
文件系统 WRITE WRITE ✓ 一致 tempfile usage in send_voice.py:20
命令执行 WRITE WRITE ✓ 一致 subprocess.run ffmpeg in send_voice.py:42
环境变量 READ READ ✓ 一致 MINIMAX_API_KEY read in send_voice.py:24
网络访问 READ READ ✓ 一致 POST to api.minimaxi.com in send_voice.py:35
1 项发现
🔗
中危 外部 URL 外部 URL
https://api.minimaxi.com/v1/t2a_v2
SKILL.md:55

目录结构

2 文件 · 5.4 KB · 170 行
Markdown 1f · 108L Python 1f · 62L
├─ 📁 scripts
│ └─ 🐍 send_voice.py Python 62L · 2.2 KB
└─ 📝 SKILL.md Markdown 108L · 3.1 KB

依赖分析 1 项

包名版本来源已知漏洞备注
requests * pip Version not pinned

安全亮点

✓ All subprocess execution (ffmpeg) is explicitly documented in SKILL.md
✓ API key access is explicitly declared and scoped to MINIMAX_API_KEY only
✓ No credential exfiltration or data theft observed
✓ No obfuscation techniques (base64, eval, atob) detected
✓ Network calls use domain names, not direct IP addresses
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ Code matches documentation - no doc-to-code mismatch
✓ Legitimate audio processing workflow: TTS → format conversion → send