jiuma 安全扫描报告 — 低风险 | ClawSafe

15 /100

jiuma

免费的ai视频生成创作平台（Video Generation Skill），支持生成视频、图片、声音、视频动作模仿、视频人物替换等等

This is a legitimate AI video generation skill integrating with jiuma.com platform. No malicious behavior detected - all network calls target the declared API endpoint, credentials are stored securely via keyring, and file operations are limited to upload functionality.

技能名称jiuma

分析耗时39.8s

引擎pi

✓

可以安装

Consider pinning dependencies (keyring, requests) to specific versions for reproducibility. Otherwise, this skill appears safe for use.

安全发现 2 项

严重性	安全发现	位置
低危	Dependencies not version-pinned SKILL.md specifies 'pip install keyring' and 'pip install keyrings.alt' without version constraints. While not a security vulnerability, this can lead to dependency conflicts or unexpected behavior with future versions. `pip install keyring pip install keyrings.alt` → Pin versions: pip install keyring==<version> keyrings.alt==<version> requests==<version>	`SKILL.md:97`
提示	Python code embedded in SKILL.md SKILL.md contains raw Python code (function definitions, imports) starting around line 99. While unusual for documentation, the code appears to be legitimate implementation details and doesn't introduce security risks. `import json import sys import keyring import requests` → No action needed - this appears to be documentation artifacts	`SKILL.md:99`

资源类型	声明权限	推断权限	状态	证据
文件系统	`WRITE`	`WRITE`	✓ 一致	upload_file.py:51 reads user-specified files via open(os.path.expanduser(file_pa…
网络访问	`READ`	`READ`	✓ 一致	All scripts make HTTPS requests to api.jiuma.com only
命令执行	`NONE`	`NONE`	—	No subprocess or shell execution found
环境变量	`NONE`	`NONE`	—	keyring used for token storage, not environment variable harvesting
技能调用	`NONE`	`NONE`	—	No skill invocation chaining detected

3 项发现

🔗

中危外部 URL 外部 URL

https://www.jiuma.com

SKILL.md:3

🔗

中危外部 URL 外部 URL

https://picsum.photos/800/450

SKILL.md:37

🔗

中危外部 URL 外部 URL

https://api.jiuma.com/

scripts/auth.py:11

目录结构

6 文件 · 20.4 KB · 543 行

Python 5f · 420L Markdown 1f · 123L

├─ ▾ 📁 scripts

│ ├─ 🐍 auth.py Python 126L · 4.8 KB

│ ├─ 🐍 check_auth_status.py Python 42L · 1.1 KB

│ ├─ 🐍 submit_generation_task.py Python 90L · 3.0 KB

│ ├─ 🐍 task_result.py Python 93L · 2.8 KB

│ └─ 🐍 upload_file.py Python 69L · 1.9 KB

└─ 📝 SKILL.md Markdown 123L · 6.8 KB

依赖分析 3 项

包名	版本	来源	已知漏洞	备注
`keyring`	`*`	pip	否	Version not pinned in SKILL.md
`keyrings.alt`	`*`	pip	否	Version not pinned in SKILL.md
`requests`	`*`	pip	否	Implied dependency, version not pinned

安全亮点

✓ All network communication is limited to api.jiuma.com (declared in documentation)

✓ Credentials stored using system keyring (secure storage method)

✓ No credential exfiltration or data theft patterns detected

✓ No base64-encoded payloads or obfuscated code

✓ No sensitive path access (~/.ssh, ~/.aws, .env files)

✓ No reverse shell, C2 communication, or malicious behavioral patterns

✓ File operations are scoped to user-specified upload targets only

✓ Proper token validation and error handling throughout