Trusted — Risk Score 5/100
Last scan: 2 days ago
jiuma-free-meta-human
Jiuma AI free digital human video generation skill
A legitimate digital human video generation skill using the Jiuma AI platform. All functionality is declared in documentation, no hidden behavior detected, and credential handling is appropriate for the service.
Skill Name: jiuma-free-meta-human
Duration: 31.3s
Engine: pi
Safe to install
This skill is safe to use. Consider pinning the requests library version for better dependency hygiene.

Findings (1 item)

Severity: Low
Finding: Unpinned requests dependency
Location: generate_video.py:14
The requests library in generate_video.py and utils.py does not specify a version constraint. While requests is a well-maintained library with no currently known vulnerabilities, version pinning is a security best practice.
    import requests
→ Add version pinning: requests>=2.28.0
Resource      Declared  Inferred  Status     Evidence
Filesystem    WRITE     WRITE     ✓ Aligned  utils.py:11 - creates .jiuma directory and saves API key
Network       READ      READ      ✓ Aligned  generate_video.py:23, login.py:6-7 - calls api.jiuma.com API
Shell         NONE      NONE                 No shell execution detected
Environment   NONE      NONE                 No environment variable access
External URLs (5 findings)

Severity  Finding       URL                                           Location
Medium    External URL  https://.../qrcode.png                        LOGIN.md:41
Medium    External URL  https://.../login                             LOGIN.md:42
Medium    External URL  https://api.jiuma.com                         generate_video.py:23
Medium    External URL  https://api.jiuma.com/user/getLoginQrcode     login.py:6
Medium    External URL  https://api.jiuma.com/user/checkLoginStatus   login.py:7

File Tree

7 files · 19.0 KB · 596 lines
Python: 3 files · 285 lines; Markdown: 2 files · 267 lines; JSON: 2 files · 44 lines
├─ 🐍 generate_video.py Python 155L · 5.5 KB
├─ 📝 LOGIN.md Markdown 105L · 3.2 KB
├─ 🐍 login.py Python 52L · 1.6 KB
├─ 📋 meta-human.json JSON 33L · 491 B
├─ 📝 SKILL.md Markdown 162L · 5.7 KB
├─ 🐍 utils.py Python 78L · 2.3 KB
└─ 📋 voice.json JSON 11L · 200 B

Dependencies (1 item)

Package   Version  Source  Known Vulns  Notes
requests  *        pip     No           Version not pinned

Security Positives

✓ All functionality declared in SKILL.md with clear parameter documentation
✓ Network calls only to legitimate service endpoint (api.jiuma.com)
✓ No base64-encoded commands or obfuscated code
✓ No subprocess/shell execution - uses only standard Python libraries
✓ No access to sensitive system paths (~/.ssh, ~/.aws, etc.)
✓ API key storage location and purpose clearly documented in LOGIN.md
✓ No credential exfiltration or data theft indicators
✓ Uses standard argparse for CLI - no suspicious command construction
✓ No hidden HTML comments or steganographic payloads