Low risk: risk score 15/100
Last scan: 1 day ago
imutils-skill
Batch image processing skill for rotate, resize, translate, and skeletonize operations
A benign image processing skill with undocumented shell execution via execSync, but with limited attack surface due to external CLI dependency and no credential/data exfiltration behavior.
Skill name: imutils-skill
Analysis time: 31.1s
Engine: pi
Verdict: safe to install
Document the shell:WRITE permission requirement in SKILL.md and add input path sanitization to prevent path traversal attacks. Pin the cli-anything-imutils dependency version.

Security findings (3)

Severity: Medium | Category: Documentation deception | Location: SKILL.md:1
Finding: SKILL.md does not declare required permissions
Detail: The skill uses child_process.execSync() for shell execution, but SKILL.md contains no capability model declaration. Users cannot see that shell:WRITE permission is required.
Evidence: No '## Capabilities' section found in SKILL.md
→ Add a capabilities section declaring shell:WRITE for subprocess execution and filesystem:READ/WRITE for image operations.

Severity: Low | Category: Code execution | Location: scripts/rotate.js:30
Finding: execSync with unvalidated user input paths
Detail: All four scripts concatenate the user-provided --input and --output paths directly into shell commands without sanitization. While the cli-anything-imutils CLI may provide protection, the JavaScript layer lacks input validation.
Evidence: const cmd = `cli-anything-imutils rotate-cmd "${input}" "${output}" --angle ${angle} --scale ${scale}`
→ Add path validation to ensure paths don't contain path traversal sequences (../) or command injection characters (; | &).

Severity: Low | Category: Supply chain | Location: SKILL.md:22
Finding: External CLI dependency not declared
Detail: The skill depends on cli-anything-imutils being pre-installed, but this dependency is not listed in package.json, and SKILL.md references local Windows paths (E:\AI-Tools\...).
Evidence: cd E:\AI-Tools\CLI-Anything\CLI-Anything\imutils\agent-harness
→ Document the external dependency requirement clearly and consider adding version pinning guidance.
Permission analysis

Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | NONE | READ | ✓ Consistent | scripts/rotate.js:30 - execSync reads input image file
Filesystem | NONE | WRITE | ✓ Consistent | scripts/rotate.js:30 - execSync writes output image file
Command execution | NONE | WRITE | ✗ Exceeds declared permissions | scripts/rotate.js:3, scripts/resize.js:3, scripts/translate.js:3, scripts/skelet…
External URLs (7 findings)

Severity | Category | URL | Location
Medium | External URL | https://img.shields.io/badge/License-MIT-yellow.svg | README.md:5
Medium | External URL | https://opensource.org/licenses/MIT | README.md:5
Medium | External URL | https://img.shields.io/github/stars/PyImageSearch/imutils?label=imutils | README.md:6
Medium | External URL | https://opencv.org/ | README.md:112
Medium | External URL | https://numpy.org/ | README.md:113
Medium | External URL | https://docs.opencv.org/ | SKILL.md:259
Medium | External URL | https://www.pyimagesearch.com/ | SKILL.md:260

Directory structure

8 files · 16.4 KB · 722 lines
Markdown: 2 files · 451 lines | JavaScript: 4 files · 216 lines | JSON: 1 file · 29 lines | Ignore: 1 file · 26 lines
├─ scripts/
│ ├─ resize.js      JavaScript  62L · 1.8 KB
│ ├─ rotate.js      JavaScript  53L · 1.5 KB
│ ├─ skeleton.js    JavaScript  49L · 1.3 KB
│ └─ translate.js   JavaScript  52L · 1.4 KB
├─ .gitignore       Ignore      26L · 210 B
├─ package.json     JSON        29L · 749 B
├─ README.md        Markdown   149L · 3.0 KB
└─ SKILL.md         Markdown   302L · 6.5 KB

Dependency analysis (1)

Package | Version | Source | Known vulnerabilities | Notes
cli-anything-imutils | not declared | external CLI (must be pre-installed) | (none reported) | Dependency not listed in package.json - must be installed separately per SKILL.md instructions

Security highlights

✓ No credential harvesting or sensitive file access detected
✓ No network requests to external IPs observed
✓ No base64 encoding, eval(), or obfuscation detected
✓ No persistence mechanisms (cron, startup hooks) present
✓ No prompt injection instructions in documentation
✓ Standard image processing tool with clear, documented use case