中文 EN

扫描报告

扫描新文件

低风险 — 风险评分 8/100
上次扫描:20 小时前 重新扫描
8 /100
pdf-master-translator
Multi-agent PDF translation pipeline using Gemini AI for complex engineering documents with LaTeX and image handling
This is a legitimate PDF translation pipeline using Gemini AI with no malicious indicators. All declared capabilities are appropriate for the stated function.
技能名称pdf-master-translator
分析耗时105.1s
引擎pi
可以安装
No action needed. The skill is safe to use. Consider pinning dependency versions in production for reproducibility.

安全发现 2 项

严重性 安全发现 位置
低危
Unpinned dependency versions in inline script metadata 供应链
The inline script header declares dependencies like 'pymupdf', 'google-genai', etc. without version pins. While these are well-known packages from PyPI, version floating could theoretically allow a supply chain compromise.
# dependencies = ["pymupdf", "google-genai", "markdown2", "weasyprint", "pillow", "tenacity"]
→ Pin versions for production use: e.g., pymupgf>=1.43.0, google-genai>=0.8.0
 scripts/translator_engine_v10.py:1
提示
Placeholder API key in documentation 文档欺骗
SKILL.md shows export GEMINI_API_KEY="your_api_key_here" as an example. This is a placeholder string, not a real credential. The pre-scan flagged it as a potential hardcoded credential, but review confirms it is purely documentation text.
export GEMINI_API_KEY="your_api_key_here"
→ No action needed. The string is clearly a placeholder example. This is a false positive from the pre-scan.
 SKILL.md:48
资源类型声明权限推断权限状态证据
文件系统 READ WRITE ✓ 一致 SKILL.md:45 shows 'uv run translator_engine_v10.py' for PDF input; code writes t…
网络访问 READ READ ✓ 一致 SKILL.md declares API calls; code calls gemini.google.dev API and math.vercel.ap…
命令执行 NONE NONE No subprocess, no os.system, no popen calls found across all scripts
环境变量 READ READ ✓ 一致 SKILL.md:48 explicitly declares GEMINI_API_KEY env var requirement
技能调用 NONE NONE No inter-skill invocation found
剪贴板 NONE NONE No clipboard access detected
浏览器 NONE NONE No browser automation detected
数据库 NONE NONE No database access detected
1 高危 3 项发现
🔑
高危 API 密钥 疑似硬编码凭证
API_KEY="your_api_key_here"
SKILL.md:48
🔗
中危 外部 URL 外部 URL
http://127.0.0.1:10809
SKILL.md:50
🔗
中危 外部 URL 外部 URL
https://math.vercel.app/?from=
scripts/translator_engine.py:76

目录结构

11 文件 · 83.8 KB · 1713 行
Python 9f · 1633L Markdown 1f · 74L JSON 1f · 6L
├─ 📁 scripts
│ ├─ 🐍 translator_engine_v10.py Python 186L · 9.3 KB
│ ├─ 🐍 translator_engine_v4.py Python 202L · 10.4 KB
│ ├─ 🐍 translator_engine_v5.py Python 194L · 10.0 KB
│ ├─ 🐍 translator_engine_v6.py Python 249L · 11.4 KB
│ ├─ 🐍 translator_engine_v7.py Python 192L · 9.8 KB
│ ├─ 🐍 translator_engine_v8.py Python 80L · 3.2 KB
│ ├─ 🐍 translator_engine_v9_final.py Python 142L · 7.4 KB
│ ├─ 🐍 translator_engine_v9.py Python 163L · 7.2 KB
│ └─ 🐍 translator_engine.py Python 225L · 10.5 KB
├─ 📋 package.json JSON 6L · 218 B
└─ 📝 SKILL.md Markdown 74L · 4.4 KB

依赖分析 6 项

包名版本来源已知漏洞备注
pymupdf * pip Version not pinned
google-genai * pip Version not pinned
markdown2 * pip Version not pinned
weasyprint * pip Version not pinned
pillow * pip Version not pinned
tenacity * pip Version not pinned

安全亮点

✓ No subprocess, os.system, or shell command execution — purely Python library calls
✓ No obfuscation (no base64 decode+execute, no eval, no dynamic code generation)
✓ No sensitive file path access (~/.ssh, ~/.aws, .env, /etc/passwd)
✓ No credential harvesting or exfiltration — GEMINI_API_KEY only used to authenticate with Google Gemini API
✓ No C2 communication, reverse shell, or data theft behavior
✓ No hidden functionality — code matches stated purpose in SKILL.md
✓ Temporary working directories are cleaned up after execution (shutil.rmtree)
✓ Uses reputable, well-known Python packages (pymupdf, weasyprint, google-genai)
✓ Multiple script versions (v4-v10) indicate iterative development of a legitimate tool rather than obfuscated malware
✓ External network calls (math.vercel.app for LaTeX SVG rendering) are explicitly documented in SKILL.md