Scan report
10/100
seedream5.0
Uses the Seedream5.0 API for text-to-image and reference-image generation
Legitimate image generation skill with properly declared API key storage, environment variable access, and external network calls. No malicious behavior detected.
Safe to install
Skill is safe for use. Monitor external API endpoint availability and ensure X_API_KEY is obtained from the legitimate source kexiangai.com.
Security findings: 2

| Severity | Finding | Location |
|---|---|---|
| Low | External API endpoint dependency | SKILL.md:68 |
| Low | API key source externalization | SKILL.md:13 |

| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | WRITE | WRITE | ✓ Consistent | SKILL.md:119 writes to ~/.config/seedream5.0/.env |
| Environment variables | READ | READ | ✓ Consistent | SKILL.md:48 reads X_API_KEY env var |
| Network access | WRITE | WRITE | ✓ Consistent | SKILL.md:68 POSTs to external API |
| Command execution | WRITE | WRITE | ✓ Consistent | scripts/generate.sh and set_key.sh use bash for API calls |
1 finding
Medium · External URL
https://agent.mathmind.cn/minimalist/api/volcengine/ai/fzGenerateImg5 (SKILL.md:68)

Directory structure
4 files · 8.6 KB · 302 lines
Markdown: 2 files · 170 lines
Shell: 2 files · 132 lines
├─ references
│  └─ api-guide.md (Markdown)
├─ scripts
│  ├─ generate.sh (Shell)
│  └─ set_key.sh (Shell)
└─ SKILL.md (Markdown)
Security highlights
✓ API key is masked in logs (SKILL.md:21: 'logs and echoed output may only be displayed masked')
✓ File permissions properly set to 600 for credential storage (scripts/set_key.sh:18)
✓ Network timeout configured (scripts/generate.sh:9: TIMEOUT=600)
✓ Input validation present (prompt required, size/watermark normalized)
✓ All capabilities declared in SKILL.md
✓ No hidden functionality or suspicious patterns detected
✓ No base64 encoding, eval(), or remote script execution
✓ No credential exfiltration or suspicious network destinations