Low risk: risk score 5/100
Last scan: 2 days ago
ai-clipping
AI-powered video highlight extraction using WayinVideo API
A legitimate video clipping skill that wraps the WayinVideo API; no credential theft, no suspicious network destinations, and no malicious patterns found.
Skill name: ai-clipping
Analysis time: 32.2s
Engine: pi
Verdict: OK to install
No blocking action needed. The undeclared subprocess call to openclaw for system events is a minor doc-to-code mismatch (+5 pts) but serves a documented framework integration purpose.

Security findings: 1

Severity: Low
Finding: Undeclared subprocess usage
Location: scripts/polling_results.py:107
Details: polling_results.py uses subprocess.run to invoke the openclaw CLI for system event notifications. This shell:WRITE behavior is not declared in SKILL.md. The subprocess only runs the agent framework's own notification tool with fixed arguments, not arbitrary shell commands.
Code: subprocess.run(['openclaw', 'system', 'event', '--text', text, '--mode', 'now'], check=True, capture_output=True, text=True)
Recommendation: Add a note in SKILL.md that this skill uses the openclaw CLI for progress notifications when --event-interval is set.
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | READ | READ | ✓ consistent | scripts/upload_video.py:58-60 reads local video files for upload; declared in SK… |
| File system | WRITE | WRITE | ✓ consistent | scripts/submit_task.py:67 writes result JSON; scripts/polling_results.py:117 wri… |
| Network access | READ | READ | ✓ consistent | All scripts communicate exclusively with wayinvideo-api.wayin.ai; declared in SK… |
| Command execution | NONE | WRITE | ✓ consistent | scripts/polling_results.py:107 calls subprocess.run(['openclaw', 'system', 'even… |
| Environment variables | READ | READ | ✓ consistent | All scripts read WAYIN_API_KEY from os.environ; declared in SKILL.md Step 0 |
External URL findings: 6

| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://wayin.ai/api-docs/ai-clipping/ | SKILL.md:17 |
| Medium | External URL | https://wayin.ai/wayinvideo/api-dashboard | SKILL.md:22 |
| Medium | External URL | https://wayin.ai/wayinvideo/home | SKILL.md:61 |
| Medium | External URL | https://wayinvideo-api.wayin.ai/api/v2/clips/results/ | SKILL.md:92 |
| Medium | External URL | https://wayinvideo-api.wayin.ai/api/v2/clips | scripts/polling_results.py:19 |
| Medium | External URL | https://wayinvideo-api.wayin.ai/api/v2/upload/single-file | scripts/upload_video.py:52 |

Directory structure

9 files · 36.8 KB · 705 lines
Python: 3 files · 464 lines; Markdown: 5 files · 235 lines; JSON: 1 file · 6 lines
├─ 📁 assets
│ ├─ 📝 caption_style.md Markdown 30L · 4.3 KB
│ ├─ 📝 platform_duration.md Markdown 8L · 2.0 KB
│ ├─ 📝 platform_ratio.md Markdown 5L · 376 B
│ └─ 📝 supported_languages.md Markdown 100L · 1.2 KB
├─ 📁 scripts
│ ├─ 🐍 polling_results.py Python 191L · 8.3 KB
│ ├─ 🐍 submit_task.py Python 162L · 7.0 KB
│ └─ 🐍 upload_video.py Python 111L · 4.4 KB
├─ 📋 skill.json JSON 6L · 161 B
└─ 📝 SKILL.md Markdown 92L · 9.1 KB

Dependency analysis: 1 item

| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| stdlib only | N/A | built-in | | Uses only the Python standard library (os, sys, urllib, subprocess, json, datetime, argparse, mimetypes, time, socket) |

Security highlights

✓ API key is read from environment only and never exfiltrated or logged
✓ All network traffic is confined to the legitimate wayinvideo-api.wayin.ai endpoints (HTTPS)
✓ No base64, eval(), atob(), or dynamic code execution patterns present
✓ No credential harvesting (SSH, AWS, .env paths) observed
✓ No curl|bash or remote script execution
✓ File reads are limited to explicitly user-provided video file paths
✓ File writes are scoped to a dedicated api_results directory with a structured JSON schema
✓ No hidden HTML comments, steganography, or obfuscated payloads
✓ Dependencies are standard library only (no third-party packages needed)