Scan report
5/100
xai-studio
xAI Studio — generate and edit images and videos via the xAI API
Legitimate xAI API wrapper for image/video generation with no security concerns. All capabilities match documentation.
Safe to install
This skill is safe to use. No security issues detected.
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ | ✓ Consistent | _encode_image() reads local files |
| Filesystem | WRITE | WRITE | ✓ Consistent | _prepare_out_dir() creates directories, _save_response() writes files |
| Network access | READ | READ | ✓ Consistent | urlretrieve() downloads from user-provided URLs; SDK communicates with xAI API |
| Command execution | NONE | NONE | — | No subprocess calls; venv commands are CLI instructions, not executed |
2 findings
Medium · External URL · https://openclaw.ai · README.md:3
Medium · External URL · https://clawhub.ai/H0llyW00dzZ/xai-studio · README.md:16
Directory structure
3 files · 31.1 KB · 933 lines
Python 1f · 648L
Markdown 2f · 285L
├─ scripts
│  └─ run.py (Python)
├─ README.md (Markdown)
└─ SKILL.md (Markdown)
Dependency analysis: 1 item
| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| xai-sdk | * | pip | No | Official xAI SDK; version unpinned in SKILL.md docs |
Security highlights
✓ All documented features verified in implementation
✓ No credential harvesting - XAI_API_KEY only used through official SDK
✓ No external data exfiltration - only communicates with xAI API
✓ No subprocess or shell execution in code
✓ No obfuscation or suspicious patterns
✓ Standard base64 encoding for API payload handling
✓ No sensitive path access (no ~/.ssh, ~/.aws, .env access)
✓ Clear separation between documented CLI setup and runtime behavior