Scan Report
0/100
group-director
Creates short videos from claw-prepared prompts for Feishu/Lark group chat scenarios using the SenseAudio video API
This is a straightforward video generation skill that calls the SenseAudio API via standard Python HTTP requests. No malicious behavior, obfuscation, credential theft, or hidden functionality detected. The single external URL is a legitimate API endpoint, and the API key usage is scoped to authentication only.
Safe to install
No action needed. The skill is safe to use. Consider pinning the requests library version in a requirements.txt for supply-chain hygiene.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | — | No file operations found in scripts/main.py or scripts/video_api.py |
| Network | READ | READ | ✓ Aligned | scripts/video_api.py:65-72, 79-86 — requests.post/get to senseaudio.cn API only |
| Shell | NONE | NONE | — | No subprocess, os.system, or shell invocation found |
| Environment | NONE | READ | ✓ Aligned | scripts/video_api.py:37-38 — reads SENSEAUDIO_API_KEY and SENSEAUDIO_BASE_URL; n… |
| Skill Invoke | NONE | NONE | — | No cross-skill invocation |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser automation |
| Database | NONE | NONE | — | No database access |
1 finding
Medium: External URL
https://api.senseaudio.cn (SKILL.md:125)
File Tree
6 files · 12.1 KB · 388 lines (Markdown: 3 files, 197 lines; Python: 2 files, 188 lines; YAML: 1 file, 3 lines)
├─ agents
│  └─ openai.yaml (YAML)
├─ references
│  ├─ integration_cn.md (Markdown)
│  └─ provider_notes.md (Markdown)
├─ scripts
│  ├─ main.py (Python)
│  └─ video_api.py (Python)
└─ SKILL.md (Markdown)
Dependencies: 1 item
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| requests | * | pip | No | Version not pinned — no requirements.txt found; consider adding one for reproducible builds |
Security Positives
✓ No subprocess, shell execution, or os.system calls — all HTTP done via the requests library
✓ No obfuscation: no base64, no eval, no atob patterns
✓ No credential exfiltration — SENSEAUDIO_API_KEY is used only for Bearer token auth with the video API
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env files)
✓ No persistence mechanisms (no cron, no startup hooks, no backdoors)
✓ No reverse shell, no C2 communication, no data theft
✓ Clean two-step pattern (create then poll) fully documented in SKILL.md and code
✓ Input validation present — empty prompt and task_id checks with clear error messages
✓ Timeout enforced on API calls (60s create, 30s status) and overall polling (600s)
✓ Hardcoded sensible defaults prevent parameter confusion