中文 EN

Scan Report

Scan New Files

Low Risk — Risk Score 20/100
Last scan:2 days ago Rescan
20 /100
find-moments
Find specific moments in a video using a natural language query via WayinVideo API
A legitimate video moment-finding skill using the WayinVideo API. One minor gap: `subprocess` for `openclaw` system events is used but not declared in SKILL.md.
Skill Namefind-moments
Duration39.2s
Enginepi
Safe to install
Add `openclaw` CLI subprocess invocation to SKILL.md's metadata or script documentation. No other action needed.

Findings 2 items

Severity Finding Location
Low
Undeclared subprocess usage
polling_results.py uses subprocess.run to invoke the 'openclaw' CLI for system event notifications. SKILL.md declares only python3 as a binary dependency but does not mention subprocess or the openclaw tool. The invocation is gated behind --event-interval flag and is a legitimate framework integration, but it should be declared.
subprocess.run(["openclaw", "system", "event", "--text", text, "--mode", "now"], check=True, capture_output=True, text=True)
→ Add 'openclaw' to the bins list in SKILL.md metadata or document the --event-interval behavior with a note about the openclaw dependency
 scripts/polling_results.py:91
Info
No external dependency pinning
The skill has no requirements.txt, package.json, or equivalent. It relies solely on Python standard library (urllib, json, argparse, subprocess, datetime), which is a positive security trait, but documenting this explicitly would improve transparency.
No package manager files present
→ Add a requirements.txt or Pipfile documenting zero external dependencies for maximum transparency
 N/A
ResourceDeclaredInferredStatusEvidence
Network READ READ ✓ Aligned All HTTP calls use urllib.request to wayinvideo-api.wayin.ai (documented domain)
Filesystem NONE READ ✓ Aligned upload_video.py reads local files only when user provides --file-path; submit_ta…
Shell NONE WRITE ✓ Aligned polling_results.py:91 — subprocess.run(['openclaw', 'system', 'event', ...]) is …
Environment READ READ ✓ Aligned All scripts read WAYIN_API_KEY from os.environ only; key is not persisted or exf…
6 findings
🔗
Medium External URL 外部 URL
https://wayin.ai/api-docs/find-moments/
SKILL.md:17
🔗
Medium External URL 外部 URL
https://wayin.ai/wayinvideo/api-dashboard
SKILL.md:22
🔗
Medium External URL 外部 URL
https://wayin.ai/wayinvideo/home
SKILL.md:62
🔗
Medium External URL 外部 URL
https://wayinvideo-api.wayin.ai/api/v2/clips/find-moments/results/
SKILL.md:93
🔗
Medium External URL 外部 URL
https://wayinvideo-api.wayin.ai/api/v2/clips/find-moments
scripts/polling_results.py:19
🔗
Medium External URL 外部 URL
https://wayinvideo-api.wayin.ai/api/v2/upload/single-file
scripts/upload_video.py:52

File Tree

8 files · 34.6 KB · 700 lines
Python 3f · 465L Markdown 4f · 229L JSON 1f · 6L
├─ 📁 assets
│ ├─ 📝 caption_style.md Markdown 30L · 4.3 KB
│ ├─ 📝 platform_ratio.md Markdown 5L · 376 B
│ └─ 📝 supported_languages.md Markdown 100L · 1.2 KB
├─ 📁 scripts
│ ├─ 🐍 polling_results.py Python 191L · 8.3 KB
│ ├─ 🐍 submit_task.py Python 163L · 7.0 KB
│ └─ 🐍 upload_video.py Python 111L · 4.4 KB
├─ 📋 skill.json JSON 6L · 178 B
└─ 📝 SKILL.md Markdown 94L · 8.9 KB

Dependencies 1 items

PackageVersionSourceKnown VulnsNotes
Python standard library only N/A stdlib No No external packages — uses urllib.request, json, argparse, subprocess, datetime, time, socket, os, sys, mimetypes, datetime

Security Positives

✓ No credential exfiltration — WAYIN_API_KEY is used only for authenticated API calls to wayin.ai
✓ No base64/encoded payloads or obfuscated code
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, etc.)
✓ No remote script execution (curl|bash, wget|sh)
✓ File I/O is limited to user-provided paths (--file-path, --save-dir, --save-file)
✓ Uses only Python standard library — minimal supply chain risk
✓ All network destinations are documented and consistent (wayin.ai domain)
✓ API responses are not forwarded to third parties