Low risk: risk score 15/100
Last scanned: 21 hours ago
ifly-pdf&image-ocr
AI-powered OCR service for images and PDF documents using iFlytek's advanced recognition APIs
Legitimate OCR skill using iFlytek APIs with no malicious behavior; minor issue of unpinned dependencies.
Skill name: ifly-pdf&image-ocr
Analysis time: 157.4s
Engine: pi
Verdict: can be installed
No immediate action required. Consider pinning the requests library version in a requirements.txt for reproducibility.

Security findings: 2

Severity | Finding | Location

Finding 1 (Low): Unpinned dependency (category: supply chain)
Description: The requests library is imported but not pinned to a specific version. No requirements.txt or dependency manifest exists.
Evidence: import requests
Recommendation: Add a requirements.txt with 'requests>=2.28.0' or similar to ensure reproducible builds
Location: scripts/image_ocr.py:17

Finding 2 (Low): Missing _meta.json (category: documentation deception)
Description: No _meta.json metadata file found for the skill.
Evidence: N/A
Recommendation: Add _meta.json with skill metadata for tracking purposes
Location: SKILL.md:1
Permission analysis

Resource type | Declared permission | Inferred permission | Status | Evidence
File system | READ | READ | ✓ consistent | Scripts read image/PDF files specified by user
Network access | READ | READ | ✓ consistent | Makes API calls to cbm01.cn-huabei-1.xf-yun.com and iocr.xfyun.cn
Command execution | NONE | NONE | | No subprocess or shell execution found
Environment variables | READ | READ | ✓ consistent | Reads IFLY_APP_ID, IFLY_API_KEY, IFLY_API_SECRET for API authentication
External URLs: 6 findings

Severity | Type | URL | Location
Medium | External URL | https://console.xfyun.cn/ | SKILL.md:46
Medium | External URL | http://bjcdn.openstorage.cn/... | SKILL.md:185
Medium | External URL | https://console.xfyun.cn/services/se75ocrbm | SKILL.md:235
Medium | External URL | https://console.xfyun.cn/sale/buy?wareId=9166&packageId=9166001&serviceName=%E9%80%9A%E7%94%A8%E6%96%87%E6%A1%A3%E8%AF%8... | SKILL.md:236
Medium | External URL | https://cbm01.cn-huabei-1.xf-yun.com/v1/private/se75ocrbm | scripts/image_ocr.py:25
Medium | External URL | https://iocr.xfyun.cn/ocrzdq/v1/pdfOcr | scripts/pdf_ocr.py:24

Directory structure

3 files · 27.8 KB · 872 lines
Python: 2 files · 598 lines; Markdown: 1 file · 274 lines
├─ scripts/
│ ├─ image_ocr.py (Python, 260 lines · 7.9 KB)
│ └─ pdf_ocr.py (Python, 338 lines · 10.0 KB)
└─ SKILL.md (Markdown, 274 lines · 9.8 KB)

Dependency analysis: 1 item

Package | Version | Source | Known vulnerabilities | Notes
requests | * | pip | | Version not pinned, no requirements.txt

Security highlights

✓ All network requests go to legitimate iFlytek API endpoints (xf-yun.com domains)
✓ API credentials are used only for authentication, not exfiltrated
✓ HMAC-SHA256 and HMAC-SHA1 signatures are standard cryptographic practices
✓ No shell execution, subprocess, or command injection vectors found
✓ No base64 obfuscation or dynamic code execution (eval/exec)
✓ File access is limited to user-specified image/PDF paths only
✓ Documentation accurately describes all functionality and API behavior
✓ No hidden functionality or undocumented behavior detected