Scan Report
0/100
ifly-image-understanding
iFlytek Image Understanding (图片理解) — analyze and answer questions about images using Spark Vision model. WebSocket API, pure Python stdlib, no pip dependencies.
iFlytek Image Understanding skill is a legitimate, well-documented image analysis tool that uses WebSocket API with HMAC-SHA256 auth — no malicious behavior detected.
Safe to install
This skill is safe to use. No security concerns were identified.
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | READ | READ | ✓ Consistent | read_image_base64() only reads user-specified image files with size validation (… |
| Network access | READ | READ | ✓ Consistent | WebSocket client connects exclusively to wss://spark-api.cn-huabei-1.xf-yun.com |
| Command execution | NONE | NONE | — | No subprocess or shell execution — pure stdlib socket/ssl only |
| Environment variables | READ | READ | ✓ Consistent | Reads IFLY_APP_ID, IFLY_API_KEY, IFLY_API_SECRET — all declared in SKILL.md |
| Skill invocation | NONE | NONE | — | No cross-skill invocation |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser access |
| Database | NONE | NONE | — | No database access |
3 findings
Medium · External URL · https://console.xfyun.cn · SKILL.md:12
Medium · External URL · https://console.xfyun.cn/services/image · SKILL.md:112
Medium · External URL · https://console.xfyun.cn/sale/buy?wareId=9046&packageId=9046002&serviceName=%E5%9B%BE%E7%89%87%E7%90%86%E8%A7%A3&busines... · SKILL.md:113
Directory structure
3 files · 17.0 KB · 517 lines
Python 1f · 394L
Markdown 1f · 115L
JSON 1f · 8L
├─ .claude
│  └─ settings.local.json (JSON)
├─ scripts
│  └─ image_understanding.py (Python)
└─ SKILL.md (Markdown)
Security highlights
✓ No pip dependencies — uses only Python stdlib (socket, ssl, json, hmac, base64)
✓ HMAC-SHA256 authentication is industry-standard for API auth
✓ Image size validation (4MB max) prevents resource exhaustion
✓ All environment variable usage is explicitly declared in SKILL.md
✓ No subprocess, shell execution, or eval usage
✓ WebSocket uses TLS (wss://) for encrypted transport
✓ Network target is restricted to a single declared iFlytek endpoint
✓ File path access is limited to user-specified image files with existence checks
✓ Clean code with no obfuscation, base64 execution, or hidden payloads