Trusted: risk score 5/100
Last scan: 2 days ago
wan26-text-to-image
Uses the Alibaba Cloud Wanxiang 2.6 model to generate WeChat Official Account cover images and technical architecture diagrams.
Legitimate Alibaba Cloud Wanxiang 2.6 image generation skill with no malicious indicators. All declared capabilities (network API calls, local file writes, .env loading) match implementation. Shell access is user-initiated setup only.
Skill name: wan26-text-to-image
Analysis time: 47.0s
Engine: pi
Safe to install
Skill is safe to use. Consider pinning exact dependency versions in requirements.txt for reproducible builds.

Security findings (2)

Severity | Finding | Location
Low | Loose version pinning in requirements.txt | requirements.txt:1
  requirements.txt uses 'dashscope>=1.25.8' instead of an exact version. This can lead to unexpected behavior if a breaking update is released.
  Evidence: dashscope>=1.25.8
  → Pin exact version: dashscope==1.25.8 (or latest verified stable)
Info | Multiple .env loading paths | wan26_generator.py:301
  Skill loads .env from 4 locations (OPENCLAW_ENV_FILE, skill dir, ~/.openclaw/.env, ~/.workbuddy/.env). This is documented behavior matching OpenClaw conventions, but could theoretically load a rogue .env file.
  Evidence: candidates.append(os.path.join(skill_dir, ".env"))
  → Ensure only trusted .env files are present in these directories
Resource type | Declared permission | Inferred permission | Status | Evidence
Network access | READ | READ | ✓ Consistent | wan26_generator.py:58-63 - API calls to Alibaba Cloud domains (dashscope.aliyunc…
File system | WRITE | WRITE | ✓ Consistent | wan26_generator.py:417-426 - saves images to ~/WorkBuddy/<skill-name>/
File system | READ | READ | ✓ Consistent | wan26_generator.py:301-328 - reads .env from multiple paths (documented behavior…
Command execution | WRITE | WRITE | ✓ Consistent | setup.sh:44-56 - user-initiated API key setup only, not called automatically
Environment variables | READ | READ | ✓ Consistent | wan26_generator.py:40-43 - reads DASHSCOPE_API_KEY from environment
5 findings (external URLs)

Severity | Type | URL | Location
Medium | External URL | https://help.aliyun.com/zh/model-studio/get-api-key | SKILL.md:96
Medium | External URL | https://help.aliyun.com/zh/model-studio/wan-image-generation-api-reference | SKILL.md:136
Medium | External URL | https://dashscope.aliyuncs.com/api/v1 | config.py:133
Medium | External URL | https://dashscope-intl.aliyuncs.com/api/v1 | wan26_generator.py:62
Medium | External URL | https://dashscope-us.aliyuncs.com/api/v1 | wan26_generator.py:63

Directory structure

5 files · 31.3 KB · 895 lines
Python: 2 files · 688 lines; Markdown: 1 file · 136 lines; Shell: 1 file · 69 lines; Text: 1 file · 2 lines
├─ config.py (Python, 148 lines · 4.7 KB)
├─ requirements.txt (Text, 2 lines · 27 B)
├─ setup.sh (Shell, 69 lines · 1.9 KB)
├─ SKILL.md (Markdown, 136 lines · 4.4 KB)
└─ wan26_generator.py (Python, 540 lines · 20.2 KB)

Dependency analysis (2)

Package | Version | Source | Known vulnerabilities | Notes
dashscope | >=1.25.8 | pip | | Version not pinned
requests | * | pip | | Version not pinned, standard library fallback

Security highlights

✓ No subprocess/shell execution in main generator code
✓ No base64, eval(), or dynamic code execution
✓ No credential exfiltration or external data transmission
✓ API key not echoed to terminal output
✓ .env files properly gitignored
✓ File permissions set to 0o600 for sensitive files
✓ Clean separation: shell access only for user-initiated setup, not automated execution
✓ Uses official Alibaba Cloud SDK (dashscope) with documented API endpoints
✓ All network requests go to legitimate Alibaba Cloud domains