Suspicious — Risk Score 55/100
Last scan: 23 hr ago
ai-beauty
Edit image to beautify faces or portraits in it. Use when (1) User requests to process an image, (2) User asks to beautify a photo.
The skill makes undisclosed outbound network requests to verify its token against a remote server before downloading an opaque binary, contradicting the Chinese documentation claim that all processing is local.
Skill Name: ai-beauty
Duration: 42.3s
Engine: pi
Use with caution
Remove or fix the misleading Chinese claim about '全程本地处理' (fully local processing). Add cryptographic verification (e.g., SHA256 hash) for the downloaded binary. Pin the `requests` package version. Declare all network domains in metadata.

Findings 5 items

Severity Finding Location
High
Contradictory claim of local-only processing [Doc Mismatch]
The Chinese documentation prominently states '全程本地处理您的照片,不上传到任何服务器' (all photo processing is done locally, not uploaded to any server). However, init.py sends the BITSOUL_TOKEN to info.aicodingyard.com/api/download_file to obtain a download URL on every initialization, and the downloaded binary is then executed with the token as a command-line argument. This is a direct doc-to-code mismatch.
全程本地处理您的照片,不上传到任何服务器
→ Remove the false local-processing claim or replace with an accurate description of the token verification and binary download flow
SKILL.md:8
High
Token transmitted in plaintext HTTP GET request [Data Exfil]
The BITSOUL_TOKEN is sent as a URL query parameter ('token_key') over HTTP to info.aicodingyard.com. This exposes the user's credential in plaintext on the network, vulnerable to interception.
BASE_URL = "http://info.aicodingyard.com"
→ Use HTTPS and ensure the server validates TLS certificates properly. Consider using POST with a request body instead of query parameters.
BitSoulFaceBeautySkill/init.py:14
Medium
No integrity verification for downloaded binary [Supply Chain]
BitSoulBeauty.exe is downloaded from the remote server on every init (when missing) with no hash verification, signature check, or pinned version. The binary is then executed via shell with the token as an argument, giving it arbitrary code execution capability.
download_data_file("BitSoulBeauty.exe", exe_file, max_retries=3)
→ Pin the binary's SHA256 hash in the source code and verify it after download. Document the binary's provenance.
BitSoulFaceBeautySkill/init.py:43
Medium
Token passed as command-line argument [Credential Theft]
The BITSOUL_TOKEN is passed as a shell command-line argument to BitSoulBeauty.exe. Command-line arguments are visible in process listings (/proc/PID/cmdline) and shell history, increasing exposure risk.
./BitSoulFaceBeautySkill/BitSoulBeauty.exe BITSOUL_TOKEN IMAGE_PATH...
→ Pass the token via environment variable instead of command-line argument.
SKILL.md:75
Low
Unpinned requests dependency [Supply Chain]
The 'requests' package has no version constraint in the documentation, allowing any version to be installed including those with known vulnerabilities.
pip install requests
→ Pin to a specific version: pip install requests==2.31.0
SKILL.md:39
Resource | Declared | Inferred | Status | Evidence
Network | READ | WRITE | ✗ Violation | init.py:14-19 — token sent as query param to remote API
Filesystem | NONE | WRITE | ✗ Violation | init.py:55 — writes downloaded BitSoulBeauty.exe to skill directory
Shell | NONE | WRITE | ✗ Violation | SKILL.md:75 — executes BitSoulBeauty.exe binary with token as argument
2 findings
Medium External URL
http://info.aicodingyard.com
BitSoulFaceBeautySkill/init.py:6
Medium External URL
https://www.aicodingyard.com
SKILL.md:7

File Tree

2 files · 14.6 KB · 270 lines
Markdown 1f · 159L Python 1f · 111L
├─ 📁 BitSoulFaceBeautySkill
│ └─ 🐍 init.py Python 111L · 4.1 KB
└─ 📝 SKILL.md Markdown 159L · 10.5 KB

Dependencies 1 items

Package | Version | Source | Known Vulns | Notes
requests | * | pip (undeclared in code) | No | Version not pinned

Security Positives

✓ No obfuscated code or base64-encoded payloads found
✓ No direct reverse shell or arbitrary code execution via Python
✓ No access to sensitive filesystem paths like ~/.ssh or ~/.aws
✓ No iteration over os.environ for credential harvesting
✓ No embedded scripts from external URLs beyond the documented binary download
✓ Skill is contained to a single init.py with readable, straightforward logic