Habilidades faceswap Histórico de Auditoria
🎭

Histórico de Auditoria

faceswap - 3 auditorias

Versão da auditoria 3

Mais recente Risco Médio

Jun 8, 2026, 11:50 AM

The skill is a documentation/instruction file (no executable code) that guides an AI assistant to run shell commands (yt-dlp, ffmpeg, curl) and make API calls to verging.ai. All 82 static findings are false positives in context: backtick patterns are markdown code examples, URLs are legitimate API endpoints, API key references are standard authentication documentation, and temp directory access is standard media processing. The combination of network + credentials + external commands is expected for this use case. No malicious intent detected. Risk level is medium due to the breadth of system access required.

2
Arquivos analisados
225
Linhas analisadas
9
achados
claude
Auditado por
Problemas de Risco Médio (1)
SKILL.md:11-18
Broad system access required
The skill requires yt-dlp, ffmpeg, ffprobe, and curl binaries plus the VERGING_API_KEY environment variable. While all usages are documented and legitimate for face-swap workflows, the combination of network access, external command execution, credential handling, and filesystem write access represents a significant attack surface if the skill were modified maliciously. This is a known characteristic of media-processing skills, not a current vulnerability.
Problemas de Baixo Risco (4)
SKILL.md:138-153
Temp directory usage in /tmp
The skill uses /tmp/verging-faceswap/ for intermediate video and image files. This is standard practice for media processing but files may persist if not cleaned up. The documentation recommends cleanup. Low risk.
SKILL.md:27-153
Static analyzer false positives: backtick patterns
The static scanner flagged 44 instances of 'Ruby/shell backtick execution' in markdown files. These are all code-block examples in documentation showing curl, ffmpeg, and yt-dlp commands. They are not executable code in the skill itself. False positive.
SKILL.md:50-112
Static analyzer false positives: hardcoded URLs
17 URL references flagged as suspicious are all legitimate API endpoints (verging.ai/api/v1/*) and documentation links. False positive.
SKILL.md:3-33
Static analyzer false positives: weak cryptography
The 'weak cryptographic algorithm' findings at SKILL.md:3 and SKILL.md:33 are likely false positives triggered by the term 'key' in API key context or video codec references (libx264). No actual cryptographic operations are performed by the skill.

Fatores de risco

⚙️ Comandos externos (5)
SKILL.md:27 SKILL.md:118 SKILL.md:119 SKILL.md:120 SKILL.md:123
🌐 Acesso à rede (5)
SKILL.md:50 SKILL.md:53 SKILL.md:63 SKILL.md:70 SKILL.md:110
🔑 Variáveis de ambiente (3)
SKILL.md:12 SKILL.md:18 SKILL.md:40
📁 Acesso ao sistema de arquivos (3)
SKILL.md:88 SKILL.md:99 SKILL.md:138

Versão da auditoria 2

Seguro

Mar 18, 2026, 06:56 AM

This is a legitimate face swap API client skill. The static findings reflect expected behavior: network calls to the verging.ai API service, environment variable access for API key authentication, and external command execution for video processing tools (yt-dlp, ffmpeg, curl). These are all necessary for the skill's core functionality. No malicious intent detected.

4
Arquivos analisados
347
Linhas analisadas
4
achados
claude
Auditado por
Nenhum problema de segurança encontrado

Fatores de risco

🌐 Acesso à rede (18)
openclaw.json:14 openclaw.json:19 README.md:14 SKILL.md:50 SKILL.md:80 SKILL.md:87 SKILL.md:93 SKILL.md:98 SKILL.md:99 SKILL.md:105 SKILL.md:111 SKILL.md:115 SKILL.md:122 SKILL.md:125 SKILL.md:129 SKILL.md:133 SKILL.md:258 SKILL.md:269
🔑 Variáveis de ambiente (16)
openclaw.json:13 README.md:16 SKILL.md:12 SKILL.md:18 SKILL.md:41 SKILL.md:49 SKILL.md:66 SKILL.md:86 SKILL.md:90 SKILL.md:108 SKILL.md:119 SKILL.md:128 SKILL.md:132 SKILL.md:137 SKILL.md:257 SKILL.md:276
⚙️ Comandos externos (36)
SKILL.md:28-30 SKILL.md:30-63 SKILL.md:63-65 SKILL.md:65-67 SKILL.md:67-72 SKILL.md:72-78 SKILL.md:78-84 SKILL.md:84-134 SKILL.md:134-137 SKILL.md:137-138 SKILL.md:138 SKILL.md:138 SKILL.md:138-144 SKILL.md:144-145 SKILL.md:145-146 SKILL.md:146-157 SKILL.md:157 SKILL.md:157-167 SKILL.md:167-168 SKILL.md:168-179 SKILL.md:179-181 SKILL.md:181-183 SKILL.md:183-185 SKILL.md:185-194 SKILL.md:194 SKILL.md:194 SKILL.md:194-197 SKILL.md:197-201 SKILL.md:201-204 SKILL.md:204-205 SKILL.md:205-206 SKILL.md:206-207 SKILL.md:207-208 SKILL.md:208-209 SKILL.md:209-276 SKILL.md:276-281
📁 Acesso ao sistema de arquivos (3)
SKILL.md:167 SKILL.md:171 SKILL.md:281

Versão da auditoria 1

Baixo Risco

Mar 17, 2026, 04:11 PM

Static analysis flagged 77 patterns but all are false positives. Network URLs point to documented verging.ai API endpoints. Environment variable access is for user-provided API key authentication. Shell commands in SKILL.md are markdown documentation examples, not executable code. Temp directory usage is documented with cleanup. Skill is a legitimate CLI wrapper for a paid AI service.

4
Arquivos analisados
341
Linhas analisadas
5
achados
claude
Auditado por
Problemas de Baixo Risco (1)
SKILL.md:165SKILL.md:275
Temporary File Storage
Skill uses /tmp/verging-faceswap/ directory for temporary video and image files during processing. Files are documented to be cleaned up after processing but temporary storage of user media could pose privacy risks if cleanup fails.

Fatores de risco

🌐 Acesso à rede (18)
openclaw.json:14 openclaw.json:19 README.md:14 SKILL.md:50 SKILL.md:80 SKILL.md:87 SKILL.md:93 SKILL.md:98 SKILL.md:99 SKILL.md:105 SKILL.md:111 SKILL.md:115 SKILL.md:122 SKILL.md:125 SKILL.md:129 SKILL.md:133 SKILL.md:252 SKILL.md:263
🔑 Variáveis de ambiente (16)
openclaw.json:13 README.md:16 SKILL.md:12 SKILL.md:18 SKILL.md:41 SKILL.md:49 SKILL.md:66 SKILL.md:86 SKILL.md:90 SKILL.md:108 SKILL.md:119 SKILL.md:128 SKILL.md:132 SKILL.md:137 SKILL.md:251 SKILL.md:270
⚙️ Comandos externos (32)
SKILL.md:28-30 SKILL.md:30-63 SKILL.md:63-65 SKILL.md:65-67 SKILL.md:67-72 SKILL.md:72-78 SKILL.md:78-84 SKILL.md:84-134 SKILL.md:134-137 SKILL.md:137-138 SKILL.md:138 SKILL.md:138 SKILL.md:138 SKILL.md:138-143 SKILL.md:143-163 SKILL.md:163-173 SKILL.md:173-175 SKILL.md:175-177 SKILL.md:177-179 SKILL.md:179-188 SKILL.md:188 SKILL.md:188 SKILL.md:188-191 SKILL.md:191-195 SKILL.md:195-198 SKILL.md:198-199 SKILL.md:199-200 SKILL.md:200-201 SKILL.md:201-202 SKILL.md:202-203 SKILL.md:203-270 SKILL.md:270-275
📁 Acesso ao sistema de arquivos (2)
SKILL.md:165 SKILL.md:275
← Voltar para Skill