Scan Report
18/100
instagram-posting-pipeline
Generate promotional images and post them to Instagram Business accounts via Meta Graph API. Handles Pillow image generation, Cloudinary hosting, and Meta Graph API two-step posting.
This is a legitimate Instagram marketing automation pipeline with no malicious behavior. All network, filesystem, and credential access are declared and necessary for its documented purpose.
Safe to install
Skill is safe to use. Replace the hardcoded placeholder credential strings in the SKILL.md documentation with generic placeholders to avoid confusion. Consider pinning the Pillow version in any future dependency file.
Security findings (2)
| Severity | Finding | Location |
|---|---|---|
| Low | Placeholder credential examples in documentation (documentation deception) | SKILL.md:26 |
| Low | Web scraper extracts email and phone via regex (sensitive access) | scripts/scrape_business.py:101 |
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Consistent | generate_course_promo.py:39 — img.save() to configured OUTPUT_DIR |
| Network access | READ | READ | ✓ Consistent | post_to_instagram.py, upload_cloudinary.py, scrape_business.py — all HTTPS API c… |
| Command execution | NONE | NONE | — | No subprocess or shell invocation found |
| Environment variables | READ | READ | ✓ Consistent | os.environ.get() used to read IG_ACCESS_TOKEN, IG_BUSINESS_ACCOUNT_ID, CLOUDINAR… |
Findings: 9 (2 high)

| Severity | Type | Category | Value | Location |
|---|---|---|---|---|
| High | API key | Suspected hardcoded credential | ACCESS_TOKEN="your_page_access_token" | SKILL.md:26 |
| High | API key | Suspected hardcoded credential | ACCESS_TOKEN="token_for_account_a" | SKILL.md:128 |
| Medium | External URL | External URL | https://developers.facebook.com/tools/explorer/ | SKILL.md:42 |
| Medium | External URL | External URL | https://res.cloudinary.com/demo/image/upload/xyz.png | SKILL.md:85 |
| Medium | External URL | External URL | https://graph.facebook.com/v21.0/ | scripts/post_to_instagram.py:39 |
| Medium | External URL | External URL | https://www.instagram.com/p/ | scripts/post_to_instagram.py:71 |
| Medium | External URL | External URL | https://www.caddeskcentre.com | scripts/scrape_business.py:168 |
| Medium | External URL | External URL | https://cloudinary.com | scripts/upload_cloudinary.py:40 |
| Medium | External URL | External URL | https://api.cloudinary.com/v1_1/ | scripts/upload_cloudinary.py:57 |

Directory structure
5 files · 23.3 KB · 682 lines (Python: 4 files · 551 lines; Markdown: 1 file · 131 lines)

├─ scripts/
│  ├─ generate_course_promo.py (Python)
│  ├─ post_to_instagram.py (Python)
│  ├─ scrape_business.py (Python)
│  └─ upload_cloudinary.py (Python)
└─ SKILL.md (Markdown)
Dependency analysis (1)

| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| Pillow | unpinned | import | No | Pillow is not pinned in any requirements file. The script uses 'from PIL import Image'. Ensure Pillow is installed in the target environment. |

Security highlights
✓ No subprocess or shell execution found — all logic uses Python stdlib
✓ No base64 obfuscation or dynamic code execution (no eval, exec, ast.literal_eval misuse)
✓ SSRF protection implemented in scrape_business.py — blocks localhost, private IPs, and internal network hostnames
✓ Cloudinary upload requires explicit env vars (no accidental demo cloud uploads) — security-conscious default
✓ All network access is declared in SKILL.md and is necessary for the pipeline's stated purpose
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No credential exfiltration — IG_ACCESS_TOKEN is used only for Meta Graph API authentication
✓ No persistence mechanisms (no cron, startup hooks, or backdoor installation)
✓ No supply chain risk — only depends on Pillow (standard, trusted package)
✓ No hidden HTML comments or embedded instructions
✓ No direct IP network requests — all outbound calls go to well-known domains (graph.facebook.com, api.cloudinary.com)