中文 EN

Scan Report

Scan New Files

Trusted — Risk Score 0/100
Last scan:1 day ago Rescan
0 /100
ecommerce-img-gen
跨境电商图片生成工具 — generates platform-compliant e-commerce images for 7 platforms
ecommerce-img-gen is a legitimate cross-border e-commerce image generation skill. No malicious behavior, credential theft, obfuscation, or hidden functionality was found. All capabilities (filesystem read/write + network) are correctly declared and directly necessary for the image generation feature.
Skill Nameecommerce-img-gen
Duration42.6s
Enginepi
Safe to install
No action needed. This skill is safe to use as described.
ResourceDeclaredInferredStatusEvidence
Filesystem READ READ ✓ Aligned generate_image.py:encode_image() reads ref_image_path
Filesystem WRITE WRITE ✓ Aligned generate_image.py:save_path writes PNG to disk
Network READ READ ✓ Aligned generate_image.py:http.request POST to https://1xm.ai
Shell NONE NONE No subprocess or os.system calls found
Environment READ READ ✓ Aligned Reads 1XM_API_KEY env var; API key is required for legitimate operation
1 findings
🔗
Medium External URL 外部 URL
https://1xm.ai/v1/chat/completions
scripts/generate_image.py:20

File Tree

8 files · 62.9 KB · 1855 lines
Markdown 7f · 1482L Python 1f · 373L
├─ 📁 references
│ ├─ 📝 compliance_engine.md Markdown 149L · 4.0 KB
│ ├─ 📝 cultural_compliance.md Markdown 69L · 2.0 KB
│ ├─ 📝 detail_page_workflow.md Markdown 420L · 18.1 KB
│ ├─ 📝 main_image_workflow.md Markdown 166L · 4.5 KB
│ ├─ 📝 platform_specs.md Markdown 337L · 10.4 KB
│ └─ 📝 styles_and_routing.md Markdown 144L · 3.7 KB
├─ 📁 scripts
│ └─ 🐍 generate_image.py Python 373L · 13.7 KB
└─ 📝 SKILL.md Markdown 197L · 6.5 KB

Dependencies 1 items

PackageVersionSourceKnown VulnsNotes
urllib3 * stdlib No Bundled with Python stdlib; no external package dependencies

Security Positives

✓ No subprocess or shell execution — pure Python stdlib (urllib3, json, base64)
✓ No base64 obfuscation or eval() — image decoding uses straightforward re.search + b64decode
✓ No credential theft — 1XM_API_KEY is read only to authenticate with 1xm.ai, never exfiltrated
✓ No sensitive file enumeration (no ~/.ssh, ~/.aws, .env scanning)
✓ No curl|bash or remote script execution
✓ No hidden instructions or steganographic payloads
✓ No suspicious network patterns (uses HTTPS domain, not raw IP)
✓ API key fallback to .env is explicitly declared and necessary for operation
✓ Comprehensive compliance engine documented in plain markdown, no hidden logic
✓ SKILL.md accurately reflects all implemented capabilities