Trusted — Risk Score 5/100
Last scan: 23 hr ago
design-studio
Professional design studio for creating covers, banners, avatars, logos, mockups, portfolios and GIF animations
This is a legitimate graphic design studio skill with no security concerns. All scripts perform image generation, quality checking, watermarking, and batch processing — all declared in SKILL.md and consistent with the stated purpose.
Skill Name: design-studio
Duration: 38.7s
Engine: pi
Safe to install
No action needed. The skill is safe to use as-is.

Findings 1 items

Severity: Low
Finding: subprocess fc-match usage not explicitly declared in SKILL.md [Doc Mismatch]
Location: scripts/design_utils.py:15
SKILL.md mentions 'fc-list' and 'fc-match' as command examples for font discovery but does not explicitly declare that scripts use subprocess to invoke these commands. The fonttools mention is declared but subprocess is not called out as an implementation detail. Impact is negligible as this is standard font discovery.
subprocess.run(['fc-match', '--format=%{file}', style], capture_output=True, text=True, timeout=5)
→ Minor documentation gap. Consider adding 'subprocess (Python)' or 'fc-match (CLI)' to the Available Tools table in SKILL.md for completeness.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Aligned | All scripts read SVG assets and write generated images; no sensitive path access |
| Shell | NONE | READ | ✓ Aligned | subprocess.run(['fc-match', ...]) in design_utils.py:15, generate_banner.py, gen… |
| Network | NONE | NONE | | No network requests found in any script |
| Environment | NONE | NONE | | No os.environ iteration or credential access |
| Skill Invoke | NONE | NONE | | No skill invocation chains |
| Clipboard | NONE | NONE | | No clipboard access |
| Browser | NONE | NONE | | No browser/web access |
| Database | NONE | NONE | | No database access |

File Tree

41 files · 217.5 KB · 5173 lines
Python 12f · 4017L Markdown 6f · 1156L
├─ 📁 references
│ ├─ 📁 svg_elements
│ │ ├─ 📁 badges
│ │ │ ├─ 📦 bestseller.svg 753 B
│ │ │ ├─ 📦 hot.svg 520 B
│ │ │ ├─ 📦 new.svg 459 B
│ │ │ ├─ 📦 premium.svg 423 B
│ │ │ └─ 📦 verified.svg 440 B
│ │ ├─ 📁 frames
│ │ │ ├─ 📦 rounded_frame.svg 367 B
│ │ │ ├─ 📦 simple_frame.svg 351 B
│ │ │ └─ 📦 tech_frame.svg 1.3 KB
│ │ ├─ 📁 icons
│ │ │ ├─ 📦 arrow_right.svg 491 B
│ │ │ ├─ 📦 chart_up.svg 732 B
│ │ │ ├─ 📦 checkmark.svg 394 B
│ │ │ ├─ 📦 clock.svg 582 B
│ │ │ ├─ 📦 code_brackets.svg 623 B
│ │ │ ├─ 📦 dollar.svg 657 B
│ │ │ ├─ 📦 gear.svg 825 B
│ │ │ ├─ 📦 lightning.svg 346 B
│ │ │ ├─ 📦 shield.svg 377 B
│ │ │ └─ 📦 star.svg 621 B
│ │ └─ 📁 shapes
│ │   ├─ 📦 circle.svg 310 B
│ │   ├─ 📦 corner_decoration.svg 693 B
│ │   ├─ 📦 diamond.svg 333 B
│ │   ├─ 📦 hexagon.svg 465 B
│ │   └─ 📦 wave_divider.svg 371 B
│ ├─ 📝 color-palettes.md Markdown 205L · 6.8 KB
│ ├─ 📝 design-rules.md Markdown 183L · 9.0 KB
│ ├─ 📝 font-pairings.md Markdown 162L · 7.4 KB
│ └─ 📝 knowledge-base.md Markdown 457L · 25.5 KB
├─ 📁 scripts
│ ├─ 🐍 ab_variants.py Python 148L · 5.8 KB
│ ├─ 🐍 batch_generate.py Python 201L · 7.5 KB
│ ├─ 🐍 check_design.py Python 321L · 13.8 KB
│ ├─ 🐍 design_pipeline.py Python 435L · 15.9 KB
│ ├─ 🐍 design_utils.py Python 84L · 3.3 KB
│ ├─ 🐍 generate_avatar.py Python 272L · 10.6 KB
│ ├─ 🐍 generate_banner.py Python 326L · 12.2 KB
│ ├─ 🐍 generate_gif_banner.py Python 413L · 16.9 KB
│ ├─ 🐍 generate_marketplace_cover.py Python 505L · 19.5 KB
│ ├─ 🐍 generate_svg_library.py Python 556L · 18.7 KB
│ ├─ 🐍 mockup_generator.py Python 576L · 19.7 KB
│ └─ 🐍 watermark.py Python 180L · 6.8 KB
├─ 📝 README.md Markdown 53L · 1.7 KB
└─ 📝 SKILL.md Markdown 96L · 4.2 KB

Dependencies 4 items

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| Pillow | * | pip | No | Not pinned, standard imaging library |
| svgwrite | * | pip | No | Not pinned, SVG generation library |
| cairosvg | * | pip | No | Not pinned, SVG-to-raster rendering |
| fonttools | * | pip | No | Not pinned, font metrics library |

Security Positives

✓ No network requests, no outbound data transfers, no C2 communication
✓ No credential harvesting, no API key access, no environment variable scanning for secrets
✓ No base64-encoded payloads, no eval(), no obfuscated code
✓ No remote script execution (curl|bash, wget|sh)
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No persistence mechanisms (no cron jobs, startup hooks, backdoors)
✓ No prompt injection, no hidden instructions
✓ All functionality (image generation, design checking, watermarking, batch processing) is fully declared in SKILL.md
✓ No supply chain risks — all imports are standard graphic design libraries (Pillow, svgwrite, cairosvg)
✓ File I/O is limited to reading SVG reference assets and writing generated images to the working directory
✓ Watermark text is hardcoded and benign ('© AlexKZ AI')
✓ All scripts use safe image processing via Pillow — no arbitrary code execution vectors