Scan Report
5 /100
weshop-openapi-skill
Image-editing and image-generation tasks including model replacement, pose changes, background swapping, virtual try-on, and more via WeShop OpenAPI
This is a legitimate API integration skill for image processing via WeShop OpenAPI with no malicious behavior detected.
Safe to install
No action required. The skill is a well-documented API wrapper with appropriate security warnings about API key handling.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | — | No filesystem operations declared or implied in SKILL.md |
| Network | READ | READ | ✓ Aligned | HTTPS API calls to openapi.weshop.ai; all network usage is declared |
| Environment | READ | READ | ✓ Aligned | WESHOP_API_KEY access declared in metadata; only used for authentication |
| Shell | NONE | NONE | — | No shell execution in this documentation-only skill |
| Skill Invoke | NONE | NONE | — | No nested skill invocation defined |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser automation |
| Database | NONE | NONE | — | No database access |
6 findings
Medium External URL 外部 URL
https://openapi.weshop.ai/openapi/agent/openapi.yaml SKILL.md:13 Medium External URL 外部 URL
https://openapi.weshop.ai/openapi/* SKILL.md:19 Medium External URL 外部 URL
https://open.weshop.ai/authorization/apikey. SKILL.md:26 Medium External URL 外部 URL
https://openapi.weshop.ai/openapi/agent/runs SKILL.md:246 Medium External URL 外部 URL
https://ai-image.weshop.ai/example.png SKILL.md:253 Medium External URL 外部 URL
https://openapi.weshop.ai/openapi/agent/assets/images SKILL.md:267 File Tree
1 files · 14.1 KB · 312 lines Markdown 1f · 312L
└─
SKILL.md
Markdown
Security Positives
✓ API key security warnings prominently displayed - warns against sending keys to unauthorized domains
✓ No shell execution, filesystem writes, or sensitive path access
✓ Network access limited to single legitimate API endpoint (openapi.weshop.ai)
✓ No credential exfiltration or suspicious network patterns
✓ Pure documentation/specification file with no hidden executable code
✓ Transparent about required environment variables and their purpose
✓ API key is only sent to the declared legitimate endpoint