Low risk — risk score 25/100
Last scan: 19 hours ago
sum2slides-lite
Summarizes conversations into professional PPT decks; supports purely local processing and optional Feishu upload.
This is a legitimate PPT generation skill with clearly documented optional Feishu upload functionality. The skill properly declares its capabilities and handles credentials appropriately through environment variables.
Skill name: sum2slides-lite
Analysis time: 57.5s
Engine: pi
Verdict: safe to install
The skill is safe for use. Users should only enable the optional Feishu upload feature if they trust the service, and should verify no environment variables are set if they want pure local operation.

Security findings: 3

Severity | Finding | Category | Location
Low | Example API key in documentation | Documentation deception | credentials_management.md:67
  credentials_management.md contains a hardcoded example API key 'sk_live_1234567890abcdef' at line 67. It is explicitly marked as an example of what NOT to do (wrong practice), not actual malicious code.
  Evidence: API_KEY = "sk_live_1234567890abcdef"
  → This is educational documentation showing bad practices. No action needed.
Info | Destructive shell commands in documentation examples | Documentation deception | INSTALL.md:127
  INSTALL.md:127 and INSTRUCTION_SCOPE_VISUAL.md:206 contain examples of the 'rm -rf ~' and 'rm -rf /' commands. They are documented as dangerous examples to avoid and are not executed by the skill.
  Evidence: rm -rf ~
  → This is documentation about what NOT to do. The skill does not execute these commands.
Info | Subprocess usage for AppleScript WPS automation | Code execution | core/wps_generator.py:53
  core/wps_generator.py uses subprocess.run(['osascript', ...]) to automate WPS Office on macOS for PPT generation. This is legitimate functionality for WPS-based PPT creation.
  Evidence: subprocess.run(['osascript', script_file], capture_output=True, text=True, timeout=30)
  → This is documented WPS automation functionality, not malicious code execution.
Resource | Declared permission | Inferred permission | Status | Evidence
File system | WRITE | WRITE | ✓ consistent | SKILL.md:36 declares file writing for PPT generation
Network access | READ | READ | ✓ consistent | SKILL.md:46 declares optional feishu.enabled network activity
Command execution | WRITE | WRITE | ✓ consistent | core/wps_generator.py:53 subprocess for WPS AppleScript, a documented feature
Environment variables | NONE | READ | ✓ consistent | SKILL.md:11 'requires: env: []'; optional FEISHU_* vars correctly marked
Skill invocation | NONE | NONE | | No cross-skill invocation detected
Clipboard | NONE | NONE | | No clipboard access found
Browser | NONE | NONE | | No browser automation found
Database | NONE | NONE | | No database access found
9 findings: 2 critical, 1 high
Severity | Category | Type | Match | Location
💀 Critical | Dangerous command | Dangerous shell command | rm -rf ~ | INSTALL.md:127
💀 Critical | Dangerous command | Dangerous shell command | rm -rf / | INSTRUCTION_SCOPE_VISUAL.md:206
🔑 High | API key | Suspected hardcoded credential | API_KEY = "sk_live_1234567890abcdef" | credentials_management.md:67
🔗 Medium | External URL | External URL | http://malicious.com | INSTRUCTION_SCOPE_VISUAL.md:214
🔗 Medium | External URL | External URL | https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal | SECURE_INSTALLATION_GUIDE.md:56
🔗 Medium | External URL | External URL | https://open.feishu.cn | docs/OPERATIONAL_RISKS.md:186
🔗 Medium | External URL | External URL | https://open.feishu.cn/open-apis | platforms/feishu/feishu_platform.py:19
🔗 Medium | External URL | External URL | https://feishu.cn/file/ | platforms/feishu/feishu_platform.py:156
📧 Info | Email | Email address | [email protected] | CHANGELOG.md:291

Directory structure

39 files · 286.3 KB · 10233 lines
Python: 18 files, 5331 lines · Markdown: 18 files, 4700 lines · YAML: 1 file, 96 lines · Text: 1 file, 88 lines · JSON: 1 file, 18 lines
├─ 📁 config
│ ├─ 📋 config.yaml YAML 96L · 2.4 KB
│ └─ 🐍 settings.py Python 356L · 11.0 KB
├─ 📁 core
│ ├─ 🐍 base_generator.py Python 289L · 7.9 KB
│ ├─ 🐍 content_planner.py Python 395L · 13.3 KB
│ ├─ 🐍 pptx_generator.py Python 328L · 11.8 KB
│ └─ 🐍 wps_generator.py Python 439L · 14.2 KB
├─ 📁 docs
│ ├─ 📝 OPERATIONAL_RISKS.md Markdown 339L · 8.2 KB
│ ├─ 📝 PERMISSIONS.md Markdown 253L · 6.0 KB
│ ├─ 📝 PLATFORM_COMPATIBILITY.md Markdown 282L · 8.1 KB
│ ├─ 📝 SECURITY_GUIDE.md Markdown 322L · 6.5 KB
│ └─ 📝 USER_GUIDE.md Markdown 467L · 9.9 KB
├─ 📁 examples
│ └─ 🐍 basic_usage.py Python 50L · 1.1 KB
├─ 📁 platforms
│ ├─ 📁 feishu
│ │ └─ 🐍 feishu_platform.py Python 365L · 12.6 KB
│ └─ 🐍 base_platform.py Python 290L · 8.0 KB
├─ 📁 utils
│ ├─ 🐍 error_handler.py Python 307L · 9.1 KB
│ ├─ 🐍 file_utils.py Python 400L · 11.2 KB
│ └─ 🐍 logger.py Python 224L · 6.0 KB
├─ 🐍 __init__.py Python 307L · 8.5 KB
├─ 📝 capability_verification.md Markdown 123L · 3.4 KB
├─ 📝 CHANGELOG.md Markdown 345L · 8.3 KB
├─ 📋 clawhub.json JSON 18L · 593 B
├─ 🔑 credentials_management.md Markdown 342L · 8.3 KB
├─ 📝 ENV_VAR_CLARIFICATION.md Markdown 34L · 1014 B
├─ 📝 install_mechanism.md Markdown 306L · 6.8 KB
├─ 📝 INSTALL_SPECIFICATION.md Markdown 253L · 5.5 KB
├─ 🐍 INSTALL_VERIFICATION.py Python 296L · 8.8 KB
├─ 📝 INSTALL_WITHOUT_SETUP.md Markdown 273L · 5.8 KB
├─ 📝 INSTALL.md Markdown 168L · 3.8 KB
├─ 📝 INSTRUCTION_SCOPE_VISUAL.md Markdown 240L · 9.4 KB
├─ 📝 instruction_scope.md Markdown 205L · 4.8 KB
├─ 🐍 quick_permission_check.py Python 130L · 4.7 KB
├─ 📝 README.md Markdown 265L · 7.6 KB
├─ 🐍 risk_confirmation.py Python 160L · 5.3 KB
├─ 📝 SECURE_INSTALLATION_GUIDE.md Markdown 262L · 6.1 KB
├─ 🐍 setup_info.py Python 137L · 3.9 KB
├─ 🐍 simple_sum2slides_test.py Python 250L · 7.9 KB
├─ 📝 SKILL.md Markdown 221L · 6.0 KB
├─ 🐍 sum2slides.py Python 608L · 20.7 KB
└─ 📄 VERSION.txt Text 88L · 2.0 KB

Dependency analysis: 2 packages

Package | Version | Source | Known vulnerabilities | Notes
python-pptx | >=0.6.21 | pip | (none listed) | Version constraint present
requests | * | pip | (none listed) | No version pinning; minor supply chain risk

Security highlights

✓ SKILL.md clearly documents optional network access with feishu.enabled=false by default
✓ Credentials are properly handled via environment variables (FEISHU_APP_ID, FEISHU_APP_SECRET) - no hardcoded credentials in actual code
✓ INSTALL_VERIFICATION.py includes security verification checks for subprocess, eval, exec patterns
✓ Documentation includes comprehensive security guidance and risk acknowledgment process
✓ No credential harvesting - skill only uses user-provided Feishu credentials for their intended purpose
✓ No base64 encoding, obfuscation, or anti-analysis techniques detected
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env files
✓ Network requests only go to official Feishu API endpoints (open.feishu.cn)
✓ Includes safety confirmation prompts and risk acceptance records
✓ AppleScript execution is scoped to WPS automation with 30-second timeout protection