bizyair-video 安全扫描报告 — 低风险 | ClawSafe

20 /100

bizyair-video

基于 BizyAir 异步 API 的视频生成助手，支持 5 种视频生成模式

This is a legitimate BizyAir video generation API skill with properly declared network access and API key usage. Minor documentation gap exists between declared shell usage in requires vs actual subprocess execution, but no malicious behavior detected.

技能名称bizyair-video

分析耗时43.6s

引擎pi

✓

可以安装

Update SKILL.md to explicitly declare shell:WRITE permission for curl-based HTTP requests, and add dependency pinning for jq/bc in script documentation.

安全发现 3 项

严重性	安全发现	位置
低危	Shell execution not explicitly declared in SKILL.md 文档欺骗 SKILL.md declares 'requires: curl' but scripts execute bash scripts with curl subprocess. The shell:WRITE permission is not explicitly documented. `requires: {"curl": "用于执行 HTTP 请求"}` → Add explicit permission declaration for bash/shell execution, or restructure scripts to be invoked differently	`SKILL.md:5`
提示	Placeholder API key examples in documentation 文档欺骗 SKILL.md:302 and scripts/README.md:141 contain 'your_actual_api_key_here' placeholder text. These are example strings, not actual credentials, but could cause user confusion. `export BIZYAIR_API_KEY="your_actual_api_key_here"` → Use clearly marked placeholder format like '<INSERT_API_KEY>' or '{{API_KEY}}' to distinguish from real credentials	`SKILL.md:302`
低危	Optional script dependencies not documented as required 供应链 get_task_outputs.sh uses 'bc' for floating-point math (line 56), but this is not declared in system requirements `scale=1; $ms / 1000 \| bc 2>/dev/null` → Add 'bc' to required dependencies or use pure bash arithmetic	`scripts/get_video_task_outputs.sh:56`

资源类型	声明权限	推断权限	状态	证据
网络访问	`READ`	`READ`	✓ 一致	SKILL.md:155-161 - POST to api.bizyair.cn, SKILL.md:190 - GET outputs endpoint
命令执行	`NONE`	`WRITE`	✓ 一致	scripts/create_video_task.sh:217 - curl subprocess execution; scripts/README.md …
环境变量	`READ`	`READ`	✓ 一致	SKILL.md:302, scripts/create_video_task.sh:24 - reads BIZYAIR_API_KEY only

2 高危 9 项发现

🔑

高危 API 密钥疑似硬编码凭证

API_KEY="your_actual_api_key_here"

SKILL.md:302

🔑

高危 API 密钥疑似硬编码凭证

API_KEY="your_api_key_here"

scripts/README.md:141

🔗

中危外部 URL 外部 URL

https://api.bizyair.cn/w/v1/webapp/task/openapi/create

SKILL.md:155

🔗

中危外部 URL 外部 URL

https://api.bizyair.cn/w/v1/webapp/task/openapi/outputs?requestId=

SKILL.md:190

🔗

中危外部 URL 外部 URL

https://storage.bizyair.cn/outputs/xxx.mp4

SKILL.md:339

🔗

中危外部 URL 外部 URL

https://storage.bizyair.cn/inputs/20260108/JYLqRJcgPJ1GcOrzRfXJ8qsXnia1aWSB.png

scripts/README.md:81

🔗

中危外部 URL 外部 URL

https://storage.bizyair.cn/inputs/20260108/...

scripts/README.md:88

🔗

中危外部 URL 外部 URL

https://storage.bizyair.cn/outputs/xxx.png

scripts/README.md:127

🔗

中危外部 URL 外部 URL

https://api.bizyair.cn/w/v1/webapp/task/openapi/outputs?requestId=$

scripts/get_task_outputs.sh:47

目录结构

8 文件 · 47.2 KB · 1508 行

Shell 4f · 748L Markdown 2f · 535L JSON 2f · 225L

├─ ▾ 📁 .claude

│ └─ 📋 settings.local.json JSON 7L · 220 B

├─ ▾ 📁 evals

│ └─ 📋 evals.json JSON 218L · 8.8 KB

├─ ▾ 📁 scripts

│ ├─ 🔧 create_angle_task.sh Shell 147L · 4.9 KB

│ ├─ 🔧 create_video_task.sh Shell 285L · 9.0 KB

│ ├─ 🔧 get_task_outputs.sh Shell 135L · 4.6 KB

│ ├─ 🔧 get_video_task_outputs.sh Shell 181L · 5.5 KB

│ └─ 📝 README.md Markdown 173L · 4.0 KB

└─ 📝 SKILL.md Markdown 362L · 10.2 KB

依赖分析 3 项

包名	版本	来源	已知漏洞	备注
`curl`	`N/A`	system	否	Required system tool for HTTP requests
`bc`	`N/A`	system	否	Optional - used for float math in duration formatting
`jq`	`N/A`	system	否	Optional - for JSON parsing if available

安全亮点

✓ All network requests go to documented bizyair.cn API endpoints

✓ API key is used only for authentication to the intended service

✓ No credential enumeration or exfiltration to unknown endpoints

✓ No base64, eval, or obfuscated code patterns detected

✓ No sensitive file access (~/.ssh, ~/.aws, .env scanning)

✓ No reverse shell, C2, or data theft patterns

✓ Scripts have proper error handling and validation

✓ No hidden HTML comments or steganographic payloads