Scan Report
8 /100
pdf-master-translator
Multi-agent PDF translation pipeline using Gemini AI for complex engineering documents with LaTeX and image handling
This is a legitimate PDF translation pipeline using Gemini AI with no malicious indicators. All declared capabilities are appropriate for the stated function.
Safe to install
No action needed. The skill is safe to use. Consider pinning dependency versions in production for reproducibility.
Findings 2 items
| Severity | Finding | Location |
|---|---|---|
| Low | Unpinned dependency versions in inline script metadata (Supply Chain) | scripts/translator_engine_v10.py:1 |
| Info | Placeholder API key in documentation (Doc Mismatch) | SKILL.md:48 |
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | WRITE | ✓ Aligned | SKILL.md:45 shows 'uv run translator_engine_v10.py' for PDF input; code writes t… |
| Network | READ | READ | ✓ Aligned | SKILL.md declares API calls; code calls gemini.google.dev API and math.vercel.ap… |
| Shell | NONE | NONE | — | No subprocess, no os.system, no popen calls found across all scripts |
| Environment | READ | READ | ✓ Aligned | SKILL.md:48 explicitly declares GEMINI_API_KEY env var requirement |
| Skill Invoke | NONE | NONE | — | No inter-skill invocation found |
| Clipboard | NONE | NONE | — | No clipboard access detected |
| Browser | NONE | NONE | — | No browser automation detected |
| Database | NONE | NONE | — | No database access detected |
1 High · 3 findings

| Severity | Type | Value | Location |
|---|---|---|---|
| High | API Key (suspected hard-coded credential) | API_KEY="your_api_key_here" | SKILL.md:48 |
| Medium | External URL | http://127.0.0.1:10809 | SKILL.md:50 |
| Medium | External URL | https://math.vercel.app/?from= | scripts/translator_engine.py:76 |

File Tree
11 files · 83.8 KB · 1713 lines
Python 9f · 1633L
Markdown 1f · 74L
JSON 1f · 6L
├─ scripts/
│  ├─ translator_engine_v10.py (Python)
│  ├─ translator_engine_v4.py (Python)
│  ├─ translator_engine_v5.py (Python)
│  ├─ translator_engine_v6.py (Python)
│  ├─ translator_engine_v7.py (Python)
│  ├─ translator_engine_v8.py (Python)
│  ├─ translator_engine_v9_final.py (Python)
│  ├─ translator_engine_v9.py (Python)
│  └─ translator_engine.py (Python)
├─ package.json (JSON)
└─ SKILL.md (Markdown)
Dependencies 6 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| pymupdf | * | pip | No | Version not pinned |
| google-genai | * | pip | No | Version not pinned |
| markdown2 | * | pip | No | Version not pinned |
| weasyprint | * | pip | No | Version not pinned |
| pillow | * | pip | No | Version not pinned |
| tenacity | * | pip | No | Version not pinned |
Security Positives
✓ No subprocess, os.system, or shell command execution — purely Python library calls
✓ No obfuscation (no base64 decode+execute, no eval, no dynamic code generation)
✓ No sensitive file path access (~/.ssh, ~/.aws, .env, /etc/passwd)
✓ No credential harvesting or exfiltration — GEMINI_API_KEY only used to authenticate with Google Gemini API
✓ No C2 communication, reverse shell, or data theft behavior
✓ No hidden functionality — code matches stated purpose in SKILL.md
✓ Temporary working directories are cleaned up after execution (shutil.rmtree)
✓ Uses reputable, well-known Python packages (pymupdf, weasyprint, google-genai)
✓ Multiple script versions (v4-v10) indicate iterative development of a legitimate tool rather than obfuscated malware
✓ External network calls (math.vercel.app for LaTeX SVG rendering) are explicitly documented in SKILL.md