Low Risk — Risk Score 20/100
Last scan: 21 hr ago
bizyair-video
Video generation assistant built on the BizyAir asynchronous API, supporting 5 video generation modes.
This is a legitimate BizyAir video-generation API skill with properly declared network access and API-key usage. There is a minor documentation gap between the shell usage declared under `requires` and the actual subprocess execution, but no malicious behavior was detected.
Skill Name: bizyair-video
Duration: 43.6s
Engine: pi
Safe to install
Update SKILL.md to explicitly declare the shell:WRITE permission needed for the curl-based HTTP requests, and add dependency pinning for jq/bc to the script documentation.

Findings (3 items)

Severity · Category · Location

Low · Doc Mismatch · SKILL.md:5
Shell execution not explicitly declared in SKILL.md
SKILL.md declares 'requires: curl', but the skill runs bash scripts that invoke curl as a subprocess. The shell:WRITE permission is not documented.
Evidence: requires: {"curl": "用于执行 HTTP 请求"} (the value reads "used to execute HTTP requests")
→ Add an explicit permission declaration for bash/shell execution, or restructure the scripts so they are invoked differently.
Info · Doc Mismatch · SKILL.md:302
Placeholder API key examples in documentation
SKILL.md:302 and scripts/README.md:141 contain the placeholder text 'your_actual_api_key_here'. These are example strings, not real credentials, but they can confuse users and trip pattern-based secret scanners.
Evidence: export BIZYAIR_API_KEY="your_actual_api_key_here"
→ Use a clearly marked placeholder format such as '<INSERT_API_KEY>' or '{{API_KEY}}' to distinguish it from a real credential.
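A small preflight guard, added here as an example and not part of the bizyair-video skill's own scripts, that turns the placeholder problem in this finding into a hard failure instead of a confusing API error: it refuses to run when BIZYAIR_API_KEY is unset or still holds one of the documented placeholder strings (including the '<INSERT_API_KEY>' and '{{API_KEY}}' formats recommended above), and reports which of the tools listed in the Dependencies table are missing. The function names, the `--check` flag and the messages are this example's own choices.

```shell
#!/bin/sh
# Example preflight for the bizyair-video scripts (added here, not the
# skill's own code). Refuses placeholder API keys and reports missing tools.
set -u

# check_api_key VALUE -> 0 usable, 1 empty/unset, 2 known placeholder
check_api_key() {
    case "${1:-}" in
        '') return 1 ;;
        # Placeholder strings from SKILL.md / scripts/README.md plus the
        # clearly-marked formats the finding recommends.
        your_actual_api_key_here|your_api_key_here|'<INSERT_API_KEY>'|'{{API_KEY}}')
            return 2 ;;
    esac
    return 0
}

# check_tools NAME... -> 0 if every tool is on PATH, 1 otherwise
# (missing names are printed to stderr)
check_tools() {
    missing=0
    for t in "$@"; do
        if ! command -v "$t" >/dev/null 2>&1; then
            echo "missing tool: $t" >&2
            missing=1
        fi
    done
    return $missing
}

# preflight -> 0 when the scripts can safely run, 1 otherwise
preflight() {
    rc=0
    check_api_key "${BIZYAIR_API_KEY:-}" || rc=$?
    case $rc in
        1) echo "BIZYAIR_API_KEY is not set" >&2; return 1 ;;
        2) echo "BIZYAIR_API_KEY still holds a placeholder value" >&2; return 1 ;;
    esac
    # curl is required; jq and bc are optional per the Dependencies table,
    # so their absence is reported but not fatal.
    check_tools curl || return 1
    check_tools jq bc || echo "optional tools missing; scripts will fall back" >&2
    return 0
}

# Usage: BIZYAIR_API_KEY=... sh preflight.sh --check
if [ "${1:-}" = "--check" ]; then
    preflight && echo "preflight ok"
fi
```

Sourcing this file from each script (or calling `preflight` at the top of create_video_task.sh) means a copied-and-pasted placeholder never reaches api.bizyair.cn, and a missing bc shows up before the duration arithmetic silently fails.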
Low · Supply Chain · scripts/get_video_task_outputs.sh:56
Optional script dependencies not documented as required
get_task_outputs.sh uses 'bc' for floating-point math (line 56), but bc is not declared in the system requirements; the `2>/dev/null` hides the failure when bc is absent.
Evidence: scale=1; $ms / 1000 | bc 2>/dev/null
→ Add 'bc' to the required dependencies, or use pure shell arithmetic.
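The bc pipeline quoted above can be replaced with the integer arithmetic every POSIX shell provides, which removes the undeclared dependency and the silent `2>/dev/null` fallback. The functions below are an added example, not the skill's own code; the names `fmt_ms`, `elapsed_ms` and the sample values are this example's own. `fmt_ms` truncates to one decimal exactly as `scale=1` does in bc, so displayed durations do not change.

```shell
#!/bin/sh
# Example replacement for `echo "scale=1; $ms / 1000" | bc` (added here, not
# the skill's own code): milliseconds -> "S.t" seconds using only POSIX shell
# integer arithmetic, so bc is no longer needed.

# dec VALUE -> VALUE with leading zeros removed ("0043" would otherwise be
# read as octal by bash arithmetic); empty input becomes 0
dec() {
    v=${1#"${1%%[!0]*}"}
    printf '%s\n' "${v:-0}"
}

# fmt_ms MS -> prints MS milliseconds as seconds with one decimal, truncated
# like bc's scale=1; returns 1 and prints nothing for non-numeric input
fmt_ms() {
    ms=${1:-}
    case "$ms" in
        ''|*[!0-9]*) echo "fmt_ms: not a non-negative integer: '$ms'" >&2; return 1 ;;
    esac
    ms=$(dec "$ms")
    tenths=$(( ms / 100 ))                 # whole tenths of a second
    printf '%d.%d\n' $(( tenths / 10 )) $(( tenths % 10 ))
}

# elapsed_ms START_MS END_MS -> formatted elapsed time; refuses non-numeric
# timestamps and negative spans instead of printing garbage
elapsed_ms() {
    for v in "${1:-}" "${2:-}"; do
        case "$v" in
            ''|*[!0-9]*) echo "elapsed_ms: bad timestamp '$v'" >&2; return 1 ;;
        esac
    done
    s=$(dec "$1"); e=$(dec "$2")
    [ "$e" -ge "$s" ] || { echo "elapsed_ms: end before start" >&2; return 1; }
    fmt_ms $(( e - s ))
}

# Demo with constructed values (a 43617 ms task duration).
if [ "${1:-}" = "--demo" ]; then
    fmt_ms 43617
    elapsed_ms 1700000000000 1700000043617
fi
```

Dropping bc this way also removes one more external binary from the skill's effective dependency set, which is the cheaper fix compared with documenting and pinning it.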
Resource | Declared | Inferred | Status | Evidence
Network | READ | READ | ✓ Aligned | SKILL.md:155-161 - POST to api.bizyair.cn; SKILL.md:190 - GET outputs endpoint
Shell | NONE | WRITE | ✗ Mismatch (see finding 1) | scripts/create_video_task.sh:217 - curl subprocess execution; scripts/README.md …
Environment | READ | READ | ✓ Aligned | SKILL.md:302, scripts/create_video_task.sh:24 - reads BIZYAIR_API_KEY only
Pattern matches: 9 findings (2 High, 7 Medium)

High · API Key · suspected hard-coded credential
API_KEY="your_actual_api_key_here"
SKILL.md:302

High · API Key · suspected hard-coded credential
API_KEY="your_api_key_here"
scripts/README.md:141

Both High matches are the documentation placeholders covered by the Info finding above, not live credentials.

Medium · External URL
https://api.bizyair.cn/w/v1/webapp/task/openapi/create
SKILL.md:155

Medium · External URL
https://api.bizyair.cn/w/v1/webapp/task/openapi/outputs?requestId=
SKILL.md:190

Medium · External URL
https://storage.bizyair.cn/outputs/xxx.mp4
SKILL.md:339

Medium · External URL
https://storage.bizyair.cn/inputs/20260108/JYLqRJcgPJ1GcOrzRfXJ8qsXnia1aWSB.png
scripts/README.md:81

Medium · External URL
https://storage.bizyair.cn/inputs/20260108/...
scripts/README.md:88

Medium · External URL
https://storage.bizyair.cn/outputs/xxx.png
scripts/README.md:127

Medium · External URL
https://api.bizyair.cn/w/v1/webapp/task/openapi/outputs?requestId=$
scripts/get_task_outputs.sh:47

File Tree

8 files · 47.2 KB · 1508 lines
Shell: 4 files, 748 lines · Markdown: 2 files, 535 lines · JSON: 2 files, 225 lines
├─ .claude/
│ └─ settings.local.json (JSON, 7 lines, 220 B)
├─ evals/
│ └─ evals.json (JSON, 218 lines, 8.8 KB)
├─ scripts/
│ ├─ create_angle_task.sh (Shell, 147 lines, 4.9 KB)
│ ├─ create_video_task.sh (Shell, 285 lines, 9.0 KB)
│ ├─ get_task_outputs.sh (Shell, 135 lines, 4.6 KB)
│ ├─ get_video_task_outputs.sh (Shell, 181 lines, 5.5 KB)
│ └─ README.md (Markdown, 173 lines, 4.0 KB)
└─ SKILL.md (Markdown, 362 lines, 10.2 KB)

Dependencies (3 items)

Package | Version | Source | Known Vulns | Notes
curl | N/A | system | No | Required system tool for HTTP requests
bc | N/A | system | No | Optional - used for float math in duration formatting
jq | N/A | system | No | Optional - for JSON parsing if available

Security Positives

✓ All network requests go to documented bizyair.cn API endpoints
✓ API key is used only for authentication to the intended service
✓ No credential enumeration or exfiltration to unknown endpoints
✓ No base64, eval, or obfuscated code patterns detected
✓ No sensitive file access (~/.ssh, ~/.aws, .env scanning)
✓ No reverse shell, C2, or data theft patterns
✓ Scripts have proper error handling and validation
✓ No hidden HTML comments or steganographic payloads