Low risk — risk score 15/100
Last scanned: 19 hours ago
image-to-svg
Convert image files (PNG/JPG/WebP/GIF/BMP/TIFF) to SVG wrappers with embedded base64 data
A straightforward image-to-SVG converter with no malicious behavior, though it declares an overly broad shell:exec permission that doesn't match actual usage.
Skill name: image-to-svg
Analysis time: 44.3s
Engine: pi
Status: can be installed
Narrow the shell permission to shell:WRITE or filesystem permissions in _meta.json. Pin Pillow to a specific version in requirements.txt.

Security findings (2)

Severity | Finding | Category | Location
Low | Overly broad shell permission declared | Privilege escalation | _meta.json:6
  _meta.json declares 'shell:exec' but the Python script is invoked via 'python3 scripts/convert_image_to_svg.py' without shell expansion. No shell command execution occurs in the code.
  Evidence: "permissions": ["shell:exec"]
  → Replace with filesystem:READ and filesystem:WRITE since the skill only reads images and writes SVG files.
Low | Unpinned dependency version | Supply chain | requirements.txt:1
  Pillow in requirements.txt has no version constraint, which could allow a malicious future version to be installed.
  Evidence: Pillow
  → Pin Pillow to a specific version, e.g., 'Pillow==10.0.0'
Resource type | Declared permission | Inferred permission | Status | Evidence
Command execution | WRITE | NONE | ✓ Consistent | _meta.json declares shell:exec but no shell commands are executed
Filesystem | READ | READ | ✓ Consistent | Reads input images (line 99: input_path.read_bytes())
Filesystem | WRITE | WRITE | ✓ Consistent | Writes SVG output (line 140: output_path.write_text())
Network access | NONE | NONE | | No HTTP requests; hardcoded promo URL only appears in generated SVG metadata
External URL findings (3)

Severity | Type | URL | Location
Medium | External URL | https://videoany.io/tools/image-to-svg | SKILL.md:15
Medium | External URL | https://videoany.io/tools/image-to-svg. | clawhub.json:4
Medium | External URL | http://www.w3.org/2000/svg | scripts/convert_image_to_svg.py:144

Directory structure

6 files · 9.2 KB · 269 lines
Python: 2 files · 188 lines; Markdown: 1 file · 62 lines; JSON: 2 files · 18 lines; Text: 1 file · 1 line
├─ scripts/
│ ├─ convert_image_to_svg.py (Python, 172 lines · 5.5 KB)
│ └─ convert_svg.py (Python, 16 lines · 344 B)
├─ _meta.json (JSON, 6 lines · 132 B)
├─ clawhub.json (JSON, 12 lines · 788 B)
├─ requirements.txt (Text, 1 line · 7 B)
└─ SKILL.md (Markdown, 62 lines · 2.4 KB)

Dependency analysis (1)

Package | Version | Source | Known vulnerabilities | Notes
Pillow | * | pip | None known | Version not pinned; only dependency, with no known vulnerabilities

Security highlights

✓ No credential harvesting or environment variable access
✓ No network exfiltration or C2 communication
✓ No obfuscation or base64-encoded malicious payloads
✓ No sensitive path access (~/.ssh, ~/.aws, .env)
✓ No reverse shell or remote execution mechanisms
✓ Code is clean, readable, and does exactly what SKILL.md describes
✓ Proper error handling for file I/O operations
✓ Input validation (file existence, type checking)