Low Risk — Risk Score 15/100
Last scan: 1 day ago
imutils-skill
Batch image processing skill for rotate, resize, translate, and skeletonize operations
A benign image processing skill with undocumented shell execution via execSync, but with limited attack surface due to external CLI dependency and no credential/data exfiltration behavior.
Skill Name: imutils-skill
Duration: 31.1s
Engine: pi
Safe to install
Document the shell:WRITE permission requirement in SKILL.md and add input path sanitization to prevent path traversal attacks. Pin the cli-anything-imutils dependency version.

Findings (3 items)

Severity: Medium
Finding: SKILL.md does not declare required permissions (Doc Mismatch)
The skill uses child_process.execSync() for shell execution, but SKILL.md contains no capability model declaration, so users cannot see that the shell:WRITE permission is required.
Evidence: No '## Capabilities' section found in SKILL.md
→ Add a capabilities section declaring shell:WRITE for subprocess execution and filesystem:READ/WRITE for image operations.
Location: SKILL.md:1

Severity: Low
Finding: execSync with unvalidated user input paths (RCE)
All four scripts concatenate user-provided --input and --output paths directly into shell commands without sanitization. While the cli-anything-imutils CLI may provide protection, the JavaScript layer lacks input validation.
Evidence: const cmd = `cli-anything-imutils rotate-cmd "${input}" "${output}" --angle ${angle} --scale ${scale}`
→ Add path validation to ensure paths don't contain path traversal sequences (../) or command injection characters (; | &).
Location: scripts/rotate.js:30

Severity: Low
Finding: External CLI dependency not declared (Supply Chain)
The skill depends on cli-anything-imutils being pre-installed, but this dependency is not listed in package.json, and SKILL.md references local Windows paths (E:\AI-Tools\...).
Evidence: cd E:\AI-Tools\CLI-Anything\CLI-Anything\imutils\agent-harness
→ Document the external dependency requirement clearly and consider adding version pinning guidance.
Location: SKILL.md:22
Resource | Declared | Inferred | Status | Evidence
Filesystem | NONE | READ | ✓ Aligned | scripts/rotate.js:30 - execSync reads input image file
Filesystem | NONE | WRITE | ✓ Aligned | scripts/rotate.js:30 - execSync writes output image file
Shell | NONE | WRITE | ✗ Violation | scripts/rotate.js:3, scripts/resize.js:3, scripts/translate.js:3, scripts/skelet…
7 findings

Severity | Type | URL | Location
Medium | External URL | https://img.shields.io/badge/License-MIT-yellow.svg | README.md:5
Medium | External URL | https://opensource.org/licenses/MIT | README.md:5
Medium | External URL | https://img.shields.io/github/stars/PyImageSearch/imutils?label=imutils | README.md:6
Medium | External URL | https://opencv.org/ | README.md:112
Medium | External URL | https://numpy.org/ | README.md:113
Medium | External URL | https://docs.opencv.org/ | SKILL.md:259
Medium | External URL | https://www.pyimagesearch.com/ | SKILL.md:260

File Tree

8 files · 16.4 KB · 722 lines
Markdown: 2 files, 451 lines · JavaScript: 4 files, 216 lines · JSON: 1 file, 29 lines · Ignore: 1 file, 26 lines
├─ 📁 scripts
│ ├─ 📜 resize.js JavaScript 62L · 1.8 KB
│ ├─ 📜 rotate.js JavaScript 53L · 1.5 KB
│ ├─ 📜 skeleton.js JavaScript 49L · 1.3 KB
│ └─ 📜 translate.js JavaScript 52L · 1.4 KB
├─ 📄 .gitignore Ignore 26L · 210 B
├─ 📋 package.json JSON 29L · 749 B
├─ 📝 README.md Markdown 149L · 3.0 KB
└─ 📝 SKILL.md Markdown 302L · 6.5 KB

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
cli-anything-imutils | not declared | external CLI (must be pre-installed) | No | Dependency not listed in package.json - must be installed separately per SKILL.md instructions

Security Positives

✓ No credential harvesting or sensitive file access detected
✓ No network requests to external IPs observed
✓ No base64 encoding, eval(), or obfuscation detected
✓ No persistence mechanisms (cron, startup hooks) present
✓ No prompt injection instructions in documentation
✓ Standard image processing tool with clear, documented use case