中文 EN

Scan Report

Scan New Files

Trusted — Risk Score 5/100
Last scan:2 days ago Rescan
5 /100
zhipu-free-image-video
智谱免费图片与视频生成技能
Legitimate Zhipu AI image/video generation skill with clean code, proper API key handling, and no suspicious behavior.
Skill Namezhipu-free-image-video
Duration28.6s
Enginepi
Safe to install
This skill is safe to use. No security concerns identified.

Findings 1 items

Severity Finding Location
Low
Undeclared capability in allowed-tools mapping
SKILL.md uses node shebangs and https.network but doesn't explicitly declare shell:WRITE and network:READ in the allowed-tools mapping section.
#!/usr/bin/env node / https.request() calls
→ Consider documenting the use of shell (node) and network (HTTPS to open.bigmodel.cn) in SKILL.md for completeness.
 SKILL.md:1
ResourceDeclaredInferredStatusEvidence
Shell NONE WRITE ✓ Aligned All scripts use #!/usr/bin/env node shebang
Network NONE READ ✓ Aligned lib.js:38 uses https.request to open.bigmodel.cn
Environment NONE READ ✓ Aligned lib.js:14 reads IMAGE_VIDEO_GENERATION_API_KEY or ZHIPU_API_KEY
Filesystem NONE NONE No filesystem access found

File Tree

8 files · 14.1 KB · 464 lines
JavaScript 7f · 282L Markdown 1f · 182L
├─ 📁 scripts
│ ├─ 📜 batch_generate_images.js JavaScript 71L · 2.4 KB
│ ├─ 📜 configure_models.js JavaScript 28L · 962 B
│ ├─ 📜 generate_image.js JavaScript 24L · 847 B
│ ├─ 📜 generate_video.js JavaScript 27L · 1.0 KB
│ ├─ 📜 lib.js JavaScript 82L · 2.2 KB
│ ├─ 📜 query_video_result.js JavaScript 14L · 502 B
│ └─ 📜 wait_for_video.js JavaScript 36L · 1.0 KB
└─ 📝 SKILL.md Markdown 182L · 5.2 KB

Security Positives

✓ All network requests target a single, legitimate AI API endpoint (open.bigmodel.cn)
✓ API keys are properly sourced from environment variables, not hardcoded
✓ No obfuscation, base64, or eval patterns present
✓ No credential exfiltration or data theft patterns
✓ No filesystem access beyond script execution
✓ No remote code execution, curl|bash, or suspicious download patterns
✓ Batch processing includes proper rate limiting (batch_size, max_concurrent, delay)
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env files
✓ Clean, readable code with no hidden functionality