Trusted — risk score 0/100
Last scan: 1 day ago
ecommerce-img-gen
Cross-border e-commerce image generation tool — generates platform-compliant e-commerce images for 7 platforms
ecommerce-img-gen is a legitimate cross-border e-commerce image generation skill. No malicious behavior, credential theft, obfuscation, or hidden functionality was found. All capabilities (filesystem read/write + network) are correctly declared and directly necessary for the image generation feature.
Skill name: ecommerce-img-gen
Analysis time: 42.6s
Engine: pi
Verdict: safe to install
No action needed. This skill is safe to use as described.
Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | READ | READ | ✓ consistent | generate_image.py:encode_image() reads ref_image_path
Filesystem | WRITE | WRITE | ✓ consistent | generate_image.py:save_path writes PNG to disk
Network access | READ | READ | ✓ consistent | generate_image.py:http.request POST to https://1xm.ai
Command execution | NONE | NONE | | No subprocess or os.system calls found
Environment variables | READ | READ | ✓ consistent | Reads 1XM_API_KEY env var; API key is required for legitimate operation
1 finding

Medium severity · External URL
https://1xm.ai/v1/chat/completions
scripts/generate_image.py:20

Directory structure

8 files · 62.9 KB · 1855 lines
Markdown: 7 files · 1482 lines; Python: 1 file · 373 lines
├─ 📁 references
│ ├─ 📝 compliance_engine.md Markdown 149L · 4.0 KB
│ ├─ 📝 cultural_compliance.md Markdown 69L · 2.0 KB
│ ├─ 📝 detail_page_workflow.md Markdown 420L · 18.1 KB
│ ├─ 📝 main_image_workflow.md Markdown 166L · 4.5 KB
│ ├─ 📝 platform_specs.md Markdown 337L · 10.4 KB
│ └─ 📝 styles_and_routing.md Markdown 144L · 3.7 KB
├─ 📁 scripts
│ └─ 🐍 generate_image.py Python 373L · 13.7 KB
└─ 📝 SKILL.md Markdown 197L · 6.5 KB

Dependency analysis (1 item)

Package | Version | Source | Known vulnerabilities | Notes
urllib3 | * | stdlib | | Bundled with Python stdlib; no external package dependencies

Security highlights

✓ No subprocess or shell execution — pure Python stdlib (urllib3, json, base64)
✓ No base64 obfuscation or eval() — image decoding uses straightforward re.search + b64decode
✓ No credential theft — 1XM_API_KEY is read only to authenticate with 1xm.ai, never exfiltrated
✓ No sensitive file enumeration (no ~/.ssh, ~/.aws, .env scanning)
✓ No curl|bash or remote script execution
✓ No hidden instructions or steganographic payloads
✓ No suspicious network patterns (uses HTTPS domain, not raw IP)
✓ API key fallback to .env is explicitly declared and necessary for operation
✓ Comprehensive compliance engine documented in plain markdown, no hidden logic
✓ SKILL.md accurately reflects all implemented capabilities