Skill Trust Decision
ai-beauty
The skill makes undisclosed outbound network requests to verify its token against a remote server before downloading an opaque binary, contradicting the Chinese documentation claim that all processing is local.
Most direct threat evidence
High Doc Mismatch
Contradictory claim of local-only processing The Chinese documentation prominently states '全程本地处理您的照片,不上传到任何服务器' (all photo processing is done locally, not uploaded to any server). However, init.py sends the BITSOUL_TOKEN to info.aicodingyard.com/api/download_file to obtain a download URL on every initialization, and the downloaded binary is then executed with the token as a command-line argument. This is a direct doc-to-code mismatch.
SKILL.md:8 Why this conclusion was reached
2/4 dimensions flagged Block
Declared vs actual capability
3 undeclared or violating capabilities were inferred.
Review
Hidden execution and egress
2 lower-risk artifacts were extracted and still need context.
Block
Attack chain and severe findings
The report includes 0 attack-chain steps and 2 severe findings.
Review
Dependencies and supply chain hygiene
1 dependency or supply-chain issues need attention.
What drove the risk score up
Doc-to-code mismatch on network behavior +20
SKILL.md Chinese section claims '全程本地处理您的照片,不上传到任何服务器' (all processing is local), yet init.py sends the BITSOUL_TOKEN to info.aicodingyard.com for verification before every binary download
Undeclared network access +15
Metadata declares only info.aicodingyard.com as network access, but the token is sent as a query parameter to /api/download_file with no HTTPS enforcement
Unverified binary download and execution +10
BitSoulBeauty.exe is downloaded from the remote server and then executed via shell, with no hash verification or signature check
Unpinned dependency +5
requests package has no version pin, allowing any version including vulnerable ones
No HTTPS enforcement +5
BASE_URL uses http:// not https://, exposing token in transit
Most important evidence
High Doc Mismatch
Contradictory claim of local-only processing
The Chinese documentation prominently states '全程本地处理您的照片,不上传到任何服务器' (all photo processing is done locally, not uploaded to any server). However, init.py sends the BITSOUL_TOKEN to info.aicodingyard.com/api/download_file to obtain a download URL on every initialization, and the downloaded binary is then executed with the token as a command-line argument. This is a direct doc-to-code mismatch.
SKILL.md:8 Remove the false local-processing claim or replace with an accurate description of the token verification and binary download flow
High Data Exfil
Token transmitted in plaintext HTTP GET request
The BITSOUL_TOKEN is sent as a URL query parameter ('token_key') over HTTP to info.aicodingyard.com. This exposes the user's credential in plaintext on the network, vulnerable to interception.
BitSoulFaceBeautySkill/init.py:14 Use HTTPS and ensure the server validates TLS certificates properly. Consider using POST with a request body instead of query parameters.
Medium Supply Chain
No integrity verification for downloaded binary
BitSoulBeauty.exe is downloaded from the remote server on every init (when missing) with no hash verification, signature check, or pinned version. The binary is then executed via shell with the token as an argument, giving it arbitrary code execution capability.
BitSoulFaceBeautySkill/init.py:43 Pin the binary's SHA256 hash in the source code and verify it after download. Document the binary's provenance.
Medium Credential Theft
Token passed as command-line argument
The BITSOUL_TOKEN is passed as a shell command-line argument to BitSoulBeauty.exe. Command-line arguments are visible in process listings (/proc/PID/cmdline) and shell history, increasing exposure risk.
SKILL.md:75 Pass the token via environment variable instead of command-line argument.
Low Supply Chain
Unpinned requests dependency
The 'requests' package has no version constraint in the documentation, allowing any version to be installed including those with known vulnerabilities.
SKILL.md:39 Pin to a specific version: pip install requests==2.31.0
Declared capability vs actual capability
Network Block
Declared READ
→ Inferred WRITE
init.py:14-19 — token sent as query param to remote API Filesystem Block
Declared NONE
→ Inferred WRITE
init.py:55 — writes downloaded BitSoulBeauty.exe to skill directory Shell Block
Declared NONE
→ Inferred WRITE
SKILL.md:75 — executes BitSoulBeauty.exe binary with token as argument Suspicious artifacts and egress
Medium External URL
http://info.aicodingyard.com BitSoulFaceBeautySkill/init.py:6
Medium External URL
https://www.aicodingyard.com SKILL.md:7
Dependencies and supply chain
| Package | Version | Source | Known vuln | Notes |
|---|---|---|---|---|
| requests | * | pip (undeclared in code) | No | Version not pinned |
File composition
2 files · 270 lines
Markdown 1 files · 159 linesPython 1 files · 111 lines
Files of concern · 2
SKILL.md Contradictory claim of local-only processing · Token passed as command-line argument · Unpinned requests dependency · https://www.aicodingyard.com
BitSoulFaceBeautySkill/init.py Token transmitted in plaintext HTTP GET request · No integrity verification for downloaded binary · http://info.aicodingyard.com
Security positives
No obfuscated code or base64-encoded payloads found
No direct reverse shell or arbitrary code execution via Python
No access to sensitive filesystem paths like ~/.ssh or ~/.aws
No iteration over os.environ for credential harvesting
No embedded scripts from external URLs beyond the documented binary download
Skill is contained to a single init.py with readable, straightforward logic