Trusted: risk score 5/100
Last scanned: 21 hours ago
ark-video-storyboard
Generate storyboard and prompts from scene description, confirm with user, then optionally submit multi-segment video generation tasks to Volcengine Ark API
Legitimate video storyboard generation skill using Volcengine's Ark API with no malicious behavior detected.
Skill name: ark-video-storyboard
Analysis time: 41.9s
Engine: pi
OK to install
The skill is safe to use. Consider documenting subprocess/curl usage explicitly in SKILL.md for transparency.

Security findings: 1

Severity: Low
Finding: Shell execution not explicitly documented (category: documentation deception)
SKILL.md describes the workflow and API usage but does not explicitly mention that subprocess with curl commands is used for API calls. However, shell:WRITE is declared in the tool mapping.
Uses scripts/ for API submission and polling
→ Add explicit mention of shell/curl usage in SKILL.md capabilities section
Location: SKILL.md:1
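| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | WRITE | WRITE | ✓ Consistent | Downloads videos to ~/.openclaw/media/ |
| Command execution | WRITE | WRITE | ✓ Consistent | subprocess.run with curl commands in submit_segment.py:36-40, download_video.py:… |
| Network access | READ | READ | ✓ Consistent | API calls to https://ark.cn-beijing.volces.com/api/v3/ |
| Environment variables | READ | READ | ✓ Consistent | Reads ARK_API_KEY environment variable in submit_segment.py:18-19 |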
2 findings
Medium: External URL
https://ark.cn-beijing.volces.com/api/v3/contents/generations/tasks
references/api.md:5
Medium: External URL
https://ark.cn-beijing.volces.com/api/v3/contents/generations/tasks/
references/api.md:34

Directory structure

11 files · 34.0 KB · 888 lines
Markdown 5f · 467L Python 6f · 421L
├─ 📁 references
│ ├─ 📝 api.md Markdown 91L · 3.7 KB
│ ├─ 📝 examples.md Markdown 14L · 912 B
│ ├─ 📝 prompt-rules.md Markdown 32L · 746 B
│ └─ 📝 storyboard-schema.md Markdown 65L · 1.7 KB
├─ 📁 scripts
│ ├─ 🐍 build_storyboard.py Python 59L · 2.6 KB
│ ├─ 🐍 download_video.py Python 74L · 2.5 KB
│ ├─ 🐍 get_task_result.py Python 46L · 1.4 KB
│ ├─ 🐍 poll_task_until_done.py Python 58L · 1.9 KB
│ ├─ 🐍 run_full_generation.py Python 123L · 5.2 KB
│ └─ 🐍 submit_segment.py Python 61L · 2.0 KB
└─ 📝 SKILL.md Markdown 265L · 11.4 KB

Security highlights

✓ All network requests go to legitimate Volcengine API endpoint (ark.cn-beijing.volces.com)
✓ API key access follows documented hierarchy (env var → config file)
✓ Confirmation-first workflow prevents accidental execution
✓ Videos are downloaded locally to ~/.openclaw/media/ not exfiltrated
✓ No credential harvesting beyond user's own ARK_API_KEY
✓ No obfuscation, base64 execution, or anti-analysis techniques
✓ Clear error handling with user-facing messages
✓ Sequential segment submission prevents race conditions