Trusted: risk score 5/100
Last scanned: 2 days ago
zhipu-free-image-video
Zhipu free image and video generation skill
Legitimate Zhipu AI image/video generation skill with clean code, proper API key handling, and no suspicious behavior.
Skill name: zhipu-free-image-video
Analysis time: 28.6s
Engine: pi
Safe to install
This skill is safe to use. No security concerns identified.

Security findings: 1

Severity: Low
Finding: Undeclared capability in allowed-tools mapping
SKILL.md uses node shebangs and https.network but doesn't explicitly declare shell:WRITE and network:READ in the allowed-tools mapping section.
#!/usr/bin/env node / https.request() calls
→ Consider documenting the use of shell (node) and network (HTTPS to open.bigmodel.cn) in SKILL.md for completeness.
Location: SKILL.md:1
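| Resource type | Declared permission | Inferred permission | Status | Evidence |
| --- | --- | --- | --- | --- |
| Command execution | NONE | WRITE | ✓ Consistent | All scripts use #!/usr/bin/env node shebang |
| Network access | NONE | READ | ✓ Consistent | lib.js:38 uses https.request to open.bigmodel.cn |
| Environment variables | NONE | READ | ✓ Consistent | lib.js:14 reads IMAGE_VIDEO_GENERATION_API_KEY or ZHIPU_API_KEY |
| Filesystem | NONE | NONE | | No filesystem access found |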

Directory structure

8 files · 14.1 KB · 464 lines
JavaScript: 7 files, 282 lines · Markdown: 1 file, 182 lines
├─ 📁 scripts
│ ├─ 📜 batch_generate_images.js JavaScript 71L · 2.4 KB
│ ├─ 📜 configure_models.js JavaScript 28L · 962 B
│ ├─ 📜 generate_image.js JavaScript 24L · 847 B
│ ├─ 📜 generate_video.js JavaScript 27L · 1.0 KB
│ ├─ 📜 lib.js JavaScript 82L · 2.2 KB
│ ├─ 📜 query_video_result.js JavaScript 14L · 502 B
│ └─ 📜 wait_for_video.js JavaScript 36L · 1.0 KB
└─ 📝 SKILL.md Markdown 182L · 5.2 KB

Security highlights

✓ All network requests target a single, legitimate AI API endpoint (open.bigmodel.cn)
✓ API keys are properly sourced from environment variables, not hardcoded
✓ No obfuscation, base64, or eval patterns present
✓ No credential exfiltration or data theft patterns
✓ No filesystem access beyond script execution
✓ No remote code execution, curl|bash, or suspicious download patterns
✓ Batch processing includes proper rate limiting (batch_size, max_concurrent, delay)
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env files
✓ Clean, readable code with no hidden functionality