中文 EN

扫描报告

扫描新文件

可信 — 风险评分 5/100
上次扫描:1 天前 重新扫描
5 /100
design-studio
Professional design studio for creating covers, banners, avatars, logos, mockups, portfolios and GIF animations
This is a legitimate graphic design studio skill with no security concerns. All scripts perform image generation, quality checking, watermarking, and batch processing — all declared in SKILL.md and consistent with the stated purpose.
技能名称design-studio
分析耗时38.7s
引擎pi
可以安装
No action needed. The skill is safe to use as-is.

安全发现 1 项

严重性 安全发现 位置
低危
subprocess fc-match usage not explicitly declared in SKILL.md 文档欺骗
SKILL.md mentions 'fc-list' and 'fc-match' as command examples for font discovery but does not explicitly declare that scripts use subprocess to invoke these commands. The fonttools mention is declared but subprocess is not called out as an implementation detail. Impact is negligible as this is standard font discovery.
subprocess.run(['fc-match', '--format=%{file}', style], capture_output=True, text=True, timeout=5)
→ Minor documentation gap. Consider adding 'subprocess (Python)' or 'fc-match (CLI)' to the Available Tools table in SKILL.md for completeness.
 scripts/design_utils.py:15
资源类型声明权限推断权限状态证据
文件系统 WRITE WRITE ✓ 一致 All scripts read SVG assets and write generated images; no sensitive path access
命令执行 NONE READ ✓ 一致 subprocess.run(['fc-match', ...]) in design_utils.py:15, generate_banner.py, gen…
网络访问 NONE NONE No network requests found in any script
环境变量 NONE NONE No os.environ iteration or credential access
技能调用 NONE NONE No skill invocation chains
剪贴板 NONE NONE No clipboard access
浏览器 NONE NONE No browser/web access
数据库 NONE NONE No database access

目录结构

41 文件 · 217.5 KB · 5173 行
Python 12f · 4017L Markdown 6f · 1156L
├─ 📁 references
│ ├─ 📁 svg_elements
│ │ ├─ 📁 badges
│ │ │ ├─ 📦 bestseller.svg 753 B
│ │ │ ├─ 📦 hot.svg 520 B
│ │ │ ├─ 📦 new.svg 459 B
│ │ │ ├─ 📦 premium.svg 423 B
│ │ │ └─ 📦 verified.svg 440 B
│ │ ├─ 📁 frames
│ │ │ ├─ 📦 rounded_frame.svg 367 B
│ │ │ ├─ 📦 simple_frame.svg 351 B
│ │ │ └─ 📦 tech_frame.svg 1.3 KB
│ │ ├─ 📁 icons
│ │ │ ├─ 📦 arrow_right.svg 491 B
│ │ │ ├─ 📦 chart_up.svg 732 B
│ │ │ ├─ 📦 checkmark.svg 394 B
│ │ │ ├─ 📦 clock.svg 582 B
│ │ │ ├─ 📦 code_brackets.svg 623 B
│ │ │ ├─ 📦 dollar.svg 657 B
│ │ │ ├─ 📦 gear.svg 825 B
│ │ │ ├─ 📦 lightning.svg 346 B
│ │ │ ├─ 📦 shield.svg 377 B
│ │ │ └─ 📦 star.svg 621 B
│ │ └─ 📁 shapes
│ │ ├─ 📦 circle.svg 310 B
│ │ ├─ 📦 corner_decoration.svg 693 B
│ │ ├─ 📦 diamond.svg 333 B
│ │ ├─ 📦 hexagon.svg 465 B
│ │ └─ 📦 wave_divider.svg 371 B
│ ├─ 📝 color-palettes.md Markdown 205L · 6.8 KB
│ ├─ 📝 design-rules.md Markdown 183L · 9.0 KB
│ ├─ 📝 font-pairings.md Markdown 162L · 7.4 KB
│ └─ 📝 knowledge-base.md Markdown 457L · 25.5 KB
├─ 📁 scripts
│ ├─ 🐍 ab_variants.py Python 148L · 5.8 KB
│ ├─ 🐍 batch_generate.py Python 201L · 7.5 KB
│ ├─ 🐍 check_design.py Python 321L · 13.8 KB
│ ├─ 🐍 design_pipeline.py Python 435L · 15.9 KB
│ ├─ 🐍 design_utils.py Python 84L · 3.3 KB
│ ├─ 🐍 generate_avatar.py Python 272L · 10.6 KB
│ ├─ 🐍 generate_banner.py Python 326L · 12.2 KB
│ ├─ 🐍 generate_gif_banner.py Python 413L · 16.9 KB
│ ├─ 🐍 generate_marketplace_cover.py Python 505L · 19.5 KB
│ ├─ 🐍 generate_svg_library.py Python 556L · 18.7 KB
│ ├─ 🐍 mockup_generator.py Python 576L · 19.7 KB
│ └─ 🐍 watermark.py Python 180L · 6.8 KB
├─ 📝 README.md Markdown 53L · 1.7 KB
└─ 📝 SKILL.md Markdown 96L · 4.2 KB

依赖分析 4 项

包名版本来源已知漏洞备注
Pillow * pip Not pinned, standard imaging library
svgwrite * pip Not pinned, SVG generation library
cairosvg * pip Not pinned, SVG-to-raster rendering
fonttools * pip Not pinned, font metrics library

安全亮点

✓ No network requests, no outbound data transfers, no C2 communication
✓ No credential harvesting, no API key access, no environment variable scanning for secrets
✓ No base64-encoded payloads, no eval(), no obfuscated code
✓ No remote script execution (curl|bash, wget|sh)
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No persistence mechanisms (no cron jobs, startup hooks, backdoors)
✓ No prompt injection, no hidden instructions
✓ All functionality (image generation, design checking, watermarking, batch processing) is fully declared in SKILL.md
✓ No supply chain risks — all imports are standard graphic design libraries (Pillow, svgwrite, cairosvg)
✓ File I/O is limited to reading SVG reference assets and writing generated images to the working directory
✓ Watermark text is hardcoded and benign ('© AlexKZ AI')
✓ All scripts use safe image processing via Pillow — no arbitrary code execution vectors