Chanjing Text To Digital Person

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a coherent Chanjing API wrapper, but it uses local Chanjing credentials, persists an access token, and can save downloaded results when explicitly asked.

Before installing, make sure you trust the Chanjing API integration and protect the credentials file it uses. Keep the API base URL environment variables pointed at the official service unless you intentionally use a trusted alternate endpoint, and only download generated outputs to safe local paths.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Low
What this means

The skill can use the user's Chanjing API account and stores a reusable access token locally.

Why it was flagged

The skill reads Chanjing app_id/secret_key from the local credentials file, sends them to the configured API base to obtain a token, and writes the returned token back to disk.

Skill content

url = API_BASE + "/open/v1/access_token" ... data=json.dumps({"app_id": app_id, "secret_key": secret_key}) ... data["access_token"] = new_token ... write_config(data)

Recommendation

Use this only with a trusted Chanjing credentials file, protect ~/.chanjing/credentials.json, and avoid setting CHANJING_OPENAPI_BASE_URL or CHANJING_API_BASE to an untrusted host.

ASI02: Tool Misuse and Exploitation
Low
What this means

If used carelessly, the download helper could write a file outside the default outputs directory or overwrite an existing user-writable file.

Why it was flagged

The downloader fetches a user-supplied URL and writes it to a user-supplied or default local path. This is purpose-aligned, but the code does not enforce host or output-path restrictions.

Skill content

output_path = Path(args.output) if args.output else default_dir / infer_filename(args.url) ... urllib.request.urlopen(req, timeout=120) ... open(output_path, "wb")

Recommendation

Only run downloads for expected Chanjing output URLs and use the default outputs/text-to-digital-person directory or another safe, non-sensitive path.

ASI05: Unexpected Code Execution
Info
What this means

A missing-credentials flow may launch a local helper script or browser window to guide authentication.

Why it was flagged

When credentials are missing, the skill may execute the companion credentials-guard login-page helper if present, or open the Chanjing login URL in a browser.

Skill content

if script.exists(): subprocess.run([sys.executable, str(script)], check=False, timeout=5) else: webbrowser.open(LOGIN_URL)

Recommendation

Ensure any installed chanjing-credentials-guard skill comes from a trusted source, and expect a browser login page only when credentials are not configured.