Low risk: risk score 20/100
Last scan: 2 days ago
find-moments
Find specific moments in a video using a natural language query via WayinVideo API
A legitimate video moment-finding skill using the WayinVideo API. One minor gap: `subprocess` for `openclaw` system events is used but not declared in SKILL.md.
Skill name: find-moments
Analysis time: 39.2s
Engine: pi
Status: Installable
Add `openclaw` CLI subprocess invocation to SKILL.md's metadata or script documentation. No other action needed.

Security findings: 2 items

[Low] Undeclared subprocess usage
Location: scripts/polling_results.py:91
polling_results.py uses subprocess.run to invoke the 'openclaw' CLI for system event notifications. SKILL.md declares only python3 as a binary dependency and does not mention subprocess or the openclaw tool. The invocation is gated behind the --event-interval flag and is a legitimate framework integration, but it should be declared.
Evidence: subprocess.run(["openclaw", "system", "event", "--text", text, "--mode", "now"], check=True, capture_output=True, text=True)
→ Add 'openclaw' to the bins list in SKILL.md metadata, or document the --event-interval behavior with a note about the openclaw dependency

[Info] No external dependency pinning
Location: N/A
The skill has no requirements.txt, package.json, or equivalent. It relies solely on the Python standard library (urllib, json, argparse, subprocess, datetime), which is a positive security trait, but documenting this explicitly would improve transparency.
Evidence: No package manager files present
→ Add a requirements.txt or Pipfile documenting zero external dependencies for maximum transparency
Resource type | Declared permission | Inferred permission | Status | Evidence
Network access | READ | READ | ✓ Consistent | All HTTP calls use urllib.request to wayinvideo-api.wayin.ai (documented domain)
File system | NONE | READ | ✓ Consistent | upload_video.py reads local files only when user provides --file-path; submit_ta…
Command execution | NONE | WRITE | ✓ Consistent | polling_results.py:91 — subprocess.run(['openclaw', 'system', 'event', ...]) is …
Environment variables | READ | READ | ✓ Consistent | All scripts read WAYIN_API_KEY from os.environ only; key is not persisted or exf…
External URLs: 6 findings

Severity | Type | URL | Location
Medium | External URL | https://wayin.ai/api-docs/find-moments/ | SKILL.md:17
Medium | External URL | https://wayin.ai/wayinvideo/api-dashboard | SKILL.md:22
Medium | External URL | https://wayin.ai/wayinvideo/home | SKILL.md:62
Medium | External URL | https://wayinvideo-api.wayin.ai/api/v2/clips/find-moments/results/ | SKILL.md:93
Medium | External URL | https://wayinvideo-api.wayin.ai/api/v2/clips/find-moments | scripts/polling_results.py:19
Medium | External URL | https://wayinvideo-api.wayin.ai/api/v2/upload/single-file | scripts/upload_video.py:52

Directory structure

8 files · 34.6 KB · 700 lines
Python: 3 files · 465 lines; Markdown: 4 files · 229 lines; JSON: 1 file · 6 lines
├─ 📁 assets
│ ├─ 📝 caption_style.md Markdown 30L · 4.3 KB
│ ├─ 📝 platform_ratio.md Markdown 5L · 376 B
│ └─ 📝 supported_languages.md Markdown 100L · 1.2 KB
├─ 📁 scripts
│ ├─ 🐍 polling_results.py Python 191L · 8.3 KB
│ ├─ 🐍 submit_task.py Python 163L · 7.0 KB
│ └─ 🐍 upload_video.py Python 111L · 4.4 KB
├─ 📋 skill.json JSON 6L · 178 B
└─ 📝 SKILL.md Markdown 94L · 8.9 KB

Dependency analysis: 1 item

Package | Version | Source | Known vulnerabilities | Notes
Python standard library only | N/A | stdlib | none reported | No external packages — uses urllib.request, json, argparse, subprocess, datetime, time, socket, os, sys, mimetypes

Security highlights

✓ No credential exfiltration — WAYIN_API_KEY is used only for authenticated API calls to wayin.ai
✓ No base64/encoded payloads or obfuscated code
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env, etc.)
✓ No remote script execution (curl|bash, wget|sh)
✓ File I/O is limited to user-provided paths (--file-path, --save-dir, --save-file)
✓ Uses only Python standard library — minimal supply chain risk
✓ All network destinations are documented and consistent (wayin.ai domain)
✓ API responses are not forwarded to third parties