Low Risk — Risk Score 15/100
Last scan: 2 days ago
jiuma
A free AI video generation and creation platform (Video Generation Skill) that supports generating video, images, and audio, video motion imitation, video character replacement, and more.
This is a legitimate AI video generation skill integrating with the jiuma.com platform. No malicious behavior detected - all network calls target the declared API endpoint, credentials are stored securely via keyring, and file operations are limited to upload functionality.
Skill Name: jiuma
Duration: 39.8s
Engine: pi
Safe to install
Consider pinning dependencies (keyring, requests) to specific versions for reproducibility. Otherwise, this skill appears safe for use.

Findings 2 items

Severity Finding Location
Low
Dependencies not version-pinned
SKILL.md specifies 'pip install keyring' and 'pip install keyrings.alt' without version constraints. While not a security vulnerability, this can lead to dependency conflicts or unexpected behavior with future versions.
pip install keyring
pip install keyrings.alt
→ Pin versions: pip install keyring==<version> keyrings.alt==<version> requests==<version>
SKILL.md:97
Info
Python code embedded in SKILL.md
SKILL.md contains raw Python code (function definitions, imports) starting around line 99. While unusual for documentation, the code appears to be legitimate implementation details and doesn't introduce security risks.
import json
import sys
import keyring
import requests
→ No action needed - this appears to be documentation artifacts
SKILL.md:99
Resource Declared Inferred Status Evidence
Filesystem WRITE WRITE ✓ Aligned upload_file.py:51 reads user-specified files via open(os.path.expanduser(file_pa…
Network READ READ ✓ Aligned All scripts make HTTPS requests to api.jiuma.com only
Shell NONE NONE No subprocess or shell execution found
Environment NONE NONE keyring used for token storage, not environment variable harvesting
Skill Invoke NONE NONE No skill invocation chaining detected
3 findings
Medium External URL
https://www.jiuma.com
SKILL.md:3
Medium External URL
https://picsum.photos/800/450
SKILL.md:37
Medium External URL
https://api.jiuma.com/
scripts/auth.py:11

File Tree

6 files · 20.4 KB · 543 lines
Python 5f · 420L Markdown 1f · 123L
├─ 📁 scripts
│ ├─ 🐍 auth.py Python 126L · 4.8 KB
│ ├─ 🐍 check_auth_status.py Python 42L · 1.1 KB
│ ├─ 🐍 submit_generation_task.py Python 90L · 3.0 KB
│ ├─ 🐍 task_result.py Python 93L · 2.8 KB
│ └─ 🐍 upload_file.py Python 69L · 1.9 KB
└─ 📝 SKILL.md Markdown 123L · 6.8 KB

Dependencies 3 items

Package Version Source Known Vulns Notes
keyring * pip No Version not pinned in SKILL.md
keyrings.alt * pip No Version not pinned in SKILL.md
requests * pip No Implied dependency, version not pinned

Security Positives

✓ All network communication is limited to api.jiuma.com (declared in documentation)
✓ Credentials stored using system keyring (secure storage method)
✓ No credential exfiltration or data theft patterns detected
✓ No base64-encoded payloads or obfuscated code
✓ No sensitive path access (~/.ssh, ~/.aws, .env files)
✓ No reverse shell, C2 communication, or malicious behavioral patterns
✓ File operations are scoped to user-specified upload targets only
✓ Proper token validation and error handling throughout