Scan Report
0 /100
ifly-image-understanding
iFlytek Image Understanding (图片理解) — analyze and answer questions about images using Spark Vision model. WebSocket API, pure Python stdlib, no pip dependencies.
iFlytek Image Understanding skill is a legitimate, well-documented image analysis tool that uses WebSocket API with HMAC-SHA256 auth — no malicious behavior detected.
Safe to install
This skill is safe to use. No security concerns were identified.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ | ✓ Aligned | read_image_base64() only reads user-specified image files with size validation (… |
| Network | READ | READ | ✓ Aligned | WebSocket client connects exclusively to wss://spark-api.cn-huabei-1.xf-yun.com |
| Shell | NONE | NONE | — | No subprocess or shell execution — pure stdlib socket/ssl only |
| Environment | READ | READ | ✓ Aligned | Reads IFLY_APP_ID, IFLY_API_KEY, IFLY_API_SECRET — all declared in SKILL.md |
| Skill Invoke | NONE | NONE | — | No cross-skill invocation |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser access |
| Database | NONE | NONE | — | No database access |
3 findings
Medium · External URL · https://console.xfyun.cn · SKILL.md:12
Medium · External URL · https://console.xfyun.cn/services/image · SKILL.md:112
Medium · External URL · https://console.xfyun.cn/sale/buy?wareId=9046&packageId=9046002&serviceName=%E5%9B%BE%E7%89%87%E7%90%86%E8%A7%A3&busines... · SKILL.md:113
File Tree
3 files · 17.0 KB · 517 lines
Python 1f · 394L
Markdown 1f · 115L
JSON 1f · 8L
├─ .claude
│ └─ settings.local.json (JSON)
├─ scripts
│ └─ image_understanding.py (Python)
└─ SKILL.md (Markdown)
Security Positives
✓ No pip dependencies — uses only Python stdlib (socket, ssl, json, hmac, base64)
✓ HMAC-SHA256 authentication is industry-standard for API auth
✓ Image size validation (4MB max) prevents resource exhaustion
✓ All environment variable usage is explicitly declared in SKILL.md
✓ No subprocess, shell execution, or eval usage
✓ WebSocket uses TLS (wss://) for encrypted transport
✓ Network target is restricted to a single declared iFlytek endpoint
✓ File path access is limited to user-specified image files with existence checks
✓ Clean code with no obfuscation, base64 execution, or hidden payloads