Scan Report
10/100
seedream5.0
Uses the Seedream5.0 API for text-to-image and reference-image generation
Legitimate image generation skill with properly declared API key storage, environment variable access, and external network calls. No malicious behavior detected.
Safe to install
Skill is safe for use. Monitor external API endpoint availability and ensure X_API_KEY is obtained from the legitimate source kexiangai.com.
Findings 2 items
| Severity | Finding | Location |
|---|---|---|
| Low | External API endpoint dependency | SKILL.md:68 |
| Low | API key source externalization | SKILL.md:13 |
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Aligned | SKILL.md:119 writes to ~/.config/seedream5.0/.env |
| Environment | READ | READ | ✓ Aligned | SKILL.md:48 reads X_API_KEY env var |
| Network | WRITE | WRITE | ✓ Aligned | SKILL.md:68 POSTs to external API |
| Shell | WRITE | WRITE | ✓ Aligned | scripts/generate.sh and set_key.sh use bash for API calls |
1 finding
| Severity | Finding | Location |
|---|---|---|
| Medium | External URL: https://agent.mathmind.cn/minimalist/api/volcengine/ai/fzGenerateImg5 | SKILL.md:68 |
File Tree
4 files · 8.6 KB · 302 lines (Markdown: 2 files, 170 lines; Shell: 2 files, 132 lines)
├─ references/
│  └─ api-guide.md (Markdown)
├─ scripts/
│  ├─ generate.sh (Shell)
│  └─ set_key.sh (Shell)
└─ SKILL.md (Markdown)
Security Positives
✓ API key is masked in logs (SKILL.md:21: 'logs and echoed output may only display the key in masked form')
✓ File permissions properly set to 600 for credential storage (scripts/set_key.sh:18)
✓ Network timeout configured (scripts/generate.sh:9: TIMEOUT=600)
✓ Input validation present (prompt required, size/watermark normalized)
✓ All capabilities declared in SKILL.md
✓ No hidden functionality or suspicious patterns detected
✓ No base64 encoding, eval(), or remote script execution
✓ No credential exfiltration or suspicious network destinations