Chanjing Ai Creation

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Chanjing API client that stores local API credentials and only downloads generated files when explicitly run.

Install this only if you intend to connect it to your Chanjing Open API account. Protect ~/.chanjing/credentials.json from other users, backups, and sync tools; keep the API base URL trusted; review raw JSON payloads before submitting tasks; and verify the optional credentials-guard helper if that login flow is used.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises capabilities to read/write local credentials, use environment variables, make network calls, and invoke shell-adjacent helper scripts, but the finding indicates these capabilities are not formally declared in permissions. That mismatch weakens reviewability and consent boundaries: operators may underestimate what the skill can do, especially since it handles secrets and can launch a browser or related helper tooling.

Context-Inappropriate Capability

Medium
Confidence
75% confidence
Finding
The authentication helper performs side effects beyond token retrieval by launching an external script or opening a browser automatically when credentials are missing. In an agent skill context, unexpected process spawning and browser opening can violate user expectations, create phishing or UX risks, and expand the trust boundary to another skill's script.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger section uses broad natural-language phrases like '帮我提交一个 AI 创作视频任务' ("help me submit an AI creation video task") and '把刚生成的图片下载到本地' ("download the image that was just generated to the local machine") without defining boundaries, confirmation requirements, or exclusions. In an agent setting, this can cause overbroad activation and unintended execution of networked task submission or local-download behavior when a user is only discussing or exploring options.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The examples explicitly instruct downloading a remote URL to the local machine and state that the script outputs a local file path, but they do not warn that this causes a local file write or describe destination, overwrite behavior, or trust requirements for the source URL. In a skill that interacts with remote services and generated outputs, this increases the risk of users or agents writing untrusted content to disk without informed consent.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The code writes tokens and possibly long-lived credentials to credentials.json without setting restrictive file permissions or warning the user in this file. On multi-user systems or permissive umasks, this can expose API secrets to other local users or other processes.

Missing User Warnings

Low
Confidence
72% confidence
Finding
Automatically opening a browser login or registration page without explicit prior user consent is potentially unsafe behavior for an agent skill. It can surprise users, trigger unwanted external interactions, and if the URL source were ever changed elsewhere, could facilitate phishing-like flows.

Credential Access

High
Category
Privilege Escalation
Content
description: >-
  Chanjing AI creation Open API client: submit image/video tasks, poll task
  status, list and get tasks, and optionally download outputs when the user runs
  download_result.py. Reads and writes local credentials.json; calls
  open-api.chanjing.cc.
credential: credentials.json (read/write app_id, secret_key, access_token on disk)
openclaw_primary_env: false
Confidence
95% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
status, list and get tasks, and optionally download outputs when the user runs
  download_result.py. Reads and writes local credentials.json; calls
  open-api.chanjing.cc.
credential: credentials.json (read/write app_id, secret_key, access_token on disk)
openclaw_primary_env: false
environment: CHANJING_OPENAPI_CREDENTIALS_DIR, CHANJING_OPENAPI_BASE_URL
legacy_environment: CHANJING_CONFIG_DIR, CHANJING_API_BASE
Confidence
95% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
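## Feature Description

Calls the Chanjing **AI Creation** Open API: **submit tasks**, **poll status**, **list and single-task queries**; **optionally downloads** outputs with `download_result.py` only when the user explicitly asks. Requires **read/write** access to the local `credentials.json` and access to the Open API. Cross-model text-to-image/video and similar behaviour is determined by the `submit_task.py` parameters and pass-through body. The scripts in this skill do **not** depend on ffmpeg/ffprobe.

## Runtime Dependencies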
Confidence
94% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
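* **Poll** the asynchronous result until it completes (`poll_task.py`)
* **Download** outputs only when the user explicitly asks (`download_result.py`)

The flow above depends on reading and writing the local `credentials.json` and calling `open-api.chanjing.cc`.

If the request is closer to "text-to-digital-person", prefer `chanjing-text-to-digital-person`.  
If the request is closer to "video composition with an existing digital person", prefer `chanjing-video-compose`.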
Confidence
94% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
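This Skill and the guard share:

* `~/.chanjing/credentials.json`
* `https://open-api.chanjing.cc`

When no credentials are present, the script automatically opens the Chanjing login page and shows the configuration command.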
Confidence
93% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
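For the item-by-item notes on **Purpose / Credentials / Persistence** and the **`download_result.py`** trust boundary, see **`manifest.yaml`**.

**Runtime scope**: This Skill's instructions and scripts serve only the declared purposes: reading the local **`credentials.json`** and calling Chanjing **Open API** endpoints. They do **not** automatically write generated artifacts to disk when polling or a query succeeds, and download resources **only** when the user explicitly runs **`download_result.py`**.

**`_auth.py` and repository layout**: The authentication helper may open the system browser, or call a **`chanjing-credentials-guard`** script in the same repository by relative path (for example `open_login_page.py`). This assumes the current workspace uses the **chan-skills style multi-Skill directory layout**, or that the guard skill has been installed separately at an equivalent path; otherwise it falls back to only opening the login page URL.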
Confidence
92% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
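**`_auth.py` and repository layout**: The authentication helper may open the system browser, or call a **`chanjing-credentials-guard`** script in the same repository by relative path (for example `open_login_page.py`). This assumes the current workspace uses the **chan-skills style multi-Skill directory layout**, or that the guard skill has been installed separately at an equivalent path; otherwise it falls back to only opening the login page URL.

**Sensitive data and persistence**: The skill is expected to handle only `app_id`, `secret_key` and `access_token` in **`credentials.json`** (plus fields related to the token lifecycle, see `manifest.yaml`). **Writing `access_token` to disk** is intentional and documented, and is generally acceptable for an API client; but on **hosts shared by multiple users**, or with **full-disk backup/sync to untrusted storage**, the on-disk token **widens the exposure surface**, and this needs to be assessed for each environment.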

## Standard Workflow
Confidence
96% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
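| Script | Description |
|------|------|
| `_auth.py` | Reads and writes `credentials.json`; obtains or refreshes the `access_token` |
| `submit_task.py` | Submits an AI creation task and outputs the `unique_id` |
| `get_task.py` | Gets the details of a single task |
| `list_tasks.py` | Lists image or video tasks |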
Confidence
94% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
persistAccessTokenOnDisk: true
  primaryEnvIntentionallyOmitted: true
  doNotCommitToVcs:
    - credentials.json

clientPermissions:
  network:
Confidence
84% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
read:
      - "${CHANJING_OPENAPI_CREDENTIALS_DIR or CHANJING_CONFIG_DIR or ~/.chanjing}/credentials.json"
    write:
      - "${CHANJING_OPENAPI_CREDENTIALS_DIR or CHANJING_CONFIG_DIR or ~/.chanjing}/credentials.json"
  browser:
    mayOpenForAuth: true
    documentedHosts:
Confidence
81% confidence
Finding
credentials.json

Session Persistence

Medium
Category
Rogue Agent
Content
status, list and get tasks, and optionally download outputs when the user runs
  download_result.py. Reads and writes local credentials.json; calls
  open-api.chanjing.cc.
credential: credentials.json (read/write app_id, secret_key, access_token on disk)
openclaw_primary_env: false
environment: CHANJING_OPENAPI_CREDENTIALS_DIR, CHANJING_OPENAPI_BASE_URL
legacy_environment: CHANJING_CONFIG_DIR, CHANJING_API_BASE
Confidence
96% confidence
Finding
write app_id, secret_key, access_token on disk) openclaw_primary_env: false environment: CHANJING_OPENAPI_CREDENTIALS_DIR, CHANJING_OPENAPI_BASE_URL legacy_environment: CHANJING_CONFIG_DIR, CHANJING_A

VirusTotal

66/66 vendors flagged this skill as clean.
