Trusted — Risk Score 5/100
Last scan: 21 hr ago
aigc-images
Batch multi-key image generation assistant based on the BizyAir asynchronous API
This is a legitimate BizyAir AIGC image generation tool with no malicious behavior detected. All functionality is properly declared and API keys are only used for their intended purpose.
Skill Name: aigc-images
Duration: 27.2s
Engine: pi
Safe to install
This skill is safe to use. The only minor issue is a placeholder API key example in documentation which poses no security risk.

Findings 1 items

Severity: Low
Finding: Placeholder API key in documentation (Doc Mismatch)
SKILL.md contains 'your_api_key_here' as an example value, but this is clearly a documentation placeholder with no security impact.
export BIZYAIR_API_KEY="your_api_key_here"
→ No action needed - this is standard documentation practice
Location: SKILL.md:45
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Shell | WRITE | WRITE | ✓ Aligned | Uses curl, grep, subprocess in scripts - declared in requires section |
| Network | READ | READ | ✓ Aligned | Makes API calls to api.bizyair.cn - declared functionality |
| Filesystem | READ | READ | ✓ Aligned | Reads ~/.bizyair_keys.txt for key loading - declared in documentation |
| Environment | READ | READ | ✓ Aligned | Reads BIZYAIR_API_KEY env var - declared in fallback section |
1 High 5 findings
High API Key: suspected hardcoded credential
API_KEY="your_api_key_here"
SKILL.md:45

Medium External URL: external URL
https://api.bizyair.cn/w/v1/webapp/task/openapi/create
SKILL.md:163

Medium External URL: external URL
https://api.bizyair.cn/w/v1/webapp/task/openapi/detail?requestId=$
SKILL.md:206

Medium External URL: external URL
https://api.bizyair.cn/w/v1/webapp/task/openapi/outputs?requestId=$
SKILL.md:216

Medium External URL: external URL
https://api.bizyair.cn/w/v1/webapp/task/openapi
assets/bizyair_api.sh:18

File Tree

2 files · 20.5 KB · 715 lines
Markdown 1f · 488L Shell 1f · 227L
├─ 📁 assets
│ └─ 🔧 bizyair_api.sh Shell 227L · 6.7 KB
└─ 📝 SKILL.md Markdown 488L · 13.8 KB

Security Positives

✓ All shell commands (curl, jq, grep) are declared in the requires section
✓ API keys are only used to call the legitimate BizyAir API for image generation
✓ No credential exfiltration or data theft observed
✓ No obfuscation techniques (base64, eval, etc.) detected
✓ No network connections to suspicious IPs or domains
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ Remote URL fetching is explicitly documented as a feature
✓ Clean, readable shell script with no malicious patterns